Remote development mode: access denied on /deployments files #40502

Open
vsevel opened this issue May 7, 2024 · 2 comments · May be fixed by #41029
Labels
area/devmode kind/bug Something isn't working

Comments

Contributor

vsevel commented May 7, 2024

Describe the bug

When using remote development mode with default Dockerfile jvm, after I start the application and I run mvn quarkus:remote-dev, I get multiple errors, such as:

2024-05-07 18:33:45,302 ERROR [io.qua.ver.htt.run.dev.RemoteSyncHandler] (vert.x-eventloop-thread-0) {sampled=true, spanId=e9c25abe107e1417, traceId=4f1b5f3361e6d0fc418f8a126e1bb017} Failed to update file: java.lang.RuntimeException: java.nio.file.AccessDeniedException: /deployments/lib/deployment/appmodel.dat
	at io.quarkus.deployment.dev.RuntimeUpdatesProcessor.updateFile(RuntimeUpdatesProcessor.java:427)
	at io.quarkus.vertx.http.runtime.devmode.RemoteSyncHandler$7.handle(RemoteSyncHandler.java:223)
	at io.quarkus.vertx.http.runtime.devmode.RemoteSyncHandler$7.handle(RemoteSyncHandler.java:216)
	at io.vertx.core.impl.future.FutureImpl$1.onSuccess(FutureImpl.java:91)
	at io.vertx.core.impl.future.FutureBase.lambda$emitSuccess$0(FutureBase.java:60)
	at io.vertx.core.impl.ContextImpl.execute(ContextImpl.java:298)
	at io.vertx.core.impl.DuplicatedContext.execute(DuplicatedContext.java:171)
	at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:57)
	at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:259)
	at io.vertx.core.http.impl.HttpEventHandler.handleEnd(HttpEventHandler.java:79)
	at io.vertx.core.http.impl.Http1xServerRequest.onEnd(Http1xServerRequest.java:596)
	at io.vertx.core.http.impl.Http1xServerRequest.lambda$pendingQueue$1(Http1xServerRequest.java:132)
	at io.vertx.core.streams.impl.InboundBuffer.handleEvent(InboundBuffer.java:255)
	at io.vertx.core.streams.impl.InboundBuffer.write(InboundBuffer.java:134)
	at io.vertx.core.http.impl.Http1xServerRequest.handleEnd(Http1xServerRequest.java:577)
	at io.vertx.core.impl.ContextImpl.execute(ContextImpl.java:313)
	at io.vertx.core.impl.DuplicatedContext.execute(DuplicatedContext.java:161)
	at io.vertx.core.http.impl.Http1xServerConnection.onEnd(Http1xServerConnection.java:221)
	at io.vertx.core.http.impl.Http1xServerConnection.onContent(Http1xServerConnection.java:209)
	at io.vertx.core.http.impl.Http1xServerConnection.handleOther(Http1xServerConnection.java:189)
	at io.vertx.core.http.impl.Http1xServerConnection.handleMessage(Http1xServerConnection.java:176)
	at io.vertx.core.net.impl.ConnectionBase.read(ConnectionBase.java:159)
	at io.vertx.core.net.impl.VertxHandler.channelRead(VertxHandler.java:153)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:289)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1475)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: java.nio.file.AccessDeniedException: /deployments/lib/deployment/appmodel.dat
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:261)
	at java.base/java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:482)
	at java.base/java.nio.file.Files.newOutputStream(Files.java:227)
	at java.base/java.nio.file.Files.write(Files.java:3492)
	at io.quarkus.deployment.dev.RuntimeUpdatesProcessor.updateFile(RuntimeUpdatesProcessor.java:425)
	... 56 more

A workaround consists in adding a chmod to the docker file, such as: RUN chmod 777 -R /deployments.

Expected behavior

Ideally, this would be added to the default jvm docker file, with the appropriate restrictive permissions.
This may raise a security issue; in that case, the doc should add a note about this in the section "If you plan on running the application via Docker, ..."

Actual behavior

The application fails to reload modified resources. This includes everything under /deployments.

How to Reproduce?

Create an application, build an image, and run it as a container.

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

89b732b (future 3.11)

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
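
As an added example (not part of the original issue or of Quarkus), the shell check below contrasts the `chmod 777 -R /deployments` workaround with what remote dev mode actually needs: write access for the user the container runs as. It counts entries that are world-writable and entries that a given uid/gid cannot write according to the mode bits; the function names and the uid/gid arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: permission audit for a directory such as /deployments.
# Mode bits only: ACLs, capabilities and root's override are not considered.
# Symlinks are skipped because their own mode is always 0777.

# count_world_writable DIR -> number of entries writable by "other"
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# count_unwritable_for UID GID DIR -> number of entries that UID/GID cannot
# write. Follows the kernel's class selection: owner bits if UID owns the
# entry, else group bits if GID matches, else "other" bits.
count_unwritable_for() {
    find "$3" ! -type l ! \( \
        \( -user "$1" -perm -0200 \) -o \
        \( ! -user "$1" -group "$2" -perm -0020 \) -o \
        \( ! -user "$1" ! -group "$2" -perm -0002 \) \
    \) | wc -l | tr -d ' '
}

# audit_dir UID GID DIR -> prints a summary; succeeds only when the runtime
# user can write everything and nothing is writable by everyone.
audit_dir() {
    ww=$(count_world_writable "$3")
    uw=$(count_unwritable_for "$1" "$2" "$3")
    echo "$3: world-writable=$ww unwritable-for-$1:$2=$uw"
    [ "$ww" -eq 0 ] && [ "$uw" -eq 0 ]
}

# Usage inside the container or as a build step (uid/gid are whatever the
# image's USER resolves to):
#   audit_dir "$(id -u)" "$(id -g)" /deployments
```

After `chmod 777 -R`, the unwritable count drops to zero for any uid, but every entry is reported as world-writable; ownership or group-write scoped to the runtime user brings both counts to zero.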

@vsevel vsevel added the kind/bug Something isn't working label May 7, 2024
Member

gsmet commented May 13, 2024

I'm not sure we can do a lot better than adding some documentation about the issue (maybe as a comment + commented line in the Dockerfile but also probably here https://quarkus.io/guides/maven-tooling#remote-development-mode).

@vsevel would that work for you? If so, would you be able to add it?

Contributor Author

vsevel commented May 14, 2024

sure @gsmet

4 participants