-
Notifications
You must be signed in to change notification settings - Fork 255
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Features: "User" and Installs to User Home Directory #91
Comments
Yeah agree with this - In fact, #75 proposes to bring in first class support for creating them as well. Part of that would be both the remoteUser and containerUser would be available as env vars in Features as well. That way you can Would that hit what you are getting at here? A first step could just be to add in the env vars though, I agree - FYI @chrmarti since he's been talking about this one. I'd love to drop all of the "automatic" logic since it generally works, but is not foolproof since the UID of the user could be something other than As a FYI, there's also groups created in some Features to help manage privs for some of this, but that's generally due to not having #25 for people running on Linux natively. |
Yeah, that would work. Feature authors can then assume their |
You could update the existing home folders and the E.g., adding a for home in /etc/skel /home/*
do
su $(stat -c '%U' "$home") -c "echo foo >'$home/.bar'"
done |
Yep, this is indeed the case! This is important to allow you to install any OS dependencies w/o passwordless sudo. However, I'm noticing this is not called out in the spec which we should fix for sure. One other tip is that typically the user has a UID of @chrmarti What you are suggesting is one possible solution as well! Though, you'd also need to update Perhaps we should leave this one open to capture that request independent of #75? |
@Chuxel Makes sense, let's track passing the effective username to the feature scripts here. |
GoalFeature scripts run as the (The dev container user can be configured through the ProposalPass Additionally the home folders of the two users are passed to the feature scripts as Notes
|
I imagine that a common use of these in feature installation scripts will be to write to the user home folder in the container. |
Makes sense. Some suggest using We should probably include the home folder for both users. Also prefixing the variables with |
Continuing in #110. |
Hello,
I'm writing a feature which requires writing configuration files to the home directory of the user within the container.
Looking at the source code of existing implemented features as a reference, such as the
anaconda
feature, I encountered code such as the following, which has specific logic to determine the user (and thus the home directory location).https://github.com/devcontainers/features/blob/a5fbdab3c096152dd3a318c0c23da9465815aa69/src/anaconda/install.sh#L29-L44
I wasn't able to find specific documentation in the proposal on a "contract" for feature developers; with details on a
USERNAME
environment variable being provided when executing theinstall.sh
script. Furthermore, use of "magical" users such asautomatic
,auto
,vscode
,node
,codespace
or other (via/etc/passwd
) to aid in the determination behaviour is something I wouldn't want to have to repeat in authoring my features.Furthermore, the reliance on having one of these user exist in a given base image is tenuous and makes this logic quite fragile (and smelly).
Therefore I propose a better and surprisingly much simpler solution, inspired in part by how the
vagrant
shell provisioner works, as follows:The process which is executing the
install.sh
script, has access to the givendevcontainer.json
file, which defines aremoteUser
and thus can be used to provide theUSERNAME
environment variable to the script; sort of like a docker build argument, which would remove the need to have to infer the correct user.Since the feature
install.sh
script is typically executed asroot
, unless the base image switches the user, files installed to the home directory need to bechown
ed to make the files accessible to the user when the dev container is running. This can be solved by having an optionaldevcontainer-feature.json
property, such asinstallAs
, which is an enum type with values ofroot
orremoteUser
. WhenremoteUser
is provided,install.sh
is executed in the context of the user provided by theremoteUser
property. This is similar in concept to how theprivileged
setting of thevagrant
shell provisioner alters the context. This does place a limitation on what theinstall.sh
script can do, so authors should include an assertion for root if required for proper execution.https://github.com/devcontainers/features/blob/a5fbdab3c096152dd3a318c0c23da9465815aa69/src/terraform/install.sh#L35-L38
To aid troubleshooting, since the onus is on the
devcontainer.json
author to ensure alignment of the user(s) contained in the base image and theremoteUser
provided, a check should be performed before installing features, to assert that the givenremoteUser
exists and a nice helpful message if it doesn't.The text was updated successfully, but these errors were encountered: