Podman VSCode cannot open shells nor write to filesystem #3231

Closed
Davidnet opened this issue Jun 21, 2020 · 9 comments
Labels

  • bug: Issue identified by VS Code Team member as probable bug
  • containers: Issue in vscode-remote containers
  • info-needed: Issue requires more information from poster

Comments

@Davidnet

  • VSCode Version: 1.46.1
    cd9ea6488829f560dc949a8b2fb789f3cdc05f5d
    x64

  • Local OS Version:
    Remote Version Container v0.122.1
    Remote development 0.20.0

  • Remote OS Version:
    Remote Version Container v0.122.1

  • Remote Extension/Connection Type: Docker

Steps to Reproduce:

  1. Create .devcontainer with the following Dockerfile and devcontainer.json: Link
  2. Start development in container and these are the logs:

Logs in gist Github

  3. Also it keeps filling the logs with:

    [29875 ms] Start: Run: podman exec -i -u vscode -e VSCODE_REMOTE_CONTAINERS_SESSION=21326170-1097-4ae1-ac3f-35b2c36f70391592728820446 09bf7ec715d4e43aad577ef55f6e9f67c514166c7f0810291a716030edb9a342 /root/.vscode-server/bin/cd9ea6488829f560dc949a8b2fb789f3cdc05f5d/node -e
    [29967 ms] [08:40:51] [::ffff:127.0.0.1][b33b8a53][ExtensionHostConnection] The client has reconnected.
    [54973 ms] Start: Run: podman exec -i -u vscode -e VSCODE_REMOTE_CONTAINERS_SESSION=21326170-1097-4ae1-ac3f-35b2c36f70391592728820446 09bf7ec715d4e43aad577ef55f6e9f67c514166c7f0810291a716030edb9a342 /root/.vscode-server/bin/cd9ea6488829f560dc949a8b2fb789f3cdc05f5d/node -e
    [55072 ms] [08:41:16] [::ffff:127.0.0.1][b33b8a53][ExtensionHostConnection] The client has reconnected.

I have been trying to modify the run args with

"--security-opt", "seccomp=unconfined"
and
security-opt=label=disable

Anything that I can do to help debug?

Does this issue occur when you try this locally?: Yes
Does this issue occur when you try this locally and all extensions are disabled?: Yes

@Davidnet Davidnet changed the title Podman VSCode cannot open shells nor write to filesyste, Podman VSCode cannot open shells nor write to filesystem Jun 21, 2020
@github-actions github-actions bot added the containers Issue in vscode-remote containers label Jun 21, 2020
@chrmarti
Contributor

Confirmed. Commenting out the "remoteUser" property in the devcontainer.json makes it work for me.

@chrmarti chrmarti self-assigned this Jun 23, 2020
@chrmarti chrmarti added info-needed Issue requires more information from poster bug Issue identified by VS Code Team member as probable bug and removed info-needed Issue requires more information from poster labels Jun 23, 2020
@chrmarti chrmarti added this to the June 2020 milestone Jun 23, 2020
@Davidnet
Author

It seems to work (I now have a terminal and shell responding), but it seems that it cannot mount the files in the filesystem (permission denied; in a normal CLI setting I put -v host/path:guest/path:Z). Also, one question: how should I log in as a different user if "remoteUser" should be different from root?

@Davidnet
Author

It seems to be related to SELinux, from my journalctl:

Jun 23 10:30:12 noble-dragon systemd[2107]: Started libcrun container.
Jun 23 10:30:13 noble-dragon audit[9958]: AVC avc:  denied  { read } for  pid=9958 comm="node" name="settings.json" dev="dm-2" ino=29366502 scontext=system_u:system_r:container_t:s0:c631,c695 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jun 23 10:30:13 noble-dragon audit[9958]: AVC avc:  denied  { read } for  pid=9958 comm="node" name="settings.json" dev="dm-2" ino=29366502 scontext=system_u:system_r:container_t:s0:c631,c695 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
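
Added example, not part of the original comment and not code from VS Code or podman: a small Python parser for AVC denials like the ones quoted above. It reports whether a `container_t` process was blocked because the target lacks the `container_file_t` label (the label that the `:Z` volume option mentioned earlier in the thread applies) or because its MCS categories belong to another container. The first three sample lines follow the journal excerpt, the fourth is invented, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed input: DENIAL repeats the journal line quoted in the thread
# (it appears twice there); the last line is invented to show an MCS mismatch.
DENIAL = ('Jun 23 10:30:13 noble-dragon audit[9958]: AVC avc:  denied  { read } for  pid=9958 comm="node" name="settings.json" dev="dm-2" ino=29366502 '
          'scontext=system_u:system_r:container_t:s0:c631,c695 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0')
SAMPLE = [
    'Jun 23 10:30:12 noble-dragon systemd[2107]: Started libcrun container.',
    DENIAL,
    DENIAL,
    'Jun 23 10:31:00 example-host audit[1234]: AVC avc:  denied  { write } for  pid=1234 comm="node" name="notes.txt" dev="dm-2" ino=42 '
    'scontext=system_u:system_r:container_t:s0:c631,c695 tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """user:role:type[:level] -> dict. Only comma-separated category lists
    (c1,c2) are handled; ranges such as c0.c1023 are not expanded."""
    user, role, typ, level = (ctx.split(':', 3) + [''])[:4]
    cats = set(level.split(':', 1)[1].split(',')) if ':' in level else set()
    return {'user': user, 'role': role, 'type': typ, 'cats': cats}

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    rec['scontext'] = split_context(rec['scontext'])
    rec['tcontext'] = split_context(rec['tcontext'])
    return rec

def verdict(rec):
    src, tgt = rec['scontext'], rec['tcontext']
    if src['type'] != 'container_t':
        return 'not a container process'
    if tgt['type'] != 'container_file_t':
        return 'target not labelled for containers'
    if not tgt['cats'] <= src['cats']:  # process categories must cover the file's
        return 'labelled for another container (MCS categories differ)'
    return 'container-labelled target; check the permission itself'

def summarize(lines):
    """Count denials per (comm, file name, target type, verdict)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(rec['comm'], rec['name'], rec['tcontext']['type'], verdict(rec))] += 1
    return counts
```

A "target not labelled for containers" verdict on a bind-mounted host path is the case where relabelling that one path keeps SELinux confinement in place, whereas `label=disable` turns label separation off for the whole container.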

@Davidnet
Author

@chrmarti I also found that vscode is trying to remove:

[1031 ms] Shell server terminated (code: 255, signal: null)

Error: can only create exec sessions on running containers: container state improper

[8926 ms] Start: Run: podman remove -f 7776a8acf9a8bb87f55abd232ad5836d708e73cf8faf954e6e06264f971d3c53

But I think it is not a correct podman command since:

$ podman remove -f 7776a8acf9a8bb87f55abd232ad5836d708e73cf8faf954e6e06264f971d3c53
Error: unknown shorthand flag: 'f' in -f

Should I file another bug report?

@Davidnet
Author

I was able to get my desired behavior using:

"runArgs": [ "-u", "1000:1000", "--security-opt", "label=disable" ],

@chrmarti
Contributor

Which version of podman are you using? Recent versions do have the -f flag for rm. It might be best to upgrade to the latest (which seems to be 2.0.1).

I can get it to work by unsetting the HOME env variable. For some reason that is set to /root on the container itself, that seems unexpected and doesn't happen with Docker. Try adding this to your devcontainer.json:

	"remoteUser": "vscode",
	"containerEnv": {
		"HOME": ""
	}

@chrmarti chrmarti removed this from the June 2020 milestone Jun 27, 2020
@chrmarti chrmarti added the info-needed Issue requires more information from poster label Jun 27, 2020
@Davidnet
Author

Yes, sorry, it seems that Fedora hasn't updated to the last version. Right now I'm using:

podman version 1.9.3

@Davidnet
Author

Davidnet commented Jul 2, 2020

I upgraded to podman version 2.0.1. It seems that creation of and connection to the container is correct. Unfortunately, vscode cannot mount the folders of the host into the container. I have read before that this is due to SELinux. Do you think we should add comments in the examples of the devcontainer.json that address this kind of thing in Fedora 32?

These are my logs from systemctl:

Jul 02 01:34:14 noble-dragon audit[60239]: AVC avc:  denied  { read } for  pid=60239 comm="node" name="settings.json" dev="dm-2" ino=29366502 scontext=system_u:system_r:container_t:s0:c65,c768 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jul 02 01:34:14 noble-dragon audit[60239]: AVC avc:  denied  { read } for  pid=60239 comm="node" name="settings.json" dev="dm-2" ino=29366502 scontext=system_u:system_r:container_t:s0:c65,c768 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jul 02 01:34:16 noble-dragon vsls-agent[58931]: Agent-ObjectTracker Verbose: 0 :
Jul 02 01:34:16 noble-dragon vsls-agent[58931]: Remove item:KeepAliveAgent reason:RpcSessionDisconnect delay:5000 count:2 others:[KeepAliveAgent reason:AgentStarted delay:30000,RpcSession #1]
Jul 02 01:34:16 noble-dragon vsls-agent[58931]: Agent-ObjectTracker Verbose: 0 :
Jul 02 01:34:16 noble-dragon vsls-agent[58931]: Remove item:RpcSession #1 count:1 others:[KeepAliveAgent reason:AgentStarted delay:30000]

Thanks for the support! Amazing tool.

@Davidnet
Author

Davidnet commented Jul 2, 2020

Seems that this was already mentioned in #1333. I will close this as the expected behavior is already solved. Thanks!

@Davidnet Davidnet closed this as completed Jul 2, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Aug 16, 2020