bug: bad permission in current working directory

[aaronzs]

Description

There is a permission issue when the CWD has difference UID, GID with the USER in container.

I used to fix this issue with --user $(id -u):$(id -g) in docker-cli or create and switch to the new user in the Dockerfile

I didn't find the user configuration in build.envd. It may be a new feature.

Reproduction

(envd) ➜  envd-quick-start whoami
envd
(envd) ➜  envd-quick-start id
uid=1000(envd) gid=1000(envd) groups=1000(envd),27(sudo)
(envd) ➜  envd-quick-start ll
total 28K
-rw-rw-r-- 1 1042 1042  12K Jun 16 02:54 LICENSE
-rw-rw-r-- 1 1042 1042 4.4K Jun 16 02:54 README.md
-rw-rw-r-- 1 1042 1042  250 Jun 16 03:16 build.envd
-rw-rw-r-- 1 1042 1042   54 Jun 16 02:54 demo.py
(envd) ➜  envd-quick-start touch new_file
touch: cannot touch 'new_file': Permission denied

Additional Info

Maybe related to issue #343, see also VS Code devcontainer add non-root user

[gaocegege]

Thanks for the issue. We use the 1000:1000 in the envd. Thus if the user in the host is not 1000, it may not work now.

How about getting the current user who is running the envd bin, then use this UID:GID in the container?

[gaocegege]

It is also related to #237 #282

[Zheaoli]

How about getting the current user who is running the envd bin, then use this UID:GID in the container?

I think this should be the default behavior. But the envd should open an API in the spec to allow people to spec a uid:gid themself

[gaocegege]

We are thinking if we can do UID remapping during runtime, instead of build time.

As you said, it should be the default behavior. But, if the image is run on other hosts, the UID will fail again.

[aaronzs]

@gaocegege if envd can remapping UID and GID at runtime that will be great. I'm also agree with @Zheaoli that if UID/GID remapping is doable there should be an API or config option allowing user to modify it.

I've used VSCode Dev Container with some projects, and I found that they also need to fix this UID/GID issue. https://github.com/microsoft/vscode-dev-containers/blob/main/containers/python-3/.devcontainer/library-scripts/common-debian.sh#L182

As far as I understand it, they fix it in build time but not build from scratch. The base Dockerfile has several build args. The user firstly downloads the base image and re-builds it with new args e.g., NEW_UID, NEW_GID.

Here is the build log I captured from VSCode console:

[11184 ms] Start: Check Docker is running
[11184 ms] Start: Run in Host: docker version --format {{.Server.APIVersion}}
[11405 ms] Server API version: 1.41
[11408 ms] Start: Run in Host: docker volume ls -q
[11581 ms] Start: Run in Host: docker inspect --type container 016e7f0fda022020f0e1403ffb8c970ed625c157df31e85f46c4c69a950561ac
[11649 ms] Start: Run in Host: docker rm -f 016e7f0fda022020f0e1403ffb8c970ed625c157df31e85f46c4c69a950561ac
[12280 ms] Start: Run in Host: docker ps -q -a --filter label=vsch.local.folder=/home/aaron/tmp/devcontainer-test --filter label=vsch.quality=stable
[12346 ms] Start: Run in Host: docker ps -q -a --filter label=devcontainer.local_folder=/home/aaron/tmp/devcontainer-test
[12457 ms] Start: Run in Host: /home/aaron/.vscode-server/bin/30d9c6cd9483b2cc586687151bcbcd635f373630/node /home/aaron/.vscode-remote-containers/dist/dev-containers-cli-0.238.2/dist/spec-node/devContainersSpecCLI.js up --workspace-folder /home/aaron/tmp/devcontainer-test --workspace-mount-consistency cached --id-label devcontainer.local_folder=/home/aaron/tmp/devcontainer-test --log-level debug --log-format json --config /home/aaron/tmp/devcontainer-test/.devcontainer/devcontainer.json --default-user-env-probe loginInteractiveShell --mount type=volume,source=vscode,target=/vscode,external=true --skip-post-create --update-remote-user-uid-default on --mount-workspace-git-root true --terminal-columns 197 --terminal-rows 15
[13910 ms] remote-containers 0.238.2.
[13909 ms] Start: Run: docker buildx version
[14098 ms] Start: Resolving Remote
[14119 ms] Start: Run: git rev-parse --show-cdup
[14127 ms] Start: Run: docker ps -q -a --filter label=devcontainer.local_folder=/home/aaron/tmp/devcontainer-test
[14210 ms] Start: Run: docker buildx build --load --build-arg BUILDKIT_INLINE_CACHE=1 -f /home/aaron/tmp/devcontainer-test/.devcontainer/Dockerfile -t vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944 --build-arg VARIANT=3.10-bullseye --build-arg NODE_VERSION=lts/* /home/aaron/tmp/devcontainer-test
[+] Building 0.5s (7/7) FINISHED                                                                                                                                                                     
 => [internal] load build definition from Dockerfile                                                                                                                                            0.0s
 => => transferring dockerfile: 32B                                                                                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                               0.1s
 => => transferring context: 2B                                                                                                                                                                 0.1s
 => [internal] load metadata for mcr.microsoft.com/vscode/devcontainers/python:0-3.10-bullseye                                                                                                  0.3s
 => [1/2] FROM mcr.microsoft.com/vscode/devcontainers/python:0-3.10-bullseye@sha256:21a12816fcadaa16dabb4ba0e8c358361d02ea062b1b89db8786eb67173489d0                                            0.0s
 => CACHED [2/2] RUN if [ "lts/*" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install lts/* 2>&1"; fi                                                    0.0s
 => exporting to image                                                                                                                                                                          0.0s
 => => exporting layers                                                                                                                                                                         0.0s
 => => writing image sha256:f5ca2cc4cd9b08f9d763be03a35e06542c6b58d1c8a6a7533fa7562c70a66124                                                                                                    0.0s
 => => naming to docker.io/library/vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944                                                                                                       0.0s
 => exporting cache                                                                                                                                                                             0.0s
 => => preparing build cache for export                                                                                                                                                         0.0s
[15279 ms] Start: Run: docker inspect --type image vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944
[15342 ms] Start: Run: docker build -f /tmp/vsch/updateUID.Dockerfile-0.238.2 -t vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944-uid --build-arg BASE_IMAGE=vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944 --build-arg REMOTE_USER=vscode --build-arg NEW_UID=1042 --build-arg NEW_GID=1042 --build-arg IMAGE_USER=root /tmp/vsch
Sending build context to Docker daemon   5.12kB
Step 1/10 : ARG BASE_IMAGE
Step 2/10 : FROM $BASE_IMAGE
 ---> f5ca2cc4cd9b
Step 3/10 : USER root
 ---> Using cache
 ---> 874aed0bb282
Step 4/10 : ARG REMOTE_USER
 ---> Using cache
 ---> da9f4a3c90b4
Step 5/10 : ARG NEW_UID
 ---> Using cache
 ---> e4cd38d66757
Step 6/10 : ARG NEW_GID
 ---> Using cache
 ---> fbbcd0fcde1f
Step 7/10 : SHELL ["/bin/sh", "-c"]
 ---> Using cache
 ---> 1b67b44ac8b8
Step 8/10 : RUN eval $(sed -n "s/${REMOTE_USER}:[^:]*:\([^:]*\):\([^:]*\):[^:]*:\([^:]*\).*/OLD_UID=\1;OLD_GID=\2;HOME_FOLDER=\3/p" /etc/passwd);       eval $(sed -n "s/\([^:]*\):[^:]*:${NEW_UID}:.*/EXISTING_USER=\1/p" /etc/passwd);     eval $(sed -n "s/\([^:]*\):[^:]*:${NEW_GID}:.*/EXISTING_GROUP=\1/p" /etc/group);        if [ -z "$OLD_UID" ]; then              echo "Remote user not found in /etc/passwd ($REMOTE_USER).";         elif [ "$OLD_UID" = "$NEW_UID" -a "$OLD_GID" = "$NEW_GID" ]; then               echo "UIDs and GIDs are the same ($NEW_UID:$NEW_GID).";         elif [ "$OLD_UID" != "$NEW_UID" -a -n "$EXISTING_USER" ]; then               echo "User with UID exists ($EXISTING_USER=$NEW_UID).";         elif [ "$OLD_GID" != "$NEW_GID" -a -n "$EXISTING_GROUP" ]; then     echo "Group with GID exists ($EXISTING_GROUP=$NEW_GID).";        else            echo "Updating UID:GID from $OLD_UID:$OLD_GID to $NEW_UID:$NEW_GID.";           sed -i -e "s/\(${REMOTE_USER}:[^:]*:\)[^:]*:[^:]*/\1${NEW_UID}:${NEW_GID}/" /etc/passwd;             if [ "$OLD_GID" != "$NEW_GID" ]; then                   sed -i -e "s/\([^:]*:[^:]*:\)${OLD_GID}:/\1${NEW_GID}:/" /etc/group;        fi;              chown -R $NEW_UID:$NEW_GID $HOME_FOLDER;        fi;
 ---> Using cache
 ---> 141aa2bb60aa
Step 9/10 : ARG IMAGE_USER
 ---> Using cache
 ---> d7ed6a1029e5
Step 10/10 : USER $IMAGE_USER
 ---> Using cache
 ---> 7d85ff3a9f1d
Successfully built 7d85ff3a9f1d
Successfully tagged vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944-uid:latest

[gaocegege]

The user firstly downloads the base image and re-builds it with new args e.g., NEW_UID, NEW_GID.

It is interesting. I think the best option is UID remapping but I am not sure if it is possible. Or we should have a similar mechanism with vscode dev container.

[gaocegege]

/assign

I will fix it ASAP

[gaocegege]

Ref https://stackoverflow.com/questions/49417622/is-there-a-way-to-remap-a-user-id-at-runtime

It is not easy to support uid remap at runtime.

[gaocegege]

It should be fixed in the new release, please give it another try with

pip install --upgrade --pre envd

[aaronzs]

It is fixed in v0.1.0-alpha.10 release, thank you for your quick response.

[gaocegege]

Thanks for the report!

Let's open the issue to keep track of the UID ARG feature.

[gaocegege]

@all-contributors Please add @aaronzs for user testing!

[allcontributors]

@gaocegege

I've put up a pull request to add @aaronzs! 🎉

[gaocegege]

#398

Got another issue on macOS.

[gaocegege]

It may be related to docker desktop for mac.

[aaronzs]

It may be related to docker desktop for mac.

@gaocegege FYI, just tried envd on a M1 MacBook with Docker Desktop and Lima.

envd_quick_start works fine with Docker Desktop + envd(v0.1.0-alpha.11)

But pip install raises permission error when I switch to Lima-VM. Currently I have no idea about Lima configuration, and I don't think there are many people using Lima in ML/DS area.

[gaocegege]

@rudeigerc Do you know how Lima works?

[gaocegege]

envd_quick_start works fine with Docker Desktop + envd(v0.1.0-alpha.11)

Sorry, I misread it.

But pip install raises permission error when I switch to Lima-VM. Currently I have no idea about Lima configuration, and I don't think there are many people using Lima in ML/DS area.

Could you please show the err logs with envd --debug up?

[aaronzs]

Could you please show the err logs with envd --debug up?

Sorry, I didn't read the error message carefully... The error is pip cannot figure out the Linux distribution version. Permission issue is warning.

DOCKER_HOST=unix:///Users/aaron/.lima/docker/sock/docker.sock envd --debug up

=> 🔥 (error) pip install numpy                                                                                                                                                                                                          3.2s
------
 > pip install numpy:
#0 3.092 WARNING: The directory '/home/envd/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
#0 3.109 ERROR: Exception:
#0 3.109 Traceback (most recent call last):
#0 3.109   File "/usr/lib/python3/dist-packages/pip/_internal/cli/base_command.py", line 186, in _main
#0 3.109     status = self.run(options, args)
#0 3.109   File "/usr/lib/python3/dist-packages/pip/_internal/commands/install.py", line 305, in run
#0 3.109     session = self.get_default_session(options)
#0 3.109   File "/usr/lib/python3/dist-packages/pip/_internal/cli/req_command.py", line 74, in get_default_session
#0 3.109     self._session = self.enter_context(self._build_session(options))
#0 3.109   File "/usr/lib/python3/dist-packages/pip/_internal/cli/req_command.py", line 84, in _build_session
#0 3.109     session = PipSession(
#0 3.109   File "/usr/lib/python3/dist-packages/pip/_internal/network/session.py", line 241, in __init__
ERRO[2022-06-17T08:02:39+08:00] failed to solve LLB: failed to solve: process "/dev/.buildkit_qemu_emulator pip install --no-warn-script-location numpy" did not complete successfully: exit code: 2  tag="envd-quick-start:dev"
#0 3.109     self.headers["User-Agent"] = user_agent()
#0 3.109   File "/usr/lib/python3/dist-packages/pip/_internal/network/session.py", line 132, in user_agent
#0 3.109     zip(["name", "version", "id"], distro.linux_distribution()),
#0 3.109   File "/usr/share/python-wheels/distro-1.4.0-py2.py3-none-any.whl/distro.py", line 122, in linux_distribution
#0 3.109     return _distro.linux_distribution(full_distribution_name)
#0 3.109   File "/usr/share/python-wheels/distro-1.4.0-py2.py3-none-any.whl/distro.py", line 677, in linux_distribution
#0 3.109     self.version(),
#0 3.109   File "/usr/share/python-wheels/distro-1.4.0-py2.py3-none-any.whl/distro.py", line 737, in version
#0 3.109     self.lsb_release_attr('release'),ERRO[2022-06-17T08:02:39+08:00] failed to load docker image: Post "http://%2FUsers%2Faaron%2F.lima%2Fdocker%2Fsock%2Fdocker.sock/v1.41/images/load?quiet=1": context canceled  tag="envd-quick-start:dev"

#0 3.109   File "/usr/share/python-wheels/distro-1.4.0-py2.py3-none-any.whl/distro.py", line 899, in lsb_release_attr
#0 3.109     return self._lsb_release_info.get(attribute, '')
#0 3.109   File "/usr/share/python-wheels/distro-1.4.0-py2.py3-none-any.whl/distro.py", line 552, in __get__
#0 3.109     ret = obj.__dict__[self._fname] = self._f(obj)
#0 3.109   File "/usr/share/python-wheels/distro-1.4.0-py2.py3-none-any.whl/distro.py", line 1012, in _lsb_release_info
#0 3.109     stdout = subprocess.check_output(cmd, stderr=devnull)
#0 3.109   File "/usr/lib/python3.8/subprocess.py", line 415, in check_output
#0 3.109     return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
#0 3.109   File "/usr/lib/python3.8/subprocess.py", line 516, in run
#0 3.109     raise CalledProcessError(retcode, process.args,
#0 3.109 subprocess.CalledProcessError: Command '('lsb_release', '-a')' returned non-zero exit status 1.
------
error: failed to build the image: failed to build: failed to wait error group: failed to solve LLB: failed to solve: process "/dev/.buildkit_qemu_emulator pip install --no-warn-script-location numpy" did not complete successfully: exit code: 2
error: process "/dev/.buildkit_qemu_emulator pip install --no-warn-script-location numpy" did not complete successfully: exit code: 2

[gaocegege]

Thanks! There are users who also encounter it. I created issue #409 to keep track.

[gaocegege]

And, I created a new issue to keep track of the UID/GID ARG feature here #410

I am closing this one. But feel free to leave comments if there is any update.

[rudeigerc]

I haven't encountered any trouble building envd-quick-start with docker in lima on Intel Mac, so I have no idea. 😂