not root user in vscode remote container extension

Question

not root user in vscode remote container extension

Closed this issue 3 years ago · 2 comments

i cant seem to get the remote container vs code extension to allow me to use the integrated terminal as the "deno" user that the image provides. it says this when the container is run:

# cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
deno:x:1993:1993:Linux User,,,:/home/deno:/sbin/nologin

Dockerfile:

FROM hayd/alpine-deno:1.9.2

RUN apk --update add python3 git smartmontools tzdata && \
    apk add snapraid --update-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing --allow-untrusted && \
    rm -rf /var/cache/apk/*

COPY .devcontainer/config/snapraid.conf /etc

EXPOSE 8080 

WORKDIR /app

USER deno

COPY deps.ts .
RUN deno cache deps.ts

ADD src ./src

RUN deno cache src/server.ts

devcontainer.json:

{
  "name": "snapraid-api",
  "dockerFile": "Dockerfile",
  "context": "..",
  "settings": {
    "terminal.integrated.defaultProfile.linux": "/bin/sh"
  },
  "extensions": ["denoland.vscode-deno"],
  "forwardPorts": [8080],
  "remoteUser": "deno"
}

i know that some of their example images have non root users, like node. commenting out USER deno in the image and "remoteUser": "deno" in the json config allows me to use the integrated terminal as root just fine. maybe someone familiar with the extension might spot what im doing wrong?

source of my .devcontainer directory: https://github.com/kinghat/snapraid-gui/tree/0dc7e54815d68ef2f9abd8934ede9fcaca404714/apps/api/.devcontainer

adding the shadow package and using chsh to change the shell of deno results in PAM auth error that might be related here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11025

Answer 1 · 2021-05-13T04:47:21.000Z

so it looks like i was running into two issues:

deno is created as an system user -S
the assigned gid and uid were not mapping to my host and getting permission errors

i altered the base image to below to play nice with the remote container vscode extension:

RUN addgroup deno \
  && adduser --disabled-password deno --ingroup deno\
  && mkdir /deno-dir/ \
  && chown deno:deno /deno-dir/

i do still have a couple questions though. why are the uid/gid set to 1993 and why the -S system user flag? is it a security thing?

Answer 2 · 2021-05-13T05:09:22.000Z

I thought the base image examples I had seen used system users... but maybe this is not the case?
e.g. https://github.com/nodejs/docker-node/blob/8b68fca7a5089bd8795ae85b55617314e966487b/16/alpine3.11/Dockerfile#L6

1993 is the year Jurassic Park was released 😳

Happy to take PR for alpine dockerfile to fix.