DevContainer and Mac OSX mount permissions #325

Open
tarilabs opened this issue Oct 27, 2023 · 4 comments
@tarilabs

If this is not the right place for this report, my apologies and kindly let me know where this shall better be placed 🙏

My issue is: I am wondering if this is the expected way to use DevContainer on a Mac when not using Docker for Mac, or I hope these notes could be helpful if someone lands here :) --like I landed myself when I first needed to address "my" issue.

Exec summary

I have the need to develop using a particular version of CPython and ABI/platform for architecture x86_64 but I'm on Apple Silicon M2 (arm64) (SEO: aarch64 ARM).
I found DevContainer could be helpful but I experienced some issues as detailed in this article.
I am NOT using Docker for Mac, I'm specifically using colima version 0.5.6 as it was the first suggestion on this page, but the concepts can be helpful in general for mount permission issues.

i.e.: Take the DevContainer image, use it as the FROM in a Dockerfile, and apply a snippet at the end similar to:

# Here I use the USER from the FROM image
ARG USERNAME=vscode
ARG GROUPNAME=vscode

# Here I use the UID/GID from _my_ computer
ARG USER_UID=nnn
ARG USER_GID=nn

RUN groupmod --gid $USER_GID -o $GROUPNAME \
    && usermod --uid $USER_UID --gid $USER_GID $USERNAME \
    && chown -R $USER_UID:$USER_GID /home/$USERNAME

👉 In the end it seems to me any DevContainer mount permission issues I encountered boil down to the mountType (virtiofs, 9p, sshfs) used by Colima, depending on whether qemu or vz Rosetta is used.

Details

mountType: sshfs - works out of the box

Used: colima start.

Because the default is mountType: sshfs, writing files seems to be working just fine.

mountType: 9p - does NOT work ootb

Used: colima start --mount-type 9p.
Because it is mountType: 9p, writing files does not work and seems to be affected by what is described here.

vscode ➜ /workspaces/demo20231027-dcmac (main) $ python demo.py 
Traceback (most recent call last):
  File "/workspaces/demo20231027-dcmac/demo.py", line 23, in <module>
    write_datetime_to_file(unique_filename)
  File "/workspaces/demo20231027-dcmac/demo.py", line 16, in write_datetime_to_file
    with open(filename, 'w') as file:
PermissionError: [Errno 13] Permission denied: 'tmp20231027-190139-0.log'
vscode ➜ /workspaces/demo20231027-dcmac (main) $ touch asdf
touch: cannot touch 'asdf': Permission denied

To fix the permission issue, I am using a variation of this: https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user#_change-the-uidgid-of-an-existing-container-user

That is, using the image as FROM in a Dockerfile and a snippet such as:

ARG USERNAME=vscode
ARG GROUPNAME=vscode

# Here I use the UID/GID from _my_ computer
ARG USER_UID=nnn
ARG USER_GID=nn

RUN groupmod --gid $USER_GID -o $GROUPNAME \
    && usermod --uid $USER_UID --gid $USER_GID $USERNAME \
    && chown -R $USER_UID:$USER_GID /home/$USERNAME

I have added -o to groupmod as the gid might be already present from the inherited Docker images.

mountType: virtiofs - does NOT work ootb

Used: colima start --vz-rosetta --vm-type vz --arch x86_64 --cpu 4 --memory 8.
Because it is mountType: virtiofs, writing files (again) does not work and seems to be affected by what is described here.

vscode ➜ /workspaces/demo20231027-dcmac (main) $ python demo.py 
Traceback (most recent call last):
  File "/workspaces/demo20231027-dcmac/demo.py", line 23, in <module>
    write_datetime_to_file(unique_filename)
  File "/workspaces/demo20231027-dcmac/demo.py", line 16, in write_datetime_to_file
    with open(filename, 'w') as file:
PermissionError: [Errno 13] Permission denied: 'tmp20231027-194539-0.log'
vscode ➜ /workspaces/demo20231027-dcmac (main) $ touch asdf
touch: cannot touch 'asdf': Permission denied

So again to fix the permission issue,
applying the variation of the Dockerfile snippet.

vscode ➜ /workspaces/demo20231027-dcmac (main) $ python demo.py 
File 'tmp20231027-195156-0.log' has been created.

This is what I need.
The DevContainer is connecting into a x86_64.
I can use the CPython and the ABI/Platform I need.
I can write to file in the workspace/repository.

What did not work

Tried using this in devcontainer.json:

"runArgs": ["--user=uid:gid"]

but it did not help.

You can also follow along with notes of the tests in the git history of this repo: https://github.com/tarilabs/demo20231027-dcmac/commits/main

Other resources I found helpful

@samruddhikhandale
Member

Hi 👋

Thanks for opening a detailed issue, appreciate it. Looping in @chrmarti for his expertise.

@chrmarti
Contributor

We update the UID and GID when using Linux as the host automatically. If there was a reliable and quick way to determine if this is needed on macOS, we could do it there too.

@chrmarti chrmarti self-assigned this Oct 30, 2023
@tarilabs
Author

Thanks for the quick feedback!

So is this "hardcode" in place because there is no reliable way to determine when needed on MacOSX?

https://github.com/devcontainers/cli/blob/5a5a9b209d673a4b9e5389f6d64ac124cce3ec62/src/spec-node/devContainers.ts#L179

Sorry if this is a banal question, just curious as I'm learning more about DevContainer 😅

@chrmarti
Contributor

When using Docker Desktop, you get automatic ownership on bind mounts and the UID/GID updating isn't needed. I added the updateRemoteUserUIDOnMacOS flag to experiment with colima.
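
Added example, not part of the thread and not the devcontainers CLI's own logic: a check to run inside the container that tells whether the workspace bind mount is already writable or whether the USER_UID/USER_GID remap from the Dockerfile snippet in the report is needed. The function names and the WORKSPACE_DIR variable are hypothetical, and the 501:20 / 1000:1000 IDs are constructed sample values.

```shell
#!/bin/sh
# Added example: is the UID/GID remap needed for this bind mount?

# Print "uid:gid" owning DIR (GNU stat first, BSD stat as fallback).
owner_ids() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# Same probe as `touch asdf` in the report, but it cleans up after itself.
can_write() {
    probe=$(mktemp "$1/.dc-probe.XXXXXX" 2>/dev/null) || return 1
    rm -f "$probe"
}

# classify OWNER_UID OWNER_GID USER_UID USER_GID
# Pure decision logic, so it can be checked with constructed values.
classify() {
    if [ "$1" = "$3" ] && [ "$2" = "$4" ]; then
        # IDs already agree: a write failure is mode bits or a read-only mount.
        echo "match"
    elif [ "$1" = "0" ]; then
        # Never suggest remapping the dev user onto root; fix the mount instead.
        echo "root-owned"
    else
        # Values to pass as the USER_UID / USER_GID build args.
        echo "remap USER_UID=$1 USER_GID=$2"
    fi
}

# mount_status DIR [USER_UID USER_GID]; IDs default to the current user.
mount_status() {
    if can_write "$1"; then
        echo "writable"
        return 0
    fi
    ids=$(owner_ids "$1") || return 2
    classify "${ids%%:*}" "${ids##*:}" "${2:-$(id -u)}" "${3:-$(id -g)}"
}

# Constructed values: mount owned by 501:20, container user is 1000:1000.
classify 501 20 1000 1000
# Real check against the workspace (WORKSPACE_DIR is a hypothetical override).
mount_status "${WORKSPACE_DIR:-$PWD}" || echo "cannot stat workspace"
```

A "writable" result means no remap is needed for that mount; a "remap" result gives the values to pass as build arguments to the Dockerfile.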
