Docker Compose: Add Git safe directory when needed

[chrmarti]

I'm adding a fix to the single container case (Docker Compose case needs more investigation) where the repository root folder is added as a safe directory in the container if the current user in the container is not the same as the owner of the repository root folder and on the local machine the current user and the owner of the repository root folder are the same.

This is available in Dev Containers 0.274.0-pre-release. Will open a new issue to investigate adding this for Docker Compose setups too.

Originally posted by @chrmarti in #7628 (comment)

[markedwards]

Any rough idea of timeline on this? This doesn't always happen, and it's difficult to understand what triggers it, but when it happens it doesn't go away.

The "fix" using postStartCommand is pretty annoying because it insists on popping up a notification on every single rebuild.

[markedwards]

❤️

[chrmarti]

Could you give Dev Containers 0.373.0-pre-release a try and let me know if that works? That fixes the Docker Compose case and also covers cases where the Git root folder is between the workspace folder and the mount point.

[andreamah]

@markedwards have you had a chance to test using the pre-release? Thanks!

[markedwards]

@markedwards have you had a chance to test using the pre-release? Thanks!

I haven't, and the problem is I haven't experienced this issue in quite some time. I have no idea how to reproduce it consistently.

[andreamah]

@chrmarti is there an alternative way to verify this bug?

[pamelafox]

I did test with the pre-release, and I did get the error in the middle of the session. I haven't seen it again yet at the beginning of a session (ie. right after Dev Container is built).

[andreamah]

Hmm. @chrmarti I will reopen this bug so that you can investigate further.

[andreamah]

Thanks, @pamelafox!

[chrmarti]

@pamelafox If it is only in the middle of a session I wonder what might have changed at that point. Could you check the ownership of the Git root folder when this occurs? Is this with the repository on a local folder or in a Docker volume?

[pamelafox]

Here's a screenshot of it happening- this is inside the Dev Container from https://github.com/Azure-Samples/rag-postgres-openai-python/tree/main/.devcontainer

Here's what it says for ownership of .git inside workspace:

vscode ➜ /workspace $ ls -ld .git
drwxr-xr-x 16 vscode vscode 512 Jun 27 07:44 .git

[pamelafox]

Here's what it says run I check ownership from my local Terminal:

rag-postgres-openai-python % ls -ld .git
drwxr-xr-x  16 pamelafox  staff  512 Jun 27 00:47 .git

[chrmarti]

@pamelafox What ownership does the /workspace folder have?

[pamelafox]

vscode ➜ /workspace $ ls -ld ../workspace/
drwxr-xr-x 24 vscode vscode 768 Jun 24 13:30 ../workspace/

[chrmarti]

That doesn't match my previous understanding of the error message. I thought that would only show when the ownership/permissions are such that someone else might have manipulated the repository, but that does not appear to be the case here. 🤔

[pamelafox]

I just had the git issue with a new Dev Container rebuild.
Here are results right after the dev container starts:

vscode ➜ /workspace $ ls -ld .git
drwxr-xr-x 15 vscode vscode 480 Jul 1 23:12 .git

vscode ➜ /workspace $ ls -ld ../workspace/
drwxr-xr-x 27 root root 864 Jun 11 20:39 ../workspace/

[chrmarti]

@pamelafox Do you know why /workspace is owned by root? Docker Desktop would normally set ownership of mounted local folders to the user in the container. Are you on Windows working with a local Docker Desktop install?

[pamelafox]

I am on a Mac M1 with local Docker Desktop. I don't know why, no. I could jump on a Teams call so you could poke at my system, if that'd help. I actually just got it a few minutes ago with another repo after container rebuild, so it might be reproducible in a call. Or let me know what other logs/commands to run.

[nikostro]

For what it's worth, I have the same issue on Mac M1 with local Docker Desktop.

[anz-ableton]

I ran into this issue a couple times as well, with a simple devcontainer setup that is not using docker-compose.
Sometimes /workspace/$project is owned by root, sometimes not. It does not matter what USER is set to in the Dockerfile, nor which value containerUser in devcontainer.json is set to.

My current workaround is to prepare the workspace folder in my devcontainer Dockerfile like this: This workaround is not reliable.

RUN install --owner vscode --group vscode --directory /workspaces/app

You can find my VSCode and Docker version below:

macOS Sonoma 14.5 (23F79)

Docker Desktop 4.32.0 (157355)

$ docker --version
Docker version 26.1.4-1, build 5650f9b10226d75e8e9a490a31cc3e5b846e0034

VSCode:

Version: 1.91.0 (Universal)
Commit: ea1445cc7016315d0f5728f8e8b12a45dc0a7286
Date: 2024-07-01T18:54:18.541Z
Electron: 29.4.0
ElectronBuildId: 9728852
Chromium: 122.0.6261.156
Node.js: 20.9.0
V8: 12.2.281.27-electron.0
OS: Darwin arm64 23.5.0

[nikostro]

My workaround, which seems to be reliable, is:

1. Map $HOME/.gitconfig:/home/vscode/.gitconfig in the devcontainer docker-compose, so that the host .gitconfig is available in the devcontainer (I was doing this anyway, you may be too.)
2. To your host .gitconfig, add

[safe]
    directory = /workspace

or whatever your workspace directory is that you're having issues with.

3. Rebuild devcontainer.

[skwde]

Today I also encountered this issue for the first time.

I am using a single container (no docker compose).
In my Dockerfile I add user and in my devcontainer.json I set "remoteUser": "user",.

So the fix mentioned by @chrmarti seems not to work in this case.

Possible workarounds (from within the container):

• run git config --global --add safe.directory $(pwd)
• change the ownership of the repo folder sudo chown $(whoami):$(whoami) $(pwd)

[duncan-oxd]

@nikostro the .gitconfig file is automatically copied into the devcontainer, so there's no need to copy/mount it manually.

Workarounds suggest using postStartCommand or postAttachCommand to run that git config command inside the container, but your idea of running it on the host machine means the config is already set when the file gets copied in. 💡
This neatly avoids the notice that you'd need to dismiss every time you open a dev container.

I just tried it on my machine*

# On my host machine
# Note: there is no /app in my filesystem -
# it's the project root (directory with .git) in my dev container
git config --global --add safe.directory /app

That seems like the cleanest solution, as long as you're comfortable with a non-existent directory marked as safe on your host machine. 👍

---

* My machine is also an M1 Mac with Docker Desktop and a docker-compose project as others have reported.
Inside the container, the workspace directory (app/backend/ or app/frontend/) is owned by node but app/ is owned by root 🤷

[chrmarti]

Related and maybe fixed by it: #8656

[vs-code-engineering]

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

[chrmarti]

The fix for #8656 is in Dev Containers 0.385.0-pre-release. Could you give that a try and let me know if that fixes it?

[vs-code-engineering]

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!