From 52955db371cbf345586965d252d9850318186a51 Mon Sep 17 00:00:00 2001
From: Leonardo Gallego <993814+leogallego@users.noreply.github.com>
Date: Tue, 21 Apr 2026 15:10:32 -0300
Subject: [PATCH 1/3] fix: devspaces sudo support with correct UID and user setup

Fixes sudo execution in the Dev Spaces workspace image by removing the injected base image user (uid 10001) and recreating it with uid 1000 to match the SCC-enforced UID. Adds ADT_CONTAINER_ENGINE=podman to devfile.

Based on work by @cgruver in #734.

Co-Authored-By: cgruver <39659182+cgruver@users.noreply.github.com>
---
 devfile.yaml | 2 ++
 devspaces/Containerfile | 3 ++-
 devspaces/context/setup.sh | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/devfile.yaml b/devfile.yaml
index 7a7461d1..594026d2 100644
--- a/devfile.yaml
+++ b/devfile.yaml
@@ -12,6 +12,8 @@ components:
 env:
 - name: "ANSIBLE_COLLECTIONS_PATH"
 value: "~/.ansible/collections:/usr/share/ansible/collections:/projects/ansible-devspaces-demo/collections"
+ - name: "ADT_CONTAINER_ENGINE"
+ value: "podman"
 commands:
 - id: molecule-create
 exec:
diff --git a/devspaces/Containerfile b/devspaces/Containerfile
index a3aa32d1..51f958d8 100644
--- a/devspaces/Containerfile
+++ b/devspaces/Containerfile
@@ -16,7 +16,8 @@ RUN --mount=type=bind,target=. --mount=type=cache,dst=/var/cache/dnf --mount=typ
 ENV BUILDAH_ISOLATION=chroot
-USER 10001
+# Reflect the UID that the SCC will force the workspace to run as.
+USER 1000
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["tail", "-f", "/dev/null"]
diff --git a/devspaces/context/setup.sh b/devspaces/context/setup.sh
index 0d73ad6b..6d0780ee 100755
--- a/devspaces/context/setup.sh
+++ b/devspaces/context/setup.sh
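Review bot: The `1000` on the new `USER` line has to agree with the `useradd -u 1000` in devspaces/context/setup.sh, and nothing ties the two constants together; consider a single `ARG WORKSPACE_UID=1000` consumed by both (`USER ${WORKSPACE_UID}` here and passed into setup.sh) so they cannot drift. The new comment would also help more if it named which SCC forces the UID (the commit message only says "the SCC") and noted that a workspace admitted under a different SCC may get an arbitrary project-range UID that matches neither 1000 nor the old 10001, e.g. `# UID forced by the <name> SCC; must match useradd -u in context/setup.sh`. Keeping `USER` numeric rather than `USER user` is the right call, since runAsNonRoot admission checks need a numeric UID.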
@@ -49,6 +49,16 @@ setcap cap_setuid+ep /usr/bin/newuidmap
 setcap cap_setgid+ep /usr/bin/newgidmap
 touch /etc/subgid /etc/subuid
 chown 0:0 /etc/subgid /etc/subuid
+# Remove the base image entries for user
+if id user >/dev/null 2>&1
+then
+ userdel user
+ # Add the user with the UID that the SCC will enforce
+ useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user
+ usermod -L user
+ chmod 400 /etc/shadow
+ chown -R user /home/user
+fi
 if [[ "${ENABLE_NOPASSWD_SUDO:-false}" == "true" ]]; then
 echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/wheel-nopasswd

From e3daaf3b194cf8f3d7a8701112f84b6277daeb84 Mon Sep 17 00:00:00 2001
From: shatakshiiii
Date: Wed, 22 Apr 2026 10:23:35 +0530
Subject: [PATCH 2/3] fix tox -e lint

---
 .config/dictionary.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.config/dictionary.txt b/.config/dictionary.txt
index 09941237..35eafd9d 100644
--- a/.config/dictionary.txt
+++ b/.config/dictionary.txt
@@ -39,4 +39,5 @@ skopeo
 unmarshal
 unmarshalling
 urandom
+userdel
 userns

From 7deafcdc92936d7576825a77f73f2c43cb88cd21 Mon Sep 17 00:00:00 2001
From: Leonardo Gallego <993814+leogallego@users.noreply.github.com>
Date: Wed, 22 Apr 2026 10:00:23 -0300
Subject: [PATCH 3/3] fix: add error handling for useradd in devspaces setup

Co-Authored-By: alisonlhart
---
 devspaces/context/setup.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/devspaces/context/setup.sh b/devspaces/context/setup.sh
index 6d0780ee..9668a55b 100755
--- a/devspaces/context/setup.sh
+++ b/devspaces/context/setup.sh
@@ -54,7 +54,10 @@ if id user >/dev/null 2>&1
 then
 userdel user
 # Add the user with the UID that the SCC will enforce
- useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user
+ if ! useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user; then
+ echo "ERROR: Failed to create user with UID 1000" >&2
+ exit 1
+ fi
 usermod -L user
 chmod 400 /etc/shadow
 chown -R user /home/user
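Review bot: The account with UID 1000 is only created inside the new `if id user` block, so on a base image that ships no `user` account the whole block is skipped and the Containerfile's `USER 1000` and the `%wheel` sudoers rule below end up referring to no account; make only the removal conditional (`if id user >/dev/null 2>&1; then userdel user; fi`) and run the `useradd` unconditionally. `-G wheel,root` also puts the workspace user in gid 0, which grants write access to every root-group-writable path in the image independently of sudo; if that is deliberate (OpenShift's group-0 file-permission convention), say so in the comment, otherwise `-G wheel` is all the sudoers rule needs. `userdel` without `-r` plus `chown -R user /home/user` re-own only the home directory, so any files elsewhere in the image still owned by uid 10001 stay with a now-unmapped UID — worth a `find / -xdev -uid 10001` check during the build if the base image is known to create any. Whether a failing `userdel` aborts the build depends on a `set -e` that is outside this hunk.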
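Review bot: The `userdel user` on the context line above the new check is still unchecked, so when it fails the following `useradd … user` fails on the name collision and the script reports `ERROR: Failed to create user with UID 1000`, pointing the operator at the wrong command; give it the same treatment, e.g. `userdel user || { echo "ERROR: Failed to remove base image user" >&2; exit 1; }`. The new message could also name the usual cause, since useradd's own stderr is the only other hint: `echo "ERROR: useradd failed for 'user' (uid 1000 or the name may already be taken)" >&2`. The enclosing `if id user` block starts outside the hunk.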