fix: devspaces sudo support with correct UID and user setup by leogallego · Pull Request #735 · ansible/ansible-dev-tools

leogallego · 2026-04-21T18:10:58Z

Summary

Remove injected base image user (uid 10001) and recreate with uid 1000 to match the SCC-enforced UID, fixing duplicate /etc/passwd and /etc/group entries that prevented sudo from working
Lock the user account (usermod -L) and set /etc/shadow permissions to avoid PAM errors in the workspace container
Add ADT_CONTAINER_ENGINE=podman env var to devfile.yaml for tox podman support
Guard userdel with id check so the build doesn't break if the base image drops the user account

Based on work by @cgruver in #734 (closed due to GPG signing issues). Incorporates all review feedback from that PR.

Test plan

Build the devspaces container image (tox -e devspaces)
Launch a Dev Spaces workspace with the built image
Verify sudo works without password prompts
Verify podman works inside the workspace
Verify no duplicate entries in /etc/passwd and /etc/group

@cgruver

Fixes sudo execution in the Dev Spaces workspace image by removing the injected base image user (uid 10001) and recreating it with uid 1000 to match the SCC-enforced UID. Adds ADT_CONTAINER_ENGINE=podman to devfile. Based on work by @cgruver in ansible#734. Co-Authored-By: cgruver <39659182+cgruver@users.noreply.github.com>

alisonlhart

Awesome stuff.
Can some tests/verification be added? If it's too difficult to add specific tests, we should have a few in-line checks. I suggested one.

Co-Authored-By: alisonlhart <alisonlhart@users.noreply.github.com>

leogallego · 2026-04-23T01:51:25Z

Hi — the fix from this PR is confirmed working in ghcr.io/ansible/ansible-devspaces:v26.4.5 (the old UID 10001 user is gone). However, we're still seeing duplicate /etc/passwd entries at runtime in OpenShift DevSpaces:

user:x:1000:1000::/home/user:/bin/bash
user:x:1000860000:0:user user:/home/user:/bin/bash

The second entry is injected by OpenShift's CRI-O runtime when the SCC assigns a UID from the namespace range. Since the image already has user at UID 1000, this creates a name collision — two user entries with different UIDs.

This causes:

getent passwd user resolving to UID 1000, while the process actually runs as 1000860000
Potential issues with terminal spawning and environment resolution in che-code

Tracking the runtime behavior issue separately at rhpds/ansible-dev-tools-workspace#10. This may need a different approach for the DevSpaces image (e.g., not pre-creating user in the image, or using a different username to avoid the collision).

leogallego · 2026-04-23T04:13:39Z

Follow-up on the sudo fix — we tested on DevSpaces 3.27.0 / OCP 4.21.9 and sudo still doesn't work on either v26.4.4 or v26.4.5.

v26.4.4 (tenant user-bm7f6):

$ id
uid=1000940000(user) gid=0(root) groups=0(root),1000940000
$ groups
root 1000940000
$ sudo whoami
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

v26.4.5 (tenant user-jtvxh):

$ id
uid=1000900000(user) gid=0(root) groups=0(root),1000900000
$ groups
root 1000900000
$ sudo whoami
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

The workspace pods land on the restricted-v2 SCC, which sets allowPrivilegeEscalation: false and drops all capabilities. This may prevent setuid binaries from working regardless of the UID/passwd fix.

The UID cleanup from this PR is likely still a prerequisite for sudo to work, but it may not be sufficient on its own — the SCC/security context also needs to allow privilege escalation. Still investigating whether this is a cluster configuration issue or something that needs to be addressed in the DevWorkspace/CheCluster setup.

We need to figure out if there are specific SCC settings, CheCluster configuration, or DevWorkspace attributes required for sudo to work in DevSpaces — this will need to be addressed in the documentation for GA as part of the configuration requirements.

Tracking at rhpds/ansible-dev-tools-workspace#10.

cc @cgruver @alisonlhart @cidrblock

v26.4.4 rollback confirmed the terminal crash is not image-specific. Restoring v26.4.5 which includes the UID/passwd fix from ansible/ansible-dev-tools#735. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cgruver · 2026-04-23T11:42:52Z

@leogallego I successfully started a workspace from this repo, main revision.

Sudo works as expected. When you are online today, ping me and we'll take a look at your config.

@rockygeekz

##### [\`26.4.5\`](https://github.com/ansible/ansible-dev-tools/releases/tag/v26.4.5) #### Fixes - fix: pass adt env to tox ([#733](ansible/ansible-dev-tools#733)) [@rockygeekz](https://github.com/rockygeekz) #### Maintenance - fix: devspaces sudo support with correct UID and user setup ([#735](ansible/ansible-dev-tools#735)) [@leogallego](https://github.com/leogallego) - chore(deps): update pep621 ([#732](ansible/ansible-dev-tools#732)) @[renovate\[bot\]](https://github.com/apps/renovate) - chore(deps): update all dependencies ([#731](ansible/ansible-dev-tools#731)) @[renovate\[bot\]](https://github.com/apps/renovate)

@rockygeekz

##### [\`26.4.5\`](https://github.com/ansible/ansible-dev-tools/releases/tag/v26.4.5) #### Fixes - fix: pass adt env to tox ([#733](ansible/ansible-dev-tools#733)) [@rockygeekz](https://github.com/rockygeekz) #### Maintenance - fix: devspaces sudo support with correct UID and user setup ([#735](ansible/ansible-dev-tools#735)) [@leogallego](https://github.com/leogallego) - chore(deps): update pep621 ([#732](ansible/ansible-dev-tools#732)) @[renovate\[bot\]](https://github.com/apps/renovate) - chore(deps): update all dependencies ([#731](ansible/ansible-dev-tools#731)) @[renovate\[bot\]](https://github.com/apps/renovate)

leogallego requested a review from a team as a code owner April 21, 2026 18:10

github-project-automation Bot added this to 🧰 devtools project board Apr 21, 2026

leogallego had a problem deploying to ack April 21, 2026 18:11 — with GitHub Actions Failure

github-actions Bot added the minor label Apr 21, 2026

shatakshiiii added chore and removed minor labels Apr 22, 2026

shatakshiiii had a problem deploying to ack April 22, 2026 04:44 — with GitHub Actions Error

shatakshiiii temporarily deployed to ack April 22, 2026 04:44 — with GitHub Actions Inactive

github-actions Bot added the minor label Apr 22, 2026

shatakshiiii approved these changes Apr 22, 2026

View reviewed changes

github-project-automation Bot moved this to Review in 🧰 devtools project board Apr 22, 2026

shatakshiiii temporarily deployed to ack April 22, 2026 04:50 — with GitHub Actions Inactive

fix tox -e lint

e3daaf3

shatakshiiii temporarily deployed to ack April 22, 2026 04:53 — with GitHub Actions Inactive

shatakshiiii requested a review from alisonlhart April 22, 2026 04:54

alisonlhart reviewed Apr 22, 2026

View reviewed changes

Comment thread devspaces/context/setup.sh Outdated

cgruver mentioned this pull request Apr 22, 2026

fix: Update Dev Spaces image to support sudo #736

Closed

fix: add error handling for useradd in devspaces setup

7deafcd

Co-Authored-By: alisonlhart <alisonlhart@users.noreply.github.com>

leogallego temporarily deployed to ack April 22, 2026 13:01 — with GitHub Actions Inactive

alisonlhart approved these changes Apr 22, 2026

View reviewed changes

shatakshiiii merged commit 340570b into ansible:main Apr 22, 2026
29 checks passed

github-project-automation Bot moved this from Review to Done in 🧰 devtools project board Apr 22, 2026

This was referenced Apr 22, 2026

DevSpaces sudo support — fix UID mismatch and duplicate passwd entries rhpds/ansible-dev-tools-workspace#10

Closed

VS Code terminal fails to spawn in DevSpaces workspace rhpds/ansible-dev-tools-workspace#11

Closed

This was referenced Apr 23, 2026

Add SHELL and ADT_CONTAINER_ENGINE env vars to tenant DevWorkspace rhpds/ansible-dev-tools-automation#11

Merged

Add SHELL env var, ADT_CONTAINER_ENGINE, and disable workspace trust rhpds/ansible-dev-tools-workspace#12

Merged

leogallego mentioned this pull request Apr 24, 2026

DevSpaces image: duplicate /etc/passwd entries and /var write permissions #738

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: devspaces sudo support with correct UID and user setup#735

fix: devspaces sudo support with correct UID and user setup#735
shatakshiiii merged 3 commits into
ansible:mainfrom
leogallego:fix/devspaces-sudo-support

leogallego commented Apr 21, 2026

Uh oh!

alisonlhart left a comment

Uh oh!

Uh oh!

Uh oh!

leogallego commented Apr 23, 2026

Uh oh!

leogallego commented Apr 23, 2026

Uh oh!

cgruver commented Apr 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

leogallego commented Apr 21, 2026

Summary

Test plan

Uh oh!

alisonlhart left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

leogallego commented Apr 23, 2026

Uh oh!

leogallego commented Apr 23, 2026

Uh oh!

cgruver commented Apr 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants