fix: Update Dev Spaces image to support sudo #736
Label error. Requires at least 1 of: breaking, chore, feat, fix. Found: . Follow https://www.conventionalcommits.org to get auto-labeling to work correctly.
Pull request overview
This PR updates the Dev Spaces workspace image configuration to make sudo work reliably by ensuring the expected user identity/group mappings exist (and aren’t duplicated), and adjusts the Dev Spaces devfile to prefer podman as the container engine.
Changes:
- Recreate the `user` account at build time with UID 1000 and required group memberships to avoid duplicate `/etc/passwd`/`/etc/group` entries impacting `sudo`.
- Set the image's default `USER` to 1000 (intended to reflect the Dev Spaces SCC-enforced UID).
- Add `ADT_CONTAINER_ENGINE=podman` to `devfile.yaml`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| devspaces/context/setup.sh | Deletes/recreates user (UID 1000) and adjusts account properties to prevent passwd/group duplication and support sudo configuration. |
| devspaces/Containerfile | Changes default container runtime user from 10001 to 1000 and documents the intent. |
| devfile.yaml | Sets ADT_CONTAINER_ENGINE to podman for Dev Spaces workflows (e.g., tox). |
| userdel user | ||
| # Add the user with the UID that the SCC will enforce | ||
| useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user | ||
| usermod -L user |
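Review bot: the `userdel user` on the first line of the hunk fails if the base image carries no `user` account, which aborts setup.sh if it runs under `set -e`; guard it (for example `id user >/dev/null 2>&1 && userdel user`). It also leaves /home/user in place because `-r` is not passed, so the following `useradd -m` warns that the home directory already exists and does not populate it from /etc/skel; decide explicitly whether the base image's home contents should survive the recreation. Separately, `-G wheel,root` puts the account into gid 0 as well as `wheel`, which grants group access to every root-group-owned file in the image; if the goal is only sudo, `wheel` alone is the narrower choice.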
`usermod -L user` locks the account, which will make password-based sudo impossible when `ENABLE_NOPASSWD_SUDO` is set to `false` (since sudo will prompt for a password that cannot be validated). Either only lock the account when NOPASSWD sudo is enabled, or explicitly set/unlock a password when NOPASSWD is disabled so both modes work as intended.
| userdel user | |
| # Add the user with the UID that the SCC will enforce | |
| useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user | |
| usermod -L user | |
| user_password_hash="$(getent shadow user | cut -d: -f2)" | |
| userdel user | |
| # Add the user with the UID that the SCC will enforce | |
| useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user | |
| if [[ "${ENABLE_NOPASSWD_SUDO:-false}" == "true" ]]; then | |
| usermod -L user | |
| elif [[ -n "${user_password_hash}" && "${user_password_hash}" != '!' && "${user_password_hash}" != '!!' && "${user_password_hash}" != '*' ]]; then | |
| usermod -p "${user_password_hash}" user | |
| fi |
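Review bot: the `elif` branch of the suggestion only restores a hash that already existed on the base image's `user` entry; if that entry carried a locked or empty marker (`!`, `!!`, `*`), which is the usual state for an account created without a password, the rebuilt account still has no usable password and password-based sudo remains impossible with `ENABLE_NOPASSWD_SUDO=false`. Consider failing the build in that case or setting a documented password in that branch so the non-NOPASSWD mode is actually usable, rather than silently falling through the `fi`.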
| # Reflect the UID that the SCC will force the workspace to run as. | ||
| USER 1000 |
The PR description says changing `USER` has "no runtime effect", but updating the image default user to 1000 does change behavior when the image is run outside the Dev Spaces SCC context (e.g., local `podman run` defaults, file ownership, and permissions). Please either adjust the PR description or clarify in-file/comment text to reflect that this is a runtime/default-user change (even if Dev Spaces overrides it).
Closing as duplicate of #735
fix: Fixes sudo execution in the Dev Spaces workspace image
Added logic to remove the user entry with uid 10001. This user is injected by the base image that this image is built from. The presence of that user entry results in duplicate entries in `/etc/passwd` and `/etc/group`. The duplicate entries prevent `sudo` from working properly since uid 1000 is not resolved as belonging to the `wheel` group.
Changed the `USER` entry in the Containerfile to 1000. This change has no runtime effect. It is for reference.
Added the env var `ADT_CONTAINER_ENGINE=podman` to the `devfile.yaml`. This enables using podman in the Dev Spaces workspace for tox.
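The duplicate-entry condition the description refers to can be checked mechanically before an image ships. The following is an added example, not code from this PR or the project: it parses passwd/group text with the first-line-wins semantics of glibc's "files" NSS backend, reports duplicate names and ids in both databases, and checks whether a uid round-trips consistently (uid to name to uid) and which groups it lands in. The sample entries are constructed to mirror the situation described above, a leftover uid 10001 `user` line next to the rebuilt uid 1000 line; on a real image, feed it the contents of `/etc/passwd` and `/etc/group` instead.

```python
"""Audit /etc/passwd and /etc/group text for duplicate entries that confuse
name/uid resolution.

Added example, not code from the PR or the project. It reproduces the
first-match semantics of glibc's "files" NSS backend: when two passwd lines
share a name, a lookup by name returns the first line, while a lookup by uid
returns whichever line carries that uid. The sample data is constructed.
"""
from collections import Counter

# Constructed sample: the base image's user entry is still present next to the new one.
PASSWD_DUPLICATE = """\
root:x:0:0:root:/root:/bin/bash
user:x:10001:0:Base image user:/home/user:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
"""
GROUP_DUPLICATE = """\
root:x:0:
wheel:x:10:user
user:x:1000:
"""

# Constructed sample: the databases once only one `user` entry remains.
PASSWD_CLEAN = """\
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
"""
GROUP_CLEAN = GROUP_DUPLICATE


def parse_passwd(text):
    """Return passwd entries in file order (order matters for first-match lookups)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def parse_group(text):
    """Return group entries in file order, with member lists split out."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups.append({"name": name, "gid": int(gid),
                       "members": [m for m in members.split(",") if m]})
    return groups


def repeated(entries, key):
    """Values of `key` that occur on more than one line (sorted for stable output)."""
    counts = Counter(e[key] for e in entries)
    return sorted(v for v, n in counts.items() if n > 1)


def first_match(entries, key, value):
    """First-line-wins lookup, as the files NSS backend does."""
    for e in entries:
        if e[key] == value:
            return e
    return None


def audit(passwd_text, group_text, uid):
    """Describe how `uid` resolves and whether the databases contain duplicates."""
    passwd = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    by_uid = first_match(passwd, "uid", uid)
    if by_uid is None:
        raise ValueError(f"uid {uid} not present in passwd")
    # A name-based lookup (what tools do once they hold the name) can land on a
    # different line than the uid-based one when the name is duplicated.
    by_name = first_match(passwd, "name", by_uid["name"])
    member_of = sorted(g["name"] for g in groups
                       if g["gid"] == by_uid["gid"] or by_uid["name"] in g["members"])
    return {
        "name": by_uid["name"],
        "uid_by_name": by_name["uid"],
        "consistent": by_name["uid"] == uid,
        "groups": member_of,
        "duplicate_names": repeated(passwd, "name"),
        "duplicate_uids": repeated(passwd, "uid"),
        "duplicate_group_names": repeated(groups, "name"),
        "duplicate_gids": repeated(groups, "gid"),
    }


if __name__ == "__main__":
    for label, pw, gr in (("duplicate", PASSWD_DUPLICATE, GROUP_DUPLICATE),
                          ("clean", PASSWD_CLEAN, GROUP_CLEAN)):
        print(label, audit(pw, gr, 1000))
```

A non-empty `duplicate_names` or a `consistent: False` result is the signal that setup.sh's recreation step has not fully replaced the base image's entry; running the audit as a build-time check (for example in the same script, after `useradd`) turns the silent sudo breakage into a failed build.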