2 changes: 2 additions & 0 deletions devfile.yaml
Expand Up @@ -12,6 +12,8 @@ components:
env:
- name: "ANSIBLE_COLLECTIONS_PATH"
value: "~/.ansible/collections:/usr/share/ansible/collections:/projects/ansible-devspaces-demo/collections"
- name: "ADT_CONTAINER_ENGINE"
value: "podman"
commands:
- id: molecule-create
exec:
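Review bot: the new `ADT_CONTAINER_ENGINE` entry carries no comment saying which tool reads it or why it must be `podman` in this workspace, whereas the neighbouring `ANSIBLE_COLLECTIONS_PATH` is self-explanatory. Add a one-line comment above `- name: "ADT_CONTAINER_ENGINE"` naming the consumer (the diff only shows a `molecule-create` command nearby, so the link is not obvious) and whether `docker` is a supported alternative, so a later maintainer does not drop or change the value without knowing what breaks.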
3 changes: 2 additions & 1 deletion devspaces/Containerfile
Expand Up @@ -16,7 +16,8 @@ RUN --mount=type=bind,target=. --mount=type=cache,dst=/var/cache/dnf --mount=typ

ENV BUILDAH_ISOLATION=chroot

USER 10001
# Reflect the UID that the SCC will force the workspace to run as.
USER 1000
Comment on lines +19 to +20
Copilot AI Apr 21, 2026
The PR description says changing USER has “no runtime effect”, but updating the image default user to 1000 does change behavior when the image is run outside the Dev Spaces SCC context (e.g., local podman run defaults, file ownership, and permissions). Please either adjust the PR description or clarify in-file/comment text to reflect that this is a runtime/default-user change (even if Dev Spaces overrides it).

ENTRYPOINT ["/entrypoint.sh"]
CMD ["tail", "-f", "/dev/null"]
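Review bot: the comment above `USER 1000` says "the SCC will force the workspace to run as" UID 1000, but it does not name the SCC; under the default restricted SCC the UID is assigned from the namespace range and is not 1000, in which case the image default only takes effect off-cluster (local `podman run`) and decides which files the process can write. State which SCC is assumed, and cross-reference the matching `useradd -u 1000` in `devspaces/context/setup.sh` in the same comment, since the two values must stay in sync or the home directory ownership set there stops matching the running UID.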
10 changes: 10 additions & 0 deletions devspaces/context/setup.sh
Expand Up @@ -49,6 +49,16 @@ setcap cap_setuid+ep /usr/bin/newuidmap
setcap cap_setgid+ep /usr/bin/newgidmap
touch /etc/subgid /etc/subuid
chown 0:0 /etc/subgid /etc/subuid
# Remove the base image entries for user
if id user >/dev/null 2>&1
then
userdel user
# Add the user with the UID that the SCC will enforce
useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user
usermod -L user
Comment on lines +55 to +58
Copilot AI Apr 21, 2026
usermod -L user locks the account, which will make password-based sudo impossible when ENABLE_NOPASSWD_SUDO is set to false (since sudo will prompt for a password that cannot be validated). Either only lock the account when NOPASSWD sudo is enabled, or explicitly set/unlock a password when NOPASSWD is disabled so both modes work as intended.

Suggested change
userdel user
# Add the user with the UID that the SCC will enforce
useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user
usermod -L user
user_password_hash="$(getent shadow user | cut -d: -f2)"
userdel user
# Add the user with the UID that the SCC will enforce
useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user
if [[ "${ENABLE_NOPASSWD_SUDO:-false}" == "true" ]]; then
usermod -L user
elif [[ -n "${user_password_hash}" && "${user_password_hash}" != '!' && "${user_password_hash}" != '!!' && "${user_password_hash}" != '*' ]]; then
usermod -p "${user_password_hash}" user
fi
chmod 400 /etc/shadow
chown -R user /home/user
fi

if [[ "${ENABLE_NOPASSWD_SUDO:-false}" == "true" ]]; then
echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/wheel-nopasswd
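Review bot: `useradd -u 1000 -G wheel,root -d /home/user --shell /bin/bash -m user` adds the account to the gid 0 `root` group, and nothing in the hunk explains why that is needed on top of `wheel`, which is what the sudoers rule below keys on; membership in group 0 grants write access to every root-group-writable path in the image, so drop `root` from `-G` unless a specific file requires it, and say which one in the comment. Two smaller points in the same block: `userdel user` without `-r` leaves the old `/home/user` in place, so `useradd -m` will warn that the directory exists and skip populating it from `/etc/skel` (the later `chown -R user /home/user` fixes ownership, not the missing skel files); and the whole recreation sits inside `if id user`, so an image without a pre-existing `user` account ends up with no account at all while `chown -R user /home/user` and the wheel sudoers entry still assume one. Either create the user in an `else` branch or fail loudly there.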