error EACCES: permission denied, open '/home/coder/.config/code-server'

[unites]

OS/Web Information

• Web Browser: Chrome
• Local OS: Fedora
• Remote OS: Fedora
• Remote Architecture: Docker/Podman?
• code-server --version: Latest as of today's docker

Steps to Reproduce

1. Run Docker/Podman command from docker install doc. Default command
2. Errors out
3. NA

Expected

App should start

Actual

docker run -it --name code-server -p 127.0.0.1:8080:8080 \
  -v "$HOME/Coder/.config:/home/coder/.config" \
  -v "$HOME/Coder/project:/home/coder/project" \
  -u "$(id -u):$(id -g)" \
  -e "DOCKER_USER=$USER" \
  codercom/code-server:latest
[2021-09-15T14:57:59.429Z] error EACCES: permission denied, open '/home/coder/.config/code-server'

After running mkdir -p .config/code-server in my coder directory

[2021-09-15T14:57:59.429Z] error EACCES: permission denied, open '/home/coder/.config/code-server/config.yaml'

Logs

[2021-09-15T14:57:59.429Z] error EACCES: permission denied, open '/home/coder/.config/code-server/config.yaml'

This issue can be reproduced in VS Code: No

Note:

Looks like this was being worked in this closed thread... #2234 The statement was made there to start another thread, so here I am!

[jsjoeio]

@code-asher any ideas on what this might be caused by?

[oshanz]

I'm new to the coder. got the same error on Opensuse tumbleweed, Podman version 3.4.4

[2022-01-19T16:05:46.708Z] error EACCES: permission denied, mkdir '/home/coder/.config/code-server'

I was only able to try coder using commands from here https://github.com/coder/deploy-code-server/tree/main/deploy-container

docker run -p 127.0.0.1:8080:8080 \
  -v "$PWD/project:/home/coder/project" \
  -u "$(id -u):$(id -g)" \
  -e "DOCKER_USER=$USER" \
  -e "PASSWORD=12345" \
  -it bencdr/code-server-deploy-container:latest

[unites]

@oshanz
Ultimately I found adding to the container that it is privileged can resolve these errors. In the case of RHEL (which podman is a RHEL product), they have a higher base security standard. All you may need to do is add a --privileged to your container run command. I was using coreOS (now under RHEL standards and development) but this seemed to resolve this for me. Maybe worth adding this to the Coder Install/Quickstart guide.

The short explanation is that without it being privileged the coder container won't be able to create the local bind mounted directories and files, RHEL doesn't by default allow docker to write to local directories easily. In your case -v "$PWD/project:/home/coder/project" . An alternative would be to house everything in a docker volume, then I don't believe you will need the privileged flag. Yet another alternative is to change your base podman or docker config to automatically treat all containers as privileged in this sense. To me it was easier and probably preferrable all around to just add the flag to what is needed.

Your example would then be...

docker run -p 127.0.0.1:8080:8080  --privileged \
  -v "$PWD/project:/home/coder/project" \
  -u "$(id -u):$(id -g)" \
  -e "DOCKER_USER=$USER" \
  -e "PASSWORD=12345" \
  -it bencdr/code-server-deploy-container:latest

[unites]

I am closing my issue as the above resolved it, feel free to open back up if you all deem it needed. Thanks!

[Jamie-]

For anyone coming here in future, --privileged has considerably security implications that you should be aware of before using it. Do not use it blindly without understanding what those implications are.