"Insufficient permission" error on save

[yusukeoshiro]

• code-server version: 1.621
• OS Version: Ubuntu 18.04.2 LTS (on GCP)

Description

Files cannot be saved nor folders cannot be created from the editor.
This problem only started to occur on the latest release. (I think)

Steps to Reproduce

1. Start the server with docker run -it -p 127.0.0.1:8443:8443 -v "${PWD}:/home/coder/project" codercom/code-server:1.621 --allow-http --no-auth
2. Open the editor on another page and try to make change to any file or folder. You will get this error Failed to save 'README.md': Insufficient permissions. Select 'Retry as Sudo' to retry as superuser..

[evemorgen]

Setting wider access settings on those files/directories worked for me - from 664 to 666.

If access rights are not the case, you can use chmod o+w file or chmod o+w -R dir on whole directory if needed. However, mind that this is not the safe solution.

I believe it's due to trying to edit files by user 'docker' or something similar (since we're operating from inside of the container) and it is not issue with code-server itself.

[michaelgao8]

Reverting back to the 1.604-vsc1.32.0 Dockerfile resolves the issue for me, which means it was potentially introduced in the new release.

[coadler]

Yeah, we recently changed the dockerfile to run as a regular user rather than root, so any previous files created as root will have to be fixed. You should be able to just chown -R the projects folder to the user inside the docker container

[sr229]

@yusukeoshiro due to recent changes I proposed that are merged, you will need to fix the permissions. Your files are owned by root so you need to recursively own all files to the user.

[DavisAre]

Your files are owned by root so you need to recursively own all files to the user.

To which user? What user/group is the coder-server running?

[DavisAre]

Ok, I circumvented this by passing -u variables and running as current user. In my case - root. You can also specify other user's/group's IDs like -u 1000:1000
docker run -it -p 127.0.0.1:8443:8443 -u $(id -u):$(id -g) -v "${PWD}:/home/coder/project" codercom/code-server:1.621 --allow-http

Might not be the best approach but may be helpful for someone as quick workaround without dealing with directory, file ownership.

[sr229]

@DavisAre that’s redundant. UID/GID is already 1000 when you exec the container

[cstoneham]

I think @DavisAre's solution seems like the best path forward here, typically when I've needed to edit files from inside a container this has been the recommended approach. The alternative seems to be changing host file permissions which isn't great...

I will note though that in my case when I try to run it with a forwarded user I get:

ERROR { Error: EACCES: permission denied, mkdir '/.cache'
  [stack]: 'Error: EACCES: permission denied, mkdir \'/.cache\'',
  [message]: 'EACCES: permission denied, mkdir \'/.cache\'',
  errno: -13,
  code: 'EACCES',
  syscall: 'mkdir',
  path: '/.cache' }
free(): invalid pointer

[ghost]

@cstoneham I'm dealing with the same situation. How do you deal with the errors you get with a forwarded user?

[sr229]

I already logged a fix but its stuck at pending for god knows how long.

#679

[acondura]

I have the same permission issue described in the top screenshot and my set up is as follows.

I use a host user with IDs 1007:1007 which launches a coder container through docker compose. When I bash into the coder container, the coder user has 1000:1000 IDs and the /home/coder/project dir is owned by 1007:1007 thus, anything I change in the Coder UI is halted by the permission issue error in the top description. If I try to change ownershipt from 1007:1007 to coder:coder, everything changes back to 1007:1007 at the first file change in the Coder UI. I am thinking this is because of the bind mount.

I tried to 'usermod -u 1007 coder' and 'groupmod -g 1007 coder' and then set ownership of /home/coder to 1007:1007 but then the Coder UI is blank and the coder container logs say:

coder_1 | INFO WebSocket opened / {"client":4,"ip":"[IP_REMOVED_BY_ME]"}
coder_1 | (node:6) UnhandledPromiseRejectionWarning: SystemError [ERR_SYSTEM_ERROR]: A system error occurred: uv_os_get_passwd returned ENOENT (no such file or directory)
coder_1 | at Object.userInfo (os.js:249:11)
coder_1 | at new t.Server (/src/packages/server/out/cli.js:340:122627)
coder_1 | at e.exports.k.on (/src/packages/server/out/cli.js:340:118974)
coder_1 | at e.exports.emit (events.js:194:15)
coder_1 | at handleUpgrade.t (/src/packages/server/out/cli.js:504:29992)
coder_1 | at e.exports.completeUpgrade (/src/packages/server/out/cli.js:504:32439)
coder_1 | at e.exports.handleUpgrade (/src/packages/server/out/cli.js:504:31556)
coder_1 | at upgrade (/src/packages/server/out/cli.js:504:29963)
coder_1 | at u.emit (events.js:189:13)
coder_1 | at onParserExecuteCommon (_http_server.js:552:14)
coder_1 | at onParserExecute (_http_server.js:500:3)
coder_1 | (node:6) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 4)

Any hints here would be greatly appreciated!

[kasperschnack]

@acondura
If you give write permission to any user in the directory you are using like this sudo chmod o+w -R . you should be able to edit files (it's a bad idea, but it works ¯_(ツ)_/¯)

[acondura]

I already have it as o+w, the trouble is every time I update a file through VS and try to save, it still says 'insufficient permission' because it changes the UID of the dir to 1007, the local user.

I've currently forked the coder github repo and I'm building an image of my own in order to fix the permission denied because I need it to work for 2 of my customers.

[nhooyr]

The problem is the default user inside the container has UID 1000 but outside you've got 1007 @acondura, you just need to chown -R 1000:1000 myfolder to get it to work.

This needs to be a documented limitation of using a non root docker container.

TBH I'm thinking we just switch back to root as this is very confusing I'm sure and there is no real good workaround.

[nhooyr]

There is https://github.com/cdr/code-server/pull/640/files but iirc we tried that and fixuid slows down the container startup.

[acondura]

I've created an image of my own which uses the coder binary + fixuid and it is working great! I combine that with docker compose commands and I'm able to spin up lots of coder instances for myself and colleagues. Image at https://hub.docker.com/r/acondura/code-server.

[Leopere]

services:
  visual:
    image: codercom/code-server:latest
    restart: always
    user: "0:0"

It's not pretty but it solves the issue.

[nhooyr]

I'll fix in #1307