Enforce user permissions for user data and extension dirs on container startup

[frank-dspeed]

Description

When we start code-server as a docker container and mounting a path for extensions we need to make sure on startup that it belongs to the same user as the code-server

Steps to Reproduce

use the oneliner from README.md

Result

docker run -it -p 127.0.0.1:8080:8080 -v "${HOME}/.local/share/code-server:/home/coder/.local/share/code-server" -v "$PWD:/home/coder/project" codercom/code-server
(node:6) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
ERROR { [Error: EACCES: permission denied, mkdir '/home/coder/.local/share/code-server/extensions']
  [stack]:
   'Error: EACCES: permission denied, mkdir \'/home/coder/.local/share/code-server/extensions\'',
  [message]:
   'EACCES: permission denied, mkdir \'/home/coder/.local/share/code-server/extensions\'',
  errno: -13,
  code: 'EACCES',
  syscall: 'mkdir',
  path: '/home/coder/.local/share/code-server/extensions' }

[frank-dspeed]

or we add instructions for mkdir -p befor running that and chmod 0777 so that it will work

[DDeme]

I got the same problem.

[sr229]

This is a open field of debate at the moment as one of the Engineers declined to have the RW access workaround due to "permission concerns" - where it shouldn't. Revisiting this once more.

[frank-dspeed]

@sr229 but this issue is about the extensions dir i think there the discussion is less relevant as it is always clear that extensions need to be readwrite by code-server user it self its not about the project files

[nhooyr]

Yes this is a separate issue. But closely related to #640

[mukk85]

I am still getting this error. Are we waiting for an updated push for this to be fixed?

[frank-dspeed]

@mukk85 current state is you manualy create the extensions dir befor you run the oneliner and chmod the folder right befor you start the oneliner

because when docker creates the folder while starting it will be owned by root

[pedrolucasoliva]

Running:
docker run -d -p 0.0.0.0:8000:8080 --name codeserver -v "/home/dev/codeserver/.local/share/code-server:/home/coder/.local/share/code-server" -v "/home/dev/projects:/home/coder/project" codercom/code-server:v2
I resolve this problem with:
sudo chmod 777 -R dev/

[sr229]

mode 0777 is a dangerous permission to give since it gives R/W and execution perms, you should only give it R/W perms (mode 0600 AFAIK).

[frank-dspeed]

@pedrolucasoliva
i am docker specialist i give you a little hint the --user flag

docker run --user $(id):$(id) -d -p 0.0.0.0:8000:8080 --name codeserver -v "/home/dev/codeserver/.local/share/code-server:/home/coder/.local/share/code-server" -v "/home/dev/projects:/home/coder/project" codercom/code-server:v2

the --user $(id):$(id) will switch the user id of the coder user to your user id and group :)

[CXZ7720]

I still have same issue on Ubuntu server 18.04 LTS
I tried to make the folder manually, but it doesn't work.

Edited
Finally It runs very well! 🎉 🎉
I used this command
docker run --user 1000:1000 -d -p 0.0.0.0:8000:8080 --name codeserver -v "/home/dev/codeserver/.local/share/code-server:/home/coder/.local/share/code-server" -v "/home/dev/projects:/home/coder/project" codercom/code-server:v2
and it runs perfectly.

The only thing I changed is $(id):$(id) to 1000:1000.

Thanks for @frank-dspeed

[nhooyr]

See #1307