diff --git a/.gitignore b/.gitignore
index ffaa56b42253..fb8cdf949ee9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /lib
+code-server
 node_modules
 dist
 out
diff --git a/Dockerfile b/Dockerfile
index 0610301a3fb3..83a951403d46 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,20 +34,29 @@ RUN locale-gen en_US.UTF-8
 # configured in /etc/default/locale so we need to set it manually.
 ENV LC_ALL=en_US.UTF-8
-RUN adduser --gecos '' --disabled-password coder && \
+RUN addgroup --gid 1000 coder && \
+ adduser --uid 1000 --ingroup coder --home /home/coder --shell /bin/sh --disabled-password --gecos "" coder && \
 echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
+RUN USER=coder && \
+ GROUP=coder && \
+ curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.4/fixuid-0.4-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
+ chown root:root /usr/local/bin/fixuid && \
+ chmod 4755 /usr/local/bin/fixuid && \
+ mkdir -p /etc/fixuid && \
+ printf "user: $USER\ngroup: $GROUP\n" > /etc/fixuid/config.yml
+
 USER coder
-# We create first instead of just using WORKDIR as when WORKDIR creates, the user is root.
-RUN mkdir -p /home/coder/project
-WORKDIR /home/coder/project
+# Setup our entrypoint
+COPY entrypoint.sh /usr/local/bin/
+RUN sudo chmod +x /usr/local/bin/entrypoint.sh
 # This assures we have a volume mounted even if the user forgot to do bind mount.
 # So that they do not lose their data if they delete the container.
-VOLUME [ "/home/coder/project" ]
+VOLUME [ "/home/coder" ]
 COPY --from=0 /src/packages/server/cli-linux-x64 /usr/local/bin/code-server
 EXPOSE 8443
-ENTRYPOINT ["dumb-init", "code-server"]
+ENTRYPOINT ["dumb-init", "entrypoint.sh", "code-server"]
diff --git a/README.md b/README.md
index c4ce894a9bae..a345ff616923 100644
--- a/README.md
+++ b/README.md
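Review bot: The new `RUN` that installs fixuid pipes `curl -SsL` straight into `tar` and then marks the result setuid root (`chmod 4755 /usr/local/bin/fixuid`) without verifying what was downloaded, so whatever the download or a redirect target returns becomes a root-privileged binary in every image build. Pin the release tarball's SHA-256 and verify it before extracting, and add `-f` so an HTTP error body is not fed to tar. Because the `coder` user already has `NOPASSWD:ALL` sudo, the setuid bit itself adds no privilege beyond what the image already grants, but the image contents should still be what the build intended. Separately, `entrypoint.sh` is added with mode 100755, so `RUN sudo chmod +x /usr/local/bin/entrypoint.sh` is likely redundant (COPY keeps the mode bits from the build context, as far as I know) and the sudo-in-build step could be dropped.
```dockerfile
RUN USER=coder && \
    GROUP=coder && \
    curl -fSsL -o /tmp/fixuid.tar.gz https://github.com/boxboat/fixuid/releases/download/v0.4/fixuid-0.4-linux-amd64.tar.gz && \
    echo "<expected-sha256-of-fixuid-0.4-linux-amd64.tar.gz>  /tmp/fixuid.tar.gz" | sha256sum -c - && \
    tar -C /usr/local/bin -xzf /tmp/fixuid.tar.gz && \
    rm -f /tmp/fixuid.tar.gz && \
    chown root:root /usr/local/bin/fixuid && \
    chmod 4755 /usr/local/bin/fixuid && \
# … unchanged: mkdir -p /etc/fixuid and writing config.yml …
```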
@@ -9,7 +9,7 @@ Try it out:
 ```bash
-docker run -it -p 127.0.0.1:8443:8443 -v "${PWD}:/home/coder/project" codercom/code-server --allow-http --no-auth
+docker run -it -p 127.0.0.1:8443:8443 -v "${PWD}/code-server:/home/coder" codercom/code-server --allow-http --no-auth
 ```
- Code on your Chromebook, tablet, and laptop with a consistent dev environment.
@@ -31,6 +31,32 @@ Use [sshcode](https://github.com/codercom/sshcode) for a simple setup. See docker oneliner mentioned above. Dockerfile is at [/Dockerfile](/Dockerfile).
+**Run as Non-root user dynamically mapped at runtime in docker**
+You can configure code server to run as a UID:GID of your choice. This uses the [boxboat/fixuid](https://github.com/boxboat/fixuid) utility to dynmaically remap the coder uid/gid at runtime. This is especially useful in environments where UIDs change, affect volume mount permissions, and process ownership. You can enable this feature easily with env variables, and the `docker -u` cli flag.
+
+WARNING: there are some concerns around [security](https://github.com/boxboat/fixuid/issues/1) with this approach, ensure you understand the implications
+
+Example 1: Run as the host UID:GID, by setting the FIXUID docker env var
+```bash
+docker run -it -p 127.0.0.1:8443:8443 \
+-v "${PWD}/code-server:/home/coder" \
+-u $(id -u):$(id -g) \
+-e FIXUID=y \
+codercom/code-server:latest --allow-http --no-auth
+```
+
+Example 2: Same as above, but disable the fixuid warning message
+```bash
+docker run -it -p 127.0.0.1:8443:8443 \
+-v "${PWD}/code-server:/home/coder" \
+-u $(id -u):$(id -g) \
+-e FIXUID=y \
+-e FIXUID_QUIET=y \
+codercom/code-server:latest --allow-http --no-auth
+```
+
+
+
 ### Binaries 1. [Download a binary](https://github.com/cdr/code-server/releases) (Linux and OS X supported. Windows coming soon)
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 000000000000..dfc9aa0c9b76
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+export HOME=/home/coder
+
+if [[ -z $FIXUID ]];
+ then
+ echo "fixuid flag not set..."
+ else
+ echo "fixuid is set..."
+ if [[ -z $FIXUID_QUIET ]];
+ then
+ fixuid
+ else
+ fixuid -q
+ fi
+fi
+
+echo "starting coder..."
+exec "$@"
\ No newline at end of file
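Review bot: A failing `fixuid` call in the `else` branch is ignored — the script has no `set -e` and never checks the command's status — so if the remap fails (for example when the container is started with `no-new-privileges`, which stops the setuid bit from taking effect) the script still prints "starting coder..." and `exec`s code-server as the unmapped uid, which may then be unable to write `$HOME=/home/coder`. Add `set -eu` directly after the shebang so a fixuid failure stops the container with a visible error instead of a silently degraded session, and because `-u` then applies to the unset-variable tests, change them to `if [[ -z "${FIXUID:-}" ]]; then` and `if [[ -z "${FIXUID_QUIET:-}" ]]; then`. The diagnostic `echo` lines would also be better sent to stderr (`>&2`) so they do not interleave with code-server's own stdout.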