Use fixuid for mapping host uid:gid to docker uid:gid

Nathan Potter · Nathan Potter · commit 1576a6a5fa81 · 2019-05-03T20:26:23.000Z
diff --git a/images/Dockerfile b/images/Dockerfile
@@ -28,6 +28,22 @@ LABEL share.ssh="~/.ssh:~/.ssh"
 RUN wget -O /usr/bin/code-server https://codesrv-ci.cdr.sh/latest-linux && \
     chmod +x /usr/bin/code-server
 
-RUN adduser --gecos '' --disabled-password user && \
+
+# Use fixuid so that we can dynamically change the uid:gid to match what is being used by the host user.
+# Note: If the project is large, the `chown -R` call from fixuid can take a long time.
+# TODO: optimize the chown for larger projects.
+RUN addgroup --gid 1000 user && \
+    adduser --uid 1000 --ingroup user --home /home/user --shell /bin/sh --disabled-password --gecos "" user && \
     echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
-USER user
+
+RUN USER=user && \
+    GROUP=user && \
+    curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.4/fixuid-0.4-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
+    chown root:root /usr/local/bin/fixuid && \
+    chmod 4755 /usr/local/bin/fixuid && \
+    mkdir -p /etc/fixuid && \
+    printf "user: $USER\ngroup: $GROUP\n" > /etc/fixuid/config.yml
+
+USER user:user
+
+ENTRYPOINT ["fixuid"]
diff --git a/internal/codeserver/proc.go b/internal/codeserver/proc.go
@@ -34,7 +34,7 @@ func Port(containerName string) (string, error) {
 	// tcp        0      0 127.0.0.53:domain       0.0.0.0:*               LISTEN      -
 	out, err := dockutil.Exec(containerName, "netstat", "-tpl").CombinedOutput()
 	if err != nil {
-		return "", xerrors.Errorf("failed to netstat: %s, %v", out, err)
+		return "", xerrors.Errorf("failed to netstat %s: %w", out, err)
 	}
 
 	lines := strings.Split(string(out), "\n")
diff --git a/project.go b/project.go
@@ -250,7 +250,9 @@ func (p *project) waitOnline() error {
 	cli := dockerClient()
 	defer cli.Close()
 
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	// Give a pretty significant amount of time since the `chown -R` call from
+	// fixuid can take a long time if the project codebase is large.
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
 
 	for ctx.Err() == nil {
diff --git a/proxycmd.go b/proxycmd.go
@@ -12,12 +12,13 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
-	"nhooyr.io/websocket"
 	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
 
+	"nhooyr.io/websocket"
+
 	"go.coder.com/cli"
 	"go.coder.com/flog"
 	"golang.org/x/xerrors"
@@ -87,7 +88,10 @@ func (p *proxy) getCodeServerPort() (string, error) {
 }
 
 func (p *proxy) refreshPort() {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	// Give a longer period of time since the chown process in fixuid can take a bit
+	// to complete. This only happens if the uid:gid on the host isn't already 1000:1000.
+	// TODO: optimize fixuid and chown.
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
 
 	atomic.StoreInt64(&p.refreshing, 1)
diff --git a/runner.go b/runner.go
@@ -7,6 +7,7 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -80,6 +81,11 @@ func (r *runner) runContainer(image string) error {
 		return err
 	}
 
+	u, err := user.Current()
+	if err != nil {
+		return err
+	}
+
 	var envs []string
 	envs = r.environment(envs)
 
@@ -97,10 +103,7 @@ func (r *runner) runContainer(image string) error {
 			projectNameLabel:     r.projectName,
 			proxyURLLabel:        r.proxyURL,
 		},
-		// The user inside has uid 1000. This works even on macOS where the default user has uid 501.
-		// See https://stackoverflow.com/questions/43097341/docker-on-macosx-does-not-translate-file-ownership-correctly-in-volumes
-		// The docker image runs it as uid 1000 so we don't need to set anything.
-		User: "",
+		User: fmt.Sprintf("%s:%s", u.Uid, u.Gid),
 	}
 
 	err = r.addImageDefinedLabels(image, containerConfig.Labels)
diff --git a/runner_test.go b/runner_test.go
@@ -3,6 +3,7 @@ package main
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -39,59 +40,59 @@ func Test_runner(t *testing.T) {
 		})
 	}
 
+	// codeServerStarts ensures that the code server process
+	// starts up inside the container.
+	codeServerStarts := func(t *testing.T, p *params) {
+		t.Run("CodeServerStarts", func(t *testing.T) {
+			err := p.proj.waitOnline()
+			require.NoError(t, err)
+		})
+	}
+
 	// loadFromContainer ensures that our state is properly stored
 	// on the container and can rebuild our in memory structures
 	// correctly.
 	loadFromContainer := func(t *testing.T, p *params) {
 		t.Run("FromContainer", func(t *testing.T) {
-			// 	bldr, err := hatBuilderFromContainer(p.proj.cntName())
-			// 	require.NoError(t, err)
-
-			// 	assert.Equal(t, p.bldr.hatPath, bldr.hatPath)
-			// 	assert.Equal(t, p.bldr.baseImage, bldr.baseImage)
-
-			// 	runner, err := runnerFromContainer(p.proj.cntName())
-			// 	require.NoError(t, err)
+			bldr, err := hatBuilderFromContainer(p.proj.cntName())
+			require.NoError(t, err)
 
-			// 	assert.Equal(t, p.runner.cntName, runner.cntName)
-			// 	assert.Equal(t, p.runner.hostname, runner.hostname)
-			// 	assert.Equal(t, p.runner.port, runner.port)
-			// 	assert.Equal(t, p.runner.projectLocalDir, runner.projectLocalDir)
-			// 	assert.Equal(t, p.runner.projectName, runner.projectName)
-			// 	assert.Equal(t, p.runner.testCmd, runner.testCmd)
-		})
-	}
+			assert.Equal(t, p.bldr.hatPath, bldr.hatPath)
+			assert.Equal(t, p.bldr.baseImage, bldr.baseImage)
 
-	// codeServerStarts ensures that the code server process
-	// starts up inside the container.
-	codeServerStarts := func(t *testing.T, p *params) {
-		t.Run("CodeServerStarts", func(t *testing.T) {
-			err := p.proj.waitOnline()
+			runner, err := runnerFromContainer(p.proj.cntName())
 			require.NoError(t, err)
+
+			assert.Equal(t, p.runner.cntName, runner.cntName)
+			assert.Equal(t, p.runner.hostname, runner.hostname)
+			assert.Equal(t, p.runner.port, runner.port)
+			assert.Equal(t, p.runner.projectLocalDir, runner.projectLocalDir)
+			assert.Equal(t, p.runner.projectName, runner.projectName)
+			assert.Equal(t, p.runner.testCmd, runner.testCmd)
 		})
 	}
 
 	run(t, "BaseImageNoHat", "https://github.com/cdr/nbin", "",
 		labelChecker,
-		loadFromContainer,
 		codeServerStarts,
+		loadFromContainer,
 	)
 
 	run(t, "BaseImageHat", "https://github.com/cdr/flog", "./hat-examples/fish",
 		labelChecker,
-		loadFromContainer,
 		codeServerStarts,
+		loadFromContainer,
 	)
 
 	run(t, "ProjImageNoHat", "https://github.com/cdr/bigdur", "",
 		labelChecker,
-		loadFromContainer,
 		codeServerStarts,
+		loadFromContainer,
 	)
 
 	run(t, "ProjImageHat", "https://github.com/cdr/sshcode", "./hat-examples/net",
 		labelChecker,
-		loadFromContainer,
 		codeServerStarts,
+		loadFromContainer,
 	)
 }
diff --git a/ubuntu-dev/buildpush.sh b/ubuntu-dev/buildpush.sh

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ func Port(containerName string) (string, error) {`
`34`	`34`	`// tcp 0 0 127.0.0.53:domain 0.0.0.0:* LISTEN -`
`35`	`35`	`out, err := dockutil.Exec(containerName, "netstat", "-tpl").CombinedOutput()`
`36`	`36`	`if err != nil {`
`37`		`- return "", xerrors.Errorf("failed to netstat: %s, %v", out, err)`
	`37`	`+ return "", xerrors.Errorf("failed to netstat %s: %w", out, err)`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`lines := strings.Split(string(out), "\n")`