
Commit 078f9ac

committed
Check if remote user is root (#1004)
1 parent c246645 commit 078f9ac


1 file changed

+8
-5
lines changed


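--- a/src/spec-node/singleContainer.ts
+++ b/src/spec-node/singleContainer.ts
@@ -344,7 +344,7 @@ export async function extraRunArgs(common: ResolverParameters, params: DockerRes
 return extraArguments;
 }
 
-export async function spawnDevContainer(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig, mergedConfig: MergedDevContainerConfig, imageName: string, labels: string[], workspaceMount: string | undefined, imageDetails: (() => Promise<ImageDetails>) | undefined, containerUser: string | undefined, extraLabels: Record<string, string>) {
+export async function spawnDevContainer(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig, mergedConfig: MergedDevContainerConfig, imageName: string, labels: string[], workspaceMount: string | undefined, imageDetails: () => Promise<ImageDetails>, containerUser: string | undefined, extraLabels: Record<string, string>) {
 const { common } = params;
 common.progress(ResolverProgress.StartingContainer);
 
@@ -392,7 +392,7 @@ ${customEntrypoints.join('\n')}
 exec "$@"
 while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` to run (synchronous `sleep` would not).
 const overrideCommand = mergedConfig.overrideCommand;
-if (overrideCommand === false && imageDetails) {
+if (overrideCommand === false) {
 const details = await imageDetails();
 cmd.push(...details.Config.Entrypoint || []);
 cmd.push(...details.Config.Cmd || []);
@@ -409,7 +409,7 @@ while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` t
 ...getLabels(labels),
 ...containerEnv,
 ...containerUserArgs,
-...getPodmanArgs(params, config),
+...await getPodmanArgs(params, config, mergedConfig, imageDetails),
 ...(config.runArgs || []),
 ...(await extraRunArgs(common, params, config) || []),
 ...featureArgs,
@@ -434,12 +434,15 @@ while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` t
 common.output.stop(text, start);
 }
 
-function getPodmanArgs(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig): string[] {
+async function getPodmanArgs(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig, mergedConfig: MergedDevContainerConfig, imageDetails: () => Promise<ImageDetails>): Promise<string[]> {
 if (params.isPodman && params.common.cliHost.platform === 'linux') {
 const args = ['--security-opt', 'label=disable'];
 const hasIdMapping = (config.runArgs || []).some(arg => /--[ug]idmap(=|$)/.test(arg));
 if (!hasIdMapping) {
-args.push('--userns=keep-id');
+const remoteUser = mergedConfig.remoteUser || findUserArg(config.runArgs) || (await imageDetails()).Config.User || 'root';
+if (remoteUser !== 'root' && remoteUser !== '0') {
+args.push('--userns=keep-id');
+}
 }
 return args;
 }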
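Review bot: The root check added in `getPodmanArgs` compares the whole user string with `'root'` and `'0'`, so a value that carries a group, such as `0:0` or `root:root`, would count as non-root and still get `--userns=keep-id`. The image's `Config.User` is used as-is and may hold the `user[:group]` form; whether `findUserArg` strips the group from a `--user` run argument is not visible in this hunk. Consider comparing only the user part, e.g. `const userPart = remoteUser.split(':')[0];` followed by `if (userPart !== 'root' && userPart !== '0') {`. A one-line comment above the condition saying why keep-id is skipped for root would also help, since this choice decides how container UIDs map to the host user. The body of `getPodmanArgs` continues past the end of the hunk.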
