Omit --userns=keep-id for root (#1004)

Author: chrmarti

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 Notable changes.
 
+## May 2025
+
+### [0.77.0]
+- Fix: --uidmap/--gidmap conflict with --userns (https://github.com/microsoft/vscode-remote-release/10954)
+- Fix: Omit --userns=keep-id for root (https://github.com/devcontainers/cli/pull/1004)
+
 ## April 2025
 
 ### [0.76.0]

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@devcontainers/cli",
 	"description": "Dev Containers CLI",
-	"version": "0.76.0",
+	"version": "0.77.0",
 	"bin": {
 		"devcontainer": "devcontainer.js"
 	},

src/spec-node/singleContainer.ts

@@ -344,7 +344,7 @@ export async function extraRunArgs(common: ResolverParameters, params: DockerRes
 	return extraArguments;
 }
 
-export async function spawnDevContainer(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig, mergedConfig: MergedDevContainerConfig, imageName: string, labels: string[], workspaceMount: string | undefined, imageDetails: (() => Promise<ImageDetails>) | undefined, containerUser: string | undefined, extraLabels: Record<string, string>) {
+export async function spawnDevContainer(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig, mergedConfig: MergedDevContainerConfig, imageName: string, labels: string[], workspaceMount: string | undefined, imageDetails: () => Promise<ImageDetails>, containerUser: string | undefined, extraLabels: Record<string, string>) {
 	const { common } = params;
 	common.progress(ResolverProgress.StartingContainer);
 
@@ -392,7 +392,7 @@ ${customEntrypoints.join('\n')}
 exec "$@"
 while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` to run (synchronous `sleep` would not).
 	const overrideCommand = mergedConfig.overrideCommand;
-	if (overrideCommand === false && imageDetails) {
+	if (overrideCommand === false) {
 		const details = await imageDetails();
 		cmd.push(...details.Config.Entrypoint || []);
 		cmd.push(...details.Config.Cmd || []);
@@ -409,7 +409,7 @@ while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` t
 		...getLabels(labels),
 		...containerEnv,
 		...containerUserArgs,
-		...getPodmanArgs(params, config),
+		...await getPodmanArgs(params, config, mergedConfig, imageDetails),
 		...(config.runArgs || []),
 		...(await extraRunArgs(common, params, config) || []),
 		...featureArgs,
@@ -434,12 +434,15 @@ while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` t
 	common.output.stop(text, start);
 }
 
-function getPodmanArgs(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig): string[] {
+async function getPodmanArgs(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig, mergedConfig: MergedDevContainerConfig, imageDetails: () => Promise<ImageDetails>): Promise<string[]> {
 	if (params.isPodman && params.common.cliHost.platform === 'linux') {
 		const args = ['--security-opt', 'label=disable'];
 		const hasIdMapping = (config.runArgs || []).some(arg => /--[ug]idmap(=|$)/.test(arg));
 		if (!hasIdMapping) {
-			args.push('--userns=keep-id');
+			const remoteUser = mergedConfig.remoteUser || findUserArg(config.runArgs) || (await imageDetails()).Config.User || 'root';
+			if (remoteUser !== 'root' && remoteUser !== '0') {
+				args.push('--userns=keep-id');
+			}
 		}
 		return args;
 	}