Addition of --userns=keep-id is a significant breaking change for many podman devcontainers.

[gilesknap]

See:

https://github.com/devcontainers/cli/blame/da16ca99500f519043f39f957d9ff55d971acec5/src/spec-node/singleContainer.ts#L439

The recent addition of --userns-keep-id to the launch parameters for podman devcontainers has broken all of the devcontainers at our facility.

We have been running devcontainers with rootless podman for more than 4 years and our approach has always been to use root inside the container with that mapping to our user-id for host mounted filesystems. This recent change means that although my devcontainer loads and is still running as root (because we have remoteUser="" in .devcontainer.json) it is unable to make changes to the git repo as that is now owned by a different user id (my own user id).

A significant change like this should be given a configuration field so that we can turn it off - perhaps that already exists and I have missed it?

[gilesknap]

I expect this change is compatible with Official Developer Base Containers. But they do not work for our facility because our UIDs are huge and out of range for these containers. e.g. when opening the default python developer container I see this error:

Updating UID:GID from 1000:1000 to 1200288:1200288.
chown: changing ownership of '/home/vscode/.zprofile': Invalid argument
chown: changing ownership of '/home/vscode/.zshrc': Invalid argument
chown: changing ownership of '/home/vscode/.profile': Invalid argument
...

This is one of the reasons we are not using offical base containers and why we use (psuedo-)root inside our devcontainers. But it also means that there is no path to a working solution except pinning the version of the devcontainer extension.

[gilesknap]

For others seeing this issue: the workaround is to pin the Dev Containers plugin to 0.409.0

[gilesknap]

@chrmarti please can you comment on this? What is the reason for this change? Thanks.

[chrmarti]

We need to check if the user is root before we add this option. (The option fixes the non-root case.)

Another workaround is to add "runArgs": ["--userns="] to the devcontainer.json until we have this fixed.

[gilesknap]

Thanks @chrmarti that is a better workaround for us.

I'm not sure that adding keep-id for non root users will be good for existing projects that already have some workaround for the problem (e.g. creating a fixed id in the container to run as non-root).

Therefore this feels like it could be a breaking change for all existing podman devcontainers - even if it is a good idea for all future podman devcontainers.

Hopefully the solution should also work for rootless docker. My earlier experiments a while back found that this had the same issues as podman.

I would vote for us having:

• no opinionated defaults at all
• some documentation that helps navigate the various args you might want for build and run steps, especially for rootless.

[chrmarti]

There is a fix for when using --uid-/gidmap that will be in the next releases: microsoft/vscode-remote-release#10954. Let us know when you encounter other issues. My hope is that we can make this work well for everyone using Podman.

[gilesknap]

Thanks - that fix does look like you are chasing valid combinations of settings! no defaults would be easier for you - but I get the desire for default behavior working well with the majority of cases and in particular the MS base images.