How to handle --editable for rootless Podman

[rgaiacs]

When working in support for Podman, I noticed that tests

• tests/unit/test_editable.py::test_editable
• tests/unit/test_editable.py::test_editable_by_host

would fail.

The tests fails due

/usr/local/bin/change.sh: line 3: newfile: Permission denied

This is because Podman runs, by default, as rootless. When Podman and Docker run as rootless, we have

flowchart TB
    subgraph container[rootless container]
    container-root[root UID=0]
    jovyan[jovyan UID=1000]
    end

    subgraph host
    host-root[root UID=0]
    alice[alice UID=1000]
    bob[bob UID=1001]
    repo2docker[repo2docker UID=101000]
    end

    alice-->container-root
    repo2docker-->jovyan

Loading

A file that is owned by alice will not be accessible to jovyan.

The recommendation in this cases is to run Jupyter in the container as root but this should be done by the user.

How do others think that repo2docker should behave?

[manics]

I think it's reasonable to say editable can't be used with a rootless container unless it's run as rootless "root", since you've chosen to partially break the isolation that full rootless offers.

[rgaiacs]

When reading more the code, I found

repo2docker/repo2docker/__main__.py

Lines 426 to 435 in 4992a43

	if r2d.user_id == 0 and not r2d.dry_run:
	print("Root as the primary user in the image is not permitted.")
	print(
	"The uid and the username of the user invoking repo2docker "
	"is used to create a mirror account in the image by default. "
	"To override that behavior pass --user-id <numeric_id> and "
	" --user-name <string> to repo2docker.\n"
	"Please see repo2docker --help for more details.\n"
	)
	sys.exit(1)

saying that

Root as the primary user in the image is not permitted.

[manics]

I think we should keep this issue open, and consider allowing a container to run as root.