Merge pull request #40 from ubc-provenance/dev

Fix docker permission error + simplified install

Author: TristanBilot

.devcontainer/devcontainer.json

@@ -4,15 +4,16 @@
   "service": "pids",
   "workspaceFolder": "/home/pids",
   "forwardPorts": ["${env:DOCKER_PORT}"],
-  "remoteUser": "${env:USER_NAME}",
+  "remoteUser": "pids",
   "customizations": {
     "vscode": {
       "extensions": [
         "ms-python.python",
         "ms-vscode-remote.remote-containers",
         "nvidia.nsight-vscode-edition", // For CUDA/GPU debugging
         "eamodio.gitlens",
-        "ms-toolsai.jupyter"
+        "ms-toolsai.jupyter",
+        "anthropic.claude-code"
       ]
     }
   },

.env.local

@@ -2,6 +2,3 @@ INPUT_DIR=./data
 ARTIFACTS_DIR=./artifacts
 DOCKER_PORT=8888
 COMPOSE_PROJECT_NAME=pidsmaker
-HOST_UID=1000
-HOST_GID=1000
-USER_NAME=user

Dockerfile

@@ -15,8 +15,13 @@ RUN apt update && \
 ENV JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
 ENV PATH=$JAVA_HOME/bin:$PATH
 
-# installing sudo
-RUN apt-get update && apt-get install -y sudo git
+# installing sudo, git, gosu (for privilege dropping in entrypoint)
+RUN apt-get update && apt-get install -y sudo git && \
+    set -eux; \
+    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64"; \
+    chmod +x /usr/local/bin/gosu; \
+    gosu --version; \
+    gosu nobody true
 
 # installing node for Claude Code
 RUN apt-get update \
@@ -32,17 +37,19 @@ RUN wget https://repo.anaconda.com/archive/Anaconda3-2023.03-1-Linux-x86_64.sh
 RUN bash Anaconda3-2023.03-1-Linux-x86_64.sh -b -p /opt/conda
 RUN rm Anaconda3-2023.03-1-Linux-x86_64.sh
 
-ARG USER_ID
-ARG GROUP_ID
-ARG USER_NAME
-RUN groupadd -g ${GROUP_ID} ${USER_NAME} && useradd -u ${USER_ID} -g ${GROUP_ID} -m -s /bin/bash ${USER_NAME}
+# Create a fixed container user. The UID/GID will be remapped at runtime
+# by entrypoint.sh to match the host user — no build args required.
+# Home is kept separate from WORKDIR (/home/pids) to avoid conflicts with
+# the bind-mounted project directory.
+RUN groupadd -g 1000 pids && \
+    useradd -u 1000 -g 1000 -m -d /home/user -s /bin/bash pids
 WORKDIR /home/pids
 
 ENV PATH="/opt/conda/bin:$PATH"
 ENV PATH="/opt/conda/envs/pids/bin:$PATH"
 RUN conda create -n pids python=3.9 && \
-    echo "source /opt/conda/etc/profile.d/conda.sh" >> /home/${USER_NAME}/.bashrc && \
-    echo "conda activate pids" >> /home/${USER_NAME}/.bashrc
+    echo "source /opt/conda/etc/profile.d/conda.sh" >> /home/user/.bashrc && \
+    echo "conda activate pids" >> /home/user/.bashrc
 # https://pythonspeed.com/articles/activate-conda-dockerfile/
 SHELL ["conda", "run", "-n", "pids", "/bin/bash", "-c"]
 # Activate the environment and install dependencies
@@ -69,10 +76,18 @@ RUN pip install pytest==8.3.5 pytest-cov==6.1.1 pre-commit==4.2.0 setuptools==61
 
 COPY . .
 
-# COPY is done by the docker daemon as root, so we need to chown
-RUN chown -R ${USER_NAME}:${USER_NAME} /home
-USER ${USER_NAME}
-
+# COPY is done by the docker daemon as root, so we need to chown.
+# Only chown the project dir and the user home — not /home/artifacts
+# which is a runtime volume managed by entrypoint.sh.
+RUN chown -R pids:pids /home/pids /home/user
+USER pids
 
 RUN [ -f pyproject.toml ] && pip install -e . || echo "No pyproject.toml found, skipping install"
 RUN [ -f .pre-commit-config.yaml ] && pre-commit install || echo "No pre-commit found, skipping install"
+
+# Switch back to root so the entrypoint can remap UID/GID and fix permissions
+USER root
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["bash"]

compose-pidsmaker.yml

@@ -2,10 +2,6 @@ services:
   pids:
     build:
       context: .
-      args:
-        USER_ID: ${HOST_UID}
-        GROUP_ID: ${HOST_GID}
-        USER_NAME: ${USER_NAME}
     container_name: ${COMPOSE_PROJECT_NAME}-pids
     networks:
       - shared_network
@@ -18,9 +14,8 @@ services:
       DB_PASSWORD: postgres
     volumes:
       - ./:/home/pids
-      - ${ARTIFACTS_DIR:-/artifacts}:/home/artifacts
+      - ${ARTIFACTS_DIR:-/home/artifacts}:/home/artifacts
       # - /path/to/raw/data:/data
-    entrypoint: bash
     stdin_open: true
     tty: true
     deploy:

docs/docs/ten-minute-install.md

@@ -83,65 +83,69 @@ sudo systemctl restart docker
 ## Load databases
 We create two containers: one that runs the postgres database, the other runs the Python env and the pipeline.
 
-1. Set your paths in .env
-    ```sh
-    cd ..
-    cp .env.local .env
-    ```
-    
-    - In `.env`, set `INPUT_DIR` to the `data` folder path. Optionally, set `ARTIFACTS_DIR` to the folder where all generated files will go (multiple GBs).
-    
-    - Run the following command and set accordingly `HOST_UID`, `HOST_GID` and `USER_NAME` in `.env`.
-        ```sh
-        echo "HOST_UID=$(id -u)" && echo "HOST_GID=$(id -g)" && echo "USER_NAME=$(whoami)"
-        ```
-
-    - Then run:
-        ```sh
-        source .env
-        ```
-
-    - Then create the output artifacts folder if it doesn't exist yet and ensure it is owned by your user.
-        ```sh
-        mkdir ${ARTIFACTS_DIR} || chown ${USER_NAME} -R ${ARTIFACTS_DIR}
-        ```
-
-2. Build  and start the database container up:
-    ```sh
-    docker compose -p postgres -f compose-postgres.yml up -d --build
-    ```
-    Note: each time you modify variables in `.env`, update env variables using `source .env` prior to running `docker compose`.
+### 1. Set your paths in .env
+
+```sh
+cp .env.local .env
+```
+
+ In `.env`, set `INPUT_DIR` to the `data` folder path. Optionally, set `ARTIFACTS_DIR` to a path where all generated files will go (multiple GBs).
+
+
+### 2. Build  and start the database container up:
+
+```sh
+docker compose -p postgres -f compose-postgres.yml up -d --build
+```
+Note: each time you modify variables in `.env`, update env variables using `source .env` prior to running `docker compose`.
     
-3. In a terminal, get a shell into this container:
-    ```sh
-    docker compose -p postgres exec postgres bash
-    ```
-4. If you have enough space to uncompress all datasets locally (135 GB), run this script to load all databases:
-    ```sh
-    ./scripts/load_dumps.sh
-    ```
-    If you have limited space and want to load databases one by one, do:
-    ```sh
-    pg_restore -U postgres -h localhost -p 5432 -d DATASET /data/DATASET.dump
-    ```
-    !!! note
-        If you want to parse raw data and create database from scratch, please follow the [guideline](./create-db-from-scratch.md) instead of running the above two commands.
-6. Once databases are loaded, we won't need to touch this container anymore:
-    ```sh
-    exit
-    ```
+### 3. Get a shell into the postgres container
+
+```sh
+docker compose -p postgres exec postgres bash
+```
+
+### 4. Load database dumps
+
+If you have enough space to uncompress all datasets you have downloaded locally in the `data` folder, run this script:
+
+```sh
+./scripts/load_dumps.sh
+```
+
+If you have limited space and want to load databases one by one, do:
+
+```sh
+pg_restore -U postgres -h localhost -p 5432 -d DATASET /data/DATASET.dump
+```
+
+!!! note
+    If you want to parse raw data and create database from scratch, please follow the [guideline](./create-db-from-scratch.md) instead of running the above two commands.
+
+Once databases are loaded, we won't need to touch this container anymore:
+
+```sh
+exit
+```
 
 ## Get into the PIDSMaker container
 
 It is within the `pids` container that coding and experiments take place.
 
-1. For VSCode users, we recommend using the [dev container](https://code.visualstudio.com/docs/devcontainers/create-dev-container) extension to directly open VSCode in the container. To do so, simply install the extension, then ctrl+shift+P and <i>Dev Containers: Open Folder in Container</i>.
+### 1. VSCode Devcontainer approach
 
-2. The other alternative is to load the container manually and open a shell directly in your terminal.
-    ```sh
-    docker compose -f compose-pidsmaker.yml up -d --build
-    docker compose exec pids bash
-    ```
+
+For VSCode users, we recommend using the [dev container](https://code.visualstudio.com/docs/devcontainers/create-dev-container) extension to directly open VSCode in the container. To do so, simply install the extension, then ctrl+shift+P and <i>Dev Containers: Open Folder in Container</i>.
+
+
+### 2. Manual approach
+
+The other alternative is to load the container manually and open a shell directly in your terminal.
+
+```sh
+docker compose -f compose-pidsmaker.yml up -d --build
+docker compose exec pids bash
+```
 
 It's in this container that the python env is installed and where the framework will be used.
 

entrypoint.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+CONTAINER_USER="pids"
+CONTAINER_HOME="/home/user"
+
+# Detect the host user's UID/GID from the bind-mounted project directory.
+# Bind mounts preserve the host file ownership, so stat gives us the host UID/GID
+# without needing any environment variables.
+TARGET_UID=$(stat /home/pids -c '%u' 2>/dev/null || echo "1000")
+TARGET_GID=$(stat /home/pids -c '%g' 2>/dev/null || echo "1000")
+
+# Safety guard: never remap to root
+[ "$TARGET_UID" = "0" ] && TARGET_UID=1000
+[ "$TARGET_GID" = "0" ] && TARGET_GID=1000
+
+CURRENT_UID=$(id -u "$CONTAINER_USER")
+CURRENT_GID=$(id -g "$CONTAINER_USER")
+
+if [ "$TARGET_UID" != "$CURRENT_UID" ] || [ "$TARGET_GID" != "$CURRENT_GID" ]; then
+    groupmod -g "$TARGET_GID" "$CONTAINER_USER" 2>/dev/null || true
+    usermod -u "$TARGET_UID" -g "$TARGET_GID" "$CONTAINER_USER" 2>/dev/null || true
+    # Re-own the user's home directory (not the bind-mounted project dir)
+    chown -R "$TARGET_UID:$TARGET_GID" "$CONTAINER_HOME" 2>/dev/null || true
+fi
+
+# Ensure the artifacts directory exists and is writable by the container user.
+# This handles both the case where Docker created it as root and the case
+# where it doesn't exist yet on the host.
+mkdir -p /home/artifacts
+chown "$TARGET_UID:$TARGET_GID" /home/artifacts
+
+exec gosu "$CONTAINER_USER" "$@"