Skip to content

Fix /workspaces permissions so the node user can clone repos #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Copilot wants to merge 1 commit into
base: main
Choose a base branch
from
+24 −1
Open

Fix /workspaces permissions so the node user can clone repos #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .devcontainer/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,13 @@ RUN npm install -g playwright \
&& playwright install --with-deps chromium \
&& chmod -R a+rx /ms-playwright

# Make `/workspaces` owned by the non-root `node` user so cloning repos into it
# works. The base image creates `/workspaces` as root, and envbuilder (used by
# Coder) does not chown the workspace to the target user, so `node` otherwise
# can't create directories there:
# git clone ... -> fatal: could not create work tree dir: Permission denied
RUN mkdir -p /workspaces && chown node:node /workspaces

# Tell dev container features where the target user's home directory is.
# The devcontainer CLI passes `_REMOTE_USER_HOME`/`_CONTAINER_USER_HOME` to every
# feature's install.sh, but envbuilder (used by Coder) only sets `_REMOTE_USER`
Expand Down
18 changes: 17 additions & 1 deletion scripts/verify-devcontainer.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@
# It asserts the things that have previously broken on Coder/envbuilder:
# 1. the effective user is `node`, not root,
# 2. tmux is on PATH and can start a session that reads ~/.tmux.conf,
# 3. the lifecycle ran to completion (postCreateCommand sentinel exists).
# 3. the lifecycle ran to completion (postCreateCommand sentinel exists),
# 4. `/workspaces` is writable by `node` (so `git clone` into it works).
#
# Any failed check exits non-zero so CI fails loudly instead of silently
# dropping you into a broken shell.
Expand Down Expand Up @@ -80,6 +81,21 @@ else
fail "lifecycle sentinel missing ($sentinel); postCreateCommand did not complete"
fi

# 4. `/workspaces` must be writable by the current user so cloning repos into it
# (e.g. `git clone ...` from `/workspaces`) doesn't fail with "Permission denied".
workspaces_dir="/workspaces"
if [ -d "$workspaces_dir" ]; then
probe="${workspaces_dir}/.verify-write-$$"
if (umask 022 && mkdir "$probe") 2>/dev/null; then
pass "/workspaces is writable by $(id -un)"
rmdir "$probe" 2>/dev/null || true
else
fail "/workspaces is not writable by $(id -un); 'git clone' into it will fail"
fi
else
fail "/workspaces does not exist"
fi

echo "=== Verification complete ==="
if [ "$failures" -ne 0 ]; then
echo "$failures check(s) failed." >&2
Expand Down