
Support docker run with --user $(id -u):$(id -g) cli arg (shared process error)

Test environment

Host OS: OSX 10.14.4
Docker: 2.0.0.3 (31259)
image: codercom/code-server:1.621

Request

Hi,

We run docker in a locked down environment where we alias the docker run cli command to prepend --user $(id -u):$(id -g) on all host operating systems. This is a security constraint we can't remove. When I try to execute code server simulating this environment it throws a shared process error. Any ideas on an approach to resolve?

Repro

docker run -it -p 127.0.0.1:8443:8443 -v "${PWD}/codeserver:/home/coder/project" -u $(id -u):$(id -g) -v "${PWD}/codeserver/.cache:/.cache" -v "${PWD}/codeserver/.local:/.local" codercom/code-server:1.621 --allow-http --no-auth
INFO  code-server development
INFO  Additional documentation: http://github.com/codercom/code-server
INFO  Initializing {"data-dir":"/.local/share/code-server","extensions-dir":"/.local/share/code-server/extensions","working-dir":"/home/coder/project","log-dir":"/.cache/code-server/logs/20190405152816797"}
INFO  Starting webserver... {"host":"0.0.0.0","port":8443}
WARN  No certificate specified. This could be insecure.
WARN  Documentation on securing your setup: https://github.com/codercom/code-server/blob/master/doc/security/ssl.md
WARN  Launched without authentication.
INFO   
INFO  Started (click the link below to open):
INFO  http://localhost:8443/
INFO   
INFO  Starting shared process [1/5]...
INFO  Starting shared process [2/5]... {"error":"Exited with 1"}
INFO  Starting shared process [3/5]... {"error":"Exited with 1"}
/src/packages/server/out/cli.js:325
return"boolean"==typeof e.extractComments?(r.preserve=i,r.extract=/^\**!|@preserve|@license|@cc_on/i):"string"==typeof e.extractComments||e.extractComments instanceof RegExp?(r.preserve=i,r.extract=e.extractComments):"function"==typeof e.extractComments?(r.preserve=i,r.extract=e.extractComments):Object.prototype.hasOwnProperty.call(e.extractComments,"condition")?(r.preserve=i,r.extract=e.extractComments.condition):(r.preserve=!1,r.extract=i),["preserve","extract"].forEach(e=>{let t,n;switch(typeof r[e]){case"boolean":r[e]=r[e]?()=>!0:()=>!1;break;case"function":break;case"string":if("all"===r[e]){r[e]=(()=>!0);break}if("some"===r[e]){r[e]=((e,t)=>"comment2"===t.type&&/^\**!|@preserve|@license|@cc_on/i.test(t.value));break}t=r[e],r[e]=((e,n)=>new RegExp(t).test(n.value));break;default:n=r[e],r[e]=((e,t)=>n.test(t.value))}}),(e,t)=>{if(r.extract(e,t)){const e="comment2"===t.type?`/*${t.value}*/`:`//${t.value}`;n.includes(e)||n.push(e)}return r.preserve(e,t)}})(e,c,u));const

Error: ENOENT: no such file or directory, uv_os_get_passwd
    at new t.Server (/src/packages/server/out/cli.js:325:105264)
    at e.exports.w.on (/src/packages/server/out/cli.js:325:102138)
    at emitTwo (events.js:131:20)
    at e.exports.emit (events.js:214:7)
    at handleUpgrade.t (/src/packages/server/out/cli.js:489:29992)
    at e.exports.completeUpgrade (/src/packages/server/out/cli.js:489:32439)
    at e.exports.handleUpgrade (/src/packages/server/out/cli.js:489:31556)
    at upgrade (/src/packages/server/out/cli.js:489:29963)
    at emitThree (events.js:136:13)
    at u.emit (events.js:217:7)
    at onParserExecuteCommon (_http_server.js:542:14)
    at socketOnData (_http_server.js:477:3)
    at emitOne (events.js:116:13)
    at Socket.emit (events.js:211:7)
    at Socket.Readable.read (_stream_readable.js:475:10)
    at flow (_stream_readable.js:846:34)
    at emitReadable_ (_stream_readable.js:514:3)
    at emitReadable (_stream_readable.js:507:7)
    at addChunk (_stream_readable.js:274:7)
    at readableAddChunk (_stream_readable.js:250:11)
    at Socket.Readable.push (_stream_readable.js:208:10)
    at TCP.onread (net.js:601:20)
cdr/code-server

Answer questions ibnesayeed

If I supply the -u (or --user) flag to keep file permissions correct as if I were to play with my files on the host, the service is failing to create a ./cache directory. Is it something that can be configured to create under /tmp instead of the root of the file system?

$ mkdir /tmp/foo
$ cd /tmp/foo
$ docker run --rm -it \
  -u $(id -u):$(id -g) \
  -p 127.0.0.1:8443:8443 \
  -v $PWD:/home/coder/project \
  codercom/code-server --allow-http --no-auth
(node:6) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
ERROR { [Error: EACCES: permission denied, mkdir '/.cache']
  [stack]: 'Error: EACCES: permission denied, mkdir \'/.cache\'',
  [message]: 'EACCES: permission denied, mkdir \'/.cache\'',
  errno: -13,
  code: 'EACCES',
  syscall: 'mkdir',
  path: '/.cache' }
answerer
Sawood Alam ibnesayeed Old Dominion University Norfolk, Virginia - 23529 (USA) http://www.cs.odu.edu/~salam/ Web, Digital Library, Web Archiving, Machine Learning, AI, Ruby on Rails, PHP, Python, Go, HTML, CSS, JavaScript, Urdu, RTL, Docker, and Linux.
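
Both errors in this thread come from running as a UID the image does not know: uv_os_get_passwd returns ENOENT when the UID has no passwd entry, and the /.cache and /.local paths in the logs show the home directory resolving to /, which that UID cannot write. A preflight for those two conditions, as an added example that is not code-server's own code; the function names, the `check` argument and the sample UID 501 are assumptions:

```shell
#!/bin/sh
# Added example: preflight for a container started with `docker run -u UID:GID`.
# Intended use (assumption): run inside the container before the service starts.

# has_passwd_entry UID [PASSWD_FILE]
# Succeeds if some passwd line carries that numeric UID in field 3.
# Without such an entry, getpwuid-style lookups (uv_os_get_passwd) find nothing.
has_passwd_entry() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# dir_usable DIR
# Succeeds if DIR exists and the current user may create entries inside it.
dir_usable() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# preflight UID PASSWD_FILE HOME_DIR
# Prints one finding per line; the return status is the number of problems.
preflight() {
    problems=0
    if ! has_passwd_entry "$1" "$2"; then
        echo "no-passwd-entry uid=$1"
        problems=$((problems + 1))
    fi
    if ! dir_usable "$3"; then
        echo "home-not-writable home=$3"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Live check, only when invoked as: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    preflight "$(id -u)" /etc/passwd "${HOME:-/}"
fi
```

A status of 0 means the injected UID can be resolved and has a writable home; each printed finding corresponds to one of the two errors shown above.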