Devcontainer: use "batman" user instead of root (#29704)

* devcontainer user * cleanup permissions * remove that * remove that since it's not used * clean that up after merge * build base image first * remove the pull * build base image * ensure we can pip install * build base image as batman user * add user uid * add temporary comment about chown instruction
commaai · Sep 25, 2023 · 021effc · 021effc
1 parent 003018f
commit 021effc
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 10 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,8 +1,5 @@
 FROM ghcr.io/commaai/openpilot-base:latest
 
-# remove gitconfig if exists, since its gonna be replaced by host one
-RUN rm -f /root/.gitconfig
-
 RUN apt update && apt install -y vim net-tools usbutils htop ripgrep tmux
 RUN pip install ipython jupyter jupyterlab
 

diff --git a/.devcontainer/container_post_create.sh b/.devcontainer/container_post_create.sh
@@ -12,3 +12,9 @@ if [ -n "\$DISPLAY" ]; then
 fi
 EOF
 fi
+
+# These lines are temporary, to remain backwards compatible with old devcontainers
+# that were running as root and therefore had their caches written as root
+USER=batman
+sudo chown -R $USER: /tmp/scons_cache
+sudo chown -R $USER: /tmp/comma_download_cache
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -14,13 +14,23 @@
   },
   "runArgs": [
     "--volume=/tmp/.X11-unix:/tmp/.X11-unix",
-    "--volume=${localWorkspaceFolder}/.devcontainer/.host/.Xauthority:/root/.Xauthority",
-    "--volume=${localEnv:HOME}/.comma:/root/.comma",
+    "--volume=${localWorkspaceFolder}/.devcontainer/.host/.Xauthority:/home/batman/.Xauthority",
+    "--volume=${localEnv:HOME}/.comma:/home/batman/.comma",
     "--volume=/tmp/comma_download_cache:/tmp/comma_download_cache",
     "--volume=/tmp/devcontainer_scons_cache:/tmp/scons_cache",
     "--shm-size=1G",
     "--add-host=host.docker.internal:host-gateway" // required to use host.docker.internal on linux
   ],
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "installZsh": false,
+      "installOhMyZsh": false,
+      "upgradePackages": false,
+      "username": "batman"
+    }
+  },
+  "containerUser": "root",
+  "remoteUser": "batman",
   "customizations": {
     "vscode": {
       "extensions": [

diff --git a/Dockerfile.openpilot_base b/Dockerfile.openpilot_base
@@ -22,18 +22,24 @@ RUN cd /tmp && \
     rm -rf arm/ && \
     rm -rf thumb/nofp thumb/v6* thumb/v8* thumb/v7+fp thumb/v7-r+fp.sp
 
+ARG USER=batman
+ARG USER_UID=1000
+RUN useradd -m -s /bin/bash -u $USER_UID $USER
+USER $USER
+
 ENV POETRY_VIRTUALENVS_CREATE=false
 ENV PYENV_VERSION=3.11.4
-ENV PYENV_ROOT="/root/.pyenv"
+ENV PYENV_ROOT="/home/$USER/pyenv"
 ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
 
-COPY pyproject.toml poetry.lock .python-version /tmp/
-COPY tools/install_python_dependencies.sh /tmp/tools/
+COPY --chown=$USER pyproject.toml poetry.lock .python-version /tmp/
+COPY --chown=$USER tools/install_python_dependencies.sh /tmp/tools/
 
 RUN cd /tmp && \
     tools/install_python_dependencies.sh && \
     rm -rf /tmp/* && \
-    rm -rf /root/.cache && \
+    rm -rf /home/$USER/.cache && \
     pip uninstall -y poetry
 
-RUN sudo git config --global --add safe.directory /tmp/openpilot
+USER root
+RUN sudo git config --global --add safe.directory /tmp/openpilot