Making Visual Studio Code devcontainer work properly on rootless Podman
In this article I will explain what I did to make devcontainer work with Podman in rootless mode.
Though Visual Studio Code devcontainers are compatible with Podman, the configuration is not so straightforward as with the de-facto Docker container runtime.
Why is that?
Well, Podman has 2 operation modes, rootful and rootless .
The problem lays in how the permissions and ownerships are mapped to the workspace’s user in the container (root vs non-root).
Therefore, configuration that applies to one mode makes not much sense to the other (map to root vs map to non-root).
TLDR
Minimal solution
Add this to ensure that vscode is really mapped in the container by adding this config to devcontainers.json: and forcing podman to map to this user explicitly:
"runArgs": [
"--userns=keep-id:uid=1000,gid=1000"
],
"containerUser": "vscode",
"updateRemoteUserUID": trueOptionally: Add the home folder mapping explicitly
Add this to ensure that vscode ‘s HOME is explicitly set in the container by adding this config to devcontainers.json:
"runArgs": [
"--userns=keep-id:uid=1000,gid=1000"
],
"containerUser": "vscode",
"updateRemoteUserUID": true,
"containerEnv": {
"HOME": "/home/vscode"
}But how does it work?
It’s all about passing the proper arguments to Podman’s runtime. That’s what the Visual Studio Code Helper does in the background to lift the workspace within the container.
How to troubleshoot?
First, make sure that you really use Podman in true rootless mode, that is, make sure that your configuration is so.
If you use podman machine check the settings of your current machine so:
export PODMAN_MACHINE=”your machine here or podman-machine-default”jq -r ‘.Rootful’ $HOME/.config/containers/podman/machine/qemu/$PODMAN_MACHINE.json
falseYou can always create another machine in case you receive true as an answer to the previous command.
Problems and Solutions
devcontainer tries to create the root folder
The first problem that I encountered is that the container will try to use root user to create the workspace for the vscode server:
mkdir: cannot create directory ‘/root’: Permission deniedLet’s tell devcontainers to use the vscode user instead, this way it does not try to create anything under /root:
edit .devcontainer/devcontainer.json and add this key:
"containerUser": "vscode"Ownership of the files and folders in the container’s workspace are set to root
While the previous step probably worked, the permissions are still wrong in the workspace:
ls -lah .devcontainer/devcontainer.json
-rw-r — r — . 1 root nogroup 1.6K Jan 13 14:23 .devcontainer/devcontainer.jsonObviously, this won’t allow us to work within the workspace:
- The git repository in the current folder is potentially unsafe as the folder is owned by someone other than the current user.
- Some projects have trouble loading. Please review the output for more details.
Let’s fix this:
Check for the UID and GID of the user (vscode in our example) within the container:
UID:
id -u
1000GID:
id -g
1000Afterwards map this UID and GID to the container in Podman:
"runArgs": [
"--userns=keep-id:uid=1000,gid=1000"
],
"containerUser": "vscode",(Close Visual Studio Code for sanity, restart the podman machine at this point, specially if you encounter an error with “/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper” crashing)
Afterwards rebuild the dev container image.
Check that the permissions are mapped correctly:
ls -lah .devcontainer/devcontainer.json
-rw-r--r--. 1 vscode nogroup 1.6K Jan 13 14:32 .devcontainer/devcontainer.jsonRejoice!
P.S: Do you have the Docker Extension installed? Configure it too:
https://medium.com/@guillem.riera/use-podman-with-visual-studio-code-docker-extension-f4c00e78c5bf
