
When using podman rootless change socket host path to

Open DevDorrejo opened this issue 1 year ago • 4 comments

Hello,

I am trying to set up a C++ container with Dev Containers as a user, but the run step fails with:

[4750 ms] Start: Run: /usr/bin/podman run -d --mount type=volume,src=cpp,dst=/workspaces -v /var/run/docker.sock:/var/run/docker.sock vsc-volume-bootstrap sleep infinity
[4853 ms] Command failed: /usr/bin/podman run -d --mount type=volume,src=cpp,dst=/workspaces -v /var/run/docker.sock:/var/run/docker.sock vsc-volume-bootstrap sleep infinity
[4853 ms] Error: statfs /var/run/docker.sock: permission denied
[4853 ms] Exit code 125

A solution to this is to add a condition in the run script:

if [ "$(id -u)" -ne 0 ]; then
    # rootless: make sure the user-level podman socket is running, then mount it instead of /var/run/docker.sock
    systemctl --user start podman.socket
    /usr/bin/podman run -d --mount type=volume,src=cpp,dst=/workspaces -v "$XDG_RUNTIME_DIR/podman/podman.sock:/var/run/docker.sock" vsc-volume-bootstrap sleep infinity
fi

It's a straightforward way to solve this issue.

Note:

The Dev Container and Docker extensions in the latest version all removed docker.host or any config related to the container HOST.

DevDorrejo avatar Jun 26 '24 02:06 DevDorrejo

Is there a podman context inspect command? What is the output of that? Maybe we can pick up the socket path from there.

chrmarti avatar Jun 26 '24 09:06 chrmarti

Empty: [screenshot]

but we have this:

[screenshot]

But the podman user socket is enabled by doing: systemctl --user enable --now podman.socket

and then the file will be created in: $XDG_RUNTIME_DIR/podman/podman.sock

Edit:

I created the context:

$ podman context create default --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
$ podman context inspect default
[
    {
        "Name": "default",
        "URI": "unix:///run/user/1000/podman/podman.sock",
        "Default": true,
        "ReadWrite": true
    }
]

DevDorrejo avatar Jun 26 '24 17:06 DevDorrejo

I have:

❯ docker context inspect default                       
[
    {
        "Name": "default",
        "Metadata": {},
        "Endpoints": {
            "docker": {
                "Host": "unix:///var/run/docker.sock",
                "SkipTLSVerify": false
            }
        },
        "TLSMaterial": {},
        "Storage": {
            "MetadataPath": "\u003cIN MEMORY\u003e",
            "TLSPath": "\u003cIN MEMORY\u003e"
        }
    }
]

chrmarti avatar Jun 27 '24 14:06 chrmarti

I am using podman, rootless.

What I ask is if it is possible to add a conditional, when using podman and the id != 0:

if command -v podman >/dev/null 2>&1 && [ "$(id -u)" -ne 0 ]; then
    # rootless podman: mount the user socket
    podman run -d --mount type=volume,src=cpp,dst=/workspaces -v "$XDG_RUNTIME_DIR/podman/podman.sock:/var/run/docker.sock" vsc-volume-bootstrap sleep infinity
else
    # root (or docker): mount the system socket
    podman run -d --mount type=volume,src=cpp,dst=/workspaces -v /var/run/docker.sock:/var/run/docker.sock vsc-volume-bootstrap sleep infinity
fi

DevDorrejo avatar Jun 28 '24 12:06 DevDorrejo

I'm looking for a way to fix this without introducing too much Podman-specifics to simplify code maintenance.

chrmarti avatar Jul 01 '24 08:07 chrmarti

Adding a user setting 'Docker Socket Path'.

chrmarti avatar Jul 01 '24 09:07 chrmarti

This is now available with Dev Containers 0.376.0-pre-release. Please give it a try and let me know how it goes.

chrmarti avatar Jul 03 '24 08:07 chrmarti

Hello, just installed it, but I can't find the option "Docker Socket Path", neither in the JSON nor in the extension pages.

DevDorrejo avatar Jul 03 '24 12:07 DevDorrejo

Make sure you have the pre-release version of Dev Containers, that should give you the following in the user settings:

[screenshot]

chrmarti avatar Jul 04 '24 06:07 chrmarti

It works. (It would be great if it allowed the use of variables [i.e.: $XDG_RUNTIME_DIR].)

But it looks like Dev Containers needs some work to be functional in a rootless environment, which is more secure than being root.

[151099 ms] Start: Run: docker events --format {{json .}} --filter event=start
[151101 ms] Start: Starting container
[151101 ms] Start: Run: docker run --sig-proxy=false -a STDOUT -a STDERR --mount type=volume,src=cpp-2,dst=/workspaces --mount type=volume,src=vscode,dst=/vscode -l vsc.devcontainer.volume.name=cpp-2 -l vsc.devcontainer.volume.folder=cpp-2 -l devcontainer.config_file=/workspaces/cpp-2/.devcontainer/devcontainer.json --cap-add SYS_PTRACE --security-opt seccomp=unconfined --entrypoint /bin/sh vsc-cpp-2-bfdb0fec8644f369e2cc84c2f215b8c4e35822a3d9d6fee202873026706cf9a1 -c echo Container started
Container started
[151609 ms] Start: Run: docker ps -q -a --filter label=vsc.devcontainer.volume.name=cpp-2 --filter label=vsc.devcontainer.volume.folder=cpp-2 --filter label=devcontainer.config_file=/workspaces/cpp-2/.devcontainer/devcontainer.json
[151623 ms] Start: Run: docker inspect --type container c1e0ec87a3ce
[151647 ms] Start: Inspecting container
[151647 ms] Start: Run: docker inspect --type container c1e0ec87a3ce56b9728e14c53116213d761ae7d61805868c42b4f2534ceabfba
[151661 ms] Start: Run in container: /bin/sh
[151664 ms] Start: Run in container: uname -m
[151768 ms] x86_64
[151768 ms] 
[151768 ms] Start: Run in container: (cat /etc/os-release || cat /usr/lib/os-release) 2>/dev/null
[151769 ms] PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
[151769 ms] 
[151769 ms] Start: Run in container:  (command -v getent >/dev/null 2>&1 && getent passwd 'vscode' || grep -E '^vscode|^[^:]*:[^:]*:vscode:' /etc/passwd || true)
[151771 ms] Start: Run in container: test -f '/var/devcontainer/.patchEtcEnvironmentMarker'
[151771 ms] 
[151771 ms] 
[151771 ms] Exit code 1
[151772 ms] Start: Run in container: /bin/sh
[151773 ms] Start: Run in container: test ! -f '/var/devcontainer/.patchEtcEnvironmentMarker' && set -o noclobber && mkdir -p '/var/devcontainer' && { > '/var/devcontainer/.patchEtcEnvironmentMarker' ; } 2> /dev/null
[151897 ms] 
[151898 ms] 
[151898 ms] Start: Run in container: cat >> /etc/environment <<'etcEnvrionmentEOF'
[151898 ms] 
[151898 ms] 
[151899 ms] Start: Run in container: test -f '/var/devcontainer/.patchEtcProfileMarker'
[151899 ms] 
[151899 ms] 
[151899 ms] Exit code 1
[151899 ms] Start: Run in container: test ! -f '/var/devcontainer/.patchEtcProfileMarker' && set -o noclobber && mkdir -p '/var/devcontainer' && { > '/var/devcontainer/.patchEtcProfileMarker' ; } 2> /dev/null
[151900 ms] 
[151900 ms] 
[151900 ms] Start: Run in container: sed -i -E 's/((^|\s)PATH=)([^\$]*)$/\1${PATH:-\3}/g' /etc/profile || true
[151901 ms] 
[151901 ms] 
[152053 ms] Start: Run: /usr/bin/podman inspect --type container c1e0ec87a3ce56b9728e14c53116213d761ae7d61805868c42b4f2534ceabfba
[152075 ms] Start: Run: /usr/bin/podman exec -i -u root c1e0ec87a3ce56b9728e14c53116213d761ae7d61805868c42b4f2534ceabfba /bin/sh -c echo "New container started. Keep-alive process started." ; export VSCODE_REMOTE_CONTAINERS_SESSION=9ca29caa-0035-4ad5-971d-5022c77f17b51720116930383 ; /bin/sh
[152075 ms] Start: Inspecting container
[152075 ms] Start: Run: /usr/bin/podman inspect --type container c1e0ec87a3ce56b9728e14c53116213d761ae7d61805868c42b4f2534ceabfba
[152100 ms] Start: Run in container: /bin/sh
[152103 ms] Start: Run in container: uname -m
[152150 ms] New container started. Keep-alive process started.
[152232 ms] x86_64
[152232 ms] 
[152232 ms] Start: Run in container: (cat /etc/os-release || cat /usr/lib/os-release) 2>/dev/null
[152233 ms] PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
[152233 ms] 
[152233 ms] Start: Run in container:  (command -v getent >/dev/null 2>&1 && getent passwd 'vscode' || grep -E '^vscode|^[^:]*:[^:]*:vscode:' /etc/passwd || true)
[152234 ms] Start: Run in container: /bin/sh
[152237 ms] Start: Run in container: stat -c %u /workspaces/cpp-2
[152331 ms] 0
[152331 ms] 
[152331 ms] Start: Run in container: chown vscode:1000 /workspaces
[152332 ms] 
[152332 ms] 
[152332 ms] Start: Run in container: chown -R vscode:1000 /workspaces/cpp-2
[152333 ms] 
[152333 ms] 
[152334 ms] Start: Updating configuration state
[152561 ms] Start: Setup shutdown monitor
[152562 ms] Forking shutdown monitor: /home/IND/wdorrejo/.vscode/extensions/ms-vscode-remote.remote-containers-0.376.0/dist/shutdown/shutdownMonitorProcess /run/user/23009/vscode-remote-containers-281ba6f5-8a2b-4b5b-9e4d-587a622ade92.sock singleContainer Debug /home/IND/wdorrejo/.config/Code/logs/20240704T113137/window2/exthost/ms-vscode-remote.remote-containers 1720116930747
[152567 ms] Start: Run in container: test -d '/root/.vscode-server'
[152568 ms] 
[152568 ms] 
[152568 ms] Exit code 1
[152568 ms] Start: Run in container: test -d '/root/.vscode-remote'
[152568 ms] 
[152568 ms] 
[152568 ms] Exit code 1
[152569 ms] Start: Run in container: test ! -f '/root/.vscode-server/data/Machine/.writeMachineSettingsMarker' && set -o noclobber && mkdir -p '/root/.vscode-server/data/Machine' && { > '/root/.vscode-server/data/Machine/.writeMachineSettingsMarker' ; } 2> /dev/null
[152570 ms] 
[152570 ms] mkdir: cannot create directory '/root': Permission denied
[152570 ms] Exit code 1
[152570 ms] Start: Run in container: cat /root/.vscode-server/data/Machine/settings.json
[152571 ms] 
[152571 ms] cat: /root/.vscode-server/data/Machine/settings.json: Permission denied
[152571 ms] Exit code 1
[152571 ms] Start: Run in container: test -d '/root/.vscode-server/bin/ea1445cc7016315d0f5728f8e8b12a45dc0a7286'
[152572 ms] 
[152572 ms] 
[152572 ms] Exit code 1
[152572 ms] Start: Run in container: test -d '/vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286'
[152572 ms] 
[152572 ms] 
[152572 ms] Exit code 1
[152572 ms] Installing VS Code Server for commit ea1445cc7016315d0f5728f8e8b12a45dc0a7286
[152572 ms] Start: Downloading VS Code Server
[152573 ms] ea1445cc7016315d0f5728f8e8b12a45dc0a7286 linux-x64 stable
[178692 ms] Start: Installing VS Code Server
[178692 ms] Start: Run in container: mkdir -p /vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286_1720117109439
[178693 ms] 
[178694 ms] 
[178711 ms] Start: Run in container: (dd iflag=fullblock bs=8192 count=7047; dd iflag=fullblock bs=494 count=1) | tar --no-same-owner -xz -C /vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286_1720117109439
[179502 ms] 7047+0 records in
7047+0 records out
57729024 bytes (58 MB, 55 MiB) copied, 0.777703 s, 74.2 MB/s
1+0 records in
1+0 records out
494 bytes copied, 1.4548e-05 s, 34.0 MB/s
[179502 ms] 
[179502 ms] Start: Run in container: mv -n /vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286_1720117109439/* /vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286 && rmdir /vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286_1720117109439
[179504 ms] 
[179504 ms] 
[179504 ms] Start: Run in container: mkdir -p '/root/.vscode-server/bin' && ln -snf '/vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286' '/root/.vscode-server/bin/ea1445cc7016315d0f5728f8e8b12a45dc0a7286'
[179505 ms] 
[179505 ms] mkdir: cannot create directory '/root': Permission denied
[179505 ms] Exit code 1
[179505 ms] Start: Run: /usr/bin/podman rm -f f8fd3e138e2becfeb58c956090ddc2a55d1aa2d946ff57d0986b351018dd066e
[179509 ms] Command in container failed: mkdir -p '/root/.vscode-server/bin' && ln -snf '/vscode/vscode-server/bin/linux-x64/ea1445cc7016315d0f5728f8e8b12a45dc0a7286' '/root/.vscode-server/bin/ea1445cc7016315d0f5728f8e8b12a45dc0a7286'
[179509 ms] mkdir: cannot create directory '/root': Permission denied
[179509 ms] Exit code 1

DevDorrejo avatar Jul 04 '24 18:07 DevDorrejo

This is likely because Podman sets HOME to /root and Dev Containers picks it up. Try adding "remoteUser": "root" to your devcontainer.json.

chrmarti avatar Jul 05 '24 07:07 chrmarti

Working!!!!!!!!!!!, nice thank you very much.

[screenshot]

Can the following be added to the documentation?

For rootless with podman, the user needs to do the following steps:

  1. Enable the podman socket: systemctl --user enable --now podman.socket

  2. In VS Code, make the following change:

    1. Go to the Dev Container extension settings
    2. Search for "Docker Socket Path"
    3. Put: `/run/user/$(id -u)/podman/podman.socket`
      • Or, if variable expansion is enabled in the plugin: `$XDG_RUNTIME_DIR/podman/podman.socket`
    4. This will allow "Dev Container" to set up the container, but we still need to set up the remote user.
      1. In the workspace:
        1. Press F1 or ctrl + shift + p.
        2. Search for Dev Containers: Add Dev Container Configuration Files.
        3. In the folder .devcontainer, search for the file devcontainer.json
        4. Uncomment the line "remoteUser": "root" and add a comma (,) in line 7 after the }

With those steps you will be ready to go.

DevDorrejo avatar Jul 05 '24 15:07 DevDorrejo
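A small POSIX shell helper, added here as an example (not the extension's code nor any commenter's), that implements the socket selection the steps above and the earlier conditional describe: the user socket under $XDG_RUNTIME_DIR for a rootless uid, /var/run/docker.sock for root, plus a usability check before the bootstrap podman run. Function names are my own.

```shell
#!/bin/sh
# Added example: choose the engine socket the Dev Containers bootstrap step
# should mount. Rootless podman (uid != 0) listens on
# $XDG_RUNTIME_DIR/podman/podman.sock; root uses /var/run/docker.sock.

# resolve_container_socket [uid] [runtime_dir] -> prints the socket path.
# Both arguments are optional and default to the current user's values.
resolve_container_socket() {
    uid="${1:-$(id -u)}"
    runtime_dir="${2:-${XDG_RUNTIME_DIR:-/run/user/$uid}}"
    if [ "$uid" -ne 0 ]; then
        printf '%s\n' "$runtime_dir/podman/podman.sock"
    else
        printf '%s\n' /var/run/docker.sock
    fi
}

# check_socket path -> 0 usable, 1 missing or not a socket, 2 not writable.
# Mounting the root-owned /var/run/docker.sock as a normal user is what gave
# the "statfs ...: permission denied" in the report above; a user socket that
# was never enabled shows up here as missing.
check_socket() {
    sock="$1"
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock; run: systemctl --user enable --now podman.socket" >&2
        return 1
    fi
    if [ ! -w "$sock" ]; then
        echo "socket $sock exists but is not writable by uid $(id -u)" >&2
        return 2
    fi
    return 0
}

# socket_mount_arg path -> the -v value mapping the host socket onto the
# /var/run/docker.sock path the bootstrap container expects.
socket_mount_arg() {
    printf '%s\n' "$1:/var/run/docker.sock"
}

# Usage (uncomment to run the bootstrap container as in the log above):
# sock=$(resolve_container_socket) && check_socket "$sock" &&
#   /usr/bin/podman run -d --mount type=volume,src=cpp,dst=/workspaces \
#       -v "$(socket_mount_arg "$sock")" vsc-volume-bootstrap sleep infinity
```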

Great, thanks for the feedback! The socket path should only be needed when using F1 > Dev Containers: New Dev Container... or Dev Containers: Clone Repository in Container Volume..., but not when the devcontainer.json is in a local folder. Is that correct?

chrmarti avatar Jul 08 '24 14:07 chrmarti

I would recommend it each time a new container needs to be created.

DevDorrejo avatar Jul 09 '24 14:07 DevDorrejo

verified by @DevDorrejo

eleanorjboyd avatar Jul 24 '24 15:07 eleanorjboyd