Permission issues with podman
What happened?
Errors while trying to access the contents of the devpod container created with podman (see the screenshot).
What did you expect to happen instead?
Normally working environment.
How can we reproduce the bug? (as minimally and precisely as possible)
My devcontainer.json:
No such file since the access to the workspace folder is missing.
Local Environment:
- DevPod Version: v0.7.0-alpha.30
- Operating System: Linux
- ARCH of the OS: AMD64
DevPod Provider:
Custom provider: edited built-in docker provider (see the screenshot).
Anything else we need to know?
DevPod installed using Flathub flatpak. I also tested workspace creation using docker. No permission issues present in this case.
Found the workaround tip on the official site.
```jsonc
{
  // some fields
  "workspaceMount": "",
  "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
  "runArgs": [
    // other args
    "--volume=${localWorkspaceFolder}:/workspaces/${localWorkspaceFolderBasename}:Z"
  ]
}
```
This workaround kinda works, however it both renames the current project file directory to content and adds another folder by the name '${localWorkspaceFolderBasename}' to the workspaces directory with the same project contents in it (see screenshot below).
Seems like the issue hasn't been properly addressed as of yet.
There are three workarounds at the moment, none of which is a good solution in my opinion:
- set SELinux as permissive (no option for me);
- append :Z in .devcontainer.json as described on the official site (not acceptable since the repos are used by other devs);
- configure Podman to switch off labeling entirely by adding the "label = false" option to the [containers] section either in /etc/containers/containers.conf or $HOME/.config/containers/containers.conf (not a very bright idea since it affects all the other containers).
Ended up temporarily using the third option while waiting for the proper solution.
Turns out the resolution announced by @bkneis in #1476 never happened as the issue has been closed.
This issue is stale because it has been open for 60 days with no activity.
Manually editing the devcontainer.json file is impossible when using a quickstart template in the UI, so this issue definitely needs a real solution.
It seems to me like these security labels are quite easy to infer when the devpod website presents such a broadly applicable manual fix, so they should be automatically added when the Podman / SELinux combination is detected. A manual checkbox / CLI option would also suffice if automatic detection isn't possible.
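What the automatic handling proposed in the comment above could look like, as an added example (not DevPod's code and not written by anyone in this thread): append `:Z` only for Podman on an enforcing host, and refuse directories where a recursive relabel would harm the host. The function names and the list of refused paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not DevPod code. All function names are hypothetical.

# Print "enforcing", "permissive" or "disabled". The optional argument is the
# selinuxfs mount point (defaults to the standard /sys/fs/selinux).
selinux_mode() {
    fs="${1:-/sys/fs/selinux}"
    if [ ! -r "$fs/enforce" ]; then
        echo disabled
    elif [ "$(cat "$fs/enforce")" = "1" ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# :Z rewrites the label of everything below the source directory, so refuse
# broad host paths. This deny-list is an assumption; extend it as needed.
safe_to_relabel() {
    case "${1%/}" in
        ""|/home|/usr|/etc|/var|/root|"${HOME%/}") return 1 ;;
        /*) return 0 ;;
        *)  return 1 ;;   # relative paths are refused
    esac
}

# label_mount RUNTIME MODE SRC DST [OPTS]
# Prints the value for --volume; returns 1 if relabeling SRC is refused.
label_mount() {
    runtime=$1 mode=$2 src=$3 dst=$4 opts=${5:-}
    if [ "$runtime" = podman ] && [ "$mode" = enforcing ]; then
        case ",$opts," in
            *,z,*|*,Z,*) ;;   # a label option is already present
            *)
                if ! safe_to_relabel "$src"; then
                    echo "refusing to relabel $src" >&2
                    return 1
                fi
                opts="${opts:+$opts,}Z" ;;
        esac
    fi
    echo "$src:$dst${opts:+:$opts}"
}

# Usage: label_mount podman "$(selinux_mode)" "$PWD" "/workspaces/${PWD##*/}"
```

Unlike `label = false` in containers.conf, this keeps SELinux separation for every other container and changes only the one workspace mount.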