@ljluestc
Problem

Bind mounts on Kubernetes providers were consistently owned by root, whereas on Docker providers they are owned by the remoteUser. This inconsistency caused permission issues when accessing mounted files within the devcontainer on Kubernetes.

Symptoms

  • Files mounted via mounts in devcontainer.json are owned by root:root inside the container.
  • ls -la <mounted-dir> shows root ownership.
  • Users cannot write to mounted directories if the container runs as a non-root user (e.g., ubuntu or vscode).

Root Cause

The Kubernetes provider (unlike Docker) does not automatically map UID/GID for bind mounts. The setup phase of the container initialization was missing a step to explicitly chown these mounted directories to the configured remoteUser.

Solution

Explicitly change the ownership of all bind mount targets to the remoteUser during the container setup phase.

Key Changes

  1. Added ChownMounts function in pkg/devcontainer/setup/setup.go:

    • Iterates over all configured mounts.
    • Filters for type=bind.
    • Skips the main workspace folder (as it's handled separately).
    • Executes chown on the target directory to match the remoteUser.
    • Uses a marker file (chownMounts.marker) to ensure this only runs once per container initialization.
  2. Updated SetupContainer in pkg/devcontainer/setup/setup.go:

    • Calls ChownMounts after workspace initialization and before environment patching.
  3. Refactored Marker Logic:

    • Introduced MarkerBaseDir to allow safer testing by redirecting marker file creation to temporary directories during tests.
  4. Added Unit Test:

    • Created pkg/devcontainer/setup/setup_test.go to verify the logic of ChownMounts, ensuring it correctly identifies mounts and attempts ownership changes.

Files Changed

  • pkg/devcontainer/setup/setup.go: Implementation of ChownMounts and integration into the setup flow.
  • pkg/devcontainer/setup/setup_test.go: New test file for verification.
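
An added sketch of the mount-ownership pass this description outlines (not the PR's code; `Mount`, `chownBindMounts` and the recursive walk are assumptions made here). It uses `os.Lchown` so a symlink inside a mount cannot redirect the ownership change, and it writes the marker only after every mount succeeded.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Mount is a hypothetical, simplified stand-in for a devcontainer.json mount entry.
type Mount struct{ Type, Target string }

// chownBindMounts hands every bind-mount target except the workspace folder
// to uid:gid, once per markerDir, and returns the targets it changed.
func chownBindMounts(mounts []Mount, workspace, markerDir string, uid, gid int) ([]string, error) {
	marker := filepath.Join(markerDir, "chownMounts.marker")
	if _, err := os.Stat(marker); err == nil {
		return nil, nil // already ran for this container
	}
	var changed []string
	for _, m := range mounts {
		if m.Type != "bind" || filepath.Clean(m.Target) == filepath.Clean(workspace) {
			continue // volumes, tmpfs and the workspace are out of scope
		}
		// WalkDir does not descend through symlinks, and Lchown changes the
		// link itself, so files outside the mount are never touched.
		err := filepath.WalkDir(m.Target, func(p string, _ os.DirEntry, err error) error {
			if err != nil {
				return err
			}
			return os.Lchown(p, uid, gid)
		})
		if err != nil {
			return changed, fmt.Errorf("chown %s: %w", m.Target, err)
		}
		changed = append(changed, m.Target)
	}
	// Marker is written last, so a failed run is retried on the next setup.
	return changed, os.WriteFile(marker, nil, 0o644)
}

func main() {
	mnt, _ := os.MkdirTemp("", "mount")   // constructed sample mount target
	state, _ := os.MkdirTemp("", "state") // stands in for the marker directory
	defer os.RemoveAll(mnt)
	defer os.RemoveAll(state)
	mounts := []Mount{{"bind", mnt}, {"volume", "/constructed/volume"}}
	fmt.Println(chownBindMounts(mounts, "/workspaces/app", state, os.Getuid(), os.Getgid()))
}
```
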
