Feature: Support docker-from-docker for dev containers with non-root user

Proposal

This broadly follows the idea above and makes the steps a bit more explicit. It also adds some checks to error and fail in the conditions from the notes. My hope is that the error conditions will be fairly unlikely to be encountered and that this approach will be successful. Checking for these cases and erroring seems like a safe approach and can be revisited to look at alternative options if it ends up blocking usage.

Align user UID/GID

• check /etc/passwd on the host to get the host user’s UID/GID
• check /etc/passwd in the container to get the container user’s UID/GID
• if the UID and GID match then no further action needed
• check /etc/passwd in the container to see if the host user’s UID exists. If it does then error as there is a different user with that ID
• check /etc/group in the container to see if the host user’s GID exists. If it does then error as there is a different group with that ID
• If the UID didn’t match then update /etc/passwd in the container to use the new UID
• If the GID didn’t match then update /etc/passwd and /etc/group in the container to use the new GID

Align docker group ID

• check /etc/group on the host to get the docker group ID on the host
• check /etc/group in the container to get the docker group ID in the container
• if the group IDs match then no further action needed
• check /etc/group in the container to see if the host group ID exists. If it does then error as there is a different group with that ID
• if docker group doesn’t exist in the container then create with the host group ID
• if the docker group does exist in the container then update it to have the host group ID

This can be extended to check the owning group for the docker socket rather than assuming that it is docker by running stat -c '%G' /var/run/docker.sock

I think this would also make it possible to remove the chown ‘workaround’ here which would be a nice benefit 😃