From 9effda6c2edea9268f0c9e0128e6def197bd4e22 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 06:36:50 +0000 Subject: [PATCH 1/7] Initial plan From efdf2b86a1ff8d3402d290a5a3fa61c2eeff995b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 06:44:02 +0000 Subject: [PATCH 2/7] Add non-root 'code' user to both C++ and Rust devcontainers Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .devcontainer/cpp/Dockerfile | 22 ++++++++++++++++++++++ .devcontainer/cpp/devcontainer.json | 1 + .devcontainer/rust/Dockerfile | 12 ++++++++++++ .devcontainer/rust/devcontainer.json | 1 + 4 files changed, 36 insertions(+) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index 310924fe..22ed0db5 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile @@ -116,6 +116,12 @@ RUN --mount=type=cache,target=/var/log,sharing=locked \ && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 \ && cp /etc/skel/.bashrc /root/.bashrc +# Create the 'code' user +RUN groupadd --gid 1000 code \ + && useradd --uid 1000 --gid code --shell /bin/bash --create-home code \ + && cp /etc/skel/.bashrc /home/code/.bashrc \ + && chown -R code:code /home/code + # Set up package managers CPM and Conan # - Install CPM.cmake to the CMake module path # - Configure a default profile for Conan and set the CMake generator to Ninja 
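Review bot: In the new "Create the 'code' user" RUN of .devcontainer/cpp/Dockerfile, the `cp /etc/skel/.bashrc /home/code/.bashrc` and `chown -R code:code /home/code` steps are redundant. `useradd --create-home` already populates the home directory from /etc/skel and makes the new user its owner. The RUN can shrink to `groupadd --gid 1000 code && useradd --uid 1000 --gid code --shell /bin/bash --create-home code`. The same four-line block is added in the .devcontainer/rust/Dockerfile hunk (`@@ -67,3 +67,15 @@`) of this commit and can be trimmed the same way.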
@@ -123,3 +129,19 @@ RUN --mount=type=cache,target=/cache,sharing=locked \ wget --no-hsts -qP /usr/local/lib/python*/dist-packages/cmake/data/share/cmake-*/Modules/ https://github.com/cpm-cmake/CPM.cmake/releases/download/v${CPM_VERSION}/CPM.cmake \ && conan profile detect \ && echo -e "\n[conf]\ntools.cmake.cmaketoolchain:generator=Ninja" >> "$(conan profile path default)" + +# Create cache directories with appropriate permissions for the code user +RUN mkdir -p /cache/.ccache /cache/.cpm /cache/.python \ + && chown -R code:code /cache \ + && chmod -R 755 /cache + +# Set up conan for the code user +USER code +RUN conan profile detect \ + && echo -e "\n[conf]\ntools.cmake.cmaketoolchain:generator=Ninja" >> "$(conan profile path default)" + +# Switch back to root temporarily for any remaining setup +USER root + +# Set the default user +USER code diff --git a/.devcontainer/cpp/devcontainer.json b/.devcontainer/cpp/devcontainer.json index 18a9566d..0db09c34 100644 --- a/.devcontainer/cpp/devcontainer.json +++ b/.devcontainer/cpp/devcontainer.json @@ -3,6 +3,7 @@ "dockerfile": "Dockerfile", "context": "../.." }, + "remoteUser": "code", "forwardPorts": [ 6080 ], diff --git a/.devcontainer/rust/Dockerfile b/.devcontainer/rust/Dockerfile index f32b48da..33652360 100644 --- a/.devcontainer/rust/Dockerfile +++ b/.devcontainer/rust/Dockerfile 
@@ -67,3 +67,15 @@ RUN --mount=type=cache,target=/var/log,sharing=locked \ # Install additional rust tools RUN wget -qO - "https://github.com/cargo-bins/cargo-binstall/releases/download/v${CARGO_BINSTALL_VERSION}/cargo-binstall-$(uname -m)-unknown-linux-gnu.tgz" | tar xz -C "/usr/bin" \ && cargo-binstall -y --locked cargo-binutils@0.3.6 cargo-mutants@25.3.1 flip-link@0.1.10 probe-rs-tools@0.29.1 + +# Create the 'code' user +RUN groupadd --gid 1000 code \ + && useradd --uid 1000 --gid code --shell /bin/bash --create-home code \ + && cp /etc/skel/.bashrc /home/code/.bashrc \ + && chown -R code:code /home/code + +# Ensure the code user has access to cargo and rustup +RUN chmod -R a+rX /usr/local/cargo /usr/local/rustup + +# Set the default user +USER code diff --git a/.devcontainer/rust/devcontainer.json b/.devcontainer/rust/devcontainer.json index 7b75e8ec..fa626704 100644 --- a/.devcontainer/rust/devcontainer.json +++ b/.devcontainer/rust/devcontainer.json @@ -3,6 +3,7 @@ "dockerfile": "Dockerfile", "context": "../.." }, + "remoteUser": "code", "privileged": true, "remoteEnv": { "CONTAINER_FLAVOR": "rust" From 472f76b18ee3eead7be15ee10b9b5243ebeb37b2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 06:49:52 +0000 Subject: [PATCH 3/7] Fix Rust Dockerfile user permissions and improve security Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .devcontainer/cpp/Dockerfile | 11 ++++------- .devcontainer/rust/Dockerfile | 3 ++- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index 22ed0db5..ba15e5a0 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile 
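Review bot: In .devcontainer/rust/devcontainer.json, `"remoteUser": "code"` is added directly above `"privileged": true`, so the container keeps the full capability set and device access; the non-root default limits accidental damage but is not a confinement boundary while that flag stays. If privileged mode is only needed for hardware access (the probe-rs tooling installed in the Dockerfile suggests debug probes, but that is an inference), consider narrowing it with `capAdd` or specific device mappings in `runArgs`. Otherwise record the reason next to the flag, for example `// privileged is required for <reason>; remoteUser alone does not reduce container privileges`.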
@@ -130,18 +130,15 @@ RUN --mount=type=cache,target=/cache,sharing=locked \ && conan profile detect \ && echo -e "\n[conf]\ntools.cmake.cmaketoolchain:generator=Ninja" >> "$(conan profile path default)" -# Create cache directories with appropriate permissions for the code user -RUN mkdir -p /cache/.ccache /cache/.cpm /cache/.python \ - && chown -R code:code /cache \ - && chmod -R 755 /cache +# Create cache directories and conan directory with appropriate permissions for the code user +RUN mkdir -p /cache/.ccache /cache/.cpm /cache/.python /opt/conan \ + && chown -R code:code /cache /opt/conan \ + && chmod -R 755 /cache /opt/conan # Set up conan for the code user USER code RUN conan profile detect \ && echo -e "\n[conf]\ntools.cmake.cmaketoolchain:generator=Ninja" >> "$(conan profile path default)" -# Switch back to root temporarily for any remaining setup -USER root - # Set the default user USER code diff --git a/.devcontainer/rust/Dockerfile b/.devcontainer/rust/Dockerfile index 33652360..f3ead8ce 100644 --- a/.devcontainer/rust/Dockerfile +++ b/.devcontainer/rust/Dockerfile @@ -75,7 +75,8 @@ RUN groupadd --gid 1000 code \ && chown -R code:code /home/code # Ensure the code user has access to cargo and rustup -RUN chmod -R a+rX /usr/local/cargo /usr/local/rustup +RUN chmod -R a+rX /usr/local/cargo /usr/local/rustup \ + && chown -R code:code /usr/local/cargo /usr/local/rustup # Set the default user USER code From 9fa27eb015d742d3d4a7dc880ea25fab1027f8c2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 07:07:13 +0000 Subject: [PATCH 4/7] docs: add conventional commit guidelines to copilot instructions Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .github/copilot-instructions.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index b2614955..98f8e159 100644 
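Review bot: `/opt/conan` is created, chowned and chmod-ed in this .devcontainer/cpp/Dockerfile hunk, but no visible line makes Conan use it. The `conan profile detect` that follows as `code` writes to Conan's default home under the user's home directory. Unless `CONAN_HOME` is set elsewhere in the file (not visible here), either add `ENV CONAN_HOME=/opt/conan` before the `USER code` step or drop `/opt/conan` from the `mkdir`/`chown`/`chmod` lines. The trailing `# Set the default user` / `USER code` pair is now a no-op, because `USER code` is already in effect from the Conan step.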
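Review bot: `chown -R code:code /usr/local/cargo /usr/local/rustup` in .devcontainer/rust/Dockerfile hands the whole toolchain to the unprivileged user, which cuts against the "improve security" in the subject: any process running as `code` can now replace `cargo`, `rustc` and the installed cargo tools. If write access is only needed for downloaded crates and build output, keep the directories root-owned and make only those subtrees writable (which paths those are depends on the CARGO_HOME layout, not visible here). If full ownership is intended so that `rustup` and `cargo install` work without root, say so in the comment, e.g. `# code owns the toolchain so rustup/cargo install work without root`. The recursive chown also rewrites every toolchain file into a new layer and makes the preceding `chmod -R a+rX` largely redundant.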
--- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md @@ -24,3 +24,30 @@ The folder structure of amp-devcontainer is described below, adhere to the exist - `/.devcontainer/[flavor]-test`: Contains a devcontainer.json file for testing the container flavor. - `/.github`: Contains the GitHub workflows for CI/CD, linter configuration, issue templates and re-usable actions. - `/test/[flavor]`: Contains [Bats](https://bats-core.readthedocs.io/en/stable/) integration- and Playwright verification tests for the containers. + +## Conventional Commits + +This repository uses [conventional commit](https://www.conventionalcommits.org/) style for pull request titles and commit messages. Always follow this format: + +``` +[optional scope]: + +[optional body] + +[optional footer(s)] +``` + +Common types used in this repository: +- `feat:` for new features +- `fix:` for bug fixes +- `chore:` for maintenance tasks, dependency updates, etc. +- `docs:` for documentation changes +- `ci:` for CI/CD related changes + +Examples: +- `feat: add non-root user support to devcontainers` +- `fix: resolve permission issues in rust container` +- `chore(deps): update ubuntu base image to latest` +- `docs: update README with security best practices` + +Always use conventional commit style for pull request titles. From 7afd26130ebc23852d4f6c9bfb86bd6e5d81f924 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 07:34:04 +0000 Subject: [PATCH 5/7] fix: remove default ubuntu user before creating code user Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .devcontainer/cpp/Dockerfile | 5 ++++- .devcontainer/rust/Dockerfile | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index ba15e5a0..b6e4a82b 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile 
@@ -117,7 +117,10 @@ RUN --mount=type=cache,target=/var/log,sharing=locked \ && cp /etc/skel/.bashrc /root/.bashrc # Create the 'code' user -RUN groupadd --gid 1000 code \ +# First remove the existing ubuntu user and group that use UID/GID 1000 +RUN userdel -r ubuntu 2>/dev/null || true \ + && groupdel ubuntu 2>/dev/null || true \ + && groupadd --gid 1000 code \ && useradd --uid 1000 --gid code --shell /bin/bash --create-home code \ && cp /etc/skel/.bashrc /home/code/.bashrc \ && chown -R code:code /home/code diff --git a/.devcontainer/rust/Dockerfile b/.devcontainer/rust/Dockerfile index f3ead8ce..8c66b52a 100644 --- a/.devcontainer/rust/Dockerfile +++ b/.devcontainer/rust/Dockerfile @@ -69,7 +69,10 @@ RUN wget -qO - "https://github.com/cargo-bins/cargo-binstall/releases/download/v && cargo-binstall -y --locked cargo-binutils@0.3.6 cargo-mutants@25.3.1 flip-link@0.1.10 probe-rs-tools@0.29.1 # Create the 'code' user -RUN groupadd --gid 1000 code \ +# First remove the existing ubuntu user and group that use UID/GID 1000 +RUN userdel -r ubuntu 2>/dev/null || true \ + && groupdel ubuntu 2>/dev/null || true \ + && groupadd --gid 1000 code \ && useradd --uid 1000 --gid code --shell /bin/bash --create-home code \ && cp /etc/skel/.bashrc /home/code/.bashrc \ && chown -R code:code /home/code From ce4eaa02de0cb60c479e3acf1120eedaec7e3d37 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 20 Oct 2025 21:27:26 +0200 Subject: [PATCH 6/7] chore: rename user instead of delete and create --- .devcontainer/cpp/Dockerfile | 29 +++++------------------------ 1 file changed, 5 insertions(+), 24 deletions(-) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index 3245659c..d7396884 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile 
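Review bot: `userdel -r ubuntu 2>/dev/null || true` and `groupdel ubuntu 2>/dev/null || true` discard every failure, not only "account does not exist". A real removal error, or a base image where UID/GID 1000 belongs to a differently named account, then surfaces only as an unexplained `groupadd`/`useradd` failure further down the chain. Test for the account and let a failed removal stop the build: `if id -u ubuntu >/dev/null 2>&1; then userdel -r ubuntu; fi \` followed by `&& if getent group ubuntu >/dev/null; then groupdel ubuntu; fi \`. The identical lines are added in the .devcontainer/rust/Dockerfile hunk of this commit and need the same change.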
@@ -102,7 +102,7 @@ RUN --mount=type=cache,target=/cache,sharing=locked \ && apt-get clean # Update all tool alternatives to the correct version -# and patch root's bashrc to include bash-completion +# and rename the default 'ubuntu' user to 'code' RUN --mount=type=cache,target=/var/log,sharing=locked \ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-14 10 \ --slave /usr/bin/g++ g++ /usr/bin/g++-14 \ 
@@ -114,34 +114,15 @@ RUN --mount=type=cache,target=/var/log,sharing=locked \ --slave /usr/bin/mull-reporter mull-reporter /usr/bin/mull-reporter-${CLANG_VERSION} \ --slave /usr/lib/mull-ir-frontend mull-ir-frontend /usr/lib/mull-ir-frontend-${CLANG_VERSION} \ && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 \ - && cp /etc/skel/.bashrc /root/.bashrc + && usermod -m -d /home/code -l code ubuntu \ + && groupmod -n code ubuntu -# Create the 'code' user -# First remove the existing ubuntu user and group that use UID/GID 1000 -RUN userdel -r ubuntu 2>/dev/null || true \ - && groupdel ubuntu 2>/dev/null || true \ - && groupadd --gid 1000 code \ - && useradd --uid 1000 --gid code --shell /bin/bash --create-home code \ - && cp /etc/skel/.bashrc /home/code/.bashrc \ - && chown -R code:code /home/code +USER code # Set up package managers CPM and Conan # - Install CPM.cmake to the CMake module path # - Configure a default profile for Conan and set the CMake generator to Ninja RUN --mount=type=cache,target=/cache,sharing=locked \ - wget --no-hsts -qP /usr/local/lib/python*/dist-packages/cmake/data/share/cmake-*/Modules/ https://github.com/cpm-cmake/CPM.cmake/releases/download/v${CPM_VERSION}/CPM.cmake \ + wget --no-hsts -qP /usr/local/lib/python*/dist-packages/cmake/data/share/cmake-*/Modules/ https://github.com/cpm-cmake/CPM.cmake/releases/download/v${CPM_VERSION}/CPM.cmake && conan profile detect \ && echo -e "\n[conf]\ntools.cmake.cmaketoolchain:generator=Ninja" >> "$(conan profile path default)" - -# Create cache directories and conan directory with appropriate permissions for the code user -RUN mkdir -p /cache/.ccache /cache/.cpm /cache/.python /opt/conan \ - && chown -R code:code /cache /opt/conan \ - && chmod -R 755 /cache /opt/conan - -# Set up conan for the code user -USER code -RUN conan profile detect \ - && echo -e "\n[conf]\ntools.cmake.cmaketoolchain:generator=Ninja" >> "$(conan profile path default)" - -# Set the default user -USER 
code From ce63becf5a8e85e4dc4c12f93682e98379212e94 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 20 Oct 2025 21:30:32 +0200 Subject: [PATCH 7/7] chore: fix continuation --- .devcontainer/cpp/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index d7396884..bcbb71d6 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile @@ -123,6 +123,6 @@ USER code # - Install CPM.cmake to the CMake module path # - Configure a default profile for Conan and set the CMake generator to Ninja RUN --mount=type=cache,target=/cache,sharing=locked \ - wget --no-hsts -qP /usr/local/lib/python*/dist-packages/cmake/data/share/cmake-*/Modules/ https://github.com/cpm-cmake/CPM.cmake/releases/download/v${CPM_VERSION}/CPM.cmake + wget --no-hsts -qP /usr/local/lib/python*/dist-packages/cmake/data/share/cmake-*/Modules/ https://github.com/cpm-cmake/CPM.cmake/releases/download/v${CPM_VERSION}/CPM.cmake \ && conan profile detect \ && echo -e "\n[conf]\ntools.cmake.cmaketoolchain:generator=Ninja" >> "$(conan profile path default)"
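Review bot: In the `@@ -114,34 +114,15 @@` hunk of .devcontainer/cpp/Dockerfile, `USER code` now precedes the CPM/Conan RUN, so the `wget -qP /usr/local/lib/python*/dist-packages/cmake/...` download runs as the unprivileged user. That directory is presumably root-owned (its permissions are not visible here), and the `--mount=type=cache,target=/cache` mount is root-owned by default. Keep the CPM.cmake download in a root step and move `USER code` below it, so that only `conan profile detect` and the profile `echo` run as `code`. If the cache mount must be writable by that user, add `uid=1000,gid=1000` to the mount options. The `usermod -m -d /home/code -l code ubuntu` rename also fails the build on a base image without an `ubuntu` account, so a comment naming that base-image assumption would help; the final patch in the series only restores the line continuation after the wget.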