Correct USER after features stage: Investigate other cases #78

Closed
chrmarti opened this issue Jul 1, 2022 · 2 comments

chrmarti (Contributor) commented Jul 1, 2022

#70 follow-up

// TODO: Other targets.

Multi-stage builds could result in the current approach returning the wrong user.

Also: Variables are not supported.

Considering the possible cases, an alternative approach might work better (if one exists).

chrmarti added the "bug" (Something isn't working) label Jul 1, 2022
chrmarti added this to the Backlog milestone Jul 1, 2022
chrmarti self-assigned this Jul 1, 2022
Chuxel (Member) commented Jul 1, 2022

One thought here - why don't we simply chain an entrypoint script into the actual ENTRYPOINT for the container image as a part of the image build for the feature step? We can get the existing entrypoint (via docker inspect) and invoke it afterwards as an arg set. (Using exec "$@"). That also removes the need to reference the feature to get the entrypoint to apply... and it would automatically use whatever the container user was.

This was partly my rationale for entrypoint.d in devcontainers/spec#19.

chrmarti (Contributor, Author) commented Jul 4, 2022

The difficulty is with us temporarily setting USER root for the feature install scripts and then having to go back to USER <previous>. When features were built in a separate image (FROM <user image>), we did inspect the user image and pass its user as a build argument. Now that we build the user image and add the features in a single Dockerfile (for caching checksums and multi-arch builds), I haven't yet found a way to determine the user before we change it to root and then go back to it with USER.

E.g., if ENV would support command substitution (which it doesn't):

# Here: user's Dockerfile content
ENV PREVIOUS_USER=$(id -u -n)
# Here: features installation
USER ${PREVIOUS_USER}

The current fix covers a few cases by looking at the Dockerfile (which is hard to cover all cases including variables and multiple stages).
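
The Dockerfile-inspection approach discussed in this thread, sketched as an added example (it is not the devcontainers CLI's own code): it resolves the USER in effect across stages and ARG/ENV variables, and returns undefined when only the base image's metadata can answer. The function names and the sample Dockerfile are assumptions; it handles single-pair ARG/ENV lines and no line continuations.

```typescript
// Added example, not devcontainers CLI code; every name here is hypothetical.
type Vars = Record<string, string>;
interface Stage { name: string | undefined; base: string; user?: string; }
// Constructed sample input: three stages, one USER set through an ARG.
const SAMPLE_DOCKERFILE = ["ARG VARIANT=18", "FROM node:${VARIANT} AS build", "USER node",
  "FROM build AS tools", "ARG USERNAME=vscode", "USER ${USERNAME}",
  "FROM build AS final", "RUN npm --version"].join("\n");
// Expand $VAR, ${VAR} and ${VAR:-default}; unset variables expand to "".
function expandVars(text: string, vars: Vars): string {
  return text.replace(/\$\{(\w+)(?::-([^}]*))?\}|\$(\w+)/g,
    (_m: string, braced?: string, fallback?: string, bare?: string) =>
      vars[braced ?? bare ?? ""] || (fallback ?? ""));
}

// USER in effect at the end of `target` (default: last stage), or undefined
// when only the base image's metadata (docker inspect) can answer.
function finalUser(dockerfile: string, buildArgs: Vars = {}, target?: string): string | undefined {
  const stages: Stage[] = [], globalArgs: Vars = {};
  let vars: Vars = {};
  for (const line of dockerfile.split(/\r?\n/)) {
    const [, kw = "", rest = ""] = /^\s*(FROM|ARG|ENV|USER)\s+(.+?)\s*$/i.exec(line) ?? [];
    const current = stages[stages.length - 1];
    switch (kw.toUpperCase()) {
      case "FROM": { // FROM [--flag] <image> [AS <name>]; only global ARGs are visible
        const [base = "", , name] = expandVars(rest, globalArgs).split(/\s+/).filter(t => !t.startsWith("--"));
        stages.push({ name: name?.toLowerCase(), base });
        vars = {}; // each stage starts with an empty variable scope
        break;
      }
      case "ARG": case "ENV": {
        const [, key = "", value] = /^(\w+)(?:[=\s]\s*(.*))?$/.exec(rest) ?? [];
        const declared = value === undefined ? undefined : expandVars(value.replace(/^["']|["']$/g, ""), vars);
        // A declared ARG takes --build-arg first, then its default, then the global default.
        const resolved = kw.toUpperCase() === "ARG" ? buildArgs[key] ?? declared ?? globalArgs[key] : declared;
        if (key && resolved !== undefined) (current ? vars : globalArgs)[key] = resolved;
        break;
      }
      case "USER":
        if (current) current.user = expandVars(rest, vars);
    }
  }
  const wanted = target?.toLowerCase();
  let stage = wanted ? stages.find(s => s.name === wanted) : stages[stages.length - 1];
  while (stage && stage.user === undefined) { // inherit from an earlier stage used as base
    const base = stage.base.toLowerCase();
    stage = stages.slice(0, stages.indexOf(stage)).find(s => s.name === base);
  }
  return stage?.user || undefined;
}
```

An undefined result is the case to treat with care: restoring a guessed user after the temporary USER root could leave the final image running as root.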
