Make volumes accessible on SELinux systems by adding relabel option.

[tmds]

The volumes mounted by the plugin are not accessible in the container on SELinux systems like Fedora and RHEL.
They need to be relabeled.

For more info see the Labeling Volume Mounts section in https://docs.podman.io/en/latest/markdown/podman-run.1.html.

@bwateratmsft ptal.

[bwateratmsft]

I'm reluctant to have this flag added by default to all volume mounts in all docker-run tasks, especially given how ominously the docs warn about the z and Z options ("Use extreme caution...", emphasis theirs). An alternative option would be to add rw,z and ro,z as options here, which would allow end users to specify these flags if they wish. It should be noted, you can specify those values today, it will work but it will give a yellow squiggle (and a warning) (only when the document is open):

We have logic to implicitly add several volume mappings as needed for debugging .NET and Python. If there are conflicts; i.e. if the user specifies a volume mapping to the same destination in the container, the user's input will be respected. In the example above I'm taking advantage of that logic to get /src mapped with rw,z.

Do you think updating package.json with rw,z and ro,z as enum options is sufficient? Or is this likely a narrow enough scenario that the yellow squiggles can just be ignored, with no changes to the extension?

[tmds]

We have logic to implicitly add several volume mappings as needed for debugging .NET and Python.

More changes are needed besides updating package.json to allow the 'z' option.
I'm unable to debug .NET applications because the volumes used by the plugin don't set the z flag.

especially given how ominously the docs warn about the z and Z options

I'll look into this a bit deeper and get back to you.

[bwateratmsft]

In addition to the changes to package.json, you'll need to update your tasks.json to override the default volume mappings. Something like this:

        {
            "type": "docker-run",
            "label": "docker-run: debug",
            "dependsOn": [
                "docker-build: debug"
            ],
            "dockerRun": {
                "volumes": [
                    {
                        "containerPath": "/src",
                        "localPath": "${workspaceFolder}",
                        "permissions": "rw,z"
                    },
                    {
                        "containerPath": "/app",
                        "localPath": "${workspaceFolder}",
                        "permissions": "rw,z"
                    },
                    {
                        "containerPath": "/remote_debugger",
                        "localPath": "~/.vsdbg",
                        "permissions": "ro,z"
                    },
                    {
                        "containerPath": "/root/.nuget/packages",
                        "localPath": "~/.nuget/packages",
                        "permissions": "ro,z"
                    },
                ]
            },
            "netCore": {
                "appProject": "${workspaceFolder}/Net6.csproj",
                "enableDebugging": true
            }
        },

This should work today albeit with the warning squiggles. For a Windows host, just replace the ~ in the localPath's with %USERPROFILE%.

[tmds]

I'll look into this a bit deeper and get back to you.

The comment in the docker docs is out-of-date with the implementation. It will not accept any of the paths mentioned for relabeling.

Trying to relabel them will cause docker to fail.

That means it is not a good idea to unconditionally add the 'z' as the PR is currently doing.

We have logic to implicitly add several volume mappings as needed for debugging .NET and Python.

We should make a change that the volumes used for debugging are relabeled. Then they work out of the box on systems with SELinux.

@bwateratmsft do you have a suggestion on how to change DockerContainerVolume to support the relabling?

export interface DockerContainerVolume {
    localPath: string;
    containerPath: string;
    permissions?: 'ro' | 'rw';
}

[bwateratmsft]

Should we set it so that that flag is only added when enableDebugging is set to true? I suppose it's sorta moot since all these implicit volumes are only added if it's true.

For DockerContainerVolume you could just add values ro,z and rw,z, same as for package.json.

[tmds]

@bwateratmsft I've added the ,z flag to the debug volumes.

[tmds]

@bwateratmsft I had reverted the wrong commit. I've fixed it now.

[bwateratmsft]

Looks good to me!

[tmds]

@bwateratmsft I've addressed your feedback. ptal.

[bwateratmsft]

Looks good to me, thanks @tmds!

[bwateratmsft]

This is now released in Docker extension version 1.19.0.