Remove unused /home/tooling/.local

[dkwon17]

This PR fixes the issue where podman was not found when there is a volume mounted to /home/user/.local.

Fixes eclipse-che/che#23095

In the base image, before this PR an empty /home/tooling/.local directory is created. Stowing this empty directory to /home/user created a hard link for the /home/.local directory, which caused both /home/user/.local and /home/tooling/.local to be affected by the volume mount to /home/user/.local.

This PR removes the /home/tooling/.local directory, since it was not used at all in the Dockerfile, and was only used in the entrypoint to store the podman wrapper. In this PR, the podman wrapper set up by the entrypoint is now stored in /home/user/.local instead.

To test this PR

1. Build the base image:

$ cd base/ubi8
$ DOCKER_BUILDKIT=1 docker image build --progress=plain -t quay.io/<username>/<repo>:base-image .

I've built my own here: quay.io/dkwon17/developer-images:base-image

2. Push the image to quay.

3. Start the following workspace:

<CHE-HOST>#https://github.com/redhat-developer/devspaces/tree/devspaces-3-rhel-8?image=quay.io/<username>/<repo>:base-image

4. In the terminal, there should be no problems with running podman info

devspaces (devspaces-3-rhel-8) $ podman info
host:
  arch: amd64
  buildahVersion: 1.33.8
  cgroupControllers:
...

And which podman should output the following:

devspaces (devspaces-3-rhel-8) $ which podman
~/.local/bin/podman

[dkwon17]

To test this even further, you can build the UDI image with your custom base image by replacing line 4 of the udi dockerfile here so that the base image matches the base image built from this PR.

Then, the UDI can be built and pushed by running:

cd universal/ubi8
DOCKER_BUILDKIT=1 docker image build --progress=plain -t  quay.io/<username>/<repo>:udi .
docker push quay.io/<username>/<repo>:udi

To test that eclipse-che/che#23095 is fixed, create a workspace with this URL:

<CHE-HOST>/#https://github.com/redhat-developer/devspaces/tree/devspaces-3-rhel-8?image=quay.io/<username>/<repo>:udi

I've built my own UDI image from this PR available here: quay.io/dkwon17/developer-images:udi

Check that podman exists by running which podman. podman should be located in ~/.local/bin

[svor]

Tested with https://github.com/redhat-developer/devspaces/tree/devspaces-3-rhel-8

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dkwon17, ibuziuk, svor

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[AObuchow]

LGTM, I was able to reproduce the bug with a workspace created from a fork of the ds-plugin-registry-dev devfile that uses a custom DWOC that disables persistent home on the dogfooding cluster.

With the fixed image, podman was again on path:

$ which podman
~/.local/bin/podman

However, with my custom DWOC, podman info failed:

$ podman info
ERRO[0000] running `/usr/bin/newuidmap 1520 0 1001030000 1 1 10000 65536`:  
Error: cannot set up namespace using "/usr/bin/newuidmap": fork/exec /usr/bin/newuidmap: operation not permitted

I'm almost certain the reason podman info is failing here is due to my custom DWOC having missing configuration fields, because:

• If I start the same workspace with persistent home enabled, the same issue arises (home persistence is not causing the issue)
• If I start the same workspace without my custom DWOC, and use the dogfooding's Che-owned DWOC, then podman info succeeds.

Maybe this points to another bug? I'm not sure. I'm unable to see how the dogfooding's che-owned DWOC is configured (don't have the correct priviledges)

Here's my custom DWOC, it only has persisten home disabled:

apiVersion: controller.devfile.io/v1alpha1
config:
  workspace:
    persistUserHome:
      enabled: true
kind: DevWorkspaceOperatorConfig
  name: custom-dwoc
  namespace: aobuchow-che-1cac83

[dkwon17]

@AObuchow the custom DWOC should include:

config:
  workspace:
    containerSecurityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
          - SETGID
          - SETUID

Podman build should be working after that

[AObuchow]

@dkwon17 thanks for the follow-up, sounds good :)