Run Theia Application as non-root User

Hey all,
We have been using the theia docker image. We were able to successfully start the theia docker container as a non-root user. But the theia application itself starts as a root user.

As you can see in the image, the terminal spawned off has been spawned as a root user. I need it to be spawned as a non-root user the same assigned to the container, say project-user. If anybody could help me out with this, it would be of great help. Thanks.

I am not using the docker images that often, but as I see, our reference docker image users the theia user.

Are you aware of the Theia apps repo? https://github.com/theia-ide/theia-apps

In the default docker image, we have these:

I did the following:

docker pull theiaide/theia:next \
&& docker run -it --init -p 3000:3000 -v "$(pwd):/home/project:cached" theiaide/theia:next

And I can see the theia user

1 Like

is this the same terminal spawned off through theia UI ? Hmm… I’'ll check into this. Thanks :smiley:

is this the same terminal spawned off through theia UI

Yes, on macOS.

Hey so i was using this particular image theiaide/theia-full
And its giving root access when i do sudo su
which i want to prevent

I can see the diff between the two images:

I could reproduce it with the full image:

But I do not know why we have two separate setups. Maybe @vince-fugnitto or @marcdumais-work can help. You can also open an issue directly in the theia-apps repo.

Yup…so ideally changing the docker config file with the SUDO NOPassword should fix it right ?

@BhuvanRohith the base image for the theia-ful-dockerl image is ubuntu which is different than that of theia-docker and in order to install the necessary dependencies and setup the enviroment sudo was needed. Please note that these images are mainly used as examples and for test purposes, if you require your own implementation or use-case then you can use them as reference. Are you somehow requesting that the theia-full image removes sudo access?

1 Like

To add a bit of context: in order to be generally useful for software development, the theia docker image examples will usually need to be customised to add project-specific dependencies.

There are a couple of ways I see to enable that. The easiest is to have sudo capability in the image and so permit the user to install/configure whatever they need, for their specific case. Some of our example docker image follow that idea, like theia-full.

In some environment, it’s not desirable/permitted to include sudo capability in docker images. e.g. one needs the image to have a non-privileged user so it can run in some cloud services. The way to customize such an image is by creating a project-specific docker image that "starts FROM" it. Then add and configure as per specific requirements in the derived image. Some of our example docker images follow that idea. e.g. theia-docker and theia-java both have non-privileged users and so can be used as the base image in this alternative.

I know the Gitpod service, that offers Theia-based development workspaces, uses this second strategy. See below the Gitpod docker config for the main Theia repo, that adds our project-specific Operating System-level dependencies to a new theia-project-specific docker image that derives from their gitpod/workspace-full-vnc:latest image (similar in concept to our theia-full image)