How exactly does CLion run a Docker toolchain?


I'm trying to set up fixuid as a solution for the user permission problem described in CPP-27415. I'm able to get fixuid to work as expected if I manually run a Docker image, but not when using that image as a CLion toolchain. I have a GitHub project that demonstrates this.

When fixuid runs, the Docker container user is modified to set its UID and GID to match the values the container is being run with. fixuid then modifies file permissions in the container to match the new UID and GID, and sets $HOME. fixuid also creates a touch file when it runs. The sample project application displays user information to verify that fixuid worked (or not). 

I cannot figure out how CLion is running a Docker a toolchain. The fixuid documentation suggests using an ENTRYPOINT to run the command, but it seems that CLion overrides this when it runs an image. The fixuid command can also be run in a container start-up script, so I placed this command in the toolchain environment script ( in the demo project). When I use this toolchain with CLion, fixuid is not working correctly. I can tell that it's being run as part of the start-up script because $HOME is being set correctly. However, the UID and GID of the container user are not being updated, and the fixuid touch file is not present.

As I said above, this all works as expected if I manually run a container (see docker-compose.yml in the sample project for the run settings). How does CLion run its toolchain containers?

Vasily Romanikhin
Comment actions Permalink

Hello Michael Klatt

We use special API to run docker containers, but in terms of command-line it similar to

docker run --entrypoint --rm --user=$(id -u):$(id -g) <contaner_name> <command>
Comment actions Permalink

Glenn Bitar

Even though CLion 2021.3.2 overwrites ENTRYPOINT, I should still be able to get fixuid to work by calling it as part of the toolchain environment script. The fixuid command in being called as expected when I run the toolchain in CLion, but the UID and GID of the container user are not being changed. If I manually try to reproduce how CLion is running the container, everything works as expected. So the "special API" that @... mentioned must work a little differently. This is probably some interactive/non-interactive login/non-login shell weirdness.


Please sign in to leave a comment.