Run the devcontainer under rootless Podman #396
Open
krokicki wants to merge 3 commits into
Make the devcontainer runtime-neutral so the same pixi tasks and devcontainer.json work with Docker/Colima on Mac and rootless Podman on Linux. Runtime is selected via FG_CONTAINER_RUNTIME (default: docker).

- dc.sh: wrapper that passes --docker-path to the devcontainers CLI and, on the Podman path, routes through podman-shim and disables the CLI's uid-renumber step (--update-remote-user-uid-default never).
- podman-shim/podman: upgrades the CLI's forced --userns=keep-id to keep-id:uid=1000,gid=1000 so the host user maps onto vscode (uid 1000), making bind mounts writable without an unsafe ~1M subuid range.
- pyproject.toml: container-* tasks now invoke dc.sh.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
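The `--userns` rewrite described in the commit message above, sketched as an added example; this is not the PR's `podman-shim/podman`. The function name `run_mapped` and the `REAL_PODMAN` variable are hypothetical, and the binary to run is passed as the first argument so the rewrite can be exercised without Podman installed.

```shell
#!/bin/sh
# Added illustration of a userns-rewriting shim (not the PR's own script).

# run_mapped BIN ARG...
# Run BIN with ARG..., upgrading a bare keep-id user-namespace option to
# keep-id:uid=1000,gid=1000 so the host user lands on uid/gid 1000 inside
# the container. Every other argument is passed through untouched.
run_mapped() {
    bin=$1; shift
    map='keep-id:uid=1000,gid=1000'
    pending=0   # 1 when the previous argument was a bare "--userns"
    # "for arg do" walks the original argument list; each pass shifts one
    # argument out and appends its (possibly rewritten) form, so "$@" ends
    # up holding the rewritten list with quoting preserved.
    for arg do
        shift
        if [ "$pending" -eq 1 ]; then
            pending=0
            if [ "$arg" = keep-id ]; then arg=$map; fi
        else
            case $arg in
                --userns=keep-id) arg="--userns=$map" ;;
                --userns)         pending=1 ;;
            esac
        fi
        set -- "$@" "$arg"
    done
    "$bin" "$@"
}

# A shim file would end with a call such as (REAL_PODMAN is hypothetical):
#   run_mapped "${REAL_PODMAN:?set to the real podman binary}" "$@"
```

A `--userns` value that already carries an explicit mapping, or a different mode such as `host`, is left as the caller wrote it.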
Harden the rootless-Podman devcontainer so the agent (running as the unprivileged vscode user with approvals disabled) cannot loosen its own network constraints.

- init-firewall.sh: pin DNS egress to the resolvers in /etc/resolv.conf instead of allowing port 53 to any host (closes arbitrary-resolver tunneling); drop the blanket outbound-22 rule (SSH to GitHub still works via the allowed-domains set, SSH to other hosts is blocked); drop the blanket host /24 allow (prevents lateral movement to neighbors).
- post-create.sh: revoke vscode's passwordless sudo as the final setup step. Without root, vscode cannot touch iptables/ipset, so the egress allowlist can no longer be flushed from inside the container. NET_ADMIN/NET_RAW remain in the image but are inert without root.

Maintenance root shell remains available from the host via `podman exec -u root` / `docker exec -u root`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
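One way to pin DNS egress to the configured resolvers, as described in the commit message above; this is an added example, not the PR's `init-firewall.sh`. The function name `dns_pin_rules` is hypothetical, and the rules are printed rather than applied so the logic can be run unprivileged.

```shell
#!/bin/sh
# Added illustration of resolver-pinned DNS egress (not the PR's own script).
# It replaces the kind of rule that accepts port 53 to any destination.

# dns_pin_rules [FILE]
# Print ACCEPT rules for port 53 limited to the nameservers listed in FILE
# (default /etc/resolv.conf). Returns 1 if no usable nameserver is found.
dns_pin_rules() {
    conf=${1:-/etc/resolv.conf}
    count=0
    # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while read -r key addr _rest || [ -n "$key" ]; do
        [ "$key" = nameserver ] || continue
        # Strict character check: the value ends up inside a firewall command.
        case $addr in
            ''|*[!0-9a-fA-F:.]*)
                echo "skipping malformed nameserver entry: $addr" >&2
                continue ;;
            *:*) ipt=ip6tables ;;      # IPv6 resolver
            *[!0-9.]*)
                echo "skipping malformed nameserver entry: $addr" >&2
                continue ;;
            *)   ipt=iptables ;;       # IPv4 resolver
        esac
        for proto in udp tcp; do
            echo "$ipt -A OUTPUT -p $proto -d $addr --dport 53 -j ACCEPT"
        done
        count=$((count + 1))
    done < "$conf"
    # Fail closed: never fall back to "port 53 to anywhere".
    if [ "$count" -eq 0 ]; then
        echo "no usable nameserver in $conf; DNS egress stays closed" >&2
        return 1
    fi
}
```

The rules only restrict anything when the chain's remaining traffic is dropped, and they must be loaded while the setup still has root.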
Contributor
Is rootless podman meant for usage similar to how we might use apptainer on HPC?
Member
Author
This is meant to replace our use of Docker entirely, especially on Linux. Running agents inside of Docker is not safe because it effectively gives them root access to the system. On Mac we have other good options like Colima (though Podman also works there, for those who prefer it).
Contributor
Yes, I understand why we are doing this. Those same attributes make it seem amenable to running as an unprivileged user on a cluster as well.
Makes the devcontainer runnable under rootless Podman on Linux while staying fully compatible with Docker/Colima on Mac, and hardens the egress firewall so the AI agent (which runs with approvals disabled) cannot loosen its own network constraints.
Runtime is selected with the `FG_CONTAINER_RUNTIME` environment variable (default: `docker`). `devcontainer.json` stays runtime-neutral; all Podman-specific behavior lives in a small wrapper and shim.

Changes
Cross-platform runtime selection
- `pyproject.toml`: the four `container-*` tasks now call `.devcontainer/dc.sh`.
- `.devcontainer/dc.sh` (new): passes `--docker-path` to the devcontainers CLI based on `FG_CONTAINER_RUNTIME`. On the Podman path it also routes through the shim and disables the CLI's uid-renumber step.
- `.devcontainer/podman-shim/podman` (new): upgrades the CLI's forced `--userns=keep-id` to `keep-id:uid=1000,gid=1000` so the host user maps onto the container's `vscode` user (uid 1000). This makes bind mounts writable using only a small subuid range, avoiding the unsafe ~1M-id range the CLI's renumber step would otherwise require on a shared LDAP host.

Tamper-proof egress firewall

- `.devcontainer/init-firewall.sh`: DNS egress is pinned to the resolvers in `/etc/resolv.conf` instead of allowing port 53 to any host; the blanket outbound-22 rule is removed (SSH to GitHub still works via the allowed-domains set, SSH to other hosts is blocked); the blanket host `/24` allow is removed.
- `.devcontainer/post-create.sh`: revokes the `vscode` user's passwordless sudo as the final setup step. Without root, the agent cannot touch iptables/ipset, so the egress allowlist can no longer be flushed from inside the container. `NET_ADMIN`/`NET_RAW` remain in the image but are inert without root. A root shell is still available from the host via `podman exec -u root` / `docker exec -u root`.

Verification
Rebuilt under rootless Podman and confirmed on the running container:
- `vscode` can no longer `sudo`, and both `iptables -F` and `sudo iptables -F` fail.
- `/24`.
- `api.github.com` returns 200, `example.com` is blocked.
- `vscode` and readable; Claude and Codex run.
- `podman exec -u root` still works for maintenance.

Notes

`devcontainer.json`; Mac/Colima continues to use the default Docker path and never sees the shim.

@StephanPreibisch @JaneliaSciComp/fileglancer