diff --git a/.github/workflows/test-devcontainer.yml b/.github/workflows/test-devcontainer.yml
index dc9a319..6903300 100644
--- a/.github/workflows/test-devcontainer.yml
+++ b/.github/workflows/test-devcontainer.yml
@@ -6,6 +6,7 @@ on:
   pull_request:
     paths:
       - 'devenv/**'
+      - '.devcontainer/**'
       - 'common/.devcontainer/**'
       - '.github/workflows/test-devcontainer.yml'
       - 'Justfile'
diff --git a/common/.devcontainer/devcontainer.json b/common/.devcontainer/devcontainer.json
index 678171b..f1b43a8 100644
--- a/common/.devcontainer/devcontainer.json
+++ b/common/.devcontainer/devcontainer.json
@@ -1,30 +1,25 @@
 {
   "name": "bootc-devenv-debian",
-  // TODO override this back to prod image
   "image": "ghcr.io/bootc-dev/devenv-debian",
   "customizations": {
     "vscode": {
-      // Abitrary, but most of our code is in one of these two
+      // Arbitrary, but most of our code is in one of these two
       "extensions": [
         "rust-lang.rust-analyzer",
         "golang.Go"
       ]
+    },
+    "devaipod": {
+      // When running under devaipod, use minimal capabilities
+      // (SYS_ADMIN, NET_ADMIN, etc.) instead of full --privileged.
+      "nestedContainers": true
     }
   },
   "features": {},
-  "runArgs": [
-    // In general we hope that the outer environment has set up
-    // a user namespace to keep this secure.
-    "--cap-add=all",
-    // Required for mounting /proc in nested user namespace
-    "--security-opt", "label=disable",
-    // Allows access to /proc paths needed for nested containers
-    "--security-opt", "unmask=/proc/*",
-    // Device access for nested containers and VMs
-    "--device", "/dev/net/tun",
-    // I always want KVM
-    "--device", "/dev/kvm"
-  ],
+  // Use privileged mode for broad compatibility (Codespaces, Docker,
+  // stock devcontainer CLI). devaipod overrides this with tighter
+  // security via the nestedContainers customization above.
+  "privileged": true,
   "postCreateCommand": {
     // Our init script
     "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
@@ -33,4 +28,3 @@
     "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
   }
 }
-
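Review bot: `"privileged": true` is broader than the runArgs block it replaces, and the new comment above it drops the earlier caveat that isolation depends on the outer environment providing a user namespace: in Docker and Podman, privileged mode hands the container every capability and every host device and switches off the default seccomp and LSM confinement, whereas the removed list left the default seccomp profile in place and exposed only /dev/kvm and /dev/net/tun. The `devaipod.nestedContainers` customization is tool-specific and ignored by other consumers, so under Codespaces, Docker and the stock devcontainer CLI — exactly the environments the comment names — the container runs fully privileged with no narrower fallback; whether devaipod actually ignores `privileged` in favour of the customization cannot be confirmed from this diff. I would keep the dropped caveat next to the new key, e.g. `// NOTE: outside devaipod this is root-equivalent on the host unless the outer runtime (rootless / user-namespaced podman or docker) confines it.` The top-level object continues past the end of this hunk.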