
`runArgs` in Dev Containers image isn't shared to `.devcontainers.json` workspace

Open QuentinLeloire opened this issue 1 year ago • 4 comments

Hi, I tried to use runArgs in a Dev Containers custom image, but this field isn't shared to the .devcontainers.json workspace.

  • Logs:
  1. when runArgs is set in the Dev Containers custom image:
```bash
$ docker inspect f | grep PidMode
            "PidMode": "",    # pid isn't set to host
$ docker inspect f | grep NetworkMode
            "NetworkMode": "bridge",    # network isn't set to host
```
  2. when runArgs is set in the Dev Containers workspace that uses the custom image:
```bash
$ docker inspect f | grep PidMode
            "PidMode": "host",    # pid is set to host
$ docker inspect f | grep NetworkMode
            "NetworkMode": "host",    # network is set to host
```

Steps to Reproduce:

  1. when runArgs is set in the Dev Containers custom image:
```jsonc
// custom image configuration
{
	"name": "Custom image",
	"build": {
		"dockerfile": "Dockerfile",
		"args": {
			"devcontainercli": "true"
		}
	},
	"runArgs": [
		"--network=host",
		"--pid=host"
	],
	"capAdd": ["ALL"],
	"securityOpt": ["seccomp=unconfined"],
	"privileged": true,
	[...]
}

// devcontainer.json workspace configuration
{
	"name": "Dev Containers demo",
	"image": "registry.example.com/example/custom-image:version",
	[...]
}
```
  2. when runArgs is set in the Dev Containers workspace that uses the custom image:
```jsonc
// custom image configuration
{
	"name": "Custom image",
	"build": {
		"dockerfile": "Dockerfile",
		"args": {
			"devcontainercli": "true"
		}
	},
	"capAdd": ["ALL"],
	"securityOpt": ["seccomp=unconfined"],
	"privileged": true,
	[...]
}

// devcontainer.json workspace configuration
{
	"name": "Dev Containers demo",
	"image": "registry.example.com/example/custom-image:version",
	"runArgs": [
		"--network=host",
		"--pid=host"
	],
	[...]
}
```

Thank you!

QuentinLeloire avatar Jul 11 '24 08:07 QuentinLeloire

runArgs is not a field that can be inherited from the base image. Take a look at the spec merge logic: https://containers.dev/implementors/spec/#merge-logic

So you'll have to put runArgs in the devcontainer.json even though you use a base prebuilt image.

AvishayHirsh avatar Jul 16 '24 07:07 AvishayHirsh
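
The behaviour described in this reply matters when reviewing what isolation a dev container actually runs with, so here is an added example (not part of the thread and not code from the Dev Containers CLI) that computes the effective security-relevant settings for an image configuration plus a workspace `devcontainer.json`. It assumes the merge semantics of the linked spec section (`privileged` is OR-ed, `capAdd` and `securityOpt` are unioned); the function names and the sample input are constructed for illustration.

```python
# Added illustration: not code from the Dev Containers CLI or spec repository.
import json

# Properties the thread says are carried over from the image configuration.
# Assumed merge semantics (from the linked merge-logic section):
# booleans are OR-ed, arrays are unioned without duplicates.
MERGED_BOOL = ("privileged",)
MERGED_LIST = ("capAdd", "securityOpt")
HOST_FLAGS = ("--network=host", "--pid=host", "--privileged")


def effective_settings(image_config, workspace):
    """Combine the image's configuration with the workspace devcontainer.json."""
    eff = {}
    for key in MERGED_BOOL:
        eff[key] = bool(image_config.get(key)) or bool(workspace.get(key))
    for key in MERGED_LIST:
        merged = list(image_config.get(key, []))
        merged += [v for v in workspace.get(key, []) if v not in merged]
        eff[key] = merged
    # runArgs is not inherited: only the workspace file counts.
    eff["runArgs"] = list(workspace.get("runArgs", []))
    eff["droppedRunArgs"] = list(image_config.get("runArgs", []))
    return eff


def findings(eff):
    """Return review notes for settings that weaken container isolation."""
    notes = []
    if eff["privileged"]:
        notes.append("privileged container")
    notes += [f"capAdd {c}" for c in eff["capAdd"]]
    notes += [f"securityOpt {s}" for s in eff["securityOpt"]]
    notes += [f"runArgs {a}" for a in eff["runArgs"] if a in HOST_FLAGS]
    notes += [f"ignored image runArgs {a}" for a in eff["droppedRunArgs"]]
    return notes


# Constructed sample input mirroring the first case in the issue.
IMAGE_CONFIG = json.loads("""{
  "runArgs": ["--network=host", "--pid=host"],
  "capAdd": ["ALL"], "securityOpt": ["seccomp=unconfined"], "privileged": true
}""")
WORKSPACE = {"name": "Dev Containers demo",
             "image": "registry.example.com/example/custom-image:version"}

if __name__ == "__main__":
    for note in findings(effective_settings(IMAGE_CONFIG, WORKSPACE)):
        print(note)
```

Reading only the workspace file in this sample would show no elevated settings at all, while the container still runs privileged with all capabilities and seccomp disabled because those come from the image.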

Oh okay, is it possible to claim support for network and pid flags like capAdd, privileged and securityOpt do?

With an implementation like this, for example:

```jsonc
{
	"name": "Custom image",
	"build": {
		"dockerfile": "Dockerfile",
		"args": {
			"devcontainercli": "true"
		}
	},
	"capAdd": ["ALL"],
	"securityOpt": ["seccomp=unconfined"],
	"privileged": true,
	"network": "host",
	"pid": "host",
	[...]
}
```

I think it would be interesting to handle this, and it can prevent code duplication.

QuentinLeloire avatar Jul 16 '24 10:07 QuentinLeloire

Sounds like a legit request... I think you can put it in https://github.com/devcontainers/spec/discussions/categories/ideas

AvishayHirsh avatar Jul 17 '24 08:07 AvishayHirsh

https://github.com/devcontainers/spec/discussions/539

QuentinLeloire avatar Jan 10 '25 11:01 QuentinLeloire