Providing a single workspace per VM #59
I'm unsure if this issue belongs to this repo or coder/coder. Tell me if I should move it.

Currently registry.coder.com has only two examples of envbuilder/devcontainer (docker and k8s).

Do you know if it will be possible to use envbuilder to provision a single workspace per VM? (VM as isolation model)

The use-case I have in mind is to provide a secure way of using docker in the workspace. The exact same way codespaces do by default with the feature docker-in-docker (related to #25).

The docker-in-docker feature is not secure as it allows breaking out of the container and accessing the underlying host. But on codespaces that's totally fine because Azure VMs are not shared (one workspace per VM).

However, tell me if I'm wrong, but envbuilder is mainly used with Linux NS isolation (k8s, openshift or docker with multiple workspaces on the same VM). In that case providing docker would be a little tricky and it seems there are only two solutions:

- rootless docker & slirp4netns + several hacks to make it work (seems harder, less performant)
- sysbox or envbox (Envbuilder does not run in a sysbox container #50) (easier)

(Note: for both solutions I doubt the docker-in-docker feature can be used as is.)

Comments

Yes, you totally can do this. We should have a sample that does this... and ideally for every cloud. On GCP you can actually launch a VM with a container image, and that image could be envbuilder, which would replicate the Codespaces experience you mentioned.

Envbuilder is very portable, so it can be used in really whatever way you want. It really just needs a filesystem and the ability to execute commands.

Nice, I haven't had a chance to play with it yet, but I needed to know if it was feasible. Thank you.

We are tracking it in coder/coder#10735