Adapt workspace image to DooD (host Docker socket)

chapterjason · claude · chapterjason · commit 0569a4deee03 · 2026-05-15T11:03:08.000Z
The template now bind-mounts /var/run/docker.sock instead of running an
inner dockerd under sysbox. Strip the engine + containerd from the image,
align the in-image docker group GID with the host socket at boot, drop
the docker.service systemd dependency from coder-agent, and refresh
docs/comments to describe the DooD + privileged setup.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -1,9 +1,9 @@
 # SoureCode Coder Workspace Template
 
 A Coder workspace template plus a family of workspace images with pre-installed
-dev tooling. Each workspace runs its own `dockerd` under
-[sysbox](https://github.com/nestybox/sysbox), so you can build and test your
-own `Dockerfile`s, run `docker compose` stacks, etc. inside the workspace.
+dev tooling. Each workspace gets the host's Docker socket bind-mounted in
+(Docker-out-of-Docker), so you can `docker build`, `docker compose up`, etc.
+from inside the workspace using the host daemon.
 
 One container per workspace — no nested devcontainer layer. IDEs (VS Code
 Desktop, JetBrains, code-server, web-shell) all attach to the single
@@ -15,7 +15,7 @@ Images are published to GHCR under `ghcr.io/sourecode/coder-workspace`.
 
 | Tag | Base | Adds |
 |---|---|---|
-| `base` | `debian:trixie-slim` | systemd + dockerd + `nvm` + `claude-code` + `rtk` + `web-shell` + `home-persist` + `jetbrains` |
+| `base` | `debian:trixie-slim` | systemd + docker CLI (DooD) + `nvm` + `claude-code` + `rtk` + `web-shell` + `home-persist` + `jetbrains` |
 | `node` | `:base` | named variant for future Node-specific tooling — currently identical to `base` (Node comes from nvm) |
 | `cpp`  | `:base` | `llvm` (clang + toolchain), `cmake`, `sccache`, `/etc/profile.d/llvm-env.sh` exporting `CC`/`CXX` |
 
@@ -43,21 +43,26 @@ goes through `home-persist`'s manifest system.
 ## Architecture
 
 ```
- host docker daemon  (sysbox-runc runtime registered)
+ host docker daemon
+ ├── /var/run/docker.sock  ─────────┐  (bind-mounted into every workspace)
  └── workspace container (ghcr.io/sourecode/coder-workspace:<tag>)
-     ├── systemd (PID 1)
-     ├── dockerd (for in-workspace docker build / docker compose)
+     ├── systemd (PID 1)            │
+     ├── docker CLI ────────────────┘  (Docker-out-of-Docker via host socket)
      └── coder-agent.service (runs /etc/coder/agent-init.sh as `coder`)
 ```
 
+The container runs `--privileged` and shares the host Docker socket. This is
+fine for a single-tenant box but means workspace root effectively equals host
+root — don't onboard untrusted users.
+
 ## Template files
 
-- `main.tf` — Coder template. Launches the workspace container under
-  `runtime = "sysbox-runc"`, injects `CODER_AGENT_TOKEN` via env, and uploads
-  the agent init script to `/etc/coder/agent-init.sh`. The
-  `coder-agent.service` systemd unit (baked into the image) runs that script
-  on boot.
-- `src/base/Dockerfile` — shared base: Debian trixie + systemd + dockerd +
+- `main.tf` — Coder template. Launches the workspace container with
+  `privileged = true`, bind-mounts `/var/run/docker.sock` from the host,
+  injects `CODER_AGENT_TOKEN` via env, and uploads the agent init script to
+  `/etc/coder/agent-init.sh`. The `coder-agent.service` systemd unit (baked
+  into the image) runs that script on boot.
+- `src/base/Dockerfile` — shared base: Debian trixie + systemd + docker CLI +
   `coder` user + dev-kit scripts.
 - `src/node/Dockerfile`, `src/cpp/Dockerfile` — stack variants (`FROM :base`).
 - `scripts/<name>/install.sh` — bound into each Dockerfile at build time via
@@ -66,51 +71,13 @@ goes through `home-persist`'s manifest system.
 
 ## Prerequisites (on the Docker host)
 
-1. Linux kernel >= 5.12 (>= 6.3 ideal, avoids shiftfs entirely)
-2. Native Docker (not the snap) at `/usr/bin/docker`
-3. Sysbox installed (see below)
-4. An existing Coder server (this template was developed against a
+1. Native Docker (not the snap) at `/usr/bin/docker`
+2. An existing Coder server (this template was developed against a
    docker-compose-deployed Coder)
 
-## Install sysbox
-
-Zero-container-deletion install, tolerates a single `dockerd` restart.
-
-```bash
-# 1. pre-populate /etc/docker/daemon.json so sysbox's post-install step
-#    doesn't need to touch the network config itself
-sudo tee /etc/docker/daemon.json >/dev/null <<'JSON'
-{
-  "bip": "172.24.0.1/16",
-  "default-address-pools": [
-    { "base": "172.31.0.0/16", "size": 24 }
-  ]
-}
-JSON
-
-# Pick CIDRs free of your existing networks:
-#   docker network inspect $(docker network ls -q) | grep -i subnet
-
-# 2. one controlled restart so dockerd loads the keys
-sudo systemctl restart docker
-
-# 3. install sysbox (Ubuntu/Debian amd64)
-wget https://downloads.nestybox.com/sysbox/releases/v0.7.0/sysbox-ce_0.7.0-0.linux_amd64.deb
-sudo apt-get install -y jq fuse3 ./sysbox-ce_0.7.0-0.linux_amd64.deb
-
-# 4. verify
-docker info | grep -i runtime                # should list sysbox-runc
-systemctl status sysbox --no-pager
-```
-
-Smoke test that nested Docker works under sysbox:
-
-```bash
-CID=$(docker run -d --rm --runtime=sysbox-runc nestybox/ubuntu-noble-systemd-docker)
-sleep 15
-docker exec "$CID" docker run --rm hello-world   # should print the hello-world greeting
-docker stop "$CID"
-```
+No sysbox or special runtime is required — workspaces run under the default
+runc with `--privileged` and the host's `/var/run/docker.sock` bind-mounted
+in.
 
 ## Build the workspace images
 
@@ -162,29 +129,42 @@ pushing a new version, either:
   container exited instead of running systemd. Check:
   ```bash
   CID=$(docker ps -a --filter "name=coder-" -q | head -1)
-  docker inspect "$CID" --format '{{.HostConfig.Runtime}} {{.Config.Image}} {{.State.Status}}'
+  docker inspect "$CID" --format '{{.Config.Image}} {{.State.Status}}'
   docker logs "$CID" | tail -50
   ```
-  Runtime must be `sysbox-runc`. Image should match whatever the template's
-  `workspace_image` parameter resolved to.
+  Image should match whatever the template's `workspace_image` parameter
+  resolved to.
 
 - **Agent up but nothing connects** — inspect systemd and the agent unit:
   ```bash
   docker exec "$CID" systemctl is-system-running
-  docker exec "$CID" systemctl status docker coder-agent --no-pager
+  docker exec "$CID" systemctl status coder-agent --no-pager
   docker exec "$CID" journalctl -u coder-agent --no-pager -n 100
   docker exec "$CID" ls -la /etc/coder/      # expect agent-init.sh present + executable
   docker exec "$CID" bash -lc "tr '\0' '\n' < /proc/1/environ | grep CODER_AGENT_TOKEN"
   ```
 
-## Why sysbox
+- **`docker` from inside the workspace says "permission denied"** — the
+  bind-mounted host socket has the host's `docker` group GID, which may not
+  match the in-image `docker` group. The entrypoint aligns them at boot;
+  if it didn't run (or you exec'd a fresh shell before it finished), check:
+  ```bash
+  docker exec "$CID" stat -c '%g' /var/run/docker.sock
+  docker exec "$CID" getent group docker
+  ```
+  The two GIDs must match for `coder` to use the socket without sudo.
+
+## Why DooD (and not DinD or sysbox)
 
-The workspace bakes `dockerd` in so you can `docker build`, `docker compose up`,
-or run a project's own Dockerfile straight from inside your workspace without
-going through the host daemon. Running an inner dockerd safely inside a
-container is exactly what sysbox provides — plain `runc` would require
-`--privileged` and you'd still fight shared-kernel artefacts. Sysbox handles
-it with proper namespace isolation.
+Bind-mounting the host socket lets `docker build`, `docker compose up`, and
+project Dockerfiles run from inside the workspace without nesting a second
+Docker engine. The previous setup ran an inner `dockerd` under sysbox for
+isolation; we dropped it because the maintenance cost (sysbox install,
+persistent `/var/lib/docker` volume per workspace, dockerd shutdown
+ordering) outweighed the benefit on a single-tenant deployment. The trade
+is that workspaces share image cache and network namespace with the host
+daemon, and `--privileged` means workspace root can reach host root — only
+do this where you trust every workspace owner.
 
 ## Developing on this repo
 
@@ -205,7 +185,7 @@ scripts/
   sccache/install.sh
   web-shell/install.sh
 src/
-  base/Dockerfile                    # debian-trixie + systemd + dockerd + dev-kit
+  base/Dockerfile                    # debian-trixie + systemd + docker CLI + dev-kit
   cpp/Dockerfile                     # FROM :base + llvm/cmake/sccache
   node/Dockerfile                    # FROM :base
 main.tf                              # Coder template
diff --git a/docs/persistence.md b/docs/persistence.md
@@ -20,7 +20,7 @@ opt in.
 ## The three moving parts
 
 1. **The volume + mount.** `main.tf` declares `docker_volume.home_persist`
-   (per-owner, lives in the host dockerd) and mounts it into every workspace
+   (per-owner, lives in the host Docker daemon) and mounts it into every workspace
    container at `/mnt/home-persist`:
 
    ```hcl
@@ -92,7 +92,7 @@ opt in.
 
 ```
 ┌─────────────────────────────────────────────────────────────────┐
-│ host dockerd                                                    │
+│ host Docker daemon                                                    │
 │                                                                 │
 │   docker volume: coder-<owner>-home-persist  ◄── one per owner  │
 │     │                                                           │
@@ -110,7 +110,7 @@ opt in.
 └─────────────────────────────────────────────────────────────────┘
 ```
 
-The volume lives in the **host** dockerd, above any individual workspace.
+The volume lives in the **host** Docker daemon, above any individual workspace.
 Declared in `main.tf` as `docker_volume "home_persist"`, scoped by
 `coder_workspace_owner.me.name`, and bind-mounted into the workspace
 container at `/mnt/home-persist`.
diff --git a/main.tf b/main.tf
@@ -440,8 +440,11 @@ removed {
   }
 }
 
-# docker_data volume is no longer managed — workspace DinD now uses the host
-# Docker socket. Volume is retained to avoid data loss.
+# docker_data volume is no longer managed — the workspace now runs
+# Docker-out-of-Docker against the host daemon (host /var/run/docker.sock is
+# bind-mounted in), so there is no in-container /var/lib/docker to persist.
+# Volume is retained to avoid data loss for any workspace that still has
+# images/cache in it from the sysbox era.
 removed {
   from = docker_volume.docker_data
   lifecycle {
@@ -499,10 +502,9 @@ resource "docker_container" "workspace" {
   name     = "coder-${data.coder_workspace_owner.me.name}-${lower(data.coder_workspace.me.name)}"
   hostname = data.coder_workspace.me.name
 
-  # Give systemd enough time to shut dockerd down cleanly on stop. The
-  # default (10s) causes SIGKILL mid-flush, which corrupts the persistent
-  # /var/lib/docker volume on the next start.
-  stop_timeout = 120
+  # PID 1 is systemd; give it a few seconds beyond the default to drain
+  # units cleanly on stop.
+  stop_timeout = 30
   privileged   = true
 
   # PID 1 is /sbin/init (systemd). coder-agent.service (baked into the image)
diff --git a/src/base/Dockerfile b/src/base/Dockerfile
@@ -28,7 +28,7 @@ RUN install -m 0755 -d /etc/apt/keyrings && \
 # Baseline packages + Docker engine.
 RUN apt-get update && \
     apt-get install -y --no-install-recommends --no-install-suggests \
-        bash bash-completion build-essential ca-certificates containerd.io curl docker-ce docker-ce-cli \
+        bash bash-completion build-essential ca-certificates curl docker-ce-cli \
         docker-buildx-plugin docker-compose-plugin dtach file git gnupg \
         htop iproute2 iputils-ping jq less locales lsb-release lsof \
         man-db openssh-client pipx pkg-config procps python3 python3-pip rsync strace \
@@ -42,14 +42,9 @@ RUN apt-get update && \
 RUN ssh-keyscan -t rsa,ecdsa,ed25519 github.com gitlab.com bitbucket.org \
         >> /etc/ssh/ssh_known_hosts 2>/dev/null
 
-# Disable containerd-snapshotter so image/layer data stays under
-# /var/lib/docker (classic overlay2) instead of /var/lib/containerd — the
-# persistent devcontainer cache volume only covers /var/lib/docker.
-RUN mkdir -p /etc/docker && \
-    printf '{\n  "features": { "containerd-snapshotter": false }\n}\n' \
-        > /etc/docker/daemon.json
-
-RUN systemctl enable docker
+# Workspace runs Docker-out-of-Docker: the host's /var/run/docker.sock is
+# bind-mounted in. Only the docker CLI + plugins are installed (no engine,
+# no containerd), so there's no in-image daemon to mask.
 
 # Classic `docker-compose` name → the compose plugin binary.
 RUN ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/docker-compose
@@ -126,8 +121,9 @@ RUN printf '\nif [ -d /etc/profile.d ]; then\n  for i in /etc/profile.d/*.sh; do
         >> /etc/bash.bashrc
 
 # Coder agent: systemd unit runs /etc/coder/agent-init.sh as the workspace
-# user after dockerd is up. The script itself is uploaded at container-create
-# time by the Terraform template (kreuzwerker/docker `upload` block).
+# user after the network is up. The script itself is uploaded at
+# container-create time by the Terraform template (kreuzwerker/docker
+# `upload` block).
 RUN mkdir -p /etc/coder
 COPY src/base/coder-agent.service /etc/systemd/system/coder-agent.service
 COPY src/base/web-shell.service /etc/systemd/system/web-shell.service
diff --git a/src/base/coder-agent.service b/src/base/coder-agent.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Coder Agent
-After=docker.service network-online.target
-Wants=network-online.target docker.service
+After=network-online.target
+Wants=network-online.target
 ConditionPathExists=/etc/coder/agent-init.sh
 
 [Service]
diff --git a/src/base/entrypoint.sh b/src/base/entrypoint.sh
@@ -3,10 +3,9 @@
 #
 # Fresh Docker named volumes mount as root:root the first time they're
 # attached, even though the underlying image path is owned by the workspace
-# user (docker's "copy-up" doesn't reliably apply under sysbox-runc). Claim
-# the mountpoints here so coder-agent.service — which starts later under
-# systemd — sees correctly-owned mounts. Idempotent: chown/chmod are no-ops
-# when values already match.
+# user. Claim the mountpoints here so coder-agent.service — which starts
+# later under systemd — sees correctly-owned mounts. Idempotent: chown/chmod
+# are no-ops when values already match.
 set -eo pipefail
 
 USERNAME="${USERNAME:-coder}"
@@ -24,4 +23,21 @@ if [ -d /mnt/shared ]; then
   chmod 0777 /mnt/shared
 fi
 
+# DooD: align the in-image `docker` group GID with the host socket's GID so
+# the workspace user (member of `docker` in the image) can talk to the
+# bind-mounted host daemon without a chmod 666 on the socket.
+if [ -S /var/run/docker.sock ]; then
+  sock_gid=$(stat -c '%g' /var/run/docker.sock)
+  cur_gid=$(getent group docker | cut -d: -f3 || true)
+  if [ -n "$sock_gid" ] && [ "$sock_gid" != "$cur_gid" ]; then
+    # If another group already owns the target GID, rename it out of the way
+    # so groupmod can take it.
+    conflict=$(getent group "$sock_gid" | cut -d: -f1 || true)
+    if [ -n "$conflict" ] && [ "$conflict" != "docker" ]; then
+      groupmod -n "${conflict}-host" "$conflict"
+    fi
+    groupmod -g "$sock_gid" docker
+  fi
+fi
+
 exec "$@"
