Add cross-owner shared volume auto-mounted into every devcontainer

chapterjason · claude · chapterjason · commit 1860452e13e4 · 2026-04-21T23:22:53.000Z
Introduces docker_volume.shared (fixed name, no per-owner suffix) mounted
at /mnt/shared on every workspace container with sticky-bit 1777 so any
user can drop files but only the owner can delete them. A shim in front
of @devcontainers/cli injects --mount for /mnt/shared on every up/build,
so projects pick up the drop box with zero devcontainer.json edits.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Dockerfile.workspace b/Dockerfile.workspace
@@ -57,7 +57,22 @@ RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
 
 # Pre-install @devcontainers/cli globally so the Coder module doesn't need
 # to (which fails for non-root users installing to /usr/lib/node_modules).
-RUN npm install -g @devcontainers/cli
+RUN npm install -g @devcontainers/cli && \
+    mv /usr/bin/devcontainer /usr/bin/devcontainer.real
+
+# Shim the devcontainer CLI to auto-inject deployment-wide mounts on every
+# `up` / `build`, so individual projects don't have to declare them in their
+# devcontainer.json. Currently injects /mnt/shared (see docker_volume.shared
+# in main.tf) — a cross-owner drop box mounted on every workspace container.
+RUN cat > /usr/bin/devcontainer <<'EOF' && chmod +x /usr/bin/devcontainer
+#!/bin/bash
+set -eu
+extra=()
+if [[ "${1:-}" == "up" || "${1:-}" == "build" ]]; then
+    extra+=(--mount "type=bind,source=/mnt/shared,target=/mnt/shared")
+fi
+exec /usr/bin/devcontainer.real "$@" "${extra[@]}"
+EOF
 
 # Pre-populate system known_hosts for common git forges so SSH clones don't
 # race the agent's ssh-keyscan startup step.
diff --git a/docs/persistence.md b/docs/persistence.md
@@ -11,6 +11,14 @@ Compared to a whole-home mount: narrower blast radius, no first-run skeleton
 seeding, no drift between the image's `/etc/skel` and the live `$HOME`, no
 cross-tool leakage between workspaces.
 
+> **Not persistence, but related — `/mnt/shared`.** A single deployment-wide
+> docker volume (`docker_volume.shared` in `main.tf`) is mounted at
+> `/mnt/shared` on every workspace and auto-injected into every devcontainer
+> by the `devcontainer` CLI shim in `Dockerfile.workspace`. No
+> `devcontainer.json` edits needed. Sticky-bit 1777 (like `/tmp`) — anyone
+> can drop files, only the owner can delete them. Use it as a cross-user
+> drop box, not for per-user state.
+
 ## The three moving parts
 
 1. **The volume + bind mount.** In `.devcontainer/devcontainer.json`:
diff --git a/main.tf b/main.tf
@@ -113,6 +113,13 @@ resource "coder_agent" "main" {
     # mounted the volume but keeps this idempotent if the mount path moves.
     sudo mkdir -p /mnt/home-persist
     sudo chown "$DEVCONTAINER_USER_UID:$DEVCONTAINER_USER_GID" /mnt/home-persist
+
+    # /mnt/shared is the deployment-wide shared volume (see docker_volume.shared).
+    # Single docker volume attached to every workspace, every owner — a drop box
+    # for moving files between users. Sticky-bit 1777 (like /tmp) so anyone can
+    # write but only the file's owner can delete it.
+    sudo mkdir -p /mnt/shared
+    sudo chmod 1777 /mnt/shared
   EOT
   shutdown_script = ""
   dir            = data.coder_parameter.directory.value
@@ -392,6 +399,17 @@ resource "docker_volume" "home_persist" {
   }
 }
 
+# Deployment-wide shared volume. A single docker volume — fixed name, no per-owner
+# or per-workspace suffix — attached to every workspace container. Acts as a drop
+# box for moving files between users. Mounted at /mnt/shared with sticky-bit 1777
+# (see startup_script) so anyone can write but only the file's owner can delete it.
+resource "docker_volume" "shared" {
+  name = "coder-shared"
+  lifecycle {
+    ignore_changes = all
+  }
+}
+
 resource "docker_volume" "home_volume" {
   name = "coder-${data.coder_workspace.me.id}-home"
   # Protect the volume from being deleted due to changes in attributes.
@@ -477,6 +495,13 @@ resource "docker_container" "workspace" {
     read_only      = false
   }
 
+  # Deployment-wide shared drop box. Same volume on every workspace, every owner.
+  volumes {
+    container_path = "/mnt/shared"
+    volume_name    = docker_volume.shared.name
+    read_only      = false
+  }
+
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
