Two devenv patches#96
Conversation
Summary of ChangesHello @cgwalters, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the development environment's capabilities by enabling nested containerization and virtual machine support within devcontainers without relying on the broad Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
cgwalters
force-pushed
the
two-devenv-patches
branch
from
118b8e5 to
e53ce79
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces several improvements to the development environment setup. Key changes include replacing the --privileged flag with more granular security options for nested containers, which is a significant security enhancement. The devenv-init.sh script has been refactored from a shell script into a more robust and maintainable Python script (userns-setup). A new self-test script (devenv-selftest.sh) and a corresponding Justfile command have been added to validate the nested container setup. Additionally, the GitHub Action for setting up Ubuntu has been improved for more reliable package removal.
The changes are well-structured and improve the security and maintainability of the development environment. I have a couple of minor suggestions for the new Python script to improve its robustness and adherence to Python conventions.
cgwalters
force-pushed
the
two-devenv-patches
branch
5 times, most recently
from
05634de to
ffd7d42
Compare
cgwalters
force-pushed
the
two-devenv-patches
branch
from
ffd7d42 to
6b29dfa
Compare
When running inside a constrained UID namespace (e.g., devaipod's rootless podman), the container only has access to a limited UID range. The previous configuration only handled cgroups but not the subuid/subgid mappings, causing nested podman to fail with 'newuidmap: write to uid_map failed'. This adds a Python script at /usr/lib/devenv/userns-setup which: - Detects constrained UID namespaces by parsing /proc/self/uid_map - Configures /etc/subuid and /etc/subgid with the available UID range - Uses SUDO_USER to correctly configure for the target user when run via sudo - Resets podman storage if mappings change - Preserves other users' entries when updating subuid/subgid - Creates containers.conf with cgroups=disabled for constrained namespaces The devenv-init.sh becomes a thin wrapper calling the Python implementation. Also adds chmod u+s for newuidmap/newgidmap on C10s, as shadow-utils doesn't set setuid by default (unlike Debian's uidmap package). Also adds a GitHub Actions workflow and just target to test nested podman by pulling and running busybox in the devcontainer images. Tested by running bootc workspace inside devaipod and successfully pulling and running containers with nested podman. Assisted-by: OpenCode (Claude claude-opus-4-5@20251101) Signed-off-by: Colin Walters <walters@verbum.org>
The arm64 runners from Arm Limited don't have all the same packages as x86_64 runners (e.g. google-chrome-stable). This caused apt-get remove to fail with exit code 100. Fix by checking with dpkg -l before attempting removal. Also switch from regex patterns to globs since both apt and dpkg support fnmatch globs, avoiding the need for pattern conversion. Assisted-by: OpenCode (Claude claude-opus-4-5@20251101) Signed-off-by: Colin Walters <walters@verbum.org>
cgwalters
force-pushed
the
two-devenv-patches
branch
from
6b29dfa to
aa0fa05
Compare
|
OK, well the plus side of adding tests is it found out that the c10s devenv was broken. Man, figuring out that |
The test was pulling pre-built images from the registry, but those don't have the selftest script until this PR is merged. Build the image locally first using the existing just targets. Also switch from docker to podman for consistency with the build. Signed-off-by: Colin Walters <walters@verbum.org>
cgwalters
force-pushed
the
two-devenv-patches
branch
from
aa0fa05 to
41ff7f7
Compare
2 participants
No description provided.