Enable Docker-in-Sandbox via Modal's official alpha support

Switch from manual docker.io + background dockerd to Modal's
enable_docker experimental option with proper networking setup:
- ubuntu:22.04 base with Docker CE 27.5.0 from official repo
- runc v1.3.0 for reliable networking in gVisor
- iptables-legacy (gVisor lacks nftables support)
- Proper NAT/SNAT rules in start-dockerd.sh
- Wait-for-dockerd readiness before starting runner
- Adds test-docker.yml to validate Docker + services (postgres)

Author: manascb1344

.github/workflows/test-docker.yml

@@ -0,0 +1,71 @@
+name: Test Docker Support
+
+on:
+  workflow_dispatch:
+
+jobs:
+  test-docker-basics:
+    name: Docker Basics
+    runs-on: [self-hosted, modal, "job-${{ github.run_id }}-${{ github.job }}"]
+    steps:
+      - name: Check Docker
+        run: |
+          docker version
+          docker info
+
+      - name: Run a container
+        run: |
+          docker run --rm hello-world
+
+      - name: Docker build
+        run: |
+          mkdir -p /tmp/test-build
+          cat > /tmp/test-build/Dockerfile <<'EOF'
+          FROM alpine:3.19
+          RUN echo "build works"
+          CMD ["echo", "hello from built image"]
+          EOF
+          docker build --network=host -t test-image /tmp/test-build
+          docker run --rm test-image
+
+  test-services:
+    name: Docker Services (Postgres)
+    runs-on: [self-hosted, modal, "job-${{ github.run_id }}-${{ github.job }}"]
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: test_user
+          POSTGRES_PASSWORD: test_password
+          POSTGRES_DB: test_db
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+    steps:
+      - name: Install psql
+        run: |
+          apt-get update && apt-get install -y postgresql-client
+
+      - name: Test Postgres connection
+        env:
+          PGHOST: localhost
+          PGPORT: 5432
+          PGUSER: test_user
+          PGPASSWORD: test_password
+          PGDATABASE: test_db
+        run: |
+          psql -c "SELECT version();"
+          psql -c "CREATE TABLE test (id serial PRIMARY KEY, name varchar(100));"
+          psql -c "INSERT INTO test (name) VALUES ('modal-docker-works');"
+          psql -c "SELECT * FROM test;"
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Docker Services Test" >> "$GITHUB_STEP_SUMMARY"
+          echo "- Docker version: $(docker version --format '{{.Server.Version}}' 2>/dev/null || echo 'N/A')" >> "$GITHUB_STEP_SUMMARY"
+          echo "- Status: ${{ job.status }}" >> "$GITHUB_STEP_SUMMARY"

DEPLOY.md

@@ -87,7 +87,7 @@ This guide outlines the steps to deploy this project using Modal.
 
 ### ⚠️ Limitations
 
-*   **Docker-in-Docker:** Standard GitHub "Container Actions" (actions that run inside a Docker container) are not supported by default within Modal Sandboxes.
+*   **Docker-in-Docker:** Docker support is enabled via Modal's Alpha Docker-in-Sandbox feature (`experimental_options={"enable_docker": True}`). GitHub Actions `services:` and container actions should work, but this is an Alpha feature and may have edge cases.
 *   **Wiping State:** Every job runs in a fresh sandbox. Files saved outside the repository workspace will be lost after the job completes.
 
 ### How it Works

app.py

@@ -7,6 +7,7 @@
 import json
 import time
 import re
+import tempfile
 import asyncio
 from urllib.parse import urlparse
 from fastapi import Request, HTTPException
@@ -19,6 +20,10 @@
 # CONFIGURATION
 # =============================================================================
 
+# CRITICAL: Use 2025.06+ Image Builder for Docker-in-Sandbox support
+# https://modal.com/docs/guide/docker-in-sandboxes
+os.environ.setdefault("MODAL_IMAGE_BUILDER_VERSION", "2025.06")
+
 # Runner version - configurable via environment for security updates
 RUNNER_VERSION = os.environ.get("RUNNER_VERSION", "2.333.1")
 
@@ -67,16 +72,77 @@
 # - Consider using fine-grained PATs with minimal repository access
 # =============================================================================
 
-# Pinned dependency versions for reproducibility and supply chain security
+# start-dockerd.sh content for proper Docker networking inside Modal Sandbox
+# Sets up NAT/SNAT rules, forces iptables-legacy (gVisor lacks nftables support),
+# and starts dockerd with --iptables=false since we manage rules manually.
+# Ref: https://modal.com/docs/guide/docker-in-sandboxes
+START_DOCKERD_SH = r"""#!/bin/bash
+set -e -o pipefail
+
+dev=$(ip route show default 2>/dev/null | awk '/default/ {print $5}')
+if [ -n "$dev" ]; then
+    addr=$(ip addr show dev "$dev" | grep -w inet | awk '{print $2}' | cut -d/ -f1)
+    if [ -n "$addr" ]; then
+        echo 1 > /proc/sys/net/ipv4/ip_forward
+        iptables-legacy -t nat -A POSTROUTING -o "$dev" -j SNAT --to-source "$addr" -p tcp 2>/dev/null || true
+        iptables-legacy -t nat -A POSTROUTING -o "$dev" -j SNAT --to-source "$addr" -p udp 2>/dev/null || true
+    fi
+fi
+
+update-alternatives --set iptables /usr/sbin/iptables-legacy 2>/dev/null || true
+update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 2>/dev/null || true
+
+exec /usr/bin/dockerd --iptables=false --ip6tables=false > /var/log/dockerd.log 2>&1
+"""
+
+_temp_dockerd_script = tempfile.NamedTemporaryFile(mode="w", suffix=".sh", delete=False)
+_temp_dockerd_script.write(START_DOCKERD_SH)
+_temp_dockerd_script.flush()
+os.chmod(_temp_dockerd_script.name, 0o755)
+_TEMP_DOCKERD_PATH = _temp_dockerd_script.name
+
 runner_image = (
-    modal.Image.debian_slim()
-    .apt_install("curl", "git", "ca-certificates", "sudo", "jq", "docker.io")
+    modal.Image.from_registry("ubuntu:22.04")
+    .env({"DEBIAN_FRONTEND": "noninteractive"})
+    .apt_install(
+        "wget",
+        "ca-certificates",
+        "curl",
+        "net-tools",
+        "iproute2",
+        "git",
+        "sudo",
+        "jq",
+    )
+    .run_commands(
+        "install -m 0755 -d /etc/apt/keyrings",
+        "curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc",
+        "chmod a+r /etc/apt/keyrings/docker.asc",
+        'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo \\"${UBUNTU_CODENAME:-$VERSION_CODENAME}\\") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null',
+    )
+    .apt_install(
+        "docker-ce=5:27.5.0-1~ubuntu.22.04~jammy",
+        "docker-ce-cli=5:27.5.0-1~ubuntu.22.04~jammy",
+        "containerd.io",
+        "docker-buildx-plugin",
+        "docker-compose-plugin",
+    )
+    .run_commands(
+        "rm -f $(which runc) || true",
+        "wget -q https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.amd64",
+        "chmod +x runc.amd64",
+        "mv runc.amd64 /usr/local/bin/runc",
+        "update-alternatives --set iptables /usr/sbin/iptables-legacy",
+        "update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy",
+    )
     .pip_install("fastapi==0.115.0", "httpx==0.27.0")
     .run_commands(
         "mkdir -p /actions-runner",
         f"curl -L https://github.com/actions/runner/releases/download/v{RUNNER_VERSION}/actions-runner-linux-x64-{RUNNER_VERSION}.tar.gz | tar -xz -C /actions-runner",
         "/actions-runner/bin/installdependencies.sh",
     )
+    .add_local_file(_TEMP_DOCKERD_PATH, "/start-dockerd.sh", copy=True)
+    .run_commands("chmod +x /start-dockerd.sh")
 )
 
 app = modal.App("modal-github-runner")
@@ -356,7 +422,14 @@ async def github_webhook(request: Request):
     logger.info(f"Spawning sandbox for job {job_id}...")
 
     try:
-        cmd = "dockerd > /dev/null 2>&1 & sleep 2 && cd /actions-runner && export RUNNER_ALLOW_RUNASROOT=1 && ./run.sh --jitconfig $GHA_JIT_CONFIG"
+        cmd = (
+            "bash -c '/start-dockerd.sh &'"
+            " && sleep 5"
+            " && until docker info > /dev/null 2>&1; do sleep 1; done"
+            " && cd /actions-runner"
+            " && export RUNNER_ALLOW_RUNASROOT=1"
+            " && exec ./run.sh --jitconfig $GHA_JIT_CONFIG"
+        )
 
         sandbox = modal.Sandbox.create(
             "bash",
@@ -366,6 +439,7 @@ async def github_webhook(request: Request):
             app=app,
             timeout=TIMEOUT_SECONDS,
             env={"GHA_JIT_CONFIG": jit_config},
+            experimental_options={"enable_docker": True},
         )
 
         sandbox.set_tags({"job_id": str(job_id)})