Open
All contributors have signed the DCO ✍️ ✅
Author: I have read the DCO document and I hereby sign the DCO.
Author: recheck
Adds openshell-driver-podman, a new compute driver that manages OpenShell sandboxes as rootless Podman containers via the Podman REST API over a Unix socket. Enables local workstation sandboxes without Kubernetes.

Driver features:
- Bridge networking with ephemeral host-port mapping for rootless SSH reachability
- Named volumes for workspace storage, Podman native health checks, GPU via CDI
- Supervisor binary sideloaded via image volume mount (BYOC-compatible)
- SSH handshake secret injected via Podman secrets API (not plaintext env)
- Typed ContainerSpec structs, input validation, and path-traversal guards
- Cgroups v2 required; fails fast on v1 hosts
- Bounded event stream buffer; watch stream reconnection handled by server watch_loop
- Graceful shutdown and standalone driver binary with gRPC bridge

Rootless-specific fixes:
- Skip drop_privileges when user namespace lacks SETUID/SETGID/DAC_READ_SEARCH caps
- Add /run/netns tmpfs mount for ip netns in rootless containers
- Use secret_env map (not secrets array) for env-var injection in libpod API
- Resolve SSH endpoint to 127.0.0.1:<host_port> instead of unreachable bridge IP

Server/sandbox hardening:
- Split loopback and link-local SSRF gates; Podman/VM drivers allow loopback
- Close SSRF bypass in SSH tunnel Host path by resolving DNS before connecting
- Prevent OPENSHELL_* env var override by user-supplied spec environment maps
- Disable SQLite pool idle_timeout/max_lifetime for in-memory databases
- Emit deleted_event on 404-during-inspect instead of regressing sandbox phase
- Key delete cleanup by stable sandbox_id to survive container label drift

CLI fixes:
- Restore --name as a named flag on sandbox create (not positional)
- Fix exec command arg parsing to not consume sandboxed-command flags
- Propagate SSH verbosity via OPENSHELL_SSH_LOG_LEVEL

Build tooling:
- Add tasks/scripts/container-engine.sh: auto-detects Podman or Docker, exposes unified ce_* helpers; all build/cluster/VM scripts updated to use it
- Add docker:build:supervisor mise task for standalone supervisor image
- Add openshell-driver-podman to Dockerfile.images pre-fetch/build stages
- Add e2e/rust/e2e-podman.sh and e2e:podman mise task for full lifecycle testing

Signed-off-by: Adam Miller <admiller@redhat.com>
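The two SSRF items under "Server/sandbox hardening" above (separate loopback and link-local gates, and resolving DNS before the gate runs) as an added Rust example; this is illustrative code written for this page, not the OpenShell code base, and `SsrfPolicy`, `gate_ip` and `resolve_and_gate` are assumed names.

```rust
use std::net::{IpAddr, SocketAddr, ToSocketAddrs};

/// Per-driver SSRF policy for the SSH tunnel Host path. Loopback is gated per driver
/// (Podman/VM dial 127.0.0.1:<host_port>); link-local (169.254/16, fe80::/10) is always blocked.
#[derive(Clone, Copy, Debug)]
pub struct SsrfPolicy {
    pub allow_loopback: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    Loopback(IpAddr),
    LinkLocal(IpAddr),
}

/// Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the gates see the real v4 address.
fn canonical(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map_or(ip, IpAddr::V4),
        v4 => v4,
    }
}

fn is_link_local(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_link_local(),
        IpAddr::V6(v6) => (v6.segments()[0] & 0xffc0) == 0xfe80, // fe80::/10
    }
}

/// Gate one address that is about to be dialled; returns the canonical IP.
pub fn gate_ip(ip: IpAddr, policy: SsrfPolicy) -> Result<IpAddr, Rejection> {
    let ip = canonical(ip);
    if is_link_local(ip) {
        return Err(Rejection::LinkLocal(ip));
    }
    if ip.is_loopback() && !policy.allow_loopback {
        return Err(Rejection::Loopback(ip));
    }
    Ok(ip)
}

/// Resolve `host:port` first, then gate every address it maps to: gating the hostname
/// string alone is bypassable, since a name can resolve to 127.0.0.1 or 169.254.169.254.
pub fn resolve_and_gate(host_port: &str, policy: SsrfPolicy) -> Result<Vec<SocketAddr>, String> {
    let addrs = host_port.to_socket_addrs().map_err(|e| format!("resolve {host_port}: {e}"))?;
    addrs
        .map(|a| gate_ip(a.ip(), policy).map(|_| a).map_err(|r| format!("{host_port}: {r:?}")))
        .collect()
}
```

The addresses returned by `resolve_and_gate` are the ones to connect to; re-resolving the name at connect time would reopen the gap the check closes.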
Summary

Adds a Podman compute driver (openshell-driver-podman) that runs sandboxes as rootless Podman containers on a local workstation. The driver communicates with the Podman REST API via a gRPC bridge, preserving the full OpenShell control-plane model while supporting Podman-native and rootless environments.

Related Issue

Closes #882

Changes

- crates/openshell-driver-podman crate: Podman REST API client, container lifecycle management, event watcher, gRPC bridge, and driver binary
- tasks/scripts/container-engine.sh) to support both Docker and Podman
- SETUID/SETGID/DAC_READ_SEARCH caps, skip drop_privileges in SSH pre_exec
- e2e/rust/e2e-podman.sh) covering full sandbox lifecycle against the Podman driver
- architecture/podman-driver.md) and update debug skill

Testing

- mise run pre-commit passes
- e2e/rust/e2e-podman.sh — full lifecycle: create, connect, exec, delete)

Checklist

- architecture/podman-driver.md)