feat(devcontainer): add codex-focused secure devcontainer setup

2026-05-02 12:21:26 +03:00 · 2026-02-02 15:44:38 -08:00
parent f50c8b2f81
commit fad8095c9e
6 changed files with 452 additions and 50 deletions
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -1,30 +1,63 @@
-# Containerized Development
+# Codex devcontainer

-We provide the following options to facilitate Codex development in a container. This is particularly useful for verifying the Linux build when working on a macOS host.
+This is a Codex-focused devcontainer setup adapted for this monorepo.

-## Docker
+## Core design choices

-To build the Docker image locally for x64 and then run it with the repo mounted under `/workspace`:
+- devcontainer schema + `init` + `updateRemoteUserUID`
+- `${devcontainerId}`-scoped named volumes for per-container persistence
+- read-only host `~/.gitconfig` mount with container-local `GIT_CONFIG_GLOBAL`
+- explicit `workspaceMount`/`workspaceFolder`
+- post-create bootstrap script (`post_install.py`) for idempotent setup

-```shell
-CODEX_DOCKER_IMAGE_NAME=codex-linux-dev
-docker build --platform=linux/amd64 -t "$CODEX_DOCKER_IMAGE_NAME" ./.devcontainer
-docker run --platform=linux/amd64 --rm -it -e CARGO_TARGET_DIR=/workspace/codex-rs/target-amd64 -v "$PWD":/workspace -w /workspace/codex-rs "$CODEX_DOCKER_IMAGE_NAME"
+## What is Codex-specific
+
+- Rust toolchain pinned to `1.93.0` with `clippy`, `rustfmt`, `rust-src`
+- musl targets: `x86_64-unknown-linux-musl`, `aarch64-unknown-linux-musl`
+- Node `22` + pnpm `10.28.2`
+- firewall setup that allowlists domains from `OPENAI_ALLOWED_DOMAINS`
+- persistent Cargo/Rustup volumes
+
+## Lifecycle hooks
+
+- `postCreateCommand`: `python3 /opt/post_install.py`
+  - configures history files
+  - fixes ownership on mounted dirs
+  - writes `/home/vscode/.gitconfig.local`
+- `postStartCommand`: `bash /opt/post_start.sh`
+  - applies firewall rules through `init-firewall.sh`
+  - optionally adds GitHub CIDR ranges from `api.github.com/meta`
+
+## Firewall modes
+
+- **Strict (default)**: `CODEX_ENABLE_FIREWALL=1` (or unset)
+- **Permissive**: `CODEX_ENABLE_FIREWALL=0`
+
+Optional strict-mode enhancement:
+
+- `CODEX_INCLUDE_GITHUB_META_RANGES=1` (default) hydrates GitHub CIDRs into the allowlist.
+
+To run in permissive mode during a session:
+
+```bash
+export CODEX_ENABLE_FIREWALL=0
 ```

-Note that `/workspace/target` will contain the binaries built for your host platform, so we include `-e CARGO_TARGET_DIR=/workspace/codex-rs/target-amd64` in the `docker run` command so that the binaries built inside your container are written to a separate directory.
+Then restart or rebuild the container.

-For arm64, specify `--platform=linux/amd64` instead for both `docker build` and `docker run`.
+## Persistent volumes

-Currently, the `Dockerfile` works for both x64 and arm64 Linux, though you need to run `rustup target add x86_64-unknown-linux-musl` yourself to install the musl toolchain for x64.
+- `/commandhistory`
+- `/home/vscode/.codex`
+- `/home/vscode/.config/gh`
+- `/home/vscode/.cargo/registry`
+- `/home/vscode/.cargo/git`
+- `/home/vscode/.rustup`

-## VS Code
+## Local Docker smoke build

-VS Code recognizes the `devcontainer.json` file and gives you the option to develop Codex in a container. Currently, `devcontainer.json` builds and runs the `arm64` flavor of the container.
-
-From the integrated terminal in VS Code, you can build either flavor of the `arm64` build (GNU or musl):
-
-```shell
-cargo build --target aarch64-unknown-linux-musl
-cargo build --target aarch64-unknown-linux-gnu
+```bash
+docker build -f .devcontainer/Dockerfile -t codex-devcontainer-test .
+docker run --rm -it --cap-add=NET_ADMIN --cap-add=NET_RAW \
+  -v "$PWD":/workspace -w /workspace codex-devcontainer-test zsh
 ```