Skip to content

feat: support docker as container runtime in container-run.sh#10368

Merged
nmattia merged 2 commits into
masterfrom
nm-container-run-docker
Jun 8, 2026
Merged

feat: support docker as container runtime in container-run.sh#10368
nmattia merged 2 commits into
masterfrom
nm-container-run-docker

Conversation

@nmattia

@nmattia nmattia commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Add an optional docker backend to ci/container/container-run.sh, selected via the CONTAINER_RUNTIME env var (defaults to podman, so existing behaviour is unchanged). The podman code paths are left identical with master.

When CONTAINER_RUNTIME is 'docker':

  • run unprivileged (no sudo) with the minimal isolation flags the nested rootless podman used by the IC-OS build needs: --device /dev/fuse, unconfined seccomp/apparmor, disabled labelling, systempaths=unconfined, --cap-add SYS_ADMIN and --network=host (much narrower than podman's --privileged);
  • use image inspect instead of podman's image exists;
  • treat /.dockerenv as a nested-container marker;
  • source the ict_testnets dir from the cache dir rather than host /tmp (some namespaced docker daemons can't bind-mount the host's /tmp).

A small entrypoint shim (ci/container/docker-init.sh) opens up /dev/fuse (docker exposes it 0600 root:root) and ensures /tmp/zig-cache exists, via the image's passwordless sudo.

@nmattia
feat: support docker as container runtime in container-run.sh
ef941b1 
Add an optional `docker` backend to ci/container/container-run.sh,
selected via the CONTAINER_RUNTIME env var (defaults to `podman`, so
existing behaviour is unchanged). The podman code paths are left
identical with master.

When CONTAINER_RUNTIME is 'docker':
  - run unprivileged (no `sudo`) with the minimal isolation flags the
    nested rootless podman used by the IC-OS build needs: --device
    /dev/fuse, unconfined seccomp/apparmor, disabled labelling,
    systempaths=unconfined, --cap-add SYS_ADMIN and --network=host
    (much narrower than podman's --privileged);
  - use `image inspect` instead of podman's `image exists`;
  - treat /.dockerenv as a nested-container marker;
  - source the ict_testnets dir from the cache dir rather than host /tmp
    (some namespaced docker daemons can't bind-mount the host's /tmp).

A small entrypoint shim (ci/container/docker-init.sh) opens up /dev/fuse
(docker exposes it 0600 root:root) and ensures /tmp/zig-cache exists, via
the image's passwordless sudo.
@github-actions github-actions Bot added the feat label Jun 2, 2026
nmattia
nmattia commented Jun 2, 2026
View reviewed changes
Comment thread ci/container/docker-init.sh
@nmattia nmattia requested a review from Copilot June 2, 2026 14:14
Copilot AI reviewed Jun 2, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds optional Docker support to the existing container development/build entrypoint (ci/container/container-run.sh) while keeping Podman as the default, and introduces a small Docker-specific entrypoint shim to adjust permissions/paths needed for nested rootless Podman use cases (IC-OS build).

Changes:

  • Add CONTAINER_RUNTIME selection (podman default, optional docker) and adjust runtime command selection and image existence checks.
  • Adjust bind-mount strategy for ict_testnets under Docker to avoid host /tmp bind-mount limitations.
  • Add ci/container/docker-init.sh entrypoint shim to fix /dev/fuse permissions and prepare /tmp/zig-cache.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
ci/container/container-run.sh Adds Docker runtime option, runtime-specific run args, and Docker-specific mount handling.
ci/container/docker-init.sh New Docker-only entrypoint shim to adjust /dev/fuse perms and ensure /tmp/zig-cache exists/is writable.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread ci/container/container-run.sh
Comment thread ci/container/container-run.sh
Comment thread ci/container/container-run.sh
Comment thread ci/container/docker-init.sh
@nmattia nmattia marked this pull request as ready for review June 2, 2026 14:24
@nmattia nmattia requested a review from a team as a code owner June 2, 2026 14:24
@github-actions github-actions Bot added the @idx label Jun 2, 2026
nmattia
nmattia commented Jun 2, 2026
View reviewed changes
Comment thread ci/container/container-run.sh Outdated
@nmattia
Apply suggestions from code review
0f46270 
Co-authored-by: Nicolas Mattia <nicolas@nmattia.com>
@nmattia nmattia enabled auto-merge June 2, 2026 15:49
@nmattia nmattia added this pull request to the merge queue Jun 8, 2026
Merged via the queue into master with commit eed1b0c Jun 8, 2026
41 checks passed
@nmattia nmattia deleted the nm-container-run-docker branch June 8, 2026 09:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@basvandijk basvandijk basvandijk approved these changes

Assignees

No one assigned

Labels

feat @idx

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nmattia @basvandijk