* feat: use Nix profiles in sandbox Docker image

  Replace manual tool installs (rustup, nodesource, curl installers) in sandbox-image/Dockerfile.sandbox with a single `nix profile install .#sandbox`. All tools (Rust, Node, Bun, Deno, Go, gh, sqlx-cli, cargo-watch, Chromium, Playwright, etc.) are now managed declaratively via flake.nix.

  - Add `packages.sandbox` and `packages.sandbox-full` buildEnv outputs to flake.nix
  - Add `sandbox-env` helper script for browser tooling env vars
  - Update playwrightWrapper to export PLAYWRIGHT_BROWSERS_PATH
  - Rewrite Dockerfile.sandbox: Nix replaces ~50 lines of manual installs
  - Update entrypoint.sh to source Nix profile PATH
  - Delete deprecated root Dockerfile.sandbox

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: sandbox image runs as non-root user with wmdev

  - Rewrite entrypoint.sh to start PostgreSQL as current user (no chown/su needed), fixing "Operation not permitted" when wmdev runs containers with --user
  - Add chmod -R 777 /root and passwd entry for UID 1000 so non-root containers can access bashrc, nix-profile, and tool configs
  - Remove apt postgresql server (Nix profile provides it)
  - Fix bash history expansion errors from literal `!` in system prompt
  - Fix asciinema path reference (available on PATH, not hardcoded)

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: wrap pkg-config in sandbox profiles to bake in Nix search path

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add openssh-client and sudo to sandbox image for full root access

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: use useradd instead of manual passwd entry for sandbox agent user

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
47 lines
2.8 KiB
Docker
FROM debian:bookworm-slim

# ── Minimal system deps ──────────────────────────────────────────────────────
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates curl git openssh-client sudo xz-utils \
    # PostgreSQL client (server provided by Nix profile)
    postgresql-client \
    && rm -rf /var/lib/apt/lists/*

# ── Nix (single-user, Determinate installer) ────────────────────────────────
# The installer script is fetched and executed unpinned at build time; pin a
# release or verify its checksum if the image build must be reproducible.
RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
    sh -s -- install linux --no-confirm --init none
ENV PATH="/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH"

# ── Install default sandbox profile ─────────────────────────────────────────
COPY flake.nix flake.lock /tmp/flake/
RUN cd /tmp/flake && nix profile install .#sandbox \
    && rm -rf /tmp/flake

# ── Browser env (Puppeteer / Mermaid point to Nix Chromium) ─────────────────
ENV PUPPETEER_SKIP_DOWNLOAD="true"
# --no-sandbox turns off Chromium's own process sandbox; the container boundary
# is then the only isolation around whatever pages the browser renders.
RUN printf '{"args":["--no-sandbox","--disable-setuid-sandbox"],"executablePath":"%s"}\n' \
    "$(readlink -f "$(which chromium)")" > /root/.puppeteerrc.json

# ── Claude Code ──────────────────────────────────────────────────────────────
RUN curl -fsSL https://claude.ai/install.sh | bash
ENV PATH="/root/.local/bin:$PATH"

# ── npm globals (install to /usr/local so bins land on PATH) ─────────────────
ENV NPM_CONFIG_PREFIX=/usr/local
RUN npm i -g @openai/codex
RUN PUPPETEER_SKIP_DOWNLOAD=true npm i -g @mermaid-js/mermaid-cli

# ── Runtime env ──────────────────────────────────────────────────────────────
ENV CARGO_HOME=/tmp/.cargo

# ── Allow non-root UID (--user) to access tools installed in /root ───────────
# Give UID 1000 a proper passwd entry, passwordless sudo, and full access to /root.
# A world-writable /root plus NOPASSWD sudo means any code running in the
# container is effectively root whatever --user is set to: the container itself
# is the trust boundary here, so this image is only suitable for the sandbox.
RUN chmod -R 777 /root \
    && useradd -u 1000 -g 100 -d /root -s /bin/bash -M agent \
    && echo "agent ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/agent \
    && chmod 0440 /etc/sudoers.d/agent

# ── Entrypoint ───────────────────────────────────────────────────────────────
COPY sandbox-image/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
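The "Allow non-root UID" block above is the part of this Dockerfile a reviewer would stop on: it shares /root with UID 1000 by making the whole tree world-writable and grants that user unrestricted passwordless sudo. The following is an added example, not code from this repository, showing a small POSIX shell audit that flags those two directives in a Dockerfile and contrasts them with a tighter variant. The two Dockerfile snippets are constructed inline (one mirrors the page's RUN, the other is an assumed alternative that shares /root with GID 100, the group the page's `useradd -g 100` already assigns, instead of with everyone); the function names `join_continuations`, `audit_dockerfile` and `count_findings` are this example's own.

```shell
#!/bin/sh
# Added example (not the project's code): audit a Dockerfile for two
# broad-privilege directives and show a group-scoped alternative.
#   - chmod ... 777 <path>    : a world-writable tree shared across UIDs
#   - NOPASSWD:ALL in sudoers : unrestricted passwordless root for the user

# Constructed input that mirrors the page's privilege-related RUN.
SAMPLE_DOCKERFILE='FROM debian:bookworm-slim
RUN chmod -R 777 /root \
    && useradd -u 1000 -g 100 -d /root -s /bin/bash -M agent \
    && echo "agent ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/agent \
    && chmod 0440 /etc/sudoers.d/agent
RUN chmod +x /usr/local/bin/entrypoint.sh'

# Constructed alternative (an assumption, not the project's choice): hand the
# shared tree to GID 100, which useradd -g 100 already gives the agent user,
# and leave sudo out when the sandbox does not actually need root.
TIGHTENED_DOCKERFILE='FROM debian:bookworm-slim
RUN chgrp -R 100 /root && chmod -R g+rwX,o-rwx /root \
    && useradd -u 1000 -g 100 -d /root -s /bin/bash -M agent
RUN chmod +x /usr/local/bin/entrypoint.sh'

# Join backslash-continued lines so each RUN is inspected as one logical
# command; the page's RUN spans four physical lines.
join_continuations() {
  printf '%s\n' "$1" | awk '
    {
      line = $0
      if (sub(/\\[ \t]*$/, "", line)) { buf = buf line; next }
      print buf line; buf = ""
    }
    END { if (buf != "") print buf }'
}

# Print one "<finding><TAB><directive>" line per problem; nothing when clean.
audit_dockerfile() {
  join_continuations "$1" | awk '
    /^RUN/ {
      # chmod, optional flags, a mode ending in 777 (777, 0777, 2777 ...), then a path
      if ($0 ~ /chmod[ \t]+(-[A-Za-z]+[ \t]+)*[0-7]?777[ \t]/)
        print "world-writable-chmod\t" $0
      if ($0 ~ /NOPASSWD:[ \t]*ALL/)
        print "passwordless-sudo\t" $0
    }'
}

# Number of findings as a plain integer (0 when clean).
count_findings() {
  audit_dockerfile "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report both constructed snippets.
report() {
  printf '%s: %s finding(s)\n' "$1" "$(count_findings "$2")"
  audit_dockerfile "$2" | sed 's/^/  /'
}
report "page Dockerfile" "$SAMPLE_DOCKERFILE"
report "group-scoped variant" "$TIGHTENED_DOCKERFILE"
```

The audit joins continuation lines first because the page puts `chmod -R 777` and the sudoers write in one four-line RUN; a line-by-line grep would still find them here, but misses directives whose mode and path are split across continuations. The group-scoped variant keeps the same `-g 100` user the page creates and still lets it read and write the Nix profile, bashrc and tool configs under /root, while leaving other UIDs and the world out.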