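# syntax=docker/dockerfile:1
# For pure JS environment
#
# agent-plain: Alpine image that installs the configured agent CLI runtime(s)
# via agent.sh and runs them as the unprivileged user `coder` with
# no_new_privs set and capabilities dropped.
#
# Build arguments (plain ARGs -- never pass secrets this way, ARG values are
# visible in `docker history`):
#   BASE_IMAGE            base image reference. Defaults to alpine:latest for
#                         convenience; for a reproducible build pass a tag or
#                         digest, e.g. --build-arg BASE_IMAGE=alpine:<tag>@sha256:<digest>
#   AGENT_RUNTIMES        comma-separated list of runtimes installed via agent.sh
#   AGENT_DEFAULT_RUNTIME runtime recorded in /etc/agentctl/preferred-runtime;
#                         must be one of AGENT_RUNTIMES (checked at build time)
ARG BASE_IMAGE=alpine:latest
FROM ${BASE_IMAGE}
ARG AGENT_RUNTIMES=codex
ARG AGENT_DEFAULT_RUNTIME=codex

# --- Core tooling ---
# util-linux provides `setpriv` (used by the ENTRYPOINT); bubblewrap provides
# `bwrap`, advertised to the agent as a base tool in image.md below.
# Package versions are unpinned (hadolint DL3018) and follow the Alpine
# release of BASE_IMAGE -- pin BASE_IMAGE by digest when the package set
# must be stable between builds.
RUN apk add --no-cache \
    bash \
    bubblewrap \
    curl \
    file \
    git \
    jq \
    libgcc \
    libstdc++ \
    npm \
    ripgrep \
    util-linux \
    zsh

# --- Add user ---
# `coder` is a system account with a bash login shell; /workdir is the
# workspace shared with the host (see image.md below).
# NOTE(review): UID/GID are left to adduser's allocation. If host bind-mount
# ownership or a runAsNonRoot check needs a known ID, pass -u/-g explicitly.
RUN addgroup -S coder \
    && adduser -S -G coder -h /home/coder -s /bin/bash coder \
    && mkdir -p /home/coder/.codex /workdir \
    && chown -R coder:coder /home/coder /workdir

# HOME must point at coder's home for the RUN steps below, which still execute
# as root but write coder's configuration. IMAGE_NAME is informational.
ENV HOME=/home/coder \
    IMAGE_NAME=agent-plain

# Copy Codex default configuration and local model metadata config
COPY --chown=coder:coder config.toml local_models.json /home/coder/.codex/
COPY claude-settings.json /etc/claudectl/settings.json
COPY agentctl-path.sh /etc/profile.d/agentctl-path.sh

# Install the generic runtime launcher and runtime registry
COPY agent.sh /usr/local/bin/agent.sh
COPY runtimes /usr/local/lib/agentctl/runtimes
COPY runtimes.d /etc/agentctl/runtimes.d
COPY features /usr/local/lib/agentctl/features
COPY features.d /etc/agentctl/features.d

# Only the launcher is executable; runtime/feature scripts and the profile
# snippet are 0644 (presumably sourced by agent.sh / the login shell rather
# than executed directly -- confirm against agent.sh). Everything under
# /etc and /usr/local stays root-owned, so coder cannot alter it at run time.
RUN chmod 0755 /usr/local/bin/agent.sh \
    && chmod 0644 /etc/profile.d/agentctl-path.sh /etc/claudectl/settings.json \
    && find /usr/local/lib/agentctl/runtimes -type f -name '*.sh' -exec chmod 0644 {} + \
    && find /usr/local/lib/agentctl/features -type f -name '*.sh' -exec chmod 0644 {} + \
    && mkdir -p /etc/agentctl

# --- Install the configured runtimes via agent.sh ---
# Runs as root (installs may write system paths) with HOME pointed at coder's
# home; `bash -l` sources /etc/profile.d/agentctl-path.sh. Empty list entries
# (e.g. a trailing comma) are skipped, and AGENT_DEFAULT_RUNTIME must appear in
# the install list so the image cannot ship a preferred-runtime that was never
# installed.
RUN HOME=/home/coder \
    XDG_CONFIG_HOME=/home/coder/.config \
    AGENTCTL_SKIP_PREFERRED_SET=1 \
    AGENT_RUNTIMES="$AGENT_RUNTIMES" \
    AGENT_DEFAULT_RUNTIME="$AGENT_DEFAULT_RUNTIME" \
    bash -lc 'set -euo pipefail; \
      IFS="," read -r -a runtimes <<<"$AGENT_RUNTIMES"; \
      [ "${#runtimes[@]}" -gt 0 ] || { echo "No runtimes configured for image build" >&2; exit 1; }; \
      default_seen=0; \
      for runtime in "${runtimes[@]}"; do \
        [ -n "$runtime" ] || continue; \
        bash /usr/local/bin/agent.sh runtime install "$runtime"; \
        if [ "$runtime" = "$AGENT_DEFAULT_RUNTIME" ]; then default_seen=1; fi; \
      done; \
      [ "$default_seen" -eq 1 ] || { echo "AGENT_DEFAULT_RUNTIME=$AGENT_DEFAULT_RUNTIME is not in AGENT_RUNTIMES=$AGENT_RUNTIMES" >&2; exit 1; }; \
      printf "%s\n" "$AGENT_DEFAULT_RUNTIME" > /etc/agentctl/preferred-runtime' \
    && chown -R coder:coder /home/coder /workdir

# Mirror the Codex config into the codexctl/agentctl system dirs and write the
# image description the agent reads (image.md, also exposed as AGENTS.md).
# NOTE: BUILD_TIME is computed inside the layer, so on a warm cache this layer
# is reused and built_at_utc reflects when the layer was first built, not the
# latest `docker build`. Use --no-cache when the timestamp matters.
RUN mkdir -p /etc/codexctl /etc/agentctl \
    && cp /home/coder/.codex/config.toml /home/coder/.codex/local_models.json /etc/codexctl/ \
    && cp /home/coder/.codex/config.toml /home/coder/.codex/local_models.json /etc/agentctl/ \
    && BUILD_TIME="$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    && cat > /etc/codexctl/image.md <<EOF
You are running inside the \`agent-plain\` default image.
Environment:
- containerized Alpine Linux (package manager \`apk\`)
- running as the non-root user \`coder\`
- shared host workspace at \`/workdir\`
- architecture: check with \`uname -m\` if needed
Image metadata:
- image: \`agent-plain\`
- built_at_utc: \`${BUILD_TIME}\`
Built-in CLI tools:
- base tools: \`bash\`, \`zsh\`, \`git\`, \`curl\`, \`file\`, \`jq\`, \`rg\`, \`bwrap\`
- control tools: \`agent.sh\`
- programming tools: \`node\`, \`npm\`
Programming environments:
- Node.js with npm
Use this image for general shell work, Git operations, repository maintenance, and light scripting.
EOF

# Expose the same description under the agentctl name and as Codex's AGENTS.md
# in coder's config dir. The target file is root-owned, so coder can read but
# not edit it.
RUN ln -sf /etc/codexctl/image.md /etc/agentctl/image.md \
    && ln -sf /etc/codexctl/image.md /home/coder/.codex/AGENTS.md

# From here on, run as coder so subsequent writes produce user-owned files.
USER coder
WORKDIR /workdir

# Configure git for the coder account (written to /home/coder/.gitconfig).
# safe.directory is needed because /workdir is presumably bind-mounted from
# the host and may be owned by a different UID -- confirm against how the
# image is launched.
RUN git config --global user.email "codex@localhost" \
    && git config --global user.name "Codex CLI" \
    && git config --global init.defaultBranch "main" \
    && git config --global --add safe.directory /workdir

# Hardened entrypoint: clear inheritable/ambient capabilities and set
# no_new_privs so nothing the agent execs (setuid binaries, file caps) can
# regain privilege. Exec form keeps setpriv -> agent.sh as PID 1.
# NOTE(review): dropping the bounding set requires CAP_SETPCAP, which the
# unprivileged coder user should not hold here, so --bounding-set=-all is
# likely a no-op (or an error, depending on libcap-ng) unless the container is
# started as root -- verify. `docker run --cap-drop=ALL` is the reliable way to
# empty the bounding set.
ENTRYPOINT ["setpriv","--inh-caps=-all","--ambient-caps=-all","--bounding-set=-all","--no-new-privs","--"]
CMD ["/usr/local/bin/agent.sh","run"]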