{"id":18581883,"url":"https://github.com/coder/envbox","last_synced_at":"2025-04-10T11:35:34.350Z","repository":{"id":161681790,"uuid":"611939852","full_name":"coder/envbox","owner":"coder","description":"envbox is an image that enables creating non-privileged containers capable of running system-level software (e.g. dockerd, systemd, etc) in Kubernetes.","archived":false,"fork":false,"pushed_at":"2025-04-09T21:09:39.000Z","size":421,"stargazers_count":45,"open_issues_count":11,"forks_count":10,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-09T22:19:44.829Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/coder.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-09T21:23:35.000Z","updated_at":"2025-04-09T21:09:39.000Z","dependencies_parsed_at":null,"dependency_job_id":"23e4c302-6a9b-4da4-bebb-025205394a7a","html_url":"https://github.com/coder/envbox","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fenvbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fenvbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fenvbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fenvbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coder","download_url":"https:
//codeload.github.com/coder/envbox/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248208688,"owners_count":21065205,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T00:08:03.527Z","updated_at":"2025-04-10T11:35:29.335Z","avatar_url":"https://github.com/coder.png","language":"Go","readme":"# envbox\n\n## Introduction\n\n`envbox` is an image that enables creating non-privileged containers capable of running system-level software (e.g. `dockerd`, `systemd`, etc) in Kubernetes.\n\nIt mainly acts as a wrapper for the excellent [sysbox runtime](https://github.com/nestybox/sysbox/) developed by [Nestybox](https://www.nestybox.com/). 
For more details on the security of `sysbox` containers see sysbox's [official documentation](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/security.md).\n\n## Envbox Configuration\n\nThe following environment variables configure various aspects of the inner and outer container.\n\n| env                            | usage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | required |\n|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|\n| `CODER_INNER_IMAGE`            | The image to use for the inner container.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
| True     |\n| `CODER_INNER_USERNAME`         | The username to use for the inner container.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | True     |\n| `CODER_AGENT_TOKEN`            | The [Coder Agent](https://coder.com/docs/v2/latest/about/architecture#agents) token to pass to the inner container.                                                                                                                                                                                                                                                                                                                                                                                                            | True     |\n| `CODER_INNER_ENVS`             | The environment variables to pass to the inner container. A wildcard can be used to match a prefix. Ex: `CODER_INNER_ENVS=KUBERNETES_*,MY_ENV,MY_OTHER_ENV`                                                                                                                                                                                                                                                                                                                                                                    | false    |\n| `CODER_INNER_HOSTNAME`         | The hostname to use for the inner container.                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                | false    |\n| `CODER_IMAGE_PULL_SECRET`      | The docker credentials to use when pulling the inner container image. The recommended way to do this is to create an [Image Pull Secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line) and then reference the secret using an [environment variable](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data). See below for example. | false    |\n| `CODER_DOCKER_BRIDGE_CIDR`     | The bridge CIDR to start the Docker daemon with.                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | false    |\n| `CODER_MOUNTS`                 | A list of mounts to mount into the inner container. Mounts default to `rw`. 
Ex: `CODER_MOUNTS=/home/coder:/home/coder,/var/run/mysecret:/var/run/mysecret:ro`                                                                                                                                                                                                                                                                                                                                                                  | false    |\n| `CODER_USR_LIB_DIR`            | The mountpoint of the host `/usr/lib` directory. Only required when using GPUs.                                                                                                                                                                                                                                                                                                                                                                                                                                                | false    |\n| `CODER_ADD_TUN`                | If `CODER_ADD_TUN=true` add a TUN device to the inner container.                                                                                                                                                                                                                                                                                                                                                                                                                                                               | false    |\n| `CODER_ADD_FUSE`               | If `CODER_ADD_FUSE=true` add a FUSE device to the inner container.                                                                                                                                                                                                                                                                                                                                          
                                                                                                                   | false    |\n| `CODER_ADD_GPU`                | If `CODER_ADD_GPU=true` add detected GPUs and related files to the inner container. Requires setting `CODER_USR_LIB_DIR` and mounting in the host's `/usr/lib/` directory.                                                                                                                                                                                                                                                                                                                                                     | false    |\n| `CODER_CPUS`                   | Dictates the number of CPUs to allocate to the inner container. It is recommended to set this using the Kubernetes [Downward API](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-container-fields-as-values-for-environment-variables).                                                                                                                                                                                                                             | false    |\n| `CODER_MEMORY`                 | Dictates the max memory (in bytes) to allocate to the inner container. It is recommended to set this using the Kubernetes [Downward API](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-container-fields-as-values-for-environment-variables).                                                                                                                                                                                                                      | false    |\n| `CODER_DISABLE_IDMAPPED_MOUNT` | Disables idmapped mounts in sysbox. 
For more information, see the [Sysbox Documentation](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/configuration.md#disabling-id-mapped-mounts-on-sysbox).                                                                                                                                                                                                                                                                                                                | false    |\n| `CODER_EXTRA_CERTS_PATH`       | A path to a file or directory containing CA certificates that should be trusted when communicating with external services (e.g. the Coder control plane or a Docker registry).                                                                                                                                                                                                                                                                                                                                                 | false    |\n\n## Coder Template\n\nA [Coder Template](https://github.com/coder/coder/tree/main/examples/templates/envbox) can be found in the [coder/coder](https://github.com/coder/coder) repo to provide a starting point for customizing an envbox container.\n\nTo learn more about Coder Templates refer to the [docs](https://coder.com/docs/v2/latest/templates).\n\n## Development\n\nIt is not possible to develop `envbox` effectively using a containerized environment (this includes developing `envbox` inside `envbox`). 
A VM, personal machine, or similar environment is required to run the [integration](./integration/) test suite.\n\n## CODER_IMAGE_PULL_SECRET Kubernetes Example\n\nIf a login is required to pull images from a private registry, create a secret following the instructions from the [Kubernetes Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line) as such:\n\n```console\nkubectl -n \u003ccoder namespace\u003e create secret docker-registry regcred \\\n        --docker-server=\u003cyour-registry-server\u003e \\\n        --docker-username=\u003cyour-name\u003e \\\n        --docker-password=\u003cyour-pword\u003e \\\n        --docker-email=\u003cyour-email\u003e\n```\n\nBe aware that a password passed via `--docker-password` ends up in your shell history; `kubectl create secret docker-registry` also accepts `--from-file=.dockerconfigjson=\u003cpath\u003e` to read an existing Docker config file instead.\n\nThen reference the secret in your template as such:\n\n```hcl\nenv {\n  name = \"CODER_IMAGE_PULL_SECRET\"\n  value_from {\n    secret_key_ref {\n      name = \"regcred\"\n      key =  \".dockerconfigjson\"\n    }\n  }\n}\n```\n\n\u003e **Note:**\n\u003e\n\u003e If you use external tooling to generate the secret, ensure that it is generated with the same fields as `kubectl create secret docker-registry`. 
You can check this with the following command:\n\u003e\n\u003e ```console\n\u003e kubectl create secret docker-registry example --docker-server=registry.domain.tld --docker-username=username --docker-password=password --dry-run=client --output=json | jq -r '.data[\".dockerconfigjson\"]' | base64 -d | jq\n\u003e ```\n\u003e\n\u003e Sample output:\n\u003e\n\u003e ```json\n\u003e {\n\u003e   \"auths\": {\n\u003e     \"registry.domain.tld\": {\n\u003e       \"username\": \"username\",\n\u003e       \"password\": \"password\",\n\u003e       \"auth\": \"dXNlcm5hbWU6cGFzc3dvcmQ=\" // base64(username:password)\n\u003e     }\n\u003e   }\n\u003e }\n\u003e ```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoder%2Fenvbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoder%2Fenvbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoder%2Fenvbox/lists"}
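The configuration table above describes two settings whose exact semantics matter for what the inner container can see: `CODER_INNER_ENVS` (an allowlist of outer-container environment variables, with a wildcard matching a prefix) and `CODER_MOUNTS` (a `src:dst[:ro]` list that defaults to `rw`). The Go program below is an added example written for this page, not envbox's own parsing code, and it assumes the wildcard is a trailing `*` and that any third field other than `ro`/`rw` is an error rather than silently writable; envbox's actual implementation may differ on those points. The sample environment and mount list are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount is one entry parsed from a CODER_MOUNTS-style list ("src:dst[:ro|rw]").
type Mount struct {
	Source   string
	Target   string
	ReadOnly bool
}

// ParseMounts parses a comma-separated mount list. Entries default to rw, as the
// README states. Both paths must be absolute, and an unknown mode is rejected
// instead of being treated as writable (an assumption made for this example).
func ParseMounts(spec string) ([]Mount, error) {
	var mounts []Mount
	for _, raw := range strings.Split(spec, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		parts := strings.Split(raw, ":")
		if len(parts) < 2 || len(parts) > 3 {
			return nil, fmt.Errorf("mount %q: expected src:dst[:ro|rw]", raw)
		}
		m := Mount{Source: parts[0], Target: parts[1]}
		if !filepath.IsAbs(m.Source) || !filepath.IsAbs(m.Target) {
			return nil, fmt.Errorf("mount %q: source and target must be absolute paths", raw)
		}
		if len(parts) == 3 {
			switch parts[2] {
			case "ro":
				m.ReadOnly = true
			case "rw":
				// explicit default
			default:
				return nil, fmt.Errorf("mount %q: unknown mode %q", raw, parts[2])
			}
		}
		mounts = append(mounts, m)
	}
	return mounts, nil
}

// FilterEnvs returns the KEY=VALUE entries of environ that a CODER_INNER_ENVS
// allowlist permits. A pattern ending in '*' matches any key with that prefix
// (assumed wildcard form); any other pattern must equal the key exactly.
// Everything else is dropped, so secrets present only in the outer
// container's environment are not exposed to the inner one.
func FilterEnvs(allowlist string, environ []string) []string {
	var exact, prefixes []string
	for _, pat := range strings.Split(allowlist, ",") {
		pat = strings.TrimSpace(pat)
		switch {
		case pat == "":
		case strings.HasSuffix(pat, "*"):
			prefixes = append(prefixes, strings.TrimSuffix(pat, "*"))
		default:
			exact = append(exact, pat)
		}
	}
	var out []string
	for _, kv := range environ {
		key, _, ok := strings.Cut(kv, "=")
		if !ok {
			continue // not a KEY=VALUE entry; skip rather than pass through
		}
		if allowed(key, exact, prefixes) {
			out = append(out, kv)
		}
	}
	return out
}

func allowed(key string, exact, prefixes []string) bool {
	for _, e := range exact {
		if key == e {
			return true
		}
	}
	for _, p := range prefixes {
		if strings.HasPrefix(key, p) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs; not taken from a real deployment.
	inner := FilterEnvs("KUBERNETES_*,MY_ENV", []string{
		"KUBERNETES_SERVICE_HOST=10.0.0.1",
		"MY_ENV=1",
		"AWS_SECRET_ACCESS_KEY=do-not-leak",
	})
	fmt.Println("inner env:", inner)
	mounts, err := ParseMounts("/home/coder:/home/coder,/var/run/mysecret:/var/run/mysecret:ro")
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for _, m := range mounts {
		fmt.Printf("%s -> %s (ro=%v)\n", m.Source, m.Target, m.ReadOnly)
	}
}
```

Running it shows only the `KUBERNETES_*` and `MY_ENV` entries surviving the filter, and the secret mount coming back read-only while the home directory keeps the `rw` default; a mount such as `/a:/b:rx` or a relative path is rejected.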