MCPcopy Index your code
hub / github.com/coder/envbox

github.com/coder/envbox @0.6.7

Chat with this repo
repository ↗ · DeepWiki ↗ · release 0.6.7 ↗ · + Follow
378 symbols 1,195 edges 68 files 83 documented · 22%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

envbox

Introduction

envbox is an image that enables creating non-privileged containers capable of running system-level software (e.g. dockerd, systemd, etc) in Kubernetes.

It mainly acts as a wrapper for the excellent sysbox runtime developed by Nestybox. For more details on the security of sysbox containers see sysbox's official documentation.

Envbox Configuration

The environment variables can be used to configure various aspects of the inner and outer container.

env usage required
CODER_INNER_IMAGE The image to use for the inner container. True
CODER_INNER_USERNAME The username to use for the inner container. True
CODER_AGENT_TOKEN The Coder Agent token to pass to the inner container. True
CODER_INNER_ENVS The environment variables to pass to the inner container. A wildcard can be used to match a prefix. Ex: CODER_INNER_ENVS=KUBERNETES_*,MY_ENV,MY_OTHER_ENV false
CODER_INNER_HOSTNAME The hostname to use for the inner container. false
CODER_IMAGE_PULL_SECRET The docker credentials to use when pulling the inner container. The recommended way to do this is to create an Image Pull Secret and then reference the secret using an environment variable. See below for example. false
CODER_DOCKER_BRIDGE_CIDR The bridge CIDR to start the Docker daemon with. false
CODER_BOOTSTRAP_SCRIPT The script to use to bootstrap the container. This should typically install and start the agent. false
CODER_MOUNTS A list of mounts to mount into the inner container. Mounts default to rw. Ex: CODER_MOUNTS=/home/coder:/home/coder,/var/run/mysecret:/var/run/mysecret:ro false
CODER_USR_LIB_DIR The mountpoint of the host /usr/lib directory. Only required when using GPUs. false
CODER_INNER_USR_LIB_DIR The inner /usr/lib mountpoint. This is automatically detected based on /etc/os-release in the inner image, but may optionally be overridden. false
CODER_ADD_TUN If CODER_ADD_TUN=true add a TUN device to the inner container. false
CODER_ADD_FUSE If CODER_ADD_FUSE=true add a FUSE device to the inner container. false
CODER_ADD_GPU If CODER_ADD_GPU=true add detected GPUs and related files to the inner container. Requires setting CODER_USR_LIB_DIR and mounting in the hosts /usr/lib/ directory. false
CODER_CPUS Dictates the number of CPUs to allocate the inner container. It is recommended to set this using the Kubernetes Downward API. false
CODER_MEMORY Dictates the max memory (in bytes) to allocate the inner container. It is recommended to set this using the Kubernetes Downward API. false
CODER_DISABLE_IDMAPPED_MOUNT Disables idmapped mounts in sysbox. For more information, see the Sysbox Documentation. false
CODER_EXTRA_CERTS_PATH A path to a file or directory containing CA certificates that should be made when communicating to external services (e.g. the Coder control plane or a Docker registry) false

Coder Template

A Coder Template can be found in the coder/coder repo to provide a starting point for customizing an envbox container.

To learn more about Coder Templates refer to the docs.

Development

It is not possible to develop envbox effectively using a containerized environment (includes developing envbox using envbox). A VM, personal machine, or similar environment is required to run the integration test suite.

CODER_IMAGE_PULL_SECRET Kubernetes Example

If a login is required to pull images from a private repository, create a secret following the instructions from the Kubernetes Documentation as such:

kubectl -n <coder namespace> create secret docker-registry regcred \
        --docker-server=<your-registry-server> \
        --docker-username=<your-name> \
        --docker-password=<your-pword> \
        --docker-email=<your-email>

Then reference the secret in your template as such:

env {
  name = "CODER_IMAGE_PULL_SECRET"
  value_from {
    secret_key_ref {
      name = "regcred"
      key =  ".dockerconfigjson"
    }
  }
}

Note:

If you use external tooling to generate the secret, ensure that it is generated with the same fields as kubectl create secret docker-registry. You can check this with the following command:

console kubectl create secret docker-registry example --docker-server=registry.domain.tld --docker-username=username --docker-password=password --dry-run=client --output=json | jq -r '.data[".dockerconfigjson"]' | base64 -d | jq

Sample output:

json { "auths": { "registry.domain.tld": { "username": "username", "password": "password", "auth": "dXNlcm5hbWU6cGFzc3dvcmQ=" // base64(username:password) } } }

GPUs

When passing through GPUs to the inner container, you may end u

Extension points exported contracts — how you extend this code

Logger (Interface)
(no doc) [4 implementers]
buildlog/logger.go
Execer (Interface)
The code henceforth is copied straight and modified slightly from "k8s.io/utils/exec". Their interface doesn't allow fo [2 …
xunix/exec.go
CoderClient (Interface)
(no doc) [2 implementers]
buildlog/coder.go
FS (Interface)
(no doc) [2 implementers]
xunix/fs.go
ImagePullProgressFn (FuncType)
ImagePullProgressFn provides a way for a consumer to process image pull progress.
dockerutil/image.go
EnvironFn (FuncType)
(no doc)
xunix/env.go
Client (Interface)
(no doc)
dockerutil/client.go
Cmd (Interface)
(no doc) [1 implementers]
xunix/exec.go

Core symbols most depended-on inside this repo

Errorf
called by 154
buildlog/logger.go
Run
called by 66
xunix/exec.go
Error
called by 54
buildlog/logger.go
Info
called by 26
buildlog/logger.go
EnvVar
called by 24
integration/integrationtest/docker.go
Close
called by 24
buildlog/logger.go
String
called by 21
xunix/env.go
StringVarP
called by 19
cli/cliflag/cliflag.go

Shape

Function 167
Method 150
Struct 48
Interface 6
TypeAlias 5
FuncType 2

Languages

Go100%

Modules by API surface

dockerutil/dockerfake/client.go55 symbols
xunix/exec.go27 symbols
integration/integrationtest/docker.go27 symbols
buildlog/coder.go22 symbols
buildlog/logger.go21 symbols
dockerutil/image.go12 symbols
cli/cliflag/cliflag.go12 symbols
xunix/fs.go11 symbols
cli/docker.go11 symbols
background/process.go11 symbols
dockerutil/client.go10 symbols
buildlog/json.go9 symbols

For agents

$ claude mcp add envbox \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact