JetBrains CodeCanvas 2024.3 Help

Sysbox Configuration

In CodeCanvas, dev environments are managed by a worker application that runs inside a container in a Kubernetes pod. The application uses the Docker daemon to start dev environments in nested containers, a model known as Docker-in-Docker.

The Docker-in-Docker model requires the worker application to have additional permissions on the host system, such as access to the host's devices and filesystem. To grant these permissions, the worker container runs in the --privileged mode. A privileged container runs with all Linux capabilities and unrestricted access to host devices, so it is effectively root on the host node: if the worker application is compromised, the attacker has root access to the node and to everything else scheduled on it.

To avoid this risk, you can use the Sysbox Container Runtime. Sysbox is a drop-in replacement for runc that runs each container with stronger, VM-like isolation (its own user namespace, a virtualized /proc and /sys, and syscall interception), which lets the worker run a Docker daemon inside its container without the --privileged mode.

To enable Sysbox for your installation

  1. Install Sysbox on your Kubernetes cluster. Sysbox has node OS and kernel requirements, so check them first, then follow the instructions for your cloud provider in the Sysbox documentation.

  2. Enable Sysbox in values.yaml:

     application:
       ... # other settings
       config:
         codecanvas:
           ... # other settings
           execution:
             k8s:
               worker:
                 ... # other settings
                 sysbox:
                   enabled: true
                 ... # other settings
  3. If you enable Sysbox for an existing CodeCanvas installation, apply the updated values.yaml with helm upgrade so that the worker pods are recreated with the new runtime.
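A post-upgrade check for the procedure above, added here as an example and not part of the CodeCanvas documentation or product: it reads, for each pod, the runtime class and the privileged flags of its containers (in the format printed by the kubectl custom-columns query in the comments) and flags any worker that still runs a privileged container or is not on the Sysbox runtime. It assumes the RuntimeClass is named sysbox-runc (the name the Sysbox Kubernetes installer registers) and that you supply the namespace NS and a label selector for the worker pods; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit CodeCanvas worker pods after enabling Sysbox.
# Not CodeCanvas code. Assumptions: the Sysbox RuntimeClass is "sysbox-runc",
# the worker pods live in namespace $NS, and <worker label> is the selector
# that matches them (both must be supplied by the operator).

EXPECTED_RUNTIME="${EXPECTED_RUNTIME:-sysbox-runc}"

# Classify one pod from three fields: name, runtimeClassName, and the
# comma-joined privileged flags of its containers ("<none>" when unset).
# Prints "OK <name>" or "FAIL <name>: <reason>"; returns 1 on FAIL.
audit_pod() {
  name=$1; runtime=$2; priv=$3
  reason=""
  case "$priv" in
    *true*) reason="runs a --privileged container" ;;
  esac
  if [ "$runtime" != "$EXPECTED_RUNTIME" ]; then
    reason="${reason:+$reason; }runtimeClassName is '$runtime', expected '$EXPECTED_RUNTIME'"
  fi
  if [ -n "$reason" ]; then
    printf 'FAIL %s: %s\n' "$name" "$reason"
    return 1
  fi
  printf 'OK %s\n' "$name"
  return 0
}

# Read "name runtime priv" lines on stdin, audit each pod, and return the
# number of failing pods (0 means every worker is on Sysbox and unprivileged).
audit_pods() {
  failures=0
  while read -r name runtime priv; do
    [ -z "$name" ] && continue
    audit_pod "$name" "$runtime" "$priv" || failures=$((failures + 1))
  done
  return "$failures"
}

# Live use (requires kubectl access; assumed namespace and label):
#   kubectl get runtimeclass "$EXPECTED_RUNTIME"        # Sysbox installed?
#   kubectl get pods -n "$NS" -l <worker label> --no-headers \
#     -o custom-columns='NAME:.metadata.name,RUNTIME:.spec.runtimeClassName,PRIV:.spec.containers[*].securityContext.privileged' \
#     | audit_pods

# Constructed sample, shaped like the kubectl output above: one worker still
# privileged on the default runtime, one already migrated to Sysbox.
SAMPLE='worker-old-abc12 <none> true
worker-new-def34 sysbox-runc <none>'

printf '%s\n' "$SAMPLE" | audit_pods
echo "failing pods: $?"
```

Run it right after helm upgrade has finished rolling out: a non-zero failure count means a worker pod was recreated without the Sysbox runtime class, or a privileged securityContext is still being set, and the installation has not actually shed the --privileged mode.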

Last modified: 16 September 2024