JetBrains CodeCanvas 2024.3

Sysbox Configuration

Last modified: 16 September 2024

In CodeCanvas, dev environments are managed by a worker application that runs inside a container in a Kubernetes pod. The application uses the Docker daemon to start dev environments in nested containers, a model known as Docker-in-Docker.

The Docker-in-Docker model requires the worker application to have additional permissions on the host system, such as access to the host's devices and filesystem. To grant these permissions, the host runs the worker application in the --privileged mode. This might pose a security risk, as a privileged worker application effectively has root access to the host node.

To avoid the risk, you can use Sysbox Container Runtime. Sysbox improves container isolation by running containers in a VM-like environment and eliminates the need for the --privileged mode.
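The two deployment shapes the text contrasts, as an added example that is not part of the CodeCanvas documentation or the product's own manifests: a pod that runs its Docker daemon with privileged: true, and the same pod moved onto a Sysbox RuntimeClass with no privilege requested. Both manifests are constructed (held as Python dicts with the same structure kubectl reads from YAML, so no YAML library is needed), the RuntimeClass name sysbox-runc is assumed to be the one the cluster administrator registered when installing Sysbox, and audit_pod is a hypothetical helper that reports what each shape grants.

```python
"""Compare a privileged Docker-in-Docker pod with its Sysbox equivalent.

Added example, not CodeCanvas code. Manifests are constructed; the image
reference is a placeholder.
"""
from typing import Any, Dict, List

# Constructed: the --privileged shape the text warns about. The container
# receives the host's devices and full capabilities, i.e. root on the node.
PRIVILEGED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "dind-worker-privileged"},  # constructed name
    "spec": {
        "containers": [
            {
                "name": "worker",
                "image": "example.invalid/dind-worker:dev",  # placeholder
                "securityContext": {"privileged": True},
            }
        ]
    },
}

# Constructed: the same workload on Sysbox. The pod is placed on the Sysbox
# runtime through a RuntimeClass (assumed to be registered as "sysbox-runc"
# by the cluster administrator) and asks for no privilege at all.
SYSBOX_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "dind-worker-sysbox"},  # constructed name
    "spec": {
        "runtimeClassName": "sysbox-runc",
        "containers": [
            {
                "name": "worker",
                "image": "example.invalid/dind-worker:dev",  # placeholder
            }
        ]
    },
}

# Assumption: RuntimeClass names an administrator would register for Sysbox.
SYSBOX_RUNTIME_CLASSES = {"sysbox-runc"}


def privileged_containers(pod: Dict[str, Any]) -> List[str]:
    """Names of containers (init and regular) that request privileged: true.

    privileged is a container-level setting, so the pod-level securityContext
    is not consulted.
    """
    spec = pod.get("spec", {})
    found: List[str] = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        if container.get("securityContext", {}).get("privileged") is True:
            found.append(container["name"])
    return found


def uses_sysbox(pod: Dict[str, Any]) -> bool:
    """True when the pod is scheduled onto a Sysbox RuntimeClass."""
    return pod.get("spec", {}).get("runtimeClassName") in SYSBOX_RUNTIME_CLASSES


def audit_pod(pod: Dict[str, Any]) -> Dict[str, Any]:
    """Hypothetical helper: summarise what the pod grants.

    "ok" is False whenever any container is privileged; the recommendation
    for a privileged Docker-in-Docker pod is the Sysbox shape shown above.
    """
    privileged = privileged_containers(pod)
    sysbox = uses_sysbox(pod)
    return {
        "pod": pod["metadata"]["name"],
        "privileged_containers": privileged,
        "sysbox": sysbox,
        "ok": not privileged,
        "advice": (
            "move the pod onto a Sysbox RuntimeClass and drop privileged: true"
            if privileged and not sysbox
            else ""
        ),
    }


if __name__ == "__main__":
    for manifest in (PRIVILEGED_POD, SYSBOX_POD):
        print(audit_pod(manifest))
```

Running the block prints one audit line per manifest: the privileged pod is flagged with the worker container named and the advice filled in, the Sysbox pod reports no privileged containers and sysbox set to True. The same privileged_containers check can be run over any pod spec pulled from a cluster, since it reads only the container-level securityContext.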