Sysbox Configuration
In CodeCanvas, dev environments are managed by a worker application that runs inside a container in a Kubernetes pod. The application uses the Docker daemon to start dev environments in nested containers, a model known as Docker-in-Docker.
The Docker-in-Docker model requires the worker application to have additional permissions on the host system, such as access to the host's devices and filesystem. To grant these permissions, the host runs the worker application in --privileged mode. This might pose a security risk, as the worker application has root access to the host node.
To avoid the risk, you can use Sysbox Container Runtime. Sysbox improves container isolation by running containers in a VM-like environment and eliminates the need for --privileged mode.
To enable Sysbox for your installation
Install Sysbox on your Kubernetes cluster. Follow the instructions for your cloud provider in the Sysbox documentation.
Enable Sysbox in values.yaml:

application:
  ... # other settings
  config:
    codecanvas:
      ... # other settings
      execution:
        k8s:
          worker:
            ... # other settings
            sysbox:
              enabled: true
            ... # other settings

If you enable Sysbox for an existing CodeCanvas installation, apply the changes with helm upgrade.
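After the upgrade, it is worth confirming that the worker pod really has dropped privileged mode. The script below is an added example, not CodeCanvas or Sysbox code: it inspects a pod document of the shape `kubectl get pod -o json` returns and reports any container whose securityContext requests privileged mode. The two pod documents are constructed samples; the container name "worker", the image name and the pod name are assumptions, and "sysbox-runc" is the RuntimeClass name that the Sysbox Kubernetes install registers.

```python
# Added example, not CodeCanvas code: check a pod spec for privileged containers.
import json
import sys

# Constructed sample: the Docker-in-Docker worker before Sysbox is enabled.
PRIVILEGED_POD_JSON = json.dumps({
    "kind": "Pod", "metadata": {"name": "codecanvas-worker-0"},
    "spec": {"containers": [{"name": "worker", "image": "worker:latest",
                             "securityContext": {"privileged": True}}]},
})

# Constructed sample: the same worker after Sysbox is enabled. The runtime
# class name "sysbox-runc" is the one Sysbox's Kubernetes install registers.
SYSBOX_POD_JSON = json.dumps({
    "kind": "Pod", "metadata": {"name": "codecanvas-worker-0"},
    "spec": {"runtimeClassName": "sysbox-runc",
             "containers": [{"name": "worker", "image": "worker:latest",
                             "securityContext": {"privileged": False}}]},
})


def privileged_containers(pod: dict) -> list:
    """Return names of init or regular containers that request privileged mode."""
    spec = pod.get("spec", {})
    found = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            ctx = container.get("securityContext") or {}
            if ctx.get("privileged") is True:
                found.append(container["name"])
    return found


def audit_pod(pod_json: str) -> dict:
    """Summarise one pod: privileged containers, runtime class, pass/fail."""
    pod = json.loads(pod_json)
    privileged = privileged_containers(pod)
    return {"pod": pod.get("metadata", {}).get("name"),
            "privileged": privileged,
            "runtimeClassName": pod.get("spec", {}).get("runtimeClassName"),
            "ok": not privileged}


if __name__ == "__main__":
    # Usage: kubectl get pod <worker-pod> -o json | python3 audit_pod.py
    print(json.dumps(audit_pod(sys.stdin.read()), indent=2))
```

A pod that still reports `"ok": false` after the upgrade means the worker container is still being started with privileged mode and the Sysbox setting has not taken effect.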