README

envbox

Introduction

envbox is an image that enables creating non-privileged containers capable of running system-level software (e.g. dockerd, systemd) in Kubernetes.

It is mainly a wrapper around the sysbox runtime developed by Nestybox. For details on the security model of sysbox containers, see sysbox's official documentation.

Envbox Configuration

The following environment variables configure the inner and outer container.

| env | usage | required |
|-----|-------|----------|
| CODER_INNER_IMAGE | The image to use for the inner container. | true |
| CODER_INNER_USERNAME | The username to use for the inner container. | true |
| CODER_AGENT_TOKEN | The Coder Agent token to pass to the inner container. | true |
| CODER_INNER_ENVS | The environment variables to pass to the inner container. A wildcard can be used to match a prefix. Ex: `CODER_INNER_ENVS=KUBERNETES_*,MY_ENV,MY_OTHER_ENV` | false |
| CODER_INNER_HOSTNAME | The hostname to use for the inner container. | false |
| CODER_IMAGE_PULL_SECRET | The docker credentials to use when pulling the inner container. The recommended way to do this is to create an Image Pull Secret and then reference the secret using an environment variable. See below for example. | false |
| CODER_DOCKER_BRIDGE_CIDR | The bridge CIDR to start the Docker daemon with. | false |
| CODER_BOOTSTRAP_SCRIPT | The script to use to bootstrap the container. This should typically install and start the agent. | false |
| CODER_MOUNTS | A list of mounts to mount into the inner container. Mounts default to rw. Ex: `CODER_MOUNTS=/home/coder:/home/coder,/var/run/mysecret:/var/run/mysecret:ro` | false |
| CODER_USR_LIB_DIR | The mountpoint of the host /usr/lib directory. Only required when using GPUs. | false |
| CODER_INNER_USR_LIB_DIR | The inner /usr/lib mountpoint. This is automatically detected based on /etc/os-release in the inner image, but may optionally be overridden. | false |
| CODER_ADD_TUN | If `CODER_ADD_TUN=true`, add a TUN device to the inner container. | false |
| CODER_ADD_FUSE | If `CODER_ADD_FUSE=true`, add a FUSE device to the inner container. | false |
| CODER_ADD_GPU | If `CODER_ADD_GPU=true`, add detected GPUs and related files to the inner container. Requires setting CODER_USR_LIB_DIR and mounting in the host's /usr/lib/ directory. | false |
| CODER_CPUS | Dictates the number of CPUs to allocate to the inner container. It is recommended to set this using the Kubernetes Downward API. | |
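As an added example (not envbox's own code), the following Go program applies the two list-valued settings in the table the way the table describes them: CODER_INNER_ENVS selects which outer-container variables reach the inner container, with a trailing `*` matching a prefix, and CODER_MOUNTS entries default to rw unless suffixed `:ro`. The exact matching rules, the rejection of relative or unclean mount paths, and the sample environment are this example's assumptions, not behaviour documented on the page.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Mount is one parsed CODER_MOUNTS entry: "src:dst" or "src:dst:ro".
type Mount struct {
	Source   string
	Target   string
	ReadOnly bool
}

// SelectInnerEnvs returns the outer-container variables a CODER_INNER_ENVS
// spec selects: exact names, or prefixes written with a trailing "*". The
// README only says a wildcard matches a prefix; the rest is assumed here.
func SelectInnerEnvs(spec string, outer map[string]string) map[string]string {
	selected := map[string]string{}
	for _, entry := range strings.Split(spec, ",") {
		entry = strings.TrimSpace(entry)
		switch {
		case entry == "":
			continue
		case strings.HasSuffix(entry, "*"):
			prefix := strings.TrimSuffix(entry, "*")
			for k, v := range outer {
				if strings.HasPrefix(k, prefix) {
					selected[k] = v
				}
			}
		default:
			if v, ok := outer[entry]; ok {
				selected[entry] = v
			}
		}
	}
	return selected
}

// ParseMounts parses a CODER_MOUNTS spec. Mounts default to rw; ":ro" makes
// one read-only. Requiring clean absolute paths is an added sanity check.
func ParseMounts(spec string) ([]Mount, error) {
	var mounts []Mount
	for _, entry := range strings.Split(spec, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		parts := strings.Split(entry, ":")
		if len(parts) < 2 || len(parts) > 3 {
			return nil, fmt.Errorf("mount %q: want src:dst[:ro]", entry)
		}
		m := Mount{Source: parts[0], Target: parts[1]}
		if len(parts) == 3 {
			switch parts[2] {
			case "ro":
				m.ReadOnly = true
			default:
				return nil, fmt.Errorf("mount %q: unknown mode %q", entry, parts[2])
			}
		}
		for _, p := range []string{m.Source, m.Target} {
			if !path.IsAbs(p) || path.Clean(p) != p {
				return nil, fmt.Errorf("mount %q: %q is not a clean absolute path", entry, p)
			}
		}
		mounts = append(mounts, m)
	}
	return mounts, nil
}

// ReadWriteTargets lists inner paths left at the rw default, for review.
func ReadWriteTargets(mounts []Mount) []string {
	var rw []string
	for _, m := range mounts {
		if !m.ReadOnly {
			rw = append(rw, m.Target)
		}
	}
	return rw
}

func main() {
	// Constructed sample outer environment, not captured from a real pod.
	outer := map[string]string{
		"KUBERNETES_SERVICE_HOST": "10.0.0.1",
		"MY_ENV":                  "1",
		"AWS_SECRET_ACCESS_KEY":   "should-stay-outside",
	}
	// AWS_SECRET_ACCESS_KEY is not named by the spec, so it is not selected.
	fmt.Println("inner env:", SelectInnerEnvs("KUBERNETES_*,MY_ENV,MY_OTHER_ENV", outer))
	mounts, err := ParseMounts("/home/coder:/home/coder,/var/run/mysecret:/var/run/mysecret:ro")
	if err != nil {
		panic(err)
	}
	fmt.Println("writable targets:", ReadWriteTargets(mounts))
}
```

Two practical points follow from the table and this walkthrough. Only variables named by CODER_INNER_ENVS reach the inner container, so a prefix broader than needed forwards more of the pod's environment (including any credentials the pod holds) than intended. Mounts are writable unless marked, so anything carrying secrets should be mounted `:ro`, as the README's own /var/run/mysecret example does. For CODER_CPUS, the Downward API's `resourceFieldRef` with `limits.cpu` exposes the container's CPU limit as an environment variable.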

GitHub Stars: 65
Category: Development
Updated: 7d ago
Forks: 18

Languages

Go

Security Score

95/100

Audited on Apr 1, 2026

No findings