Skip to content

MAINT: Optimize devcontainer Dockerfile #1437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
spencrr wants to merge 3 commits into
base: main
Choose a base branch
from
Open

MAINT: Optimize devcontainer Dockerfile #1437

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0d08b6b
MAINT: Optimize devcontainer Dockerfile
spencrr Mar 6, 2026
06bb89e
remove shebang - all references use python
spencrr Mar 6, 2026
a772cd5
move azure cli to devcontainer feature
spencrr Mar 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 39 additions & 43 deletions .devcontainer/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
FROM mcr.microsoft.com/devcontainers/python:3.11
FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm

# Makes installation faster
ENV UV_COMPILE_BYTECODE=1
ENV DEBIAN_FRONTEND=noninteractive

SHELL ["/bin/bash", "-c"]

Expand All @@ -11,66 +12,61 @@ USER root
RUN rm -f /etc/apt/sources.list.d/yarn.list 2>/dev/null || true

# Install required system packages + ODBC prerequisites
RUN apt-get update && apt-get install -y \
sudo \
unixodbc \
unixodbc-dev \
libgl1 \
git \
curl \
xdg-utils \
build-essential \
&& apt-get clean && rm -rf /var/lib/apt/lists/*
RUN --mount=type=cache,target=/var/cache/apt \
--mount=type=cache,target=/var/lib/apt \
apt-get update \
Comment on lines +15 to +17
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When using --mount=type=cache for apt directories, concurrent builds can contend on apt lock files stored inside the shared cache (and occasionally corrupt the cache). It’s safer to set sharing=locked on these cache mounts (and mount the more specific .../apt/lists path) to avoid intermittent build failures when multiple builds run in parallel.

Copilot uses AI. Check for mistakes.
Comment on lines 1 to +17
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Dockerfile now relies on BuildKit-only RUN --mount=type=cache syntax. If BuildKit is disabled (or an older Dockerfile frontend is used), the build will fail parsing these RUN lines. Consider adding a # syntax=docker/dockerfile:<version> directive at the top (and/or ensuring the build entrypoints set DOCKER_BUILDKIT=1) so the devcontainer build works reliably across environments.

Copilot uses AI. Check for mistakes.
&& apt-get install -y --no-install-recommends \
sudo \
unixodbc \
unixodbc-dev \
libgl1 \
git \
curl \
xdg-utils \
build-essential

# Install the Azure CLI, Microsoft ODBC Driver 18 & SQL tools
# Install Microsoft ODBC Driver 18 & SQL tools
# Note: Debian Trixie's sqv rejects SHA1 signatures, so we use gpg directly to import the Microsoft key
RUN apt-get update && apt-get install -y \
apt-transport-https \
RUN --mount=type=cache,target=/var/cache/apt \
--mount=type=cache,target=/var/lib/apt \
apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
gnupg \
lsb-release \
&& curl -sL https://packages.microsoft.com/keys/microsoft.asc \
| gpg --dearmor \
> /usr/share/keyrings/microsoft-archive-keyring.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/debian/12/prod bookworm main" \
> /etc/apt/sources.list.d/microsoft.list \
&& apt-get update \
&& ACCEPT_EULA=Y apt-get install -y msodbcsql18 mssql-tools18 \
&& apt-get install -y azure-cli \
&& echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> /etc/profile.d/sqltools.sh \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
&& ACCEPT_EULA=Y apt-get install -y --no-install-recommends \
msodbcsql18 \
mssql-tools18 \
&& echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> /etc/profile.d/sqltools.sh

# audio back-ends needed by Azure Speech SDK
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
RUN --mount=type=cache,target=/var/cache/apt \
--mount=type=cache,target=/var/lib/apt \
apt-get update \
&& apt-get install -y --no-install-recommends \
libasound2 \
libpulse0 \
&& rm -rf /var/lib/apt/lists/*
libpulse0

# Install Node.js 24.x LTS for frontend development
Copy link
Contributor

@romanlutz romanlutz Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switching from 18 to 24 there could be a lot of changes. If that's absolutely needed right now I'd defer until later because it could significantly slow down ongoing front end work that was built with 18.

Copy link
Contributor Author

@spencrr spencrr Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@romanlutz I can pull this change out, but Node 20 is EOL April 2026

RUN --mount=type=cache,target=/var/cache/apt \
--mount=type=cache,target=/var/lib/apt \
curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
&& apt-get install -y --no-install-recommends nodejs
Comment on lines +56 to +59
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The curl -fsSL https://deb.nodesource.com/setup_24.x | bash - pattern downloads and executes a remote script as root without any integrity or authenticity verification, creating a supply-chain risk. If the NodeSource endpoint or DNS is compromised, an attacker could run arbitrary code during the image build and persist backdoored tooling into the devcontainer image. Replace this pipe-to-bash installer with a method that verifies a pinned script or package (e.g., manually configuring the APT repository with a GPG key or verifying a checksum/signature before execution).

Copilot uses AI. Check for mistakes.

# Install uv system-wide and create pyrit-dev venv
RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
&& mv /root/.local/bin/uv /usr/local/bin/uv \
&& rm -rf /opt/venv \
&& uv venv /opt/venv --python 3.11 --prompt pyrit-dev \
&& chown -R vscode:vscode /opt/venv \
&& ls -la /opt/venv/bin/activate
COPY --from=ghcr.io/astral-sh/uv:0.10.8 /uv /uvx /bin/
RUN uv venv /opt/venv --python 3.11 --prompt pyrit-dev \
&& chown -R vscode:vscode /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# vscode user already exists in the base image, just ensure sudo access
RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

# Install Node.js 20.x and npm for frontend development
RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
&& apt-get install -y nodejs \
&& npm install -g npm@latest \
&& npm install -g @github/copilot@0.0.421 \
&& npm cache clean --force \
&& rm -rf /root/.npm \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

# Pre-create common user caches and fix permissions
RUN mkdir -p /home/vscode/.cache/pre-commit \
&& mkdir -p /home/vscode/.vscode-server \
Expand All @@ -79,7 +75,7 @@ RUN mkdir -p /home/vscode/.cache/pre-commit \
&& mkdir -p /home/vscode/.cache/venv \
&& mkdir -p /home/vscode/.cache/pylance \
&& chown -R vscode:vscode /home/vscode/.cache /home/vscode/.vscode-server \
&& chmod -R 777 /home/vscode/.cache/pip /home/vscode/.cache/pylance /home/vscode/.cache/venv /home/vscode/.cache/uv\
&& chmod -R 755 /home/vscode/.cache/pip /home/vscode/.cache/pylance /home/vscode/.cache/venv /home/vscode/.cache/uv \
&& chmod -R 755 /home/vscode/.vscode-server

USER vscode
Expand All @@ -95,6 +91,6 @@ RUN git config --global core.preloadindex true \
&& git config --global status.showUntrackedFiles all \
&& git config --global core.fsmonitor true

# Set cache directories so they can be mounted
# Set cache directories so they can be mounted
ENV PIP_CACHE_DIR="/home/vscode/.cache/pip"
ENV UV_CACHE_DIR="/home/vscode/.cache/uv"
8 changes: 8 additions & 0 deletions .devcontainer/devcontainer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,14 @@
]
}
},
"features": {
"ghcr.io/devcontainers/features/azure-cli:1": {
"version": "latest"
},
"ghcr.io/devcontainers/features/copilot-cli:1": {
"version": "latest"
}
Comment on lines +94 to +99
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using "version": "latest" for devcontainer features makes devcontainer builds non-reproducible and can introduce breaking changes without a PR. Pin these features to a specific, known-good version (or a semver range you’re comfortable with) to align with the PR’s reproducibility goals.

Suggested change
"ghcr.io/devcontainers/features/azure-cli:1": {
"version": "latest"
},
"ghcr.io/devcontainers/features/copilot-cli:1": {
"version": "latest"
}
"ghcr.io/devcontainers/features/azure-cli:1": {},
"ghcr.io/devcontainers/features/copilot-cli:1": {}

Copilot uses AI. Check for mistakes.
},
"postCreateCommand": "/bin/bash -i .devcontainer/devcontainer_setup.sh",
"forwardPorts": [3000, 4213, 5000, 8000, 8888]
}
6 changes: 3 additions & 3 deletions .devcontainer/devcontainer_setup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ if [ ! -d "$MYPY_CACHE" ]; then
echo "Creating mypy cache directory..."
sudo mkdir -p $MYPY_CACHE
sudo chown vscode:vscode $MYPY_CACHE
sudo chmod 777 $MYPY_CACHE
sudo chmod 755 $MYPY_CACHE
else
# Check ownership
OWNER=$(stat -c '%U:%G' $MYPY_CACHE)
Expand All @@ -21,9 +21,9 @@ else
# Check permissions
PERMS=$(stat -c '%a' $MYPY_CACHE)

if [ "$PERMS" != "777" ]; then
if [ "$PERMS" != "755" ]; then
echo "Fixing mypy cache directory permissions..."
sudo chmod -R 777 $MYPY_CACHE
sudo chmod -R 755 $MYPY_CACHE
fi
fi

Expand Down
3 changes: 1 addition & 2 deletions build_scripts/prepare_package.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
#!/usr/bin/env python3
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT license.

Expand Down Expand Up @@ -33,7 +32,7 @@ def build_frontend(frontend_dir: Path) -> bool:
print(f"Found npm version: {result.stdout.strip()}")
except (subprocess.CalledProcessError, FileNotFoundError):
print("ERROR: npm is not installed or not in PATH")
print("Please install Node.js 20.x and npm from https://nodejs.org/")
print("Please install Node.js 24.x and npm from https://nodejs.org/")
return False

# Check if package.json exists
Expand Down
1 change: 0 additions & 1 deletion docker/build_pyrit_docker.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
#!/usr/bin/env python3
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT license.

Expand Down
1 change: 0 additions & 1 deletion docker/run_pyrit_docker.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
#!/usr/bin/env python3
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT license.

Expand Down