Conversation
Hello, thank you for your contribution. I'm glad you found Code Container useful! Supporting other containerization tools like Podman is something that I can look into in the future. However, for the current use case, Docker is good enough and unless there's a specific deficiency in Docker, we most likely will stick to Docker only for now. Letting users customize their dev environment via a config file is definitely an interesting idea. However, installing a foreign tool like

I'm not really sure what you mean by this? By default, the setup script copies your entire

On providers: I've been using Z.ai along with some other coding plans and I have also found it a bit annoying to switch providers in CC. My solution from a few months ago was to create a script that can be used for hotswapping API keys and base URLs in

I appreciate the time you took to submit this contribution! My goal was to create a tool that everyone can use and customize and I'm happy to see all the ways that you've customized

PS: A rewrite of
- Mount /etc/machine-id and ~/.claude (rw) so Claude Code authenticates without prompting inside the container
- Mount ~/.claude.json (rw) for full auth state sharing
- Build container with host USERNAME via ARG; home at /container/$USER to avoid device ID mismatch that caused re-auth prompts
- Add extra-tools.txt pattern: extra-tools.default.txt committed as template (bat, eza, lazygit, jq, ruff, etc.); extra-tools.txt gitignored as personal selection; first build prompts to copy from default
- Background container stop so terminal returns immediately on exit
- Remove copy-configs.sh from setup flow (direct $HOME mounts make it unnecessary)
- Podman/Docker auto-detection; --userns=keep-id; --network host
- Update README and AGENTS.md to reflect all changes vs upstream

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Drop --network host; container now gets its own network namespace
- Add --cap-add NET_ADMIN to allow iptables inside container
- New egress-firewall.sh: iptables whitelist (Anthropic, GitHub, npm, pip, mise) with default DROP on OUTPUT; accepts extra domain args
- Z.AI API host from ~/.zai.json automatically added to whitelist
- Host gateway always allowed (local service access preserved)
- Flag file in /run/ ensures firewall applies once per session, not on every attach when another session is already running
- --no-firewall flag for sessions that need unrestricted network access
- Update README: Security section documents whitelist and --no-firewall

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- container.sh: mount ~/.config/<tool> for each tool in extra-tools.txt; uses a name-map for mismatches (neovim→nvim) and skips tools with no config dir; only active when extra-tools.txt exists (no fallback to default)
- egress-firewall.sh: handle IPv6 addresses via ip6tables (iptables is IPv4-only); use getent ahosts for dual-stack resolution; add exit 0 to prevent false-failure warning when no domains fail to resolve

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
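The IPv4/IPv6 split that commit describes, as an added example that is not the PR's egress-firewall.sh: it parses `getent ahosts`-style output (address, socket type, optional name; each address repeated once per socket type), deduplicates the addresses, and routes each one to iptables or ip6tables. The resolver output below is constructed, and the rules are printed rather than executed so the script runs without root.

```shell
#!/bin/sh
# Added example, not the project's own script. Constructed `getent ahosts`
# output for a hypothetical domain: every address appears three times
# (STREAM, DGRAM, RAW), and the AAAA answer comes first.
SAMPLE_AHOSTS='2001:db8::10     STREAM api.example.test
2001:db8::10     DGRAM
2001:db8::10     RAW
192.0.2.10       STREAM api.example.test
192.0.2.10       DGRAM
192.0.2.10       RAW'

# Unique addresses from ahosts-style text on stdin (first column only).
addrs_from_ahosts() {
    awk '{ print $1 }' | sort -u
}

# Pick the firewall binary by address family: anything containing a colon
# is IPv6 and must go to ip6tables, because iptables only accepts IPv4.
table_for() {
    case $1 in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Emit one OUTPUT ACCEPT rule per unique address for a domain.
# $1 = domain (for the trailing comment), $2 = resolver output text.
# Replace `echo` with direct execution inside the real firewall script.
rules_for() {
    domain=$1
    printf '%s\n' "$2" | addrs_from_ahosts | while read -r addr; do
        echo "$(table_for "$addr") -A OUTPUT -d $addr -j ACCEPT  # $domain"
    done
}

# Count how many unique addresses resolved, so a caller can decide whether
# anything actually failed instead of warning on a clean run.
count_addrs() {
    printf '%s\n' "$1" | addrs_from_ahosts | grep -c .
}

rules_for api.example.test "$SAMPLE_AHOSTS"
```

Run on a real host, `SAMPLE_AHOSTS` would be replaced by `$(getent ahosts "$domain")`, and a domain with zero results from `count_addrs` is the only case that should be reported as a resolution failure.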
Shows the firewall blocking direct curl to reddit.com while MCP server tools remain unaffected (they run outside the container network namespace). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Helps users choose between this project, Anthropic's official devcontainer, and Trail of Bits' security-auditing container based on their use case and threat model. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- install.sh: clones repo to ~/.local/share/code-container, symlinks container.sh into ~/.local/bin (if on PATH) or /usr/local/bin (via sudo); fully verbose showing every step
- README: replace manual symlink instructions with curl | bash one-liner
- AGENTS.md: update setup instructions to use installer, fix repo URL

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Removes symlink, cloned repo, and optionally all containers/image. Fully verbose like the installer, prompts before destructive cleanup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
I really don't have an expectation that you're going to want to merge this, but I feel like you might be interested in what I did after exploring your project, starting with using Podman instead of docker (in theory this supports both, but I haven't regression tested it).
NOTE: This is my first pass -- I'm positive there will be more changes. This is the first version where I think everything is mostly running.
First and foremost, it's running in user space and all the files are mounted as my user, not root.
Some of the features this also has are the ability to use 1Password inside the container, as well as my YubiKey.
As I'm writing this up just for your benefit, I'm also thinking about how each person might set up their own development environment. I think using Mise is perfect because rather than specifying each of the development tools that are needed, we can put all of that in the TOML file instead. So the container will simply install whatever the user has already specified in their configuration.
Was there a reason that you didn't merge in your home `.claude` folder? I chose to do it with the exception of the authentication so that all of my session history would roll up, but I'm not sure if that's really ideal.

My `--zai` param is how I point Claude Code at Z.ai's GLM models. I think this is something pretty specific to me, but might be of interest.

LMK if you want to connect somewhere (discord, bluesky, etc) to chat about this.