Providing a single workspace per VM

[ggjulio]

I'm unsure if this issue belong to this repo or coder/coder. Tell me if I should move it.

Currently registry.coder.com have only two examples of envbuilder/devcontainer ( docker and k8s)
Do you know if it will be possible to use envbuilder to provision a single workspace per VM ? (VM as isolation model)

The use-case I have in mind is to provide a secure way of using docker in the workspace.
The exact same way codespaces do by default with the feature docker-in-docker ( related to #25 )

The docker-in-docker feature is not secure as it allows to breakout the container and access the underlying host.
But on codespaces that's totally fine because Azure VMs are not shared. (one workspace per VM)

However, tell me if I'm wrong but envbuilder is mainly used with linux NS isolation (k8s, openshift or docker with multiple workspaces on the same VM) .
In that case providing docker would be a little tricky and seem there is only two solutions :

• The gitpod solution : rootless docker & slirp4netns + several hacks to make it work. (seem harder, less performant)
• sysbox or envbox Envbuilder does not run in a sysbox container #50 (easier)
  (Note: for both solutions I doubt docker-in-docker feature can be used as is)

[kylecarbs]

Yes, you totally can do this.

We should have a sample that does this... and ideally for every cloud. On GCP you can actually launch a VM with a container image, and that image could be envbuilder, which would replicate the Codespaces experience you mentioned.

[kylecarbs]

Envbuilder is very portable, so it can be used in really whatever way you want. It really just needs a filesystem and the ability to execute commands.

[ggjulio]

Nice, I haven't had a chance to play with it yet, but I needed to know if it was feasible.
I'll close the issue.

Thank you

[matifali]

We are tracking it in coder/coder#10735