Multiplatform and sandboxing

Author: marvinsxtr

Dockerfile .devcontainer/DockerfileDockerfile renamed to .devcontainer/Dockerfile

@@ -1,11 +1,15 @@
-FROM --platform=linux/amd64 python:3.12-slim AS linux-base
+FROM nvidia/cuda:12.8.1-cudnn-runtime-ubuntu22.04 AS linux-base
+
+ARG TARGETARCH
 
 # Utilities
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends build-essential \
-    sudo curl git htop less rsync screen vim nano wget ca-certificates openssh-client zsh procps psmisc
+    sudo curl git htop less rsync screen vim nano wget ca-certificates openssh-client zsh procps psmisc \
+    iptables ipset iproute2 dnsutils aggregate jq
 
 # Download and install VS Code Server CLI
-RUN wget -O /tmp/vscode-server-cli.tar.gz "https://update.code.visualstudio.com/latest/cli-linux-x64/stable" && \
+RUN ARCH="$TARGETARCH" && [ "$ARCH" = "amd64" ] && ARCH="x64"; \
+    wget -O /tmp/vscode-server-cli.tar.gz "https://update.code.visualstudio.com/latest/cli-linux-${ARCH}/stable" && \
     mkdir -p /usr/local/bin && \
     tar -xf /tmp/vscode-server-cli.tar.gz -C /usr/local/bin && \
     rm /tmp/vscode-server-cli.tar.gz
@@ -17,7 +21,8 @@ RUN COMMANDS="sacct sacctmgr salloc sattach sbatch sbcast scancel scontrol sdiag
     && chmod +x "/usr/local/bin/$CMD"; done
 
 # Install Claude Code
-RUN curl -fsSL https://nodejs.org/dist/v18.20.8/node-v18.20.8-linux-x64.tar.xz \
+RUN ARCH="$TARGETARCH" && [ "$ARCH" = "amd64" ] && ARCH="x64"; \
+    curl -fsSL https://nodejs.org/dist/v18.20.8/node-v18.20.8-linux-${ARCH}.tar.xz \
     | tar -xJ -C /usr/local --strip-components=1
 RUN npm install -g @anthropic-ai/claude-code
 
@@ -43,3 +48,15 @@ RUN --mount=type=cache,target=/root/.cache/uv \
     --mount=type=bind,source=uv.lock,target=uv.lock \
     --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
     uv sync --frozen --no-install-project --all-groups
+
+# Non-root user
+RUN useradd -m -s /bin/bash devuser \
+    && echo 'alias claude="claude --dangerously-skip-permissions"' >> /home/devuser/.bashrc
+
+# Firewall init script
+COPY .devcontainer/init-firewall.sh /usr/local/bin/init-firewall.sh
+RUN chmod +x /usr/local/bin/init-firewall.sh \
+    && echo "devuser ALL=(root) NOPASSWD: /usr/local/bin/init-firewall.sh" > /etc/sudoers.d/devuser-firewall \
+    && chmod 0440 /etc/sudoers.d/devuser-firewall
+
+USER devuser

.devcontainer.json .devcontainer/devcontainer.json.devcontainer.json renamed to .devcontainer/devcontainer.json

@@ -1,7 +1,14 @@
 {
-    "dockerFile": "Dockerfile",
-    "build": {"args": {"BUILDPLATFORM": "linux/amd64"}},
-	"workspaceFolder": "/srv/repo",
+    "build": {
+        "dockerfile": "Dockerfile",
+        "context": ".."
+    },
+    "runArgs": [
+        "--cap-add=NET_ADMIN",
+        "--cap-add=NET_RAW"
+    ],
+    "postStartCommand": "sudo /usr/local/bin/init-firewall.sh",
+    "workspaceFolder": "/srv/repo",
     "workspaceMount": "source=${localWorkspaceFolder},target=/srv/repo,type=bind",
     "customizations": {
         "vscode": {
@@ -13,7 +20,7 @@
                 "tamasfe.even-better-toml",
                 "ms-azuretools.vscode-docker",
                 "ms-toolsai.jupyter",
-				"anthropic.claude-code"
+                "anthropic.claude-code"
             ],
             "settings": {
                 "[python]": {
@@ -26,4 +33,4 @@
             }
         }
     }
-}
+}

.devcontainer/init-firewall.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# 1. Extract Docker DNS info BEFORE any flushing
+DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
+
+# Flush existing rules and delete existing ipsets
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+ipset destroy allowed-domains 2>/dev/null || true
+
+# 2. Selectively restore ONLY internal Docker DNS resolution
+if [ -n "$DOCKER_DNS_RULES" ]; then
+    echo "Restoring Docker DNS rules..."
+    iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
+    iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
+    echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
+else
+    echo "No Docker DNS rules to restore"
+fi
+
+# Allow DNS, SSH, and loopback before any restrictions
+iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT  -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Create ipset with CIDR support
+ipset create allowed-domains hash:net
+
+# Fetch GitHub meta and add their IP ranges
+echo "Fetching GitHub IP ranges..."
+gh_ranges=$(curl -s https://api.github.com/meta)
+if [ -z "$gh_ranges" ]; then
+    echo "ERROR: Failed to fetch GitHub IP ranges"
+    exit 1
+fi
+if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
+    echo "ERROR: GitHub API response missing required fields"
+    exit 1
+fi
+echo "Processing GitHub IPs..."
+while read -r cidr; do
+    if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
+        echo "ERROR: Invalid CIDR range from GitHub meta: $cidr"
+        exit 1
+    fi
+    echo "Adding GitHub range $cidr"
+    ipset add allowed-domains "$cidr"
+done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q)
+
+# Resolve and add allowed domains
+for domain in \
+    "api.anthropic.com" \
+    "sentry.io" \
+    "statsig.anthropic.com" \
+    "statsig.com" \
+    "registry.npmjs.org" \
+    "pypi.org" \
+    "files.pythonhosted.org" \
+    "storage.googleapis.com" \
+    "oauth2.googleapis.com" \
+    "accounts.google.com" \
+    "dl.google.com"; do
+    echo "Resolving $domain..."
+    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
+    if [ -z "$ips" ]; then
+        echo "ERROR: Failed to resolve $domain"
+        exit 1
+    fi
+    while read -r ip; do
+        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "ERROR: Invalid IP from DNS for $domain: $ip"
+            exit 1
+        fi
+        echo "Adding $ip for $domain"
+        ipset add allowed-domains "$ip" 2>/dev/null || true  # ignore duplicates
+    done < <(echo "$ips")
+done
+
+# Allow host network
+HOST_IP=$(ip route | grep default | cut -d" " -f3)
+if [ -z "$HOST_IP" ]; then
+    echo "ERROR: Failed to detect host IP"
+    exit 1
+fi
+HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
+echo "Host network detected as: $HOST_NETWORK"
+iptables -A INPUT  -s "$HOST_NETWORK" -j ACCEPT
+iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
+
+# Set default DROP policies
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+
+# Allow established/related connections
+iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow outbound to whitelisted IPs
+iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
+
+# Reject everything else with feedback
+iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+
+echo "Firewall configuration complete"
+
+# Verify: blocked
+if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
+    echo "ERROR: Firewall verification failed - reached https://example.com"
+    exit 1
+else
+    echo "Firewall verification passed - example.com is blocked"
+fi
+
+# Verify: allowed
+if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
+    echo "ERROR: Firewall verification failed - cannot reach https://api.github.com"
+    exit 1
+else
+    echo "Firewall verification passed - api.github.com is reachable"
+fi

.dockerignore

@@ -1,4 +1,4 @@
 *
-!/Dockerfile
 !/pyproject.toml
 !/uv.lock
+!.devcontainer/init-firewall.sh

.github/copilot-instructions.md

@@ -1,32 +1,20 @@
 name: Docker
 
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 on:
   push:
-    # Publish semver tags as releases.
     tags: [ 'v*.*.*' ]
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
-
 jobs:
   build:
 
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
 
     steps:
       - name: Checkout repository
@@ -35,22 +23,12 @@ jobs:
       - name: Clean up disk space
         uses: jlumbroso/free-disk-space@main
 
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
-        with:
-          cosign-release: 'v2.2.4'
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
-      # Set up BuildKit Docker container builder to be able to build
-      # multi-platform images and export cache
-      # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -59,21 +37,19 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           context: .
+          file: .devcontainer/Dockerfile
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -96,13 +72,12 @@ jobs:
         run: |
           echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
 
-      # Build and push .sif files for Apptainer
       - name: Setup Apptainer
         uses: eWaterCycle/setup-apptainer@v2
       - name: Build and push Apptainer
         env:
           TAGS: ${{ steps.meta.outputs.tags }}
         run: |
            echo ${{ secrets.GITHUB_TOKEN }} | apptainer registry login -u ${{ secrets.GHCR_USERNAME }} --password-stdin docker://ghcr.io
-           apptainer build container.sif docker://${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}:latest
+           apptainer build --arch amd64 container.sif docker://${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}:latest
            echo "${TAGS}" | xargs -I {} apptainer push container.sif oras://{}-sif