feat: replace kubedock with native container-in-container support

.config/dictionary.txt

@@ -10,9 +10,11 @@ antsibull
 arcname
 autoplay
 autouse
+buildah
 capsys
 collectonly
 confest
+crun
 devfile
 devspaces
 geckodriver
@@ -26,7 +28,10 @@ pinentry
 prek
 pylibssh
 seccomp
+setcap
+setgid
 signingkey
+skopeo
 unmarshal
 unmarshalling
 urandom

devfile.yaml

@@ -3,13 +3,22 @@ metadata:
   name: ansible-demo
 components:
   - name: tooling-container
+    attributes:
+      pod-overrides:
+        metadata:
+          annotations:
+            io.kubernetes.cri-o.Devices: "/dev/fuse,/dev/net/tun"
+        spec:
+          hostUsers: false
+      container-overrides:
+        securityContext:
+          procMount: Unmasked
     container:
       image: ghcr.io/ansible/ansible-devspaces:latest
       memoryRequest: 256M
       memoryLimit: 6Gi
       cpuRequest: 250m
       cpuLimit: 2000m
-      args: ["tail", "-f", "/dev/null"]
       env:
         - name: "ANSIBLE_COLLECTIONS_PATH"
           value: "~/.ansible/collections:/usr/share/ansible/collections:/projects/ansible-devspaces-demo/collections"
@@ -81,7 +90,8 @@ commands:
         if [ ! -d "$HOME/.cache/ansible-navigator" ]; then
           mkdir -p "$HOME/.cache/ansible-navigator"
         fi
-        cp /usr/local/lib/python3.11/site-packages/ansible_navigator/data/catalog_collections.py $HOME/.cache/ansible-navigator
+        NAVIGATOR_DATA=$(python3 -c "import ansible_navigator.data; import pathlib; print(pathlib.Path(ansible_navigator.data.__file__).parent)")
+        cp "${NAVIGATOR_DATA}/catalog_collections.py" "$HOME/.cache/ansible-navigator"
         ansible-navigator --ee false
       workingDir: ${PROJECTS_ROOT}/ansible-devspaces-demo
       component: tooling-container

devspaces/Containerfile

@@ -1,6 +1,6 @@
 FROM quay.io/devfile/base-developer-image:ubi9-latest
 
-ARG PYV=3.11
+ARG PYV=3.12
 
 LABEL org.opencontainers.image.source=https://github.com/ansible/ansible-dev-tools
 LABEL org.opencontainers.image.authors="Ansible DevTools"
@@ -11,8 +11,11 @@ LABEL org.opencontainers.image.description="An OpenShift Dev Spaces container im
 USER 0
 
 WORKDIR /context
-# install ansible-dev-tools specific packages and dependencies while avoiding
-# adding multiple layers to the image.
 RUN --mount=type=bind,target=. --mount=type=cache,dst=/var/cache/dnf --mount=type=cache,dst=/root/.cache/pip ./setup.sh
 
+ENV BUILDAH_ISOLATION=chroot
+
 USER 10001
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["tail", "-f", "/dev/null"]

devspaces/context/ansible-prompt.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Colored bash prompt for Ansible Dev Spaces, modeled after Fedora's
+# bash-color-prompt (https://github.com/juhp/bash-color-prompt).
+# Installed to /etc/profile.d/ for interactive login shells.
+# cspell: ignore COLORTERM
+
+# Only apply to interactive bash sessions
+[[ $- != *i* ]] && return
+
+# Respect NO_COLOR (https://no-color.org/)
+if [[ -n "${NO_COLOR:-}" && -z "${BASH_PROMPT_USE_COLOR:-}" ]]; then
+    return
+fi
+
+# Only activate on terminals that support color
+case "${TERM:-}" in
+    *color* | xterm* | screen* | tmux* | linux) ;;
+    *)
+        [[ -z "${COLORTERM:-}" ]] && return
+        ;;
+esac
+
+_adt_git_branch() {
+    local branch
+    branch=$(git symbolic-ref --short HEAD 2>/dev/null) || \
+        branch=$(git rev-parse --short HEAD 2>/dev/null)
+    [[ -z "$branch" ]] && return
+
+    local dirty
+    dirty=$(git status --porcelain --untracked-files=no --ignore-submodules=dirty 2>/dev/null | head -n1)
+    if [[ -n "$dirty" ]]; then
+        printf ' \001\e[33m\002(%s*)\001\e[0m\002' "$branch"
+    else
+        printf ' \001\e[32m\002(%s)\001\e[0m\002' "$branch"
+    fi
+}
+
+_adt_build_prompt() {
+    local last_exit=$?
+    local red='\[\e[31m\]'
+    local green='\[\e[32m\]'
+    local blue='\[\e[34m\]'
+    local bold='\[\e[1m\]'
+    local reset='\[\e[0m\]'
+
+    local prefix=""
+    if [[ -n "${container:-}" ]]; then
+        prefix="⬢ "
+    fi
+
+    local status_indicator=""
+    if [[ $last_exit -ne 0 ]]; then
+        status_indicator="${red}[${last_exit}]${reset} "
+    fi
+
+    PS1="${status_indicator}${prefix}${bold}${green}\u@\h${reset}:${bold}${blue}\w${reset}\$(_adt_git_branch)\$ "
+}
+
+# Preserve any existing PROMPT_COMMAND hooks
+if [[ -n "${PROMPT_COMMAND:-}" ]]; then
+    PROMPT_COMMAND="_adt_build_prompt;${PROMPT_COMMAND}"
+else
+    PROMPT_COMMAND="_adt_build_prompt"
+fi

devspaces/context/entrypoint.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Entrypoint for the Ansible Dev Spaces container image.
+# Sets up the dynamic UID mapping required for rootless podman
+# with user namespaces (container-in-container without kubedock).
+# cspell: ignore subuid subgid catatonit
+set -euo pipefail
+
+if [ ! -d "${HOME}" ]; then
+    mkdir -p "${HOME}"
+fi
+
+if ! whoami &>/dev/null; then
+    if [ -w /etc/passwd ]; then
+        echo "${USER_NAME:-user}:x:$(id -u):0:${USER_NAME:-user} user:${HOME}:/bin/bash" >>/etc/passwd
+        echo "${USER_NAME:-user}:x:$(id -u):0:" >>/etc/group
+    else
+        echo "ERROR: Cannot resolve user and /etc/passwd is not writable" >&2
+        exit 1
+    fi
+fi
+
+USER=$(whoami)
+CURRENT_UID=$(id -u)
+START_ID=$(( CURRENT_UID + 1 ))
+
+# Derive the available UID/GID range from the namespace mapping
+# rather than assuming a fixed 65536 window.
+if [ -r /proc/self/uid_map ]; then
+    NAMESPACE_SIZE=$(awk '{print $3}' /proc/self/uid_map | head -n1)
+else
+    NAMESPACE_SIZE=65536
+fi
+
+SUB_ID_COUNT=$(( NAMESPACE_SIZE - START_ID ))
+if [ "${SUB_ID_COUNT}" -le 0 ]; then
+    echo "ERROR: No subordinate IDs available (uid=${CURRENT_UID}, namespace=${NAMESPACE_SIZE})" >&2
+    exit 1
+fi
+
+for f in /etc/subuid /etc/subgid; do
+    if [ ! -w "$f" ]; then
+        echo "ERROR: ${f} is not writable, cannot configure rootless podman" >&2
+        exit 1
+    fi
+done
+
+echo "${USER}:${START_ID}:${SUB_ID_COUNT}" >/etc/subuid
+echo "${USER}:${START_ID}:${SUB_ID_COUNT}" >/etc/subgid
+
+exec /usr/libexec/podman/catatonit -- "$@"

devspaces/context/setup.sh

@@ -1,5 +1,5 @@
 #!/bin/bash -e
-# cspell: ignore makecache overlayfs libssh chgrp noplugins
+# cspell: ignore makecache overlayfs libssh chgrp noplugins newuidmap newgidmap subuid subgid
 set -eux pipefail
 
 DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
@@ -9,6 +9,8 @@ dnf install -y -q iptables-nft
 dnf -y -q makecache
 dnf -y -q update
 dnf install -y -q \
+    buildah \
+    crun \
     dumb-init \
     fuse-overlayfs \
     gcc \
@@ -23,25 +25,40 @@ dnf install -y -q \
     "python${PYV}-pip" \
     "python${PYV}-pyyaml" \
     "python${PYV}-wheel" \
+    skopeo \
     tar \
     util-linux-user \
     which \
     zsh \
     pinentry \
     --exclude container-selinux
-#     python${PYV}-ruamel-yaml \
 dnf -y -q clean all
 
+# Set python3/pip3 alternatives so they work with or without version suffix
+alternatives --install /usr/bin/python3 python3 "/usr/bin/python${PYV}" 100
+alternatives --set python3 "/usr/bin/python${PYV}"
+alternatives --install /usr/bin/pip3 pip3 "/usr/bin/pip${PYV}" 100
+alternatives --set pip3 "/usr/bin/pip${PYV}"
+
 "/usr/bin/python${PYV}" -m pip install --only-binary :all: --root-user-action=ignore "$(ls -1 ./*.whl)[server]" -r requirements.txt
 
 ansible-galaxy collection install -r requirements.yml
 
-chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home
+# Setup for rootless podman with user namespaces (container-in-container)
+setcap cap_setuid+ep /usr/bin/newuidmap
+setcap cap_setgid+ep /usr/bin/newgidmap
+touch /etc/subgid /etc/subuid
+chown 0:0 /etc/subgid /etc/subuid
+
+chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /etc/subuid /etc/subgid /home
+
+# Install the colored bash prompt
+cp ansible-prompt.sh /etc/profile.d/ansible-prompt.sh
+chmod +r /etc/profile.d/ansible-prompt.sh
 
-# Configure the podman wrapper
-cp podman.py /usr/bin/podman.wrapper
-chown 0:0 /usr/bin/podman.wrapper
-chmod +x /usr/bin/podman.wrapper
+# Install the entrypoint for rootless podman UID mapping
+cp entrypoint.sh /entrypoint.sh
+chmod +x /entrypoint.sh
 
 # shellcheck disable=SC1091
 source "$DIR/setup-image.sh"

tools/setup-image.sh

@@ -5,7 +5,7 @@
 set -exuo pipefail
 
 # Install oc client
-OC_VERSION=4.15
+OC_VERSION=4.17
 curl -s -L "https://mirror.openshift.com/pub/openshift-v4/$(arch)/clients/ocp/stable-${OC_VERSION}/openshift-client-linux.tar.gz" | tar -C /usr/local/bin -xz --no-same-owner
 chmod +x /usr/local/bin/oc
 oc version --client=true