[codex] Support bubblewrap in secure Docker devcontainer #17547

Merged
viyatb-oai merged 3 commits into main from codex/viyatb/devcontainer-bwrap-seccomp-docker
Apr 12, 2026
Conversation

@viyatb-oai
Collaborator

viyatb-oai commented Apr 12, 2026

Summary

  • leave the default contributor devcontainer on its lightweight platform-only Docker runtime
  • install bubblewrap in setuid mode only in the secure devcontainer image for running Codex inside Docker
  • add Docker run args to the secure profile for bubblewrap's required capabilities
  • use explicit seccomp=unconfined and apparmor=unconfined in the secure profile instead of shipping a custom seccomp profile
  • document that the relaxed Docker security options are scoped to the secure profile

Why

Docker's default seccomp profile blocks bubblewrap with pivot_root: Operation not permitted, even when the container has CAP_SYS_ADMIN. Docker's default AppArmor profile also blocks bubblewrap with Failed to make / slave: Permission denied.

A custom seccomp profile works, but it is hard for customers to audit and understand. Using Docker's standard seccomp=unconfined option is clearer: the secure profile intentionally relaxes Docker's outer sandbox just enough for Codex to construct its own bubblewrap/seccomp sandbox inside the container. The default contributor profile does not get these expanded runtime settings.

Validation

  • sed '/\/\*/,/\*\//d' .devcontainer/devcontainer.json | jq empty
  • jq empty .devcontainer/devcontainer.secure.json
  • git diff --check
  • docker build --platform=linux/arm64 -t codex-devcontainer-bwrap-test-arm64 ./.devcontainer
  • docker build --platform=linux/arm64 -f .devcontainer/Dockerfile.secure -t codex-devcontainer-secure-bwrap-test-arm64 .
  • interactive docker run -it smoke tests:
    • verified non-root users ubuntu and vscode
    • verified secure image /usr/bin/bwrap is setuid
    • verified user/pid namespace, user/network namespace, and preserved-fd --ro-bind-data bwrap commands
  • reran secure-image smoke test with simplified seccomp=unconfined setup:
    • bwrap-basic-ok
    • bwrap-netns-ok
    • codex-ok
  • ran Codex inside the secure image:
    • codex --version -> codex-cli 0.120.0
    • codex sandbox linux --full-auto -- /bin/sh -lc '...' -> exited 0 and printed codex-inner-ok

Note: direct bwrap --proc /proc is still denied by this Docker runtime, and Codex's existing proc-mount preflight fallback handles that by retrying without --proc.
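A small policy check, added here as an example and not part of this PR or the Codex repository, that audits devcontainer profiles for the relaxed Docker runtime options the PR scopes to the secure profile: it strips block comments the way the sed preflight above does, parses runArgs, and reports seccomp=unconfined, apparmor=unconfined or any added capability found outside a profile whose file name marks it as secure. The sample profiles, the file names and the rule that --cap-add counts as a finding are assumptions of this example.

```python
import json
import re

# Constructed sample profiles, not the repository's real devcontainer files.
DEFAULT_PROFILE = """{ /* platform-only contributor profile */
  "name": "codex", "runArgs": ["--platform=linux/arm64"] }"""
SECURE_PROFILE = """{ "name": "codex-secure",
  "runArgs": ["--security-opt", "seccomp=unconfined",
              "--security-opt=apparmor=unconfined", "--cap-add=SYS_ADMIN"] }"""

def strip_block_comments(text):
    """Drop /* ... */ comments, as the PR's sed preflight does, before json.loads."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)

def _flag_values(args):
    """Yield (flag, value) for "--flag=value", "--flag value" and bare "--flag"."""
    i = 0
    while i < len(args):
        flag, value, step = args[i], "", 1
        if not flag.startswith("--"):
            i += 1
            continue
        if "=" in flag:
            flag, value = flag.split("=", 1)
        elif i + 1 < len(args) and not args[i + 1].startswith("--"):
            value, step = args[i + 1], 2
        yield flag, value
        i += step

def relaxed_options(devcontainer_text):
    """Return runArgs settings that relax Docker's outer sandbox: the two unconfined
    options the PR scopes to the secure profile, plus any --cap-add (an assumption)."""
    cfg = json.loads(strip_block_comments(devcontainer_text))
    found = set()
    for flag, value in _flag_values(cfg.get("runArgs", [])):
        if flag == "--security-opt" and value in ("seccomp=unconfined", "apparmor=unconfined"):
            found.add(value)
        elif flag == "--cap-add":  # normalise CAP_SYS_ADMIN / sys_admin to SYS_ADMIN
            cap = value.upper()
            found.add("cap-add=" + (cap[4:] if cap.startswith("CAP_") else cap))
    return found

def audit(profiles):
    """profiles maps file name -> JSON text; report relaxed options outside the secure profile."""
    findings = []
    for name, text in profiles.items():
        if "secure" not in name:
            for opt in sorted(relaxed_options(text)):
                findings.append(f"{name}: {opt} outside the secure profile")
    return findings
```

Run audit over both profile files in CI next to the jq checks above; an empty result means the relaxed options stay confined to the secure profile.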

viyatb-oai and others added 3 commits April 12, 2026 10:29
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai viyatb-oai changed the title [codex] Support bubblewrap in Docker devcontainers [codex] Support bubblewrap in secure Docker devcontainer Apr 12, 2026
@viyatb-oai viyatb-oai marked this pull request as ready for review April 12, 2026 17:49
@viyatb-oai viyatb-oai merged commit 1288bb6 into main Apr 12, 2026
22 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/devcontainer-bwrap-seccomp-docker branch April 12, 2026 17:49
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2026