feat: replace kubedock with native container-in-container support#709
Merged: cidrblock merged 8 commits into ansible:main, Mar 18, 2026
Conversation
Switch the Dev Spaces image from kubedock-based container proxying to native rootless podman via user namespaces (OCP 4.17+ / Dev Spaces 3.20).

- Remove kubedock podman.py wrapper
- Add entrypoint.sh for dynamic UID/subuid/subgid mapping
- Add pod-overrides and container-overrides to devfile for user namespace support (hostUsers: false, procMount: Unmasked, /dev/fuse and /dev/net/tun device access)
- Add buildah, skopeo, and crun packages
- Set BUILDAH_ISOLATION=chroot for nested user namespace compatibility
- Set newuidmap/newgidmap capabilities for rootless podman
- Update Python from 3.11 to 3.12
- Add python3/pip3 alternatives for version-agnostic invocation
- Add colored bash prompt modeled after Fedora's bash-color-prompt
- Fix hardcoded python3.11 path in ansible-navigator devfile command
- Bump oc client from 4.15 to 4.17

Made-with: Cursor

- Add buildah, crun, skopeo, setcap, setgid to cspell dictionary
- Remove unused cyan variable from ansible-prompt.sh (shellcheck SC2034)
- Move entrypoint.sh install into setup.sh bind-mount RUN to avoid adding extra image layers (24 > 23 max)

Made-with: Cursor

- entrypoint.sh: fail fast with error if /etc/passwd is not writable and user cannot be resolved
- entrypoint.sh: derive subordinate ID range from /proc/self/uid_map instead of assuming a fixed 65536 window, and validate the range is positive before writing subuid/subgid
- setup.sh: follow alternatives --install with --set to guarantee python3/pip3 resolve deterministically
- ansible-prompt.sh: preserve existing PROMPT_COMMAND hooks instead of unconditionally overwriting

Made-with: Cursor

- Fix /etc/group entry to include GID field (name:x:gid:members)
- Add set -euo pipefail and explicit writable checks for /etc/subuid and /etc/subgid before writing
- Rename END_ID to SUB_ID_COUNT to clarify it is a count, not an end

Made-with: Cursor
cgruver reviewed Mar 17, 2026
Made-with: Cursor
- Remove pod-overrides and container-overrides from devfile.yaml; Dev Spaces operator injects the correct context on 3.25+/4.20+
- Bump oc client to 4.20 (container-in-container supported in 4.20)

Made-with: Cursor

Only /etc/passwd is needed for whoami; user primary GID is 0 and group 0 (root) already exists in the image. Avoids invalid group-file format and GID mismatch (Copilot 2949320604).

Made-with: Cursor
…sed for both subuid/subgid Made-with: Cursor
cidrblock added a commit to cidrblock/ansible-creator that referenced this pull request, Mar 17, 2026
…ntainer

- Remove KUBEDOCK_ENABLED env; no longer needed with native container-in-container (Dev Spaces operator injects context).
- Remove container args; ansible-devspaces image uses ENTRYPOINT/CMD.

Aligns scaffolded devfile with ansible/ansible-dev-tools#709.

Made-with: Cursor
shatakshiiii approved these changes, Mar 18, 2026
cidrblock added a commit to ansible/ansible-creator that referenced this pull request, Mar 18, 2026

…ntainer (#540)

* fix(devfile): align with OCP 4.20+ / Dev Spaces 3.25+ container-in-container

  - Remove KUBEDOCK_ENABLED env; no longer needed with native container-in-container (Dev Spaces operator injects context).
  - Remove container args; ansible-devspaces image uses ENTRYPOINT/CMD.

  Aligns scaffolded devfile with ansible/ansible-dev-tools#709.

  Made-with: Cursor

* chore: remove KUBEDOCK from cspell dictionary (no longer used in devfile)

  Made-with: Cursor
renovate bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request, Mar 21, 2026

##### [`26.3.1`](https://github.com/ansible/ansible-dev-tools/releases/tag/v26.3.1)

#### Features

- feat: replace kubedock with native container-in-container support ([#709](ansible/ansible-dev-tools#709)) [@cidrblock](https://github.com/cidrblock)

---

##### [`26.3.0`](https://github.com/ansible/ansible-dev-tools/releases/tag/v26.3.0)

#### Fixes

- fix: update devtools tools to 26.3.0 ([#701](ansible/ansible-dev-tools#701)) [@ssbarnea](https://github.com/ssbarnea)
- fix: entry point and pytest config ([#694](ansible/ansible-dev-tools#694)) [@ssbarnea](https://github.com/ssbarnea)
- fix: compatibility with newer tox releases ([#700](ansible/ansible-dev-tools#700)) [@ssbarnea](https://github.com/ssbarnea)
- fix: selenium container ([#698](ansible/ansible-dev-tools#698)) [@ssbarnea](https://github.com/ssbarnea)
- fix: selenium container arm64 ([#695](ansible/ansible-dev-tools#695)) [@ssbarnea](https://github.com/ssbarnea)

#### Maintenance

- chore(deps): update pep621 ([#708](ansible/ansible-dev-tools#708)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#707](ansible/ansible-dev-tools#707)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps-dev): bump black from 26.3.0 to 26.3.1 in the uv group across 1 directory ([#705](ansible/ansible-dev-tools#705)) @[dependabot\[bot\]](https://github.com/apps/dependabot)
- chore: update mkdocs ([#703](ansible/ansible-dev-tools#703)) [@ssbarnea](https://github.com/ssbarnea)
- chore(deps): update all dependencies ([#702](ansible/ansible-dev-tools#702)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#696](ansible/ansible-dev-tools#696)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore: improve test robustness for devspaces environment ([#697](ansible/ansible-dev-tools#697)) [@VedantMadane](https://github.com/VedantMadane)
- chore: add adt and python extension to selenium container ([#699](ansible/ansible-dev-tools#699)) [@ssbarnea](https://github.com/ssbarnea)
sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request, Mar 21, 2026 (same release notes as above)
## Summary

Replace the kubedock-based container proxying in the Dev Spaces image with native rootless podman via user namespaces, targeting OCP 4.20+ and Dev Spaces 3.25+.

## Changes

Container image (`devspaces/`):

- Remove `podman.py` kubedock wrapper; no longer needed with native container-in-container
- Add `entrypoint.sh` for dynamic UID/subuid/subgid mapping required by rootless podman in user namespaces
- Add `buildah`, `skopeo`, and `crun` packages (design doc requirements, now functional with native containers)
- Set `BUILDAH_ISOLATION=chroot` to avoid nested user namespace issues
- Set `cap_setuid`/`cap_setgid` on `newuidmap`/`newgidmap` for rootless podman
- Add `python3`/`pip3` alternatives so commands work with or without version suffix
- Add colored bash prompt (`ansible-prompt.sh`) modeled after Fedora's `bash-color-prompt`, installed to `/etc/profile.d/`
- Bump `oc` client from 4.15 to 4.20

Devfile (`devfile.yaml`):

- Fix hardcoded `/usr/local/lib/python3.11/` path in the ansible-navigator command to use dynamic Python lookup

## Background

With OCP 4.20+, containers can run nested containers natively via rootless podman without kubedock as an intermediary. This simplifies the architecture, removes the podman wrapper indirection, and enables `buildah` and `skopeo` to work properly inside the workspace.

Reference: Enable nested containers in OpenShift Dev Spaces with user namespaces

## Cluster requirements

The target OCP cluster needs:

- `crun` set as the default OCI runtime
- An SCC (`nested-podman-scc`) with `SETUID`/`SETGID` capabilities and the `container_engine_t` SELinux type
- `containerBuildConfiguration.openShiftSecurityContextConstraint` pointing to the SCC

## Test plan

- `tools/devspaces.sh`
- `podman run` works inside the workspace (native, not via kubedock)
- `buildah` and `skopeo` work inside the workspace
- `python3 --version` returns 3.12
- `python3` and `pip3` resolve without version suffix
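The sub-ID derivation the entrypoint.sh commits describe (read the mapped window from `/proc/self/uid_map` instead of assuming 65536, validate that the count is positive, refuse to write `/etc/subuid`/`/etc/subgid` when they are not writable) is shown below as an added illustration; it is not the PR's `entrypoint.sh`. The function names, the rule that sub-IDs start one above the user's own UID, and the constructed `uid_map` sample are assumptions.

```shell
#!/bin/sh
# Derive a rootless-podman subordinate ID range from the user-namespace
# mapping the container was started with. Assumed logic, not the project's.
set -eu

# subid_range UID_MAP_FILE UID
# Prints "START:COUNT" for the sub-ID window above UID inside the namespace,
# or returns 1 if UID is unmapped or no IDs are left above it.
subid_range() {
    map_file=$1
    uid=$2
    while read -r inner outer count; do      # uid_map columns: inner outer count
        [ -z "$inner" ] && continue
        end=$((inner + count))               # one past the last mapped inner ID
        if [ "$uid" -ge "$inner" ] && [ "$uid" -lt "$end" ]; then
            start=$((uid + 1))               # assumption: sub-IDs begin above the user
            sub_count=$((end - start))
            [ "$sub_count" -gt 0 ] || return 1   # validate a positive range
            echo "${start}:${sub_count}"
            return 0
        fi
    done < "$map_file"
    return 1
}

# subid_entry USER UID_MAP_FILE UID -> "user:start:count" as written to /etc/subuid
subid_entry() {
    range=$(subid_range "$2" "$3") || return 1
    echo "$1:$range"
}

# write_subids USER UID_MAP_FILE UID FILE...
# Appends the entry to each file, failing fast if a file is not writable.
write_subids() {
    user=$1; map_file=$2; uid=$3; shift 3
    entry=$(subid_entry "$user" "$map_file" "$uid") || { echo "no sub-ID range for uid $uid" >&2; return 1; }
    for f in "$@"; do
        [ -w "$f" ] || { echo "$f is not writable" >&2; return 1; }
        grep -q "^$user:" "$f" || echo "$entry" >> "$f"
    done
}

# Demo on a constructed uid_map (not the real /proc/self/uid_map):
# inner 0 maps to host 100000 for 65536 IDs; the workspace user is UID 1000.
demo_map=$(mktemp); demo_sub=$(mktemp)
printf '         0     100000      65536\n' > "$demo_map"
write_subids user "$demo_map" 1000 "$demo_sub"
cat "$demo_sub"                              # user:1001:64535
rm -f "$demo_map" "$demo_sub"
```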