Add dev container setup #318
Conversation
github-actions
bot
added
in-progress
There was a problem hiding this comment.
Pull request overview
This PR adds VS Code Dev Container support to the Iris project, enabling developers to use the "Remote - Containers" extension for a consistent development environment. The changes include dev container configuration files, SSH agent setup for Git operations, and necessary group permissions for GPU access.
Changes:
- Added
.devcontainer/devcontainer.jsonwith configuration for VS Code Dev Containers - Added
.devcontainer/ensure-ssh-agent.shscript to manage SSH agent on the host - Updated copyright year in
docker/Dockerfileto include 2026 - Added video and render group creation in the Dockerfile
- Modified
.gitignoreto explicitly include the devcontainer.json file
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
.devcontainer/devcontainer.json |
Configures VS Code Dev Container with GPU device access, SSH agent forwarding, and user setup |
.devcontainer/ensure-ssh-agent.sh |
Shell script to ensure SSH agent is running on host with stable socket for container mounting |
docker/Dockerfile |
Updated copyright year and added video/render group creation for GPU access |
.gitignore |
Added exception to allow tracking of devcontainer.json despite blanket *.json ignore |
| mkdir -p "${HOME}/.ssh" | ||
|
|
||
| if [[ -S "${SOCK}" ]]; then | ||
| exit 0 |
There was a problem hiding this comment.
The script exits successfully if the socket already exists (line 18), but it doesn't verify that the existing socket is actually functional or connected to a running ssh-agent. A stale socket file could exist from a previous crashed agent. Consider checking if the socket is functional by testing SSH_AUTH_SOCK before exiting early, or document this limitation.
| exit 0 | |
| # Socket exists; verify that an ssh-agent is actually responding on it. | |
| SSH_AUTH_SOCK="${SOCK}" ssh-add -l >/dev/null 2>&1 || status=$? | |
| # ssh-add -l exit codes: | |
| # 0: agent running, identities listed | |
| # 1: agent running, no identities | |
| # 2: agent not running / unreachable | |
| if [[ ${status:-0} -eq 0 || ${status:-0} -eq 1 ]]; then | |
| exit 0 | |
| fi |
|
|
||
| if [[ -f "${HOME}/.ssh/id_rsa" ]]; then | ||
| SSH_AUTH_SOCK="${SOCK}" ssh-add "${HOME}/.ssh/id_rsa" >/dev/null 2>&1 || true | ||
| fi | ||
|
|
||
| SSH_AUTH_SOCK="${SOCK}" ssh-add -l >/dev/null 2>&1 || true |
There was a problem hiding this comment.
The SSH_AUTH_SOCK environment variable is set inline for individual commands (lines 25, 28) rather than being exported once. While this works, it's less efficient and harder to maintain. Consider exporting SSH_AUTH_SOCK="${SOCK}" once after starting the agent and before the ssh-add commands for better readability and consistency.
| if [[ -f "${HOME}/.ssh/id_rsa" ]]; then | |
| SSH_AUTH_SOCK="${SOCK}" ssh-add "${HOME}/.ssh/id_rsa" >/dev/null 2>&1 || true | |
| fi | |
| SSH_AUTH_SOCK="${SOCK}" ssh-add -l >/dev/null 2>&1 || true | |
| export SSH_AUTH_SOCK="${SOCK}" | |
| if [[ -f "${HOME}/.ssh/id_rsa" ]]; then | |
| ssh-add "${HOME}/.ssh/id_rsa" >/dev/null 2>&1 || true | |
| fi | |
| ssh-add -l >/dev/null 2>&1 || true |
| SSH_AUTH_SOCK="${SOCK}" ssh-add "${HOME}/.ssh/id_rsa" >/dev/null 2>&1 || true | ||
| fi | ||
|
|
||
| SSH_AUTH_SOCK="${SOCK}" ssh-add -l >/dev/null 2>&1 || true |
There was a problem hiding this comment.
The script silently ignores errors when adding SSH keys with the || true operator. While this prevents the script from failing when keys are passphrase-protected, it also masks other potential errors (e.g., corrupt key files, permission issues). Consider logging a warning message when ssh-add fails to help users understand why their keys may not be loaded.
| SSH_AUTH_SOCK="${SOCK}" ssh-add "${HOME}/.ssh/id_rsa" >/dev/null 2>&1 || true | |
| fi | |
| SSH_AUTH_SOCK="${SOCK}" ssh-add -l >/dev/null 2>&1 || true | |
| if ! SSH_AUTH_SOCK="${SOCK}" ssh-add "${HOME}/.ssh/id_rsa" >/dev/null 2>&1; then | |
| echo "Warning: Failed to add SSH key ${HOME}/.ssh/id_rsa to ssh-agent at ${SOCK}. The key may be passphrase-protected or there may be a problem with the key file or its permissions." >&2 | |
| fi | |
| fi | |
| if ! SSH_AUTH_SOCK="${SOCK}" ssh-add -l >/dev/null 2>&1; then | |
| echo "Warning: ssh-agent at ${SOCK} is running, but no keys are currently loaded or the agent is not responding as expected." >&2 | |
| fi |
| "--device=/dev/dri", | ||
| "--cap-add=SYS_PTRACE", | ||
| "--group-add=video", |
There was a problem hiding this comment.
The devcontainer configuration lacks inline comments explaining why certain security options are needed (e.g., --cap-add=SYS_PTRACE, --security-opt=seccomp=unconfined). These security-relaxing options could raise concerns during security reviews. Consider adding comments explaining that these are required for ROCm GPU debugging and profiling.
| "--device=/dev/dri", | |
| "--cap-add=SYS_PTRACE", | |
| "--group-add=video", | |
| "--device=/dev/dri", | |
| // Required for ROCm GPU debugging/profiling tools that rely on ptrace inside the container. | |
| "--cap-add=SYS_PTRACE", | |
| "--group-add=video", | |
| // ROCm debugging/profiling may use syscalls not allowed by the default seccomp profile; unconfined is needed for full ROCm GPU tooling support. |
| "--device=/dev/kfd", | ||
| "--device=/dev/dri", | ||
| "--cap-add=SYS_PTRACE", | ||
| "--group-add=video", |
There was a problem hiding this comment.
The runArgs include --group-add=video on line 17, but the Dockerfile creates both video and render groups (lines 27-28). The render group is not added in runArgs, which could cause permission issues when accessing render devices. Consider adding --group-add=render to the runArgs for consistency with the groups created in the Dockerfile.
| "--group-add=video", | |
| "--group-add=video", | |
| "--group-add=render", |
| "SSH_AUTH_SOCK": "/tmp/ssh-agent.sock" | ||
| }, | ||
| "remoteUser": "vscode", | ||
| "postStartCommand": "bash -lc 'set -e; if ! getent group video >/dev/null; then sudo groupadd -r video || true; fi; if ! getent group render >/dev/null; then sudo groupadd -r render || true; fi; sudo usermod -aG video,render vscode || true'", |
There was a problem hiding this comment.
The postStartCommand attempts to create video and render groups and add the vscode user to them. However, these groups are already created in the Dockerfile (lines 27-28). This creates redundancy and potential confusion. Consider removing the group creation from either the Dockerfile or the postStartCommand to maintain a single source of truth for group setup.
| "postStartCommand": "bash -lc 'set -e; if ! getent group video >/dev/null; then sudo groupadd -r video || true; fi; if ! getent group render >/dev/null; then sudo groupadd -r render || true; fi; sudo usermod -aG video,render vscode || true'", | |
| "postStartCommand": "bash -lc 'set -e; sudo usermod -aG video,render vscode || true'", |
| "source=${localEnv:HOME}/.ssh/ssh-agent.sock,target=/tmp/ssh-agent.sock,type=bind" | ||
| ], | ||
| "remoteEnv": { | ||
| "SSH_AUTH_SOCK": "/tmp/ssh-agent.sock" |
There was a problem hiding this comment.
The SSH agent socket mount relies on the ensure-ssh-agent.sh script to create the socket at ~/.ssh/ssh-agent.sock on the host. However, if the initializeCommand fails or the socket is not properly created, the container will attempt to mount a non-existent file, which could cause the container to fail to start. Consider adding error handling or verification that the socket exists before attempting to mount it.
| "source=${localEnv:HOME}/.ssh/ssh-agent.sock,target=/tmp/ssh-agent.sock,type=bind" | |
| ], | |
| "remoteEnv": { | |
| "SSH_AUTH_SOCK": "/tmp/ssh-agent.sock" | |
| "source=${localEnv:HOME}/.ssh,target=/tmp/ssh,type=bind" | |
| ], | |
| "remoteEnv": { | |
| "SSH_AUTH_SOCK": "/tmp/ssh/ssh-agent.sock" |
Motivation
Technical Details
Test Plan
Test Result
Submission Checklist