Fix devcontainer to work with noble

Author: graydon

.devcontainer/Dockerfile

@@ -31,51 +31,49 @@ RUN if [ ! -z "${APT_MIRROR}" ]; then \
     sed -i \
         -e "s|http://archive.ubuntu.com/ubuntu/|${APT_MIRROR}|" \
         -e "s|http://security.ubuntu.com/ubuntu/|${APT_MIRROR}|" \
-        /etc/apt/sources.list \
+        /etc/apt/sources.list.d/ubuntu.sources \
     ; fi \
-    ; grep "^[^#;]" /etc/apt/sources.list
+    ; grep "^[^#;]" /etc/apt/sources.list.d/ubuntu.sources
 
 # install base container packages and prep for VSCode
 RUN apt-get update \
     # Verify process tools, lsb-release (common in install instructions for CLIs) installed
     && apt-get -y install iproute2 procps lsb-release \
     #
     # Create a non-root user to use if preferred - see https://aka.ms/vscode-remote/containers/non-root-user.
-    && groupadd --gid $USER_GID $USERNAME \
-    && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME \
+    # If group/user with the specified GID/UID already exists, rename them to $USERNAME.
+    && if getent group $USER_GID > /dev/null 2>&1; then \
+           groupmod -n $USERNAME $(getent group $USER_GID | cut -d: -f1); \
+       else \
+           groupadd --gid $USER_GID $USERNAME; \
+       fi \
+    && if id -u $USER_UID > /dev/null 2>&1; then \
+           existing_user=$(getent passwd $USER_UID | cut -d: -f1); \
+           usermod -l $USERNAME -d /home/$USERNAME -m -s /bin/bash $existing_user; \
+       else \
+           useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME; \
+       fi \
     # [Optional] Add sudo support for the non-root user
     && apt-get install -y sudo \
     && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME\
     && chmod 0440 /etc/sudoers.d/$USERNAME
 
-# Add test tool chain
-# NOTE: newer version of the compilers are not
-#    provided by stock distributions
-#    and are provided by the /test toolchain
-# RUN apt-get -y install software-properties-common \
-#     && add-apt-repository ppa:ubuntu-toolchain-r/test \
-#    && apt-get update
+# Install build and dev requirements
+RUN apt-get update && \
+    apt-get -y install \
+    git build-essential pkg-config autoconf automake libtool bison flex sed perl \
+    libpq-dev parallel curl ccache bear \
+    cpp-14 gcc-14 g++-14 libstdc++-14-dev \
+    clang-20 llvm-20 libc++-20-dev clang-format-20 clangd-20 libc++abi-20-dev libclang-rt-20-dev \
+    postgresql
 
-# Install common compilation tools
-RUN apt-get -y install git build-essential pkg-config autoconf automake libtool bison flex sed perl libpq-dev parallel curl
-
-# Update compiler tools
-RUN apt-get -y install libstdc++-14-dev clang-format-20 ccache
-
-# gcc
-RUN apt-get -y install cpp-14 gcc-14 g++-14
-# clang
-RUN apt-get -y install clang-20 llvm-20
 # rust
 ENV PATH "/root/.cargo/bin:$PATH"
 
 # clang by default
 ENV CC=clang-20
 ENV CXX=clang++-20
 
-# Install postgresql to enable tests under make check
-RUN apt-get -y install postgresql
-
 # Set up locale
 RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen \
     && locale-gen

.devcontainer/devcontainer.json

@@ -1,7 +1,7 @@
 // For format details, see https://aka.ms/vscode-remote/devcontainer.json or the definition README at
-// https://github.com/microsoft/vscode-dev-containers/tree/master/containers/ubuntu-18.04-git
+// https://github.com/devcontainers/images/blob/main/README.md
 {
-	"name": "Ubuntu 20.04 & Git",
+	"name": "Ubuntu 24.04 & Git",
 	"dockerFile": "Dockerfile",
 	"build": {
 		"args": {
@@ -11,36 +11,44 @@
 	"onCreateCommand": "./install-rust.sh",
 	// The optional 'runArgs' property can be used to specify additional runtime arguments.
 	"runArgs": [
-		// Uncomment the line if you will use a ptrace-based debugger like C++, Go, and Rust.
-	    "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined",
+		// Uncomment these lines if you will use a ptrace-based debugger like C++, Go, and Rust.
+		// Note that these options have security implications and should be used with caution.
+		// We have them disabled currently because we don't want to allow copilot LLMs to use ptrace
+		// to escape the container sandbox.
+		// "--cap-add=SYS_PTRACE",
+		// "--security-opt",
+		// "seccomp=unconfined",
 
 		// Uncomment the next line to use a non-root user. On Linux, this will prevent
 		// new files getting created as root, but you may need to update the USER_UID
 		// and USER_GID in .devcontainer/Dockerfile to match your user if not 1000.
-		"-u", "vscode"
+		"-u",
+		"vscode"
 	],
 
-	// Use 'settings' to set *default* container specific settings.json values on container create. 
-	// You can edit these settings after create using File > Preferences > Settings > Remote.
-	"settings": { 
-		"terminal.integrated.shell.linux": "/bin/bash"
-	},
-
-	// Use 'features.docker-from-docker' to setup docker inside the container
-	// for building the Docker images inside GitHub Codespaces.
-	"features": {
-		"docker-from-docker": {
-			"version": "latest",
-			"moby": true
-		}
-	},
+	// We previously had `features.docker-from-docker` enabled here to allow
+	// running docker commands inside the container. However we now disable that
+	// as we are are using the devcontainers as a moderate-strength security
+	// boundary to sandbox the copilot LLMs. We don't want them running host
+	// docker commands -- that would violate the whole point of the sandbox.
 
 	// Uncomment the next line if you want to publish any ports.
 	// "appPort": [],
-
 	// Uncomment the next line to run commands after the container is created.
 	// "postCreateCommand": "uname -a",
-
-	// Add the IDs of extensions you want installed when the container is created in the array below.
-	"extensions": []
-}
+	"customizations": {
+		"vscode": {
+			"settings": {
+				"terminal.integrated.defaultProfile.linux": "bash",
+				"clangd.path": "/usr/bin/clangd-20"
+			},
+			"extensions": [
+				"llvm-vs-code-extensions.vscode-clangd",
+				"llvm-vs-code-extensions.lldb-dap",
+				"matepek.vscode-catch2-test-adapter",
+				"rust-lang.rust-analyzer",
+				"graydon.lsp-lm-tool"
+			]
+		}
+	}
+}