dave/storkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 8 Wiki Activity
Files
4262af7faa5934d19a8a3e79778affd9b8b21fb6
storkit/docker/Dockerfile

133 lines
6.0 KiB
Docker
Raw Normal View History

storkit: create 329_spike_evaluate_docker_orbstack_for_agent_isolation_and_resource_limiting
2026-03-21 20:19:56 +00:00
# Story Kit single-container runtime
# All components (server, agents, web UI) run inside this container.
# The target project repo is bind-mounted at /workspace.
#
# Build: docker build -t storkit -f docker/Dockerfile .
# Run: docker compose -f docker/docker-compose.yml up
#
# Tested with: OrbStack (recommended on macOS), Docker Desktop (slower bind mounts)
FROM rust:1.90-bookworm AS base
Add clippy to Docker image Acceptance gates run cargo clippy but the component wasn't installed in the build stage. Agents were doing real work then failing every gate check because clippy wasn't available. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 21:43:09 +00:00
# Clippy is needed at runtime for acceptance gates (cargo clippy)
RUN rustup component add clippy
storkit: create 329_spike_evaluate_docker_orbstack_for_agent_isolation_and_resource_limiting
2026-03-21 20:19:56 +00:00
# ── System deps ──────────────────────────────────────────────────────
RUN apt-get update && apt-get install -y --no-install-recommends \
git \
curl \
ca-certificates \
build-essential \
pkg-config \
libssl-dev \
# cargo-nextest is a pre-built binary
&& rm -rf /var/lib/apt/lists/*
# ── Node.js 22.x (matches host) ─────────────────────────────────────
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
&& apt-get install -y --no-install-recommends nodejs \
&& rm -rf /var/lib/apt/lists/*
# ── cargo-nextest (test runner) ──────────────────────────────────────
RUN curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C /usr/local/bin
# ── Claude Code CLI ──────────────────────────────────────────────────
# Claude Code is distributed as an npm global package.
# The CLI binary is `claude`.
RUN npm install -g @anthropic-ai/claude-code
# ── Working directory ────────────────────────────────────────────────
# /app holds the storkit source (copied in at build time for the binary).
# /workspace is where the target project repo gets bind-mounted at runtime.
WORKDIR /app
# ── Build the storkit server binary ─────────────────────────────────
# Copy the full project tree so `cargo build` and `npm run build` (via
# build.rs) can produce the release binary with embedded frontend assets.
COPY . .
# Build frontend deps first (better layer caching)
RUN cd frontend && npm ci
# Build the release binary (build.rs runs npm run build for the frontend)
RUN cargo build --release \
&& cp target/release/storkit /usr/local/bin/storkit
# ── Runtime stage (smaller image) ───────────────────────────────────
FROM debian:bookworm-slim AS runtime
RUN apt-get update && apt-get install -y --no-install-recommends \
git \
curl \
ca-certificates \
libssl3 \
# build-essential (gcc/cc) needed at runtime for:
# - rebuild_and_restart (cargo build --release)
# - agent-driven cargo commands (clippy, test, build)
build-essential \
pkg-config \
libssl-dev \
fix: harden Docker environment so tests pass inside container - Add procps to runtime stage so `ps` is available for process management - Remove noexec from /tmp and /home/storkit tmpfs mounts so test scripts can be executed from tempdir - Update coder agent system_prompt to run clippy --all-targets --all-features matching what the server acceptance gate actually runs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 14:21:27 +00:00
# procps provides ps, needed by tests and process management
procps \
storkit: create 329_spike_evaluate_docker_orbstack_for_agent_isolation_and_resource_limiting
2026-03-21 20:19:56 +00:00
&& rm -rf /var/lib/apt/lists/*
# Node.js in runtime
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
&& apt-get install -y --no-install-recommends nodejs \
&& rm -rf /var/lib/apt/lists/*
# Claude Code CLI in runtime
RUN npm install -g @anthropic-ai/claude-code
# Cargo and Rust toolchain needed at runtime for:
# - rebuild_and_restart (cargo build inside the container)
# - Agent-driven cargo commands (cargo clippy, cargo test, etc.)
COPY --from=base /usr/local/cargo /usr/local/cargo
COPY --from=base /usr/local/rustup /usr/local/rustup
ENV PATH="/usr/local/cargo/bin:${PATH}"
ENV RUSTUP_HOME="/usr/local/rustup"
ENV CARGO_HOME="/usr/local/cargo"
# cargo-nextest
COPY --from=base /usr/local/bin/cargo-nextest /usr/local/bin/cargo-nextest
# The storkit binary
COPY --from=base /usr/local/bin/storkit /usr/local/bin/storkit
# Copy the full source tree so rebuild_and_restart can do `cargo build`
# from the workspace root (CARGO_MANIFEST_DIR is baked into the binary).
# Alternative: mount the source as a volume.
COPY --from=base /app /app
Harden Docker container security Run as non-root user (fixes Claude Code refusing bypassPermissions as root, which caused all agent spawns to exit instantly with no session). Add read-only root filesystem, drop all capabilities, set no-new-privileges, bind port to localhost only, and require GIT_USER_NAME/GIT_USER_EMAIL env vars at startup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 20:33:50 +00:00
# ── Non-root user ────────────────────────────────────────────────────
# Claude Code refuses --dangerously-skip-permissions (bypassPermissions)
# when running as root. Create a dedicated user so agents can launch.
RUN groupadd -r storkit \
&& useradd -r -g storkit -m -d /home/storkit storkit \
&& mkdir -p /home/storkit/.claude \
&& chown -R storkit:storkit /home/storkit \
&& chown -R storkit:storkit /usr/local/cargo /usr/local/rustup \
Pre-create target dirs with storkit ownership in Dockerfile Docker named volumes inherit directory ownership when first created. By creating /workspace/target and /app/target as storkit-owned before the USER directive, the volumes will be writable by the storkit user. Without this, cargo build/test/clippy all fail with Permission Denied. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 16:59:32 +00:00
&& chown -R storkit:storkit /app \
&& mkdir -p /workspace/target /app/target \
&& chown storkit:storkit /workspace/target /app/target
Harden Docker container security Run as non-root user (fixes Claude Code refusing bypassPermissions as root, which caused all agent spawns to exit instantly with no session). Add read-only root filesystem, drop all capabilities, set no-new-privileges, bind port to localhost only, and require GIT_USER_NAME/GIT_USER_EMAIL env vars at startup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 20:33:50 +00:00
# ── Entrypoint ───────────────────────────────────────────────────────
# Validates required env vars (GIT_USER_NAME, GIT_USER_EMAIL) and
# configures git identity before starting the server.
COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh
USER storkit
storkit: create 329_spike_evaluate_docker_orbstack_for_agent_isolation_and_resource_limiting
2026-03-21 20:19:56 +00:00
WORKDIR /workspace
# ── Ports ────────────────────────────────────────────────────────────
# Web UI + MCP server
EXPOSE 3001
# ── Volumes (defined in docker-compose.yml) ──────────────────────────
Harden Docker container security Run as non-root user (fixes Claude Code refusing bypassPermissions as root, which caused all agent spawns to exit instantly with no session). Add read-only root filesystem, drop all capabilities, set no-new-privileges, bind port to localhost only, and require GIT_USER_NAME/GIT_USER_EMAIL env vars at startup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 20:33:50 +00:00
# /workspace bind mount: target project repo
# /home/storkit/.claude named volume: Claude Code sessions/state
# /usr/local/cargo/registry named volume: cargo dependency cache
storkit: create 329_spike_evaluate_docker_orbstack_for_agent_isolation_and_resource_limiting
2026-03-21 20:19:56 +00:00
Harden Docker container security Run as non-root user (fixes Claude Code refusing bypassPermissions as root, which caused all agent spawns to exit instantly with no session). Add read-only root filesystem, drop all capabilities, set no-new-privileges, bind port to localhost only, and require GIT_USER_NAME/GIT_USER_EMAIL env vars at startup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 20:33:50 +00:00
ENTRYPOINT ["entrypoint.sh"]
storkit: create 329_spike_evaluate_docker_orbstack_for_agent_isolation_and_resource_limiting
2026-03-21 20:19:56 +00:00
CMD ["storkit", "/workspace"]
Reference in New Issue Copy Permalink