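#!/bin/bash
set -euo pipefail
# secure_pip_setup.sh - Idempotent setup for an ephemeral Podman-in-Podman (PiP)
# container used for CI operations.
#
# Usage:    ./secure_pip_setup.sh
# Requires: XDG_RUNTIME_DIR set (the socket directory is created under it) and
#           a working host `podman` on PATH.
# Outputs:  progress on stdout, diagnostics on stderr. Exits 1 on any failure.
#           The background host-side service is stopped on every exit path
#           (EXIT trap), not only on the hand-written error branches.
#
# SECURITY NOTE (review): the container is hardened (no network, all
# capabilities dropped, read-only rootfs, no-new-privileges) but it is handed
# the HOST Podman API socket via `-v "${SOCKET_PATH}:/var/run/podman.sock"`.
# Whatever can talk to that socket can ask the host Podman to create arbitrary
# containers, including privileged ones or ones with host bind mounts. The
# hardening flags therefore bound what the container can do *directly*, not
# what it can do *through the host API* -- treat anything able to `podman exec`
# into, or otherwise drive, this container as equivalent to the host Podman
# user. `--network=none` is accurate for the container's own network namespace
# only. Note also that the host-side `podman system service` is stopped once
# the container is up; this script verifies the container with `podman exec`,
# not through the socket, so whether the inner service takes over the
# bind-mounted socket path is not checked here.

# --- Configuration -----------------------------------------------------------
# Fail with a readable message instead of a bare `unbound variable` from -u.
: "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set; the socket directory is created under it}"

readonly PIP_CONTAINER_NAME="ci-pip"
readonly SOCKET_DIR="${XDG_RUNTIME_DIR}/podman-host"
readonly SOCKET_PATH="${SOCKET_DIR}/podman.sock"
# Supply-chain note: `:latest` is a mutable tag, so successive CI runs may
# pull different images. Pin to an immutable digest (`quay.io/podman/stable@sha256:...`)
# if reproducible runs matter.
readonly PODMAN_IMAGE="quay.io/podman/stable:latest"

# Upper bounds for the readiness polls that replace fixed sleeps.
readonly SOCKET_WAIT_SECS=10
readonly CONTAINER_WAIT_SECS=15

# PID of the host-side `podman system service`; empty when not running.
HOST_PODMAN_PID=""

# --- Helpers -----------------------------------------------------------------

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
fail() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Stop the host-side Podman service if we still own one. Registered on EXIT so
# it also runs when `set -e` aborts the script somewhere unexpected.
# Globals: HOST_PODMAN_PID (read)
#######################################
stop_host_service() {
  if [[ -n "${HOST_PODMAN_PID}" ]]; then
    kill "${HOST_PODMAN_PID}" 2>/dev/null || true
    # Reap the job; a SIGTERM'd child returns non-zero, which is expected.
    wait "${HOST_PODMAN_PID}" 2>/dev/null || true
  fi
}
trap stop_host_service EXIT

#######################################
# Wait until the host service has created its UNIX socket.
# Globals: SOCKET_PATH, SOCKET_WAIT_SECS, HOST_PODMAN_PID (read)
# Returns: 0 when the socket exists, 1 on timeout or if the service died.
#######################################
wait_for_socket() {
  local tick
  for (( tick = 0; tick < SOCKET_WAIT_SECS * 10; tick++ )); do
    if [[ -S "${SOCKET_PATH}" ]]; then
      return 0
    fi
    # Give up early if the background service already exited.
    if ! kill -0 "${HOST_PODMAN_PID}" 2>/dev/null; then
      return 1
    fi
    sleep 0.1
  done
  return 1
}

#######################################
# Report whether the PiP container is in the "running" state.
# Globals: PIP_CONTAINER_NAME (read)
# Returns: 0 if running, 1 otherwise (including "no such container").
#######################################
container_running() {
  local state
  state=$(podman inspect --format '{{.State.Status}}' "${PIP_CONTAINER_NAME}" 2>/dev/null) || return 1
  [[ "${state}" == "running" ]]
}

#######################################
# Poll until the container is running, bounded by CONTAINER_WAIT_SECS.
# Returns: 0 when running, 1 on timeout.
#######################################
wait_for_container() {
  local tick
  for (( tick = 0; tick < CONTAINER_WAIT_SECS * 2; tick++ )); do
    if container_running; then
      return 0
    fi
    sleep 0.5
  done
  return 1
}

#######################################
# Dump the container's logs to stderr for diagnosis. Best-effort: the
# container may not exist at all when this is called.
#######################################
dump_container_logs() {
  podman logs "${PIP_CONTAINER_NAME}" >&2 2>&1 || true
}

# --- Main --------------------------------------------------------------------

main() {
  # Remove any leftovers from a previous run so the script stays idempotent.
  echo "Cleaning up any existing PiP container and socket..."
  podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true
  # `:?` refuses to run `rm -rf` on an empty path even if a future edit breaks
  # the derivation of SOCKET_DIR.
  rm -rf -- "${SOCKET_DIR:?}"

  # Owner-only directory: this is the real access gate for the socket below.
  echo "Creating secure socket directory..."
  mkdir -p -- "${SOCKET_DIR}"
  chmod 700 -- "${SOCKET_DIR}"

  echo "Starting host Podman service on UNIX socket..."
  podman system service --time=0 "unix://${SOCKET_PATH}" &
  HOST_PODMAN_PID=$!

  # Replaces a fixed `sleep 2`: bail as soon as the socket appears or the
  # service dies, instead of racing a slow host.
  if ! wait_for_socket; then
    fail "Podman socket not created at ${SOCKET_PATH} within ${SOCKET_WAIT_SECS}s"
  fi

  # 0660 is effectively owner-only here because SOCKET_DIR is 0700; the
  # group bit only matters if the directory permissions are ever relaxed.
  echo "Setting secure socket permissions..."
  chmod 660 -- "${SOCKET_PATH}"

  # The socket bind mount hands the host Podman API to the container; see the
  # SECURITY NOTE at the top before relying on the other flags as isolation.
  echo "Creating secure PiP container..."
  local -a run_args=(
    -d
    --name "${PIP_CONTAINER_NAME}"
    --security-opt=no-new-privileges
    --cap-drop=ALL
    --read-only
    --network=none
    --tmpfs /run:rw,size=64M
    --tmpfs /tmp:rw,size=256M
    -v "${SOCKET_PATH}:/var/run/podman.sock"
  )
  podman run "${run_args[@]}" "${PODMAN_IMAGE}" \
    podman system service --time=0 unix:///var/run/podman.sock

  # Replaces a fixed `sleep 5` with a bounded poll on the container state.
  echo "Waiting for PiP container to start..."
  if ! wait_for_container; then
    dump_container_logs
    fail "PiP container failed to start"
  fi

  # The container is up; the host-side service is no longer needed by this
  # script. The EXIT trap would also do this, but stop it explicitly so the
  # summary below reflects the final state.
  echo "Switching to PiP container for Podman operations..."
  stop_host_service
  HOST_PODMAN_PID=""

  # Smoke test via `podman exec` (host CLI), not via the socket. This proves
  # the container accepts exec and the inner `podman` binary runs; it does
  # not by itself prove the inner API service is serving requests.
  echo "Testing PiP connectivity..."
  if ! podman exec "${PIP_CONTAINER_NAME}" podman version >/dev/null 2>&1; then
    dump_container_logs
    fail "PiP container not responding to Podman commands"
  fi

  # Re-check after the smoke test so a container that died in the meantime is
  # not reported as ready.
  if ! container_running; then
    dump_container_logs
    fail "PiP container exited after initial start"
  fi

  echo "Secure PiP container setup complete!"
  echo "   Container: ${PIP_CONTAINER_NAME}"
  echo "   Socket: ${SOCKET_PATH}"
  echo "   Security: No network, no capabilities, read-only rootfs"
  echo "   Note: the host Podman API socket is bind-mounted into the container"
}

main "$@"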