#!/bin/bash set -euo pipefail # secure_pip_setup.sh - Secure PiP client container setup # Creates ephemeral PiP container that connects to host Podman via UNIX socket # Configuration RUN_ID="${GITHUB_RUN_ID:-local}" PIP_CONTAINER_NAME="ci-pip-${RUN_ID}" SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}" SOCKET_PATH="${SOCKET_DIR}/podman.sock" PODMAN_IMAGE="quay.io/podman/stable@sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890" WORKSPACE="${GITHUB_WORKSPACE:-$PWD}" # Clean up any existing container and socket for this run echo "๐Ÿงน Cleaning up any existing PiP container and socket for run ${RUN_ID}..." podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true # Kill any host service bound to this specific socket path if pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" >/dev/null; then echo "๐Ÿ›‘ Stopping existing host service for this socket..." pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" | awk '{print $1}' | xargs -r kill || true fi # Remove existing socket directory rm -rf "${SOCKET_DIR}" 2>/dev/null || true # Create secure per-run socket directory echo "๐Ÿ“ Creating per-run socket directory..." mkdir -p "${SOCKET_DIR}" chmod 700 "${SOCKET_DIR}" # Start host Podman service on UNIX socket (background) echo "๐Ÿ”ง Starting host Podman service on UNIX socket..." podman system service --time=0 "unix://${SOCKET_PATH}" & HOST_PODMAN_PID=$! sleep 2 # Verify socket was created if [[ ! -S "${SOCKET_PATH}" ]]; then echo "โŒ ERROR: Podman socket not created at ${SOCKET_PATH}" kill ${HOST_PODMAN_PID} 2>/dev/null || true exit 1 fi # Set secure permissions on socket echo "๐Ÿ”’ Setting secure socket permissions..." chmod 660 "${SOCKET_PATH}" # Create ephemeral PiP container as client only (no inner daemon) echo "๐Ÿณ Creating secure PiP client container with workspace mount..." podman run -d \ --name "${PIP_CONTAINER_NAME}" \ --security-opt=no-new-privileges \ --cap-drop=ALL \ --read-only \ --network=none \ --tmpfs /run:rw,size=64M \ --tmpfs /tmp:rw,size=256M \ -v "${SOCKET_PATH}:/var/run/podman.sock" \ -v "${WORKSPACE}:/workspace:rw" \ -e CONTAINER_HOST="unix:///var/run/podman.sock" \ "${PODMAN_IMAGE}" \ sleep infinity # Wait for container to start echo "โณ Waiting for PiP container to start..." sleep 3 # Verify container is running if ! podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' | grep -q running; then echo "โŒ ERROR: PiP container failed to start" podman logs "${PIP_CONTAINER_NAME}" || true kill ${HOST_PODMAN_PID} 2>/dev/null || true exit 1 fi echo "๐ŸŽ‰ Secure PiP client container setup complete!" echo " Container: ${PIP_CONTAINER_NAME}" echo " Socket: ${SOCKET_PATH}" echo " Workspace: ${WORKSPACE} โ†’ /workspace" echo " Security: No network, no capabilities, read-only rootfs, client-only"