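#!/bin/bash
set -euo pipefail

# secure_pip_setup.sh - Secure PiP client container setup
#
# Creates an ephemeral PiP container that runs no inner daemon and connects
# to the host Podman service through a bind-mounted UNIX socket.
#
# Environment read:
#   GITHUB_RUN_ID     - suffix for the container name (default: "local")
#   XDG_RUNTIME_DIR   - base directory of the host socket
#                       (default: /run/user/<uid>)
#   GITHUB_WORKSPACE  - directory mounted at /workspace (default: $PWD)
#   HOST_PODMAN_PID   - optional; if set, that process is signalled when the
#                       container fails to start
#
# Exit status: 0 when the container reports "running", 1 otherwise.
#
# SECURITY NOTE: the flags below harden the client container itself, but the
# mounted socket is an unauthenticated control channel to the host Podman
# service. Any process inside the container can ask that service to create
# containers with whatever mounts and options the socket's owner is allowed
# to use. Treat access to this container as access to the service account,
# and keep the socket's directory and mode restricted to that account.

# Configuration
RUN_ID="${GITHUB_RUN_ID:-local}"
PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
SOCKET_PATH="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host/podman.sock"
# Pinned by digest so a retagged image cannot be pulled silently.
# NOTE(review): this digest looks like a placeholder pattern - confirm it is
# the real digest of the reviewed image before relying on the pin.
PODMAN_IMAGE="quay.io/podman/stable@sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890"
WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
# Upper bound, in seconds, on how long to wait for the "running" state.
START_TIMEOUT_SECS=10

# Clean up any existing container for this run.
# Deliberately best-effort: a missing container is the normal case.
echo "🧹 Cleaning up any existing PiP container for run ${RUN_ID}..."
podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true

# Verify the systemd-managed socket exists
echo "🔍 Checking for systemd-managed Podman socket..."
if [[ ! -S "${SOCKET_PATH}" ]]; then
  {
    echo "❌ ERROR: Podman socket not found at ${SOCKET_PATH}"
    echo " Ensure the podman-host-socket.service is running:"
    echo " sudo -u ci-service systemctl --user enable --now podman-host-socket.service"
  } >&2
  exit 1
fi

# Set secure permissions on socket (in case they were reset).
# Still best-effort (chmod fails when the caller is not the owner), but the
# failure is reported instead of hidden: the socket mode is what keeps other
# local users away from the Podman API.
echo "🔒 Setting secure socket permissions..."
if ! chmod 660 "${SOCKET_PATH}" 2>/dev/null; then
  echo "WARNING: could not set mode 660 on ${SOCKET_PATH}; verify its owner and permissions" >&2
fi

# Create ephemeral PiP container as client only (no inner daemon)
echo "🐳 Creating secure PiP client container with workspace mount..."
run_args=(
  -d
  --name "${PIP_CONTAINER_NAME}"
  --security-opt=no-new-privileges
  --cap-drop=ALL
  --read-only
  --network=none
  --tmpfs /run:rw,size=64M
  --tmpfs /tmp:rw,size=256M
  # Host Podman API socket: see the SECURITY NOTE at the top of this file.
  -v "${SOCKET_PATH}:/var/run/podman.sock"
  -v "${WORKSPACE}:/workspace:rw"
  -e CONTAINER_HOST="unix:///var/run/podman.sock"
)
podman run "${run_args[@]}" "${PODMAN_IMAGE}" sleep infinity

# Wait for container to start: poll the state rather than sleeping a fixed
# time, so a fast start is not delayed and a slow one is not misreported.
echo "⏳ Waiting for PiP container to start..."
container_status=""
for ((attempt = 1; attempt <= START_TIMEOUT_SECS; attempt++)); do
  container_status="$(podman container inspect \
    --format '{{.State.Status}}' "${PIP_CONTAINER_NAME}" 2>/dev/null || true)"
  if [[ "${container_status}" == "running" ]]; then
    break
  fi
  sleep 1
done

# Verify container is running
if [[ "${container_status}" != "running" ]]; then
  echo "❌ ERROR: PiP container failed to start" >&2
  podman logs "${PIP_CONTAINER_NAME}" || true
  # HOST_PODMAN_PID is not assigned anywhere in this script. Under `set -u`
  # an unguarded expansion aborts here with "unbound variable" before the
  # intended exit, so only signal the process when a caller exported the PID.
  if [[ -n "${HOST_PODMAN_PID:-}" ]]; then
    kill "${HOST_PODMAN_PID}" 2>/dev/null || true
  fi
  exit 1
fi

echo "🎉 Secure PiP client container setup complete!"
echo " Container: ${PIP_CONTAINER_NAME}"
echo " Socket: ${SOCKET_PATH}"
echo " Workspace: ${WORKSPACE} → /workspace"
echo " Security: No network, no capabilities, read-only rootfs, client-only"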