sharenet/secure_pip_setup.sh

#!/bin/bash
set -euo pipefail

# secure_pip_setup.sh - Secure PiP client container setup
# Creates ephemeral PiP container that connects to host Podman via UNIX socket

# Configuration
RUN_ID="${GITHUB_RUN_ID:-local}"
PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
SOCKET_PATH="${SOCKET_DIR}/podman.sock"
PODMAN_IMAGE="quay.io/podman/stable:latest"
WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"

# Clean up any existing container and socket for this run
echo "🧹 Cleaning up any existing PiP container and socket for run ${RUN_ID}..."
podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true

# Kill any host service bound to this specific socket path
if pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" >/dev/null; then
    echo "🛑 Stopping existing host service for this socket..."
    pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" | awk '{print $1}' | xargs -r kill || true
fi

# Remove existing socket directory
rm -rf "${SOCKET_DIR}" 2>/dev/null || true

# Create secure per-run socket directory
echo "📁 Creating per-run socket directory..."
mkdir -p "${SOCKET_DIR}"
chmod 700 "${SOCKET_DIR}"

# Start host Podman service on UNIX socket (background)
echo "🔧 Starting host Podman service on UNIX socket..."
podman system service --time=0 "unix://${SOCKET_PATH}" &
HOST_PODMAN_PID=$!
sleep 2

# Verify socket was created
if [[ ! -S "${SOCKET_PATH}" ]]; then
    echo "❌ ERROR: Podman socket not created at ${SOCKET_PATH}"
    kill ${HOST_PODMAN_PID} 2>/dev/null || true
    exit 1
fi

# Set secure permissions on socket
echo "🔒 Setting secure socket permissions..."
chmod 660 "${SOCKET_PATH}"

# Create ephemeral PiP container as client only (no inner daemon)
echo "🐳 Creating secure PiP client container with workspace mount..."
podman run -d \
  --name "${PIP_CONTAINER_NAME}" \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --network=none \
  --tmpfs /run:rw,size=64M \
  --tmpfs /tmp:rw,size=256M \
  -v "${SOCKET_PATH}:/var/run/podman.sock:z" \
  -v "${WORKSPACE}:/workspace:rw,z" \
  -e CONTAINER_HOST="unix:///var/run/podman.sock" \
  "${PODMAN_IMAGE}" \
  sleep infinity

# Wait for container to start
echo "⏳ Waiting for PiP container to start..."
sleep 3

# Verify container is running
if ! podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' | grep -q running; then
    echo "❌ ERROR: PiP container failed to start"
    podman logs "${PIP_CONTAINER_NAME}" || true
    kill ${HOST_PODMAN_PID} 2>/dev/null || true
    exit 1
fi

echo "🎉 Secure PiP client container setup complete!"
echo "   Container: ${PIP_CONTAINER_NAME}"
echo "   Socket: ${SOCKET_PATH}"
echo "   Workspace: ${WORKSPACE} → /workspace"
echo "   Security: No network, no capabilities, read-only rootfs, client-only"