Skip to content

feat(cli): add --enable-dind flag to opt-in to Docker socket access#1276

Merged
Mossaka merged 1 commit intomainfrom
feat/116-enable-dind
Mar 13, 2026
Merged

feat(cli): add --enable-dind flag to opt-in to Docker socket access#1276
Mossaka merged 1 commit intomainfrom
feat/116-enable-dind

Conversation

@Mossaka
Copy link
Collaborator

@Mossaka Mossaka commented Mar 13, 2026

Summary

  • Adds --enable-dind CLI flag that exposes the host Docker socket to the agent container
  • By default, the Docker socket remains hidden (mounted as /dev/null) for security
  • When enabled, mounts /var/run/docker.sock and /run/docker.sock as read-write into the chroot

Fixes #116

Test plan

  • Unit test: verify Docker socket hidden by default (should hide Docker socket by default)
  • Unit test: verify Docker socket exposed when enableDind: true (should expose Docker socket when enableDind is true)
  • Build passes
  • All 954 tests pass
  • Lint passes (0 errors)

🤖 Generated with Claude Code

@Mossaka @claude
feat(cli): add --enable-dind flag to opt-in to Docker socket access
5fd4c4d 
Add --enable-dind flag that exposes the host Docker socket to the agent
container, enabling Docker-in-Docker workflows. By default, the socket
remains hidden (mounted as /dev/null) for security.

Closes #116

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 13, 2026 00:46
@Mossaka Mossaka enabled auto-merge (squash) March 13, 2026 00:46
@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 84.33% 84.50% 📈 +0.17%
Statements 84.27% 84.44% 📈 +0.17%
Functions 84.44% 84.44% ➡️ +0.00%
Branches 77.08% 77.20% 📈 +0.12%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/docker-manager.ts 86.9% → 87.6% (+0.65%) 86.2% → 86.9% (+0.63%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI reviewed Mar 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an opt-in CLI/config switch to allow Docker-in-Docker style workflows by exposing the host Docker socket to the agent container, while keeping the default behavior secure (socket hidden via /dev/null).

Changes:

  • Extend WrapperConfig with enableDind?: boolean.
  • Update Docker Compose generation to either hide or expose the host Docker socket based on enableDind.
  • Add CLI flag --enable-dind and unit tests covering default/opt-in behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
src/types.ts Adds enableDind config field with security warning docs.
src/docker-manager.ts Gates Docker socket volume mounts on config.enableDind.
src/docker-manager.test.ts Adds unit coverage for default hide vs opt-in expose behavior.
src/cli.ts Adds --enable-dind flag and wires it into WrapperConfig.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/types.ts
Comment on lines +392 to +399
* When true, the host's Docker socket (/var/run/docker.sock) is mounted
* into the agent container, allowing the agent to run Docker commands.
*
* WARNING: This allows the agent to bypass firewall restrictions by
* spawning new containers without network restrictions.
*
* @default false
*/
src/docker-manager.ts
Comment on lines +728 to +730
agentVolumes.push(`${dockerSocketPath}:/host${dockerSocketPath}:rw`);
// Also expose the /run/docker.sock symlink if it exists
agentVolumes.push('/run/docker.sock:/host/run/docker.sock:rw');
src/docker-manager.test.ts
Comment on lines +689 to +701
it('should expose Docker socket when enableDind is true', () => {
const dindConfig = { ...mockConfig, enableDind: true };
const result = generateDockerCompose(dindConfig, mockNetworkConfig);
const agent = result.services.agent;
const volumes = agent.volumes as string[];

// Docker socket should be mounted read-write, not hidden
expect(volumes).toContain('/var/run/docker.sock:/host/var/run/docker.sock:rw');
expect(volumes).toContain('/run/docker.sock:/host/run/docker.sock:rw');
// Should NOT have /dev/null mounts
expect(volumes).not.toContain('/dev/null:/host/var/run/docker.sock:ro');
expect(volumes).not.toContain('/dev/null:/host/run/docker.sock:ro');
});
@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026

Smoke Test Results — PASS ✅

Test Result
GitHub MCP (last 2 merged PRs) #1272 feat(ci): add weekly performance monitoring workflow, #1271 fix(squid): run Squid container as non-root proxy user
Playwright (github.com title) ✅ "GitHub · Change is constant. GitHub keeps you ahead."
File writing /tmp/gh-aw/agent/smoke-test-copilot-23030944668.txt created
Bash tool ✅ File verified via cat

Overall: PASS@Mossaka

📰 BREAKING: Report filed by Smoke Copilot for issue #1276

@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026

Smoke Test Results

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1276

@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.14.0 v20.20.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Result: FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1276

@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1276 ·

@Mossaka Mossaka merged commit b551d43 into main Mar 13, 2026
61 of 62 checks passed
@Mossaka Mossaka deleted the feat/116-enable-dind branch March 13, 2026 01:17
This was referenced Mar 13, 2026
Open
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

build-test smoke-claude smoke-copilot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

A new mode that disallow docker-in-docker

2 participants

@Mossaka