refactor: update devcontainer

[ryanolson]

Summary by CodeRabbit

• Chores
  • Updated development container setup to use a custom Dockerfile and simplified configuration.
  • Improved Python and Rust toolchain paths and settings for a smoother development experience.
  • Streamlined environment variables and mount settings for easier container management.
  • Added "common-utils" feature to the devcontainer for enhanced utility support.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

Walkthrough

A new Dockerfile was added to the .devcontainer directory to define a custom development container image, including the installation of LLVM and configuration for passwordless sudo. The devcontainer.json was updated to build from this Dockerfile, simplify environment variables, adjust interpreter paths, update Rust analyzer settings, and modify feature and mount configurations.

Changes

File(s)	Change Summary
.devcontainer/Dockerfile	Added a Dockerfile to build a custom devcontainer image, install packages, LLVM, and configure sudo settings.
.devcontainer/devcontainer.json	Updated to build from Dockerfile, adjusted interpreter and Rust settings, simplified env vars and mounts.

Estimated code review effort

2 (30–90 minutes)

Poem

In the warren of code, a Dockerfile new,
With LLVM and sudo, the build quickly grew.
The devcontainer hops with settings refined,
Rust and Python in harmony aligned.
As the carrots compile and the binaries run,
This rabbit declares: the setup is done! 🥕🐇

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

.devcontainer/devcontainer.json (3)

70-71: Mounting host $HOME over container $HOME may clobber dot-files
Binding the entire host home directory onto /home/ubuntu wipes whatever the Dockerfile (or features) placed there and risks leaking local secrets (SSH keys, git creds) into the container image cache. Unless you absolutely need the whole home, mount only the specific sub-paths you care about (e.g., .ssh, .gitconfig).

---

43-45: Interpreter path assumes a pre-created venv
/home/ubuntu/.venv/bin/python will break on first open if the venv isn’t created in the Dockerfile or a postCreateCommand. Either create the venv during image build/post-create or switch to the system Python.

---

63-64: postCreateCommand commented out – build/install steps lost
The old image ran a post-create script to compile Rust and pip-install packages. With it disabled the workspace may open half-configured. Confirm that these steps are no longer needed or re-enable the command with the new path.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb6de94 and fdd72a3.

📒 Files selected for processing (2)

• .devcontainer/Dockerfile (1 hunks)
• .devcontainer/devcontainer.json (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

.devcontainer/devcontainer.json (1)

Learnt from: julienmancuso
PR: #1474
File: deploy/cloud/operator/internal/controller/dynamocomponent_controller.go:1302-1306
Timestamp: 2025-06-11T21:18:00.425Z
Learning: In the Dynamo operator, the project’s preferred security posture is to set a Pod-level PodSecurityContext with runAsUser, runAsGroup, and fsGroup all set to 1000, and then selectively override the user at the individual container level (e.g., RunAsUser: 0 for Kaniko) when root is required.

[coderabbitai]

⚠️ Potential issue

Malformed feature options – UID env var & boolean type
"${localEnv:UID-1000}" is not a valid environment-variable key (dash not allowed). This will resolve to an empty string and the feature will fail.
Also upgradePackages expects a JSONC boolean, not a string.

-            "userUid": "${localEnv:UID-1000}",
-            "userGid": "${localEnv:UID-1000}",
-            "upgradePackages": "false"
+            "userUid": "${localEnv:UID}",
+            "userGid": "${localEnv:UID}",
+            "upgradePackages": false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"features": {
	"ghcr.io/devcontainers/features/common-utils:2": {
	"userUid": "${localEnv:UID-1000}",
	"userGid": "${localEnv:UID-1000}",
	"upgradePackages": "false"
	}
	"features": {
	"ghcr.io/devcontainers/features/common-utils:2": {
	"userUid": "${localEnv:UID}",
	"userGid": "${localEnv:UID}",
	"upgradePackages": false
	}

🤖 Prompt for AI Agents

In .devcontainer/devcontainer.json around lines 72 to 77, the userUid and
userGid options use an invalid environment variable key with a dash, causing
them to resolve to empty strings; replace "${localEnv:UID-1000}" with a valid
key like "${localEnv:UID_1000}" or another valid environment variable without
dashes. Also, change the upgradePackages value from the string "false" to the
boolean false without quotes to match the expected JSONC boolean type.

[coderabbitai]

🛠️ Refactor suggestion

Slim down the image and harden sudo setup

1. Add --no-install-recommends to the apt-get install line – it cuts bloat by skipping docs and ancillary packages.
2. The comment says “Add all users to sudo group” but in reality you only relax /etc/sudoers; if the ubuntu user (or any other) is not already in the sudo group it will still lack sudo rights. Either ensure the user is added (usermod -aG sudo ubuntu) or re-phrase the comment.
3. Fetching a remote install script (llvm.sh) at build-time without pinning a checksum makes reproducibility brittle. At minimum, pin the expected SHA256 or an explicit LLVM version (LLVM_VERSION=17 bash …) so future upstream changes don’t silently break the build.

-    apt-get install -y sudo wget lsb-release software-properties-common gnupg ca-certificates && \
+    apt-get install -y --no-install-recommends \
+        sudo wget lsb-release software-properties-common gnupg ca-certificates && \
+    usermod -aG sudo ubuntu && \

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN apt-get update && \
	apt-get install -y sudo wget lsb-release software-properties-common gnupg ca-certificates && \
	# Install latest stable LLVM using official script
	bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" && \
	apt-get clean && \
	rm -rf /var/lib/apt/lists/* && \
	# Add all users to sudo group and enable passwordless sudo
	echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
	RUN apt-get update && \
	apt-get install -y --no-install-recommends \
	sudo wget lsb-release software-properties-common gnupg ca-certificates && \
	usermod -aG sudo ubuntu && \
	# Install latest stable LLVM using official script
	bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" && \
	apt-get clean && \
	rm -rf /var/lib/apt/lists/* && \
	# Add all users to sudo group and enable passwordless sudo
	echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

🤖 Prompt for AI Agents

In .devcontainer/Dockerfile lines 4 to 11, add --no-install-recommends to the
apt-get install command to reduce image size by skipping unnecessary packages.
Ensure the user (e.g., ubuntu) is added to the sudo group with usermod -aG sudo
ubuntu or update the comment to accurately reflect that only sudoers file is
modified. Also, modify the llvm.sh installation to specify an explicit LLVM
version or verify the script's SHA256 checksum to improve build reproducibility
and security.

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[github-actions]

This PR has been closed due to inactivity. If you believe this PR is still relevant, please feel free to reopen it with additional context or information.