Pull request overview
This PR optimizes the development container and related tooling scripts to improve devcontainer build performance, reduce image size, and tighten default permissions while updating Node.js expectations.
Changes:
- Updated `.devcontainer/Dockerfile` to use a pinned Bookworm base image, BuildKit apt cache mounts, `--no-install-recommends`, multi-stage `uv` install, and Node.js 24.x.
- Tightened cache directory permissions (e.g., mypy cache, various `.cache/*` directories) from `777` to `755`.
- Moved CLI installs into devcontainer features and updated packaging guidance to expect Node.js 24.x.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `.devcontainer/Dockerfile` | BuildKit caching, pinned base image, uv multi-stage install, Node.js 24.x, and permission tightening. |
| `.devcontainer/devcontainer.json` | Adds devcontainer features (Azure CLI, Copilot CLI). |
| `.devcontainer/devcontainer_setup.sh` | Tightens mypy cache permissions and keeps devcontainer setup behavior. |
| `build_scripts/prepare_package.py` | Removes shebang and updates Node.js version guidance in error output. |
| `docker/build_pyrit_docker.py` | Removes shebang (script intended to be run via `python ...`). |
| `docker/run_pyrit_docker.py` | Removes shebang (script intended to be run via `python ...`). |
| RUN --mount=type=cache,target=/var/cache/apt \ | ||
| --mount=type=cache,target=/var/lib/apt \ | ||
| apt-get update \ |
When using --mount=type=cache for apt directories, concurrent builds can contend on apt lock files stored inside the shared cache (and occasionally corrupt the cache). It’s safer to set sharing=locked on these cache mounts (and mount the more specific .../apt/lists path) to avoid intermittent build failures when multiple builds run in parallel.
| "ghcr.io/devcontainers/features/azure-cli:1": { | ||
| "version": "latest" | ||
| }, | ||
| "ghcr.io/devcontainers/features/copilot-cli:1": { | ||
| "version": "latest" | ||
| } |
Using "version": "latest" for devcontainer features makes devcontainer builds non-reproducible and can introduce breaking changes without a PR. Pin these features to a specific, known-good version (or a semver range you’re comfortable with) to align with the PR’s reproducibility goals.
| "ghcr.io/devcontainers/features/azure-cli:1": { | |
| "version": "latest" | |
| }, | |
| "ghcr.io/devcontainers/features/copilot-cli:1": { | |
| "version": "latest" | |
| } | |
| "ghcr.io/devcontainers/features/azure-cli:1": {}, | |
| "ghcr.io/devcontainers/features/copilot-cli:1": {} |
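Review bot: The replacement lines `"ghcr.io/devcontainers/features/azure-cli:1": {}` and `"ghcr.io/devcontainers/features/copilot-cli:1": {}` drop the `version` option instead of pinning it, so the result is still unpinned: the feature reference floats on the `:1` major tag and the installed tool version falls back to whatever the feature's default is. To meet the reproducibility goal stated in the comment, keep the `version` key and set it to a specific known-good value, and consider referencing each feature by a full version tag rather than `:1`.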
| @@ -11,66 +12,61 @@ USER root | |||
| RUN rm -f /etc/apt/sources.list.d/yarn.list 2>/dev/null || true | |||
|
|
|||
| # Install required system packages + ODBC prerequisites | |||
| RUN apt-get update && apt-get install -y \ | |||
| sudo \ | |||
| unixodbc \ | |||
| unixodbc-dev \ | |||
| libgl1 \ | |||
| git \ | |||
| curl \ | |||
| xdg-utils \ | |||
| build-essential \ | |||
| && apt-get clean && rm -rf /var/lib/apt/lists/* | |||
| RUN --mount=type=cache,target=/var/cache/apt \ | |||
| --mount=type=cache,target=/var/lib/apt \ | |||
| apt-get update \ | |||
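Review bot: The two cache mounts on the new `RUN` line will not retain downloaded packages unless apt's cleanup hook is turned off, and nothing in this hunk does that. The official Debian-based images ship `/etc/apt/apt.conf.d/docker-clean`, which deletes downloaded `.deb` files after each install, so the `/var/cache/apt` mount stays empty between builds. Remove that file (or set `Binary::apt::APT::Keep-Downloaded-Packages "true";`) in an earlier step; otherwise only the package lists are cached and every rebuild still re-downloads the packages.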
This Dockerfile now relies on BuildKit-only RUN --mount=type=cache syntax. If BuildKit is disabled (or an older Dockerfile frontend is used), the build will fail parsing these RUN lines. Consider adding a # syntax=docker/dockerfile:<version> directive at the top (and/or ensuring the build entrypoints set DOCKER_BUILDKIT=1) so the devcontainer build works reliably across environments.
| RUN --mount=type=cache,target=/var/cache/apt \ | ||
| --mount=type=cache,target=/var/lib/apt \ | ||
| curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \ | ||
| && apt-get install -y --no-install-recommends nodejs |
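Review bot: A failed download on the `curl -fsSL https://deb.nodesource.com/setup_24.x | bash -` line does not fail the build, because the pipeline's exit status is that of `bash -`, which exits 0 on empty input unless `pipefail` is set. The following `apt-get install -y --no-install-recommends nodejs` would then install whatever `nodejs` package the already-configured repositories offer rather than 24.x. Download to a file and run it as a separate `&&` step, or set `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this `RUN`, and assert the installed major version with `node --version`.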
The curl -fsSL https://deb.nodesource.com/setup_24.x | bash - pattern downloads and executes a remote script as root without any integrity or authenticity verification, creating a supply-chain risk. If the NodeSource endpoint or DNS is compromised, an attacker could run arbitrary code during the image build and persist backdoored tooling into the devcontainer image. Replace this pipe-to-bash installer with a method that verifies a pinned script or package (e.g., manually configuring the APT repository with a GPG key or verifying a checksum/signature before execution).
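The checksum option mentioned in the comment above, sketched as an added example (not code from this PR or from NodeSource): the script is saved to a file, checked against a pinned SHA-256, and only then executed. The function names, the `RUN_SHELL` variable and the stand-in installer are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (not code from the PR): verify a downloaded script
# against a pinned SHA-256 before running it, instead of piping curl to a shell.

# Print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: status 0 only on an exact digest match,
# 2 if FILE is missing or EXPECTED_HEX is not 64 lowercase hex characters.
verify_sha256() {
    [ -f "$1" ] || return 2
    case $2 in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#2}" -eq 64 ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED_HEX [ARGS...]: run FILE only if it verifies.
# The interpreter defaults to sh; RUN_SHELL (hypothetical knob) overrides it.
run_verified() {
    rv_file=$1 rv_sum=$2
    shift 2
    if verify_sha256 "$rv_file" "$rv_sum"; then
        "${RUN_SHELL:-sh}" "$rv_file" "$@"
    else
        echo "refusing to run $rv_file: SHA-256 mismatch or bad input" >&2
        return 1
    fi
}

# Constructed demo: a local stand-in installer, so this runs offline.
demo=$(mktemp)
printf 'echo "installer ran"\n' > "$demo"
pinned=$(sha256_of "$demo")   # in a Dockerfile: a literal recorded at review time
run_verified "$demo" "$pinned"                    # digest matches, script runs
printf 'echo "injected"\n' >> "$demo"             # the served content changes
run_verified "$demo" "$pinned" || echo "blocked"  # digest differs, refused
rm -f "$demo"
```

In a Dockerfile `RUN` step the download goes to a file with `curl -fsSL -o`, and the pinned value is a literal committed alongside the Dockerfile, so a changed upstream script fails the build until someone reviews and re-pins it.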
| && rm -rf /var/lib/apt/lists/* | ||
| libpulse0 | ||
|
|
||
| # Install Node.js 24.x LTS for frontend development |
Switching from 18 to 24 there could be a lot of changes. If that's absolutely needed right now I'd defer until later because it could significantly slow down ongoing front end work that was built with 18.
@romanlutz I can pull this change out, but Node 20 is EOL April 2026
Description
Optimizes the devcontainer Dockerfile to improve build speed, reduce image size, and tighten permissions.
Key changes:
Build performance
- `--mount=type=cache`) for all `apt-get` layers instead of `apt-get clean && rm -rf /var/lib/apt/lists/*` — cached packages persist across local rebuilds, so subsequent builds skip re-downloading unchanged packages. Note: these mounts only benefit local builds; in CI, GHA layer caching (`cache-from: type=gha`) handles caching at the layer level.
- `uv` via `COPY --from=ghcr.io/astral-sh/uv:0.10.8` multi-stage copy instead of `curl | sh` — avoids a network round-trip, shell pipe execution, and the extra cleanup of `/root/.local/bin`.

Image size
- `--no-install-recommends` consistently to all `apt-get install` invocations (previously only used on the Speech SDK block) — prevents pulling in unnecessary Recommends dependencies (e.g., X11 libs, man pages).

Reproducibility
- `python:3.11-bookworm` instead of `python:3.11` — prevents silent shifts between Debian releases (e.g., Bookworm to Trixie) when the base image is updated. (and match existing bookworm apt repo call)
- `uv` to a specific version (`0.10.8`) via multi-stage `COPY --from` — the previous `curl | sh` always fetched the latest release, making builds non-deterministic.
- `DEBIAN_FRONTEND=noninteractive` as a global `ENV` instead of inline per-command — prevents any `apt-get` invocation from prompting for interactive input.

Security hardening
- `chmod 777` to `chmod 755` for all cache directories (pip, pylance, venv, uv, mypy) — `777` is unnecessarily permissive in a single-user devcontainer where `vscode` owns these directories.
- `python script_name.py` to avoid precommit complaint.

Dependency cleanup
- `apt-transport-https` from explicit install — this is a transitional no-op package on Debian Bookworm (HTTPS support is built into `apt` natively). The base image already includes it.
- `lsb-release` from explicit install — the base image already includes it
- `rm -rf /opt/venv` and debug `ls -la /opt/venv/bin/activate` from the uv/venv setup step.

Node.js
- `npm install -g @github/copilot` to a devcontainer feature to remove unnecessary tool from production builds.

Minor cleanup
Tests and Documentation