Sync common files from infra repository

Synchronized from bootc-dev/infra@e15b9622fc. Signed-off-by: bootc-dev Bot <bot@bootc.dev>
2026-02-05 15:45:53 +01:00 · 2026-01-28 21:59:06 +00:00
parent 5c52b25ef9
commit c7c6d52e51
3 changed files with 16 additions and 7 deletions
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-5a0900533a2b015c83b81e21f1ef78c6f7ad6067
+e15b9622fcef58276464960124823108858dc646
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -13,9 +13,14 @@
  },
  "features": {},
  "runArgs": [
-    // Because we want to be able to run podman and also use e.g. /dev/kvm
-    // among other things
-    "--privileged"
+    // Minimal security options for nested podman (avoids --privileged):
+    // - label=disable: Required for mounting /proc in nested user namespace
+    // - unmask=/proc/*: Allows access to /proc paths needed for nested containers
+    "--security-opt", "label=disable",
+    "--security-opt", "unmask=/proc/*",
+    // Device access for nested containers and VMs
+    "--device", "/dev/net/tun",
+    "--device", "/dev/kvm"
  ],
  "postCreateCommand": {
    // Our init script
--- a/.github/actions/bootc-ubuntu-setup/action.yml
+++ b/.github/actions/bootc-ubuntu-setup/action.yml
@@ -14,7 +14,8 @@ runs:
      run: |
        set -xeuo pipefail
        sudo df -h
-        unwanted_pkgs=('^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*'
+        # Use globs for package patterns (apt and dpkg both support fnmatch globs)
+        unwanted_pkgs=('aspnetcore-*' 'dotnet-*' 'llvm-*' 'php*' 'mongodb-*' 'mysql-*'
                       azure-cli google-chrome-stable firefox mono-devel)
        unwanted_dirs=(/usr/share/dotnet /opt/ghc /usr/local/lib/android /opt/hostedtoolcache/CodeQL)
        # Start background removal operations as systemd units; if this causes
@@ -30,9 +31,12 @@ runs:
        for x in ${unwanted_dirs[@]}; do
          runcleanup rm -rf "$x"
        done
-        # Apt removals in foreground, as we can't parallelize these
+        # Apt removals in foreground, as we can't parallelize these.
+        # Only attempt removal if matching packages are installed.
        for x in ${unwanted_pkgs[@]}; do
-          /bin/time -f '%E %C' sudo apt-get remove -y $x
+          if dpkg -l "$x" >/dev/null 2>&1; then
+            /bin/time -f '%E %C' sudo apt-get remove -y "$x"
+          fi
        done
    # We really want support for heredocs
    - name: Update podman and install just