
Commit 54bc879

build/docs: use pipx for Poetry and clarify Codex sandboxing
1 parent 3bd98e9 commit 54bc879

4 files changed

Lines changed: 34 additions & 10 deletions


.env.dist

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ CODE_SERVER_EXTENSIONS="ms-python.python ms-pyright.pyright charliermarsh.ruff m
1616
PYTHON_VERSION=3.14
1717
PYTHONUNBUFFERED=1
1818
PIP_DEFAULT_TIMEOUT=300
19-
POETRY_VERSION=2.3.2
19+
POETRY_VERSION=2.3.4
2020
POETRY_OPTIONS_APP="--only main --compile"
2121
POETRY_OPTIONS_DEV="--no-root --with dev --compile"
2222
POETRY_NO_INTERACTION=1

Dockerfile

Lines changed: 8 additions & 4 deletions
@@ -8,7 +8,7 @@ ARG MIRROR_LIST_COUNTRY=RU
88
ARG BUILD_PACKAGES="pyenv git gnupg sudo postgresql-libs mariadb-libs openmp"
99
ARG PYTHON_VERSION=3.14
1010
ARG PIP_DEFAULT_TIMEOUT=300
11-
ARG POETRY_VERSION=2.3.2
11+
ARG POETRY_VERSION=2.3.4
1212
RUN echo "* soft core 0" >> /etc/security/limits.conf && \
1313
echo "* hard core 0" >> /etc/security/limits.conf && \
1414
echo "* soft nofile 10000" >> /etc/security/limits.conf
@@ -53,15 +53,19 @@ RUN pyenv install --skip-existing $PYTHON_VERSION && \
5353
ENV PYTHONUNBUFFERED=1
5454
ENV PIP_DEFAULT_TIMEOUT=$PIP_DEFAULT_TIMEOUT
5555
ENV POETRY_NO_INTERACTION=1
56-
ENV POETRY_HOME=/opt/poetry
5756
ENV POETRY_CACHE_DIR=/var/cache/pypoetry
5857
ENV PIP_CACHE_DIR=/var/cache/pip
5958
ENV VIRTUAL_ENV=/opt/venv
6059
RUN python -m venv --copies $VIRTUAL_ENV
6160
ENV PATH=$VIRTUAL_ENV/bin:$PATH
6261
RUN pip install --upgrade pip
63-
RUN curl -sSL https://install.python-poetry.org | POETRY_VERSION=$POETRY_VERSION python -
64-
ENV PATH=$POETRY_HOME/bin:$PATH
62+
ENV TOOLS_VENV=/opt/tools-venv
63+
RUN python -m venv --copies $TOOLS_VENV && \
64+
$TOOLS_VENV/bin/pip install --no-cache-dir --upgrade pip pipx
65+
ENV PIPX_HOME=/opt/pipx
66+
ENV PIPX_BIN_DIR=/usr/local/bin
67+
RUN $TOOLS_VENV/bin/pipx install --python "$(command -v python)" "poetry==${POETRY_VERSION}" && \
68+
poetry --version
6569
ENV PYTHONPATH=/application/src
6670
ENV PROJECT_ROOT=/application
6771
ENV HOME=$DOCKER_USER_HOME
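Review bot: the new bootstrap pins Poetry (`"poetry==${POETRY_VERSION}"`) but leaves `pip` and `pipx` unpinned in `$TOOLS_VENV/bin/pip install --no-cache-dir --upgrade pip pipx`, so the tool layer still drifts from build to build; pin both to exact versions (or install them from a requirements file with `--require-hashes`) so the image is reproducible and a broken or tampered release cannot land silently. Dropping `curl -sSL https://install.python-poetry.org | POETRY_VERSION=$POETRY_VERSION python -` in favour of a pinned PyPI install is a clear improvement, as is the `poetry --version` check at the end of the same RUN. One detail deserves a comment in the Dockerfile: `--python "$(command -v python)"` resolves to `$VIRTUAL_ENV/bin/python`, because `ENV PATH=$VIRTUAL_ENV/bin:$PATH` is already in effect at that point, so Poetry's pipx-managed venv is derived from the application venv's interpreter rather than the pyenv one; if that is intended, say so, otherwise pass the pyenv interpreter explicitly. `PIPX_BIN_DIR=/usr/local/bin` also publishes the `poetry` shim system-wide, which is fine for an image but worth mentioning in the README next to `POETRY_VERSION`.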

README.md

Lines changed: 24 additions & 4 deletions
@@ -209,7 +209,8 @@ Set the `.env` values used by `compose.yaml` and the Docker build. Common ones:
209209

210210
* `TZ` — Container timezone (e.g. `Europe/Berlin`, `Asia/Vladivostok`).
211211
* `DOCKER_PLATFORM` — Target architecture (e.g. `linux/amd64`, `linux/arm64`).
212-
* `DOCKER_HOST_UID` / `DOCKER_HOST_GID` — Host user/group IDs for file ownership.
212+
* `DOCKER_HOST_UID` / `DOCKER_HOST_GID` — Host user/group IDs for file
213+
ownership.
213214
* `DOCKER_USER` / `DOCKER_USER_HOME` — Container user + home directory.
214215
* `MIRROR_LIST_COUNTRY` — Arch mirror country code for pacman.
215216
* `BUILD_PACKAGES` — System packages needed to build Python and runtime deps.
@@ -220,11 +221,13 @@ Set the `.env` values used by `compose.yaml` and the Docker build. Common ones:
220221
* `POETRY_OPTIONS_DEV` — Poetry install flags for the dev image.
221222
* `PIP_DEFAULT_TIMEOUT` — Pip network timeout (seconds).
222223
* `JUPYTER_TOKEN` — Token for JupyterLab login.
223-
* `CODE_SERVER_EXTENSIONS` — Space-separated extension IDs preinstalled in code-server.
224+
* `CODE_SERVER_EXTENSIONS` — Space-separated extension IDs preinstalled in
225+
code-server.
224226
* `CODE_SERVER_HOST` — Bind address for code-server (usually `0.0.0.0`).
225227
* `CODE_SERVER_PORT` — Port for code-server.
226228
* `CODE_SERVER_AUTH` — code-server auth mode (`password` or `none`).
227-
* `CODE_SERVER_PASSWORD` — Password used by code-server when auth is `password`.
229+
* `CODE_SERVER_PASSWORD` — Password used by code-server when auth is
230+
`password`.
228231
* `OPENAI_API_KEY` — API key for Codex.
229232
* `GEMINI_API_KEY` — API key for Gemini.
230233

@@ -317,7 +320,8 @@ docker compose run --rm dev ruff format --check
317320
This template includes a minimal GitHub Actions workflow in
318321
`.github/workflows/ci.yml` that:
319322

320-
* builds `dev`, `app`, `vim-ide`, `codex`, `gemini`, `jupyterlab`, and `code-server`
323+
* builds `dev`, `app`, `vim-ide`, `codex`, `gemini`, `jupyterlab`, and
324+
`code-server`
321325
* checks `vim`, `codex`, `gemini`, `jupyter-lab`, and `code-server` binaries
322326
* runs `ruff check .`
323327
* runs `ruff format --check .`
@@ -346,6 +350,16 @@ docker compose build codex
346350
docker compose run --rm codex
347351
```
348352

353+
If Codex asks for a less restricted sandbox while already running inside this
354+
container, rerun it with:
355+
356+
```bash
357+
docker compose run --rm codex -s danger-full-access
358+
```
359+
360+
Use this only when you want Codex to execute commands directly inside the
361+
container instead of using its own internal sandbox.
362+
349363
```bash
350364
docker compose build gemini
351365
docker compose run --rm gemini
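Review bot: the new paragraph tells the reader to rerun with `docker compose run --rm codex -s danger-full-access`, but the explanation of what that flag relaxes lives in a later section, so someone who lands on this snippet first only sees "a less restricted sandbox". Either move the one-paragraph explanation up here or add a pointer to it right next to the command, and extend "Use this only when you want Codex to execute commands directly inside the container instead of using its own internal sandbox" with the consequence: once Codex's own sandbox is off, the container's mounts and network are the effective boundary.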
@@ -504,6 +518,12 @@ Browser-based auth persists under `${DOCKER_USER_HOME}/.codex` and
504518
`${DOCKER_USER_HOME}/.gemini` via the `codex-auth` and `gemini-auth` Docker
505519
volumes.
506520

521+
`codex -s danger-full-access` disables Codex's internal command sandbox. It
522+
does not change Docker's seccomp profile and does not add Linux capabilities to
523+
the container. In this mode, Codex gets the same access as the container
524+
itself, including the bind-mounted `/application` workspace, available network
525+
access, and the persisted auth volume under `${DOCKER_USER_HOME}/.codex`.
526+
507527
## 🧠 Vim IDE Features
508528

509529
This template comes with a thoughtfully configured Vim environment that
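Review bot: "available network access" carries a lot of weight in this paragraph; it is accurate, but it does not tell the reader what the `codex` service actually permits. State explicitly whether the compose service restricts egress, so a user choosing `danger-full-access` knows whether an unsandboxed command can reach the internet. Likewise, since `/application` is bind-mounted, it is worth spelling out that writes made in this mode land on the host checkout. The clarification that the flag does not change Docker's seccomp profile and does not add Linux capabilities is the right framing and addresses a common misreading of the `danger-` prefix.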

compose.yaml

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ x-default-args: &default-args
1717
CODE_SERVER_EXTENSIONS: ${CODE_SERVER_EXTENSIONS:-ms-python.python ms-pyright.pyright charliermarsh.ruff ms-toolsai.jupyter}
1818
PYTHON_VERSION: ${PYTHON_VERSION:-3.14}
1919
PIP_DEFAULT_TIMEOUT: ${PIP_DEFAULT_TIMEOUT:-300}
20-
POETRY_VERSION: ${POETRY_VERSION:-2.3.2}
20+
POETRY_VERSION: ${POETRY_VERSION:-2.3.4}
2121
POETRY_OPTIONS_APP: ${POETRY_OPTIONS_APP:---only main --compile}
2222
POETRY_OPTIONS_DEV: ${POETRY_OPTIONS_DEV:---no-root --with dev --compile}
2323
