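{
  // For format details, see https://aka.ms/devcontainer.json.
  // This is the MINIMAL version of TRG's DevContainer - provides essential security hardening
  // with a balanced approach between security and usability for Web3 development.
  //
  // How the hardening is layered:
  //  - Everything under "runArgs" is enforced by the Docker daemon for the container.
  //  - Everything under "customizations.vscode.settings" is editor configuration only;
  //    it does not constrain what processes inside the container can do.
  //  - The host checkout is bind-mounted read-write (see "workspaceMount"), so code
  //    running in the container can still modify the project on the host.
  "name": "Minimal TRG's DevContainer",
  // You can use image or directly use a Dockerfile or Docker Compose file.
  // More info: https://containers.dev/guide/dockerfile
  // https://github.com/devcontainers/images/tree/main/src/base-alpine
  // "image": "mcr.microsoft.com/devcontainers/base:debian",
  "build": {
    "dockerfile": "./Dockerfile"
  },
  // In this case this is redundant, because we are using the default user.
  // The vscode user is the default in VS Code DevContainers
  //"remoteUser": "vscode",
  // Features to add to the dev container. More info: https://containers.dev/features.
  // Currently no additional features are enabled for minimal configuration.
  // Note: docker-in-docker requires a privileged container, which would undo the
  // --cap-drop / no-new-privileges hardening configured in "runArgs" below.
  "features": {
    // "ghcr.io/devcontainers/features/docker-in-docker:2": {
    //   "version": "latest",
    //   "moby": true
    // }
  },
  // Mount copying host folder into container, no hardening.
  // Read-write bind mount: tools, extensions and build scripts running inside the
  // container can modify the host checkout through this path.
  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached",
  "workspaceFolder": "/workspace",
  // Docker run arguments for security hardening and resource management
  "runArgs": [
    // Read only filesystem except for explicitly writable volumes (check mounts)
    // For a dev environment this is more a hassle than a feature.
    // "--read-only",
    // Temporary filesystem mounts with security restrictions
    // These provide hardened, size-limited temporary storage.
    // noexec means binaries unpacked into these directories cannot be executed; some
    // installers and build tools expect to run helpers from /tmp and will fail here.
    "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory
    "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory
    "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory
    // Security hardening - drop all Linux capabilities
    // This reduces the attack surface by removing unnecessary privileges.
    // Consequence: even root inside the container holds no capabilities, so package
    // installs and other privileged setup belong in the Dockerfile, not in the
    // running container.
    "--cap-drop=ALL",
    // Security options for container hardening
    // A few security additions (AppArmor & no new privileges)
    // no-new-privileges also stops setuid/setgid binaries and file capabilities
    // from granting privileges on exec, so sudo will not work in the container.
    "--security-opt", "no-new-privileges", // Prevent privilege escalation
    // Docker's documented separator for --security-opt values is '='; the older
    // 'apparmor:profile' spelling is the deprecated form. docker-default is what
    // Docker applies anyway on AppArmor-enabled hosts; naming it makes the intent
    // explicit. NOTE(review): on hosts without AppArmor (SELinux-based distributions,
    // Docker Desktop) this option may be ignored or rejected — confirm on target hosts.
    "--security-opt", "apparmor=docker-default", // Use Docker's default AppArmor profile
    // seccomp: Docker applies its default seccomp profile unless it is explicitly
    // turned off with seccomp=unconfined, so nothing needs to be set here.
    // "--security-opt", "seccomp=default",
    // Network security configuration
    // If you really want to isolate it, just disconnect it from the internet.
    // You should COPY your working files inside before, otherwise you'll have to mount them manually.
    // "--network=none",
    // IPv6 security - disable IPv6 to reduce attack surface
    "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 globally
    "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default
    // Network capability restrictions
    // Redundant after --cap-drop=ALL above (NET_RAW is already dropped); kept as a
    // statement of intent in case the blanket drop is ever relaxed.
    "--cap-drop=NET_RAW", // Disable raw packet access
    "--network=bridge", // Use bridge networking
    // DNS configuration for security and reliability
    // Pins resolution to public resolvers and bypasses the host's configured DNS,
    // including any internal or split-horizon names the host would resolve.
    "--dns=1.1.1.1", // Primary DNS (Cloudflare)
    "--dns=1.0.0.1", // Secondary DNS (Cloudflare)
    // Resource limits for container performance and security
    // Play a little bit with resources to prevent resource exhaustion
    // "--memory=512m", // Memory limit (commented out)
    // "--cpus=2" // CPU limit (commented out)
  ],
  // Writable mounts in case you want to set --read-only above.
  // Currently no additional mounts are configured
  "mounts": [
  ],
  // Configure tool-specific properties for VS Code
  "customizations": {
    // Configure properties specific to VS Code.
    "vscode": {
      "settings": {
        // Security settings - killswitch for automated tasks
        "task.autoDetect": "off", // Disable automatic task detection
        // NOTE(review): could not match this id against the documented task.* settings
        // (task.problemMatchers.neverPrompt is the documented one); VS Code silently
        // ignores unknown ids, so verify it does what the comment says.
        "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers
        // task.autoDetect only covers provider-based detection (npm, gulp, ...);
        // tasks.json entries with "runOn": "folderOpen" are gated by this setting.
        "task.allowAutomaticTasks": "off", // Never auto-run folderOpen tasks
        // Trust and security configuration
        // Workspace Trust must stay ENABLED to be restrictive: setting it to false
        // switches the feature off and treats every workspace as trusted.
        // NOTE(review): VS Code registers this as an application-scoped setting, so it
        // is probably only honoured from user settings rather than from here — verify.
        "security.workspace.trust.enabled": true, // Keep Workspace Trust active
        // Privacy settings - killswitch for telemetry
        // NOTE(review): also application-scoped in VS Code; confirm it takes effect
        // when supplied through devcontainer.json.
        "telemetry.telemetryLevel": "off", // Disable all telemetry collection
        // Terminal configuration
        "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default
        "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } }
        // Using bash might be more safe and stable, but zsh provides better features
      },
      "extensions": [
        // Minimal set of essential extensions for Web3 development
        "NomicFoundation.hardhat-solidity", // Hardhat Solidity support
        "tintinweb.solidity-visual-auditor" // Solidity visual auditor
      ]
    }
  }
  // Use 'postCreateCommand' to run commands after the container is created.
  // "postCreateCommand": ""
  // Use 'postAttachCommand' to attach a command after the container is opened.
  // "postAttachCommand": "zsh"
}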