
IDEs

This section explains how we run IDEs on Conveyor.

While using IDEs, you might have noticed that you can use sudo, and that Docker is working inside the IDE.

We implemented IDEs by running containers on Kubernetes. In general, allowing the root user and making Docker work inside a container requires granting that container all kinds of privileges. Those privileges mean the container can be broken out of, giving it full access to the host. This is, of course, not desirable.

To make sure we can run IDEs safely on Conveyor, we use Sysbox. Sysbox is an open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker and Kubernetes, just like VMs.

This allows you to run as root inside your IDEs and run Docker, while making sure you cannot break out of the container and gain root access to the host.
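
Sysbox achieves this with Linux user namespaces: UID 0 inside the container is mapped to an unprivileged UID on the host. The script below is an added example, not Conveyor's or Sysbox's own code. It parses a `uid_map` file to show which host UID root maps to, and the function names and sample mappings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether root in this container is remapped on the host.
# Each line of a uid_map file reads:
#   <first UID inside> <first UID outside> <number of UIDs in the range>

# usage: host_uid_for MAP_FILE CONTAINER_UID
# Prints the host UID that CONTAINER_UID maps to, or "unmapped".
host_uid_for() {
    awk -v uid="$2" '
        $1 <= uid && uid < $1 + $3 {
            printf "%.0f\n", $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# usage: root_verdict [MAP_FILE]   (defaults to the current process's map)
# Prints "host-root" when container root is also root on the host,
# "remapped:<uid>" when it is mapped to another host UID,
# "unmapped" when UID 0 has no mapping at all.
root_verdict() {
    host_uid=$(host_uid_for "${1:-/proc/self/uid_map}" 0)
    case "$host_uid" in
        0)        echo "host-root" ;;
        unmapped) echo "unmapped" ;;
        *)        echo "remapped:$host_uid" ;;
    esac
}

# Constructed sample mappings (not taken from a real Conveyor IDE).
demo_dir=$(mktemp -d)
printf '0 0 4294967295\n' > "$demo_dir/no_userns"  # no user namespace in use
printf '0 165536 65536\n' > "$demo_dir/remapped"   # root remapped to 165536

echo "sample without user namespace: $(root_verdict "$demo_dir/no_userns")"
echo "sample with remapped root:     $(root_verdict "$demo_dir/remapped")"
rm -rf "$demo_dir"

# On Linux, also report the mapping of the shell running this script.
if [ -r /proc/self/uid_map ]; then
    echo "this environment:              $(root_verdict)"
fi
```

Run in an IDE terminal, a `remapped:<uid>` result for this environment means that `sudo` gives you root only inside the container's user namespace.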

Because IDEs need Sysbox, they are separated from the regular workloads running on Conveyor.