Investigation: Use Sysbox to provide sudo access inside workspace

MR: Pending

Description

Sysbox is a container runtime (a specialized "runc") that enhances containers in two key ways:

  • Improves container isolation:
    • Linux user namespace on all containers (i.e., the root user in the container has zero privileges on the host).
    • Virtualizes portions of procfs & sysfs inside the container.
    • Hides host info inside the container.
    • Locks the container's initial mounts, and more.
  • Enables containers to run the same workloads as VMs:
    • With Sysbox, containers can run system-level software such as systemd, Docker, Kubernetes, K3s, buildx, legacy apps, and more, seamlessly and securely.
    • This software can run inside Sysbox containers without modification and without using special versions of the software (e.g., rootless variants).
    • No privileged containers, no complex images, no tricky entrypoints, no special volume mounts, etc.
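The first bullet (root in the container has zero privileges on the host) is the property that makes sudo inside a workspace acceptable, and it is also the one worth verifying rather than assuming. The following is an added example, not part of this issue or of the Sysbox project: a small POSIX shell check that reads a `/proc/self/uid_map` text and reports which host UID container UID 0 is mapped to. The two sample maps are constructed (the 165536 base is a made-up subuid range); the `check_current_container` helper reads the live file when run inside a workspace.

```shell
#!/bin/sh
# Added example (not from the issue or Sysbox). Each /proc/self/uid_map line is:
#   <first uid inside the namespace> <first uid on the host> <count>
# Container root is unprivileged on the host only if uid 0 maps to a non-zero host uid.

# Constructed samples (not taken from a real host):
# a user-namespaced container whose root maps to host uid 165536 ...
SYSBOX_MAP='         0     165536      65536'
# ... and a conventional container with no user namespace at all (identity map).
NO_USERNS_MAP='         0          0 4294967295'

# host_uid_of_root MAPTEXT
# Prints the host uid that container uid 0 maps to, or "unmapped" if no
# range covers uid 0 (root would then be an unmapped "nobody" identity).
host_uid_of_root() {
  printf '%s\n' "$1" | awk '
    $1 <= 0 && 0 < $1 + $3 { print $2 + (0 - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# root_is_unprivileged MAPTEXT
# Exit status 0 when container root is NOT host root (a real user namespace).
root_is_unprivileged() {
  case "$(host_uid_of_root "$1")" in
    0)        return 1 ;;   # identity mapping: root in the container is host root
    unmapped) return 1 ;;   # no mapping for uid 0: not the namespace setup we want
    *)        return 0 ;;   # uid 0 is shifted to an ordinary host uid
  esac
}

# check_current_container
# Reads the live uid_map of the calling process and prints a one-line verdict.
# Only meaningful when run inside the workspace container under test.
check_current_container() {
  if [ ! -r /proc/self/uid_map ]; then
    echo "no /proc/self/uid_map available (not Linux, or procfs hidden)"
    return 2
  fi
  map=$(cat /proc/self/uid_map)
  if root_is_unprivileged "$map"; then
    echo "OK: container root maps to host uid $(host_uid_of_root "$map")"
    return 0
  else
    echo "WARNING: container root is host root (uid_map: $map)"
    return 1
  fi
}

# Stand-alone usage: report on the current container.
check_current_container
```

Running this inside a Sysbox-backed workspace should print the "OK" line with a non-zero host UID; the "WARNING" branch is the signal that sudo inside the workspace would confer real host-root privileges and the runtime should not be trusted for this use case. The same logic applies to `/proc/self/gid_map` for group IDs.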

As a user or stakeholder, I want to use Sysbox to enable sudo access inside a workspace.

This issue will be an investigation into this approach.

Here is a discussion about Sysbox.

Acceptance Criteria

  • Decision on whether this is an acceptable/feasible solution.
  • Steps required to provide support for this in our solution.
  • Any nuances or challenges the user should be aware of.

Technical Requirements

TODO: Fill out or delete (optional) [If applicable, please list out any technical requirements for this feature/enhancement.]

Design Requirements

TODO: Fill out or delete (optional) [If applicable, please provide a link to the design specifications for this feature/enhancement.]

Impact Assessment

TODO: Fill out or delete (optional) [Please describe the impact this feature/enhancement will have on the user experience and/or the product as a whole.]

User Story

TODO: Fill out or delete (optional) [Provide a user story to illustrate the use case for this feature/enhancement. Include examples to help communicate the intended functionality.]

Edited by Vishal Tak