sk4nz/skz-sloptrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
438959ca03527a6a1775f7c95a8f2e3e1ddce2d2
skz-sloptrap/AGENTS.md
Samuel Aubertin 438959ca03 Try to inject the parent image in slopslopstrap
2026-03-10 01:22:58 +01:00

4.3 KiB
Raw Blame History

skz-sloptrap

This workspace is the source code of sloptrap, eg. your own runtime. Your author, 'sk4nz', has ran the command sloptrap path/to/skz-sloptrap and you are living in your own reflection.

Recursive slopsloptrap

sloptrap can recurse.

If you need to prove it, spawn a child from this repo with sloptrap:

./sloptrap /workspace ...

This starts a child slopsloptrap. Use the child normally, as the end-user would.

Keep Memory

Future sloptrap instances should add short, useful, durable notes they learn during their session to this file.

Only add high-signal information that is likely to help later runs. Keep additions brief. Do not remove existing instructions unless they are outdated or wrong.

Session Memory

  • When you make changes that affect how the runtime behaves and cannot test it with recursion, you can ask sk4nz to restart you.
  • If recursion is blocked by the current session state and a restart is required, give sk4nz an exact prompt to paste into the next restarted session so it can continue from the current checkpoint.
  • Useful checks in the skz-sloptrap repo: shellcheck sloptrap bash tests/run_tests.sh (you can also run them separately)
  • Recursive nested-podman inside an already user-namespaced sloptrap needs subuid/subgid ranges derived from /proc/self/uid_map and /proc/self/gid_map; hardcoding 100000:65536 breaks newuidmap.
  • When running tests from inside sloptrap, inherited CODEX_HOME=/codex plus SLOPTRAP_PREFER_CODEX_HOME=1 can leak into host-style child launches; ignore that preference when HOME has been redirected elsewhere and the runtime hints still point into the inherited /codex tree.
  • For real recursive ./sloptrap launches, correct /proc/self/uid_map alone is not enough: if the current session still has stale read-only /etc/subuid and /etc/subgid mounts (for example sk4nz:100000:65536), the first nested podman launch still fails before child startup.
  • Forcing SLOPTRAP_CONTAINER_ENGINE=sloppodman inside sloptrap also needs TMPDIR under /workspace; otherwise its build-context path guard rejects the staged Dockerfile under /tmp before you reach the real subuid/subgid problem.
  • If a restarted session still inherits stale read-only /etc/subuid and /etc/subgid tmpfs mounts, an unprivileged agent cannot repair them in-place (umount says must be superuser to unmount); both podman and sloppodman stay blocked until the session starts without those mounts.
  • Outer sloptrap launches no longer need /etc/subuid or /etc/subgid bind mounts: nested-podman now disables read-only rootfs and the container entrypoint synthesizes container-local subid files from /proc/self/{uid,gid}_map before dropping privileges.
  • Even without stale /etc/subuid mounts, recursion still fails if the container-local subid files name sloptrap instead of the real dropped user (sk4nz here): podman info --debug warns no subuid ranges found for user "sk4nz" and the first inner build dies in newuidmap ... write to uid_map failed: Operation not permitted.
  • In this Debian 13 / podman 5.4.2 environment, exporting _CONTAINERS_USERNS_CONFIGURED=done for nested podman moves the failure past newuidmap, but the next blockers are inside Buildah: with BUILDAH_ISOLATION=chroot, recursive builds fail cannot set --network other than host with --isolation chroot; without chroot, podman build can segfault in network.defaultNetworkBackend.
  • Recursive preload now has a host-side path: the outer launcher saves $SLOPTRAP_IMAGE_NAME into capability state and mounts it into the container as SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/<image>.tar, and child build-if-missing tries sloppodman load -i before any inner build. A pre-existing session must be restarted to test that path because it cannot add the new preload mount/env to itself after startup.
  • With stale subid mounts gone, recursive ./sloptrap /workspace can still fail earlier during the inner image build: crun tries to open /proc/sys/net/ipv4/ping_group_range and gets Read-only file system while creating the build container.
  • In a fragile nested-podman session, podman system migrate can make things worse: a state that still answered podman info fell back to repeated newuidmap ... write to uid_map failed: Operation not permitted failures afterward.
Reference in New Issue View Git Blame Copy Permalink