chore: update dind examples to use onCreateCommand

docs/docker.md

@@ -9,6 +9,7 @@ from inside Envbuilder.
 > you may need to instead add the relevant content of the init script to your
 > agent startup script in your template.
 > For example:
+>
 > ```
 >   resource "coder_agent" "dev" {
 >     ...
@@ -43,7 +44,6 @@ docker run -it --rm \
     ghcr.io/coder/envbuilder:latest
 ```
 
-
 ## Docker-in-Docker (DinD)
 
 **Security:** Low
@@ -57,16 +57,16 @@ Example:
 
 > Note that due to a lack of init system, the Docker daemon
 > needs to be started separately inside the container. In this example, we
-> create a custom entrypoint to start the Docker daemon in the background and
-> call this entrypoint via `ENVBUILDER_INIT_SCRIPT`.
+> create a custom script to start the Docker daemon in the background and
+> call this entrypoint via the Devcontainer `onCreateCommand` lifecycle hook.
 
 ```console
 docker run -it --rm \
     --privileged \
     -v /tmp/envbuilder:/workspaces \
     -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder \
     -e ENVBUILDER_DEVCONTAINER_DIR=/workspaces/envbuilder/examples/docker/02_dind \
-    -e ENVBUILDER_INIT_SCRIPT=/entrypoint.sh \
+    -e ENVBUILDER_INIT_SCRIPT=bash \
     ghcr.io/coder/envbuilder:latest
 ```
 
@@ -75,7 +75,7 @@ docker run -it --rm \
 The above can also be accomplished using the [`docker-in-docker` Devcontainer
 feature](https://github.com/devcontainers/features/tree/main/src/docker-in-docker).
 
-> Note: we still need the custom entrypoint to start the docker startup script.
+> Note: we still need `onCreateCommand` to start the docker startup script.
 > See https://github.com/devcontainers/features/blob/main/src/docker-in-docker/devcontainer-feature.json#L60
 
 Example:
@@ -86,7 +86,7 @@ docker run -it --rm \
     -v /tmp/envbuilder:/workspaces \
     -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder \
     -e ENVBUILDER_DEVCONTAINER_DIR=/workspaces/envbuilder/examples/docker/03_dind_feature \
-    -e ENVBUILDER_INIT_SCRIPT=/entrypoint.sh \
+    -e ENVBUILDER_INIT_SCRIPT=bash \
     ghcr.io/coder/envbuilder:latest
 ```
 
@@ -95,7 +95,7 @@ docker run -it --rm \
 **Security:** Medium
 **Convenience:** Medium
 
-This approach runs a Docker daemon in *rootless* mode.
+This approach runs a Docker daemon in _rootless_ mode.
 While this still requires a privileged container, this allows you to restrict
 usage of the `root` user inside the container, as the Docker daemon will be run
 under a "fake" root user (via `rootlesskit`). The user inside the workspace can
@@ -129,6 +129,7 @@ including transparently enabling Docker inside workspaces. Most notably, it
 access inside their workspaces, if required.
 
 Example:
+
 ```console
 docker run -it --rm \
     -v /tmp/envbuilder:/workspaces \

examples/docker/02_dind/Dockerfile

@@ -1,6 +1,18 @@
 FROM ubuntu:noble
+# Install Docker using Docker's convenience script.
 RUN apt-get update && \
-  apt-get install -y curl apt-transport-https && \
-  curl -fsSL https://get.docker.com/ | sh -s -
-ADD entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+    apt-get install -y curl sudo apt-transport-https && \
+    curl -fsSL https://get.docker.com/ | sh -s -
+# Add a non-root user with sudo privileges and allow
+# passwordless sudo for the user.
+# Note: we chown /var/run/docker.sock to the non-root user
+# in the onCreateCommand script. Ideally you would add the
+# non-root user to the docker group, but in this scenario
+# this is a 'single-user' environment. It also avoids us
+# having to run `newgrp docker`.
+RUN useradd -m -s /bin/bash -G sudo coder && \
+    echo "coder ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder
+# Add our onCreateCommand script.
+ADD on-create.sh /on-create.sh
+# Switch to the non-root user.
+USER coder

examples/docker/02_dind/devcontainer.json

@@ -1,5 +1,6 @@
 {
   "build": {
     "dockerfile": "Dockerfile"
-  }
-}
+  },
+  "onCreateCommand": "/on-create.sh"
+}

examples/docker/02_dind/on-create.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Start Docker in the background
+sudo -u root /bin/sh -c 'nohup dockerd 2>&1 > /var/log/docker.log &'
+
+# Wait for Docker to start
+for attempt in $(seq 1 10); do
+  if [[ $attempt -eq 10 ]]; then
+    echo "Failed to start Docker"
+    exit 1
+  fi
+  if [[ ! -e /var/run/docker.sock ]]; then
+    sleep 1
+  else
+    break
+  fi
+done
+# Change the owner of the Docker socket so that the coder user can use it.
+# Using `newgrp docker` is kind of annoying.
+sudo chown coder:coder /var/run/docker.sock

examples/docker/03_dind_feature/Dockerfile

@@ -1,3 +1,18 @@
 FROM ubuntu:noble
-ADD entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+# Install some dependencies such as curl and sudo.
+# Also set up passwordless sudo for the ubuntu user.
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+      curl \
+      sudo \
+      apt-transport-https && \
+    echo "ubuntu ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu
+# Add our onCreateCommand script.
+ADD on-create.sh /on-create.sh
+# Switch to the non-root user.
+USER ubuntu
+# The devcontainer feature provides /usr/local/share/docker-init.sh
+# which will handle most of the steps of setting up Docker.
+# We can't put this in the entrypoint as it gets overridden, so
+# we call it in the on-create script.
+ENTRYPOINT ["bash"]

examples/docker/03_dind_feature/devcontainer.json

@@ -2,7 +2,8 @@
   "build": {
     "dockerfile": "Dockerfile"
   },
+  "onCreateCommand": "/on-create.sh",
   "features": {
     "ghcr.io/devcontainers/features/docker-in-docker:2": {}
   }
-}
+}

examples/docker/03_dind_feature/on-create.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Run the devcontainer init script. This needs to be
+# run as root.
+sudo /usr/local/share/docker-init.sh