From c9da48ded96c35a4a1cced4ec8ea3399ef09f4bf Mon Sep 17 00:00:00 2001
From: bootc-dev Bot
Date: Mon, 2 Mar 2026 18:03:27 +0000
Subject: [PATCH] Sync common files from infra repository

Synchronized from bootc-dev/infra@1c2a5bc48c08d077982cbae3bb9cd03e2923683a.

Signed-off-by: bootc-dev Bot
---
 .bootc-dev-infra-commit.txt | 2 +-
 .devcontainer/devcontainer.json | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index d241aec..a23c9fc 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-e15b9622fcef58276464960124823108858dc646
+1c2a5bc48c08d077982cbae3bb9cd03e2923683a
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 3916c02..678171b 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -13,13 +13,16 @@
 },
 "features": {},
 "runArgs": [
- // Minimal security options for nested podman (avoids --privileged):
- // - label=disable: Required for mounting /proc in nested user namespace
- // - unmask=/proc/*: Allows access to /proc paths needed for nested containers
+ // In general we hope that the outer environment has set up
+ // a user namespace to keep this secure.
+ "--cap-add=all",
+ // Required for mounting /proc in nested user namespace
 "--security-opt", "label=disable",
+ // Allows access to /proc paths needed for nested containers
 "--security-opt", "unmask=/proc/*",
 // Device access for nested containers and VMs
 "--device", "/dev/net/tun",
+ // I always want KVM
 "--device", "/dev/kvm"
 ],
 "postCreateCommand": {
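Review bot: The new `"--cap-add=all"` in `runArgs` grants the container the full capability set, and combined with the existing `label=disable` and `unmask=/proc/*` this is close to `--privileged` in effect, which is exactly what the removed comment said the previous option set was chosen to avoid. The replacement comment states a hope ("we hope that the outer environment has set up a user namespace") rather than a precondition, so a reader running this devcontainer outside a rootless/user-namespaced runtime gets no signal that the isolation they expect is gone. I would make the requirement explicit and invite narrowing, e.g. `// Grants every capability: only acceptable when the outer runtime places this container in an unprivileged user namespace (rootless podman); prefer narrowing to the capabilities nested podman actually needs.` in place of the two-line comment above `"--cap-add=all"`. The enclosing JSON object starts and ends outside the hunk; the file is JSONC, so the comments themselves are fine for the devcontainer consumer.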