
feat(service): add podman runtime support#626

Open
Mercccccc wants to merge 2 commits into alibaba:main from Mercccccc:feature/podman-service-support

Conversation

@Mercccccc

Summary

Closes #425
Add Podman as a third container runtime alongside Docker and Kubernetes.

Why: Docker Desktop requires a paid subscription for commercial use, which may be prohibited on corporate machines. Podman is daemonless, natively rootless, and fully open-source (Apache 2.0).

What:

  • PodmanSandboxService inherits DockerSandboxService, reusing 2200+ lines of existing code via Podman's Docker-compatible API
  • Overrides only 4 methods where Podman's compat layer diverges: client creation (base_url direct pass instead of os.environ mutation), label updates (no-op — Podman doesn't support runtime label changes), connection error hints (Podman-specific messaging), and socket detection (Linux/macOS/Windows)
  • Extracts 3 methods from DockerSandboxService as overridable hooks (_supported_runtime_types, _connection_error_hint, _create_docker_client) — existing Docker behavior unchanged
  • Patches transport adapter retry policy to handle Podman's idle connection resets on Windows named pipes
  • Auto-detects Podman socket per platform; validates Windows named pipe existence via os.open()

Files changed: config.py, docker.py, factory.py, __init__.py, main.py, runtime_resolver.py
Files added: podman.py, test_podman_service.py

Known limitations vs Docker:

  • Label persistence: if server restarts after renew_expiration, sandbox falls back to original expiration (in-memory tracking is authoritative at runtime)
  • Rootless Podman: pause/unpause requires cgroups v2; egress sidecar sysctls may be restricted

Testing

  • Unit tests (21 new tests covering init, label no-op, socket detection, retry adapter, factory, config validation)
  • Integration tests (full lifecycle on Windows with Podman 5.8.1: CREATE → GET → LIST → RENEW → DELETE)
  • e2e / manual verification (execd code execution inside Podman sandbox: echo, uname, file I/O, Python)
  • Regression: 693 total tests passed, 0 failures

Breaking Changes

  • None

Existing runtime.type = "docker" and runtime.type = "kubernetes" configurations are unaffected. The docker.py refactoring is a pure extract-method change with identical behavior.

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated tests (if needed)
  • Security impact considered (no os.environ mutation; socket auto-detection validates pipe existence; rootless-first default)
  • Backward compatibility considered (zero changes to Docker/Kubernetes code paths; new [podman] config section is optional with defaults)
  • Added/updated docs (if needed)
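One way to implement the per-platform socket auto-detection and the explicit base_url client wiring that the description outlines, as an added Python example; it is not the PR's own podman.py (which is not shown on this page). The candidate socket locations are assumed Podman defaults, the Windows named-pipe probe follows the os.open() approach the description mentions, and the docker SDK client construction is left as a comment so the example runs without the docker package installed. It goes slightly beyond the description by rejecting symlinks and non-socket files at the detected path before the endpoint is handed to a client.

```python
import os
import stat
import sys
from typing import Dict, List, Optional


# Usual Podman socket locations per platform (assumption: defaults vary with
# distro, Podman version and `podman machine` settings; an explicitly
# configured path, like the PR's [podman] socket_path setting, always wins).
def candidate_socket_paths(platform: str, env: Dict[str, str]) -> List[str]:
    if platform.startswith("linux"):
        paths = []
        runtime_dir = env.get("XDG_RUNTIME_DIR")
        if runtime_dir:
            # rootless Podman first: no root-owned socket involved
            paths.append(os.path.join(runtime_dir, "podman", "podman.sock"))
        paths.append("/run/podman/podman.sock")  # rootful fallback
        return paths
    if platform == "darwin":
        home = env.get("HOME", "")
        return [os.path.join(home, ".local", "share", "containers", "podman",
                             "machine", "podman.sock")]
    if platform.startswith("win"):
        return [r"\\.\pipe\podman-machine-default"]
    return []


def is_usable_unix_socket(path: str) -> bool:
    """True only for a real (non-symlink) Unix socket we may read and write.

    lstat + S_ISLNK rejects a planted symlink that would redirect the client
    to some other socket; S_ISSOCK rejects an ordinary file with the expected
    name; os.access rejects a socket the current user cannot use anyway.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISSOCK(st.st_mode):
        return False
    return os.access(path, os.R_OK | os.W_OK)


def windows_pipe_exists(path: str) -> bool:
    """Probe a named pipe as the PR description says it does: os.open()
    succeeds only when a server is listening on the pipe; close it at once."""
    try:
        fd = os.open(path, os.O_RDWR)
    except OSError:
        return False
    os.close(fd)
    return True


def unix_path_to_base_url(path: str) -> str:
    return "unix://" + path


def pipe_path_to_base_url(path: str) -> str:
    # \\.\pipe\name -> npipe:////./pipe/name, the form docker-py expects
    return "npipe://" + path.replace("\\", "/")


def resolve_podman_base_url(platform: str, env: Dict[str, str],
                            configured: Optional[str] = None) -> Optional[str]:
    """Return a base_url for docker.DockerClient(base_url=...), or None.

    The endpoint is passed to the client explicitly rather than by mutating
    os.environ["DOCKER_HOST"], so nothing process-global changes and a Docker
    client created elsewhere in the same process keeps its own endpoint.
    """
    candidates = [configured] if configured else candidate_socket_paths(platform, env)
    for path in candidates:
        if platform.startswith("win"):
            if windows_pipe_exists(path):
                return pipe_path_to_base_url(path)
        elif is_usable_unix_socket(path):
            return unix_path_to_base_url(path)
    return None


if __name__ == "__main__":
    url = resolve_podman_base_url(sys.platform, dict(os.environ))
    if url is None:
        print("no Podman socket found; start the Podman API service or set socket_path")
    else:
        print("Podman API endpoint:", url)
        # docker.DockerClient(base_url=url) would be constructed here
```

A configured path is still validated with the same checks as an auto-detected one, so a wrong or stale socket_path fails fast with a clear "no socket" result instead of a confusing transport error later.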

Copilot AI review requested due to automatic review settings April 2, 2026 07:00
@CLAassistant

CLAassistant commented Apr 2, 2026

CLA assistant check
All committers have signed the CLA.


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 398b7102bf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


Copilot AI left a comment


Pull request overview

Adds Podman as an additional container runtime option by introducing a PodmanSandboxService that reuses the existing Docker-backed sandbox implementation via Podman’s Docker-compatible API, plus configuration plumbing and tests.

Changes:

  • Add PodmanSandboxService (inherits DockerSandboxService) with Podman socket auto-detection and a retry adapter tweak.
  • Extend configuration and service factory/exports to support runtime.type = "podman".
  • Expand secure runtime validation path and add a dedicated Podman unit test suite.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Per-file summary:

  • server/opensandbox_server/config.py: Adds podman runtime type and PodmanConfig with socket_path; updates runtime block validation.
  • server/opensandbox_server/services/docker.py: Refactors Docker service init to use overridable hooks for client creation and connection hints.
  • server/opensandbox_server/services/podman.py: Implements Podman runtime via Docker SDK client base_url, socket detection, retry adapter patch, and label-update no-op.
  • server/opensandbox_server/services/factory.py: Registers podman runtime type -> PodmanSandboxService.
  • server/opensandbox_server/services/__init__.py: Exports PodmanSandboxService.
  • server/opensandbox_server/services/runtime_resolver.py: Routes podman through the docker-like secure runtime validation path.
  • server/opensandbox_server/main.py: Treats podman like docker for startup secure runtime validation client creation/logging.
  • server/tests/test_podman_service.py: Adds unit tests for Podman init, socket detection, retry adapter patching, config validation, and factory behavior.


Development

Successfully merging this pull request may close these issues.

runtime type supports podman

3 participants