pi-agent container
Arch Linux based container image for the pi coding agent.
The image ships the basics an agent needs (git, base-devel, ripgrep, fd, jq, curl, python, nodejs, ...). It runs as the unprivileged user agent (UID 1000), which has passwordless sudo to install further packages on demand (sudo pacman -S <pkg>).
Build
podman build -t pi-agent .
Run
Add this function to your ~/.bashrc. It mounts the current directory into the container at /<current-dir> (e.g. ~/git/myproject shows up as /myproject) and starts the agent there:
pi() {
    local name
    name="$(basename "$PWD")"
    podman run --rm -it \
        --userns=keep-id:uid=1000,gid=1000 \
        --volume "$PWD:/$name" \
        --volume pi-agent-home:/home/agent \
        --workdir "/$name" \
        --env ANTHROPIC_API_KEY \
        --env OPENAI_API_KEY \
        pi-agent "$@"
}
Then, from any project directory:
cd ~/git/myproject
pi
Notes:
- --userns=keep-id:uid=1000,gid=1000 maps your host user onto the container's agent user, so files created in the mounted directory keep your ownership. sudo still works under keep-id: container root maps to your first subuid (e.g. 100000) on the host, so it has no real host privileges. Files the agent creates via sudo in the mounted directory show up owned by that subuid — fine inside the container, but reclaim them on the host with podman unshare chown -R 0:0 <file> if needed.
- The named volume pi-agent-home persists /home/agent (pi sessions, auth, config) across runs. Drop it with podman volume rm pi-agent-home.
- API keys are passed through from your environment; export ANTHROPIC_API_KEY (or whichever provider you use) before running.
- Packages installed via sudo pacman -S inside the container are gone when the container exits — add frequently needed ones to the Containerfile instead.
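
The UID mapping described in the notes above, worked through as an added example that is not part of this repository. The helper names host_uid_for, subuid_start and stray_files are hypothetical, and the arithmetic assumes the usual rootless Podman layout in which a single subuid range is mapped contiguously.

```shell
# Added example: which host UID ends up owning a file written by a given
# container UID under --userns=keep-id:uid=1000,gid=1000.

# host_uid_for CONTAINER_UID HOST_UID SUBUID_START [AGENT_UID]
# SUBUID_START is the first number of your subuid range (assumed input).
host_uid_for() {
    local cuid="$1" huid="$2" start="$3" agent="${4:-1000}"
    if [ "$cuid" -eq "$agent" ]; then
        echo "$huid"                  # the agent user is your own host user
    elif [ "$cuid" -lt "$agent" ]; then
        echo $((start + cuid))        # container root (0) -> first subuid
    else
        echo $((start + cuid - 1))    # IDs above the agent shift down by one
    fi
}

# subuid_start USER [FILE]
# First subuid of USER, read from a subuid-format file (name:start:count).
subuid_start() {
    local user="$1" file="${2:-/etc/subuid}"
    awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file"
}

# stray_files [DIR]
# Files under DIR that are not owned by you, i.e. candidates left behind
# by sudo inside the container. Prints nothing when ownership is clean.
stray_files() {
    find "${1:-.}" -xdev ! -user "$(id -u)" -print
}
```

Anything stray_files prints can be reclaimed with the podman unshare chown command from the notes.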