docker-compose.yml

Overview

The docker-compose.yml file defines and configures the Docker services, networks, and volumes necessary to orchestrate the sandbox executor manager environment. This file primarily facilitates the launching and management of the sandbox-executor-manager service, ensuring it runs with the correct environment variables, networking, resource limits, and health checks. It enables reproducible and streamlined deployment of the sandbox executor manager container, which is likely a core component for managing code execution sandboxes or isolated environments in the system.

Services

sandbox-executor-manager

Description

This service runs the sandbox executor manager container, which presumably manages the lifecycle and execution of sandboxed processes. The container is built from the local ./executor_manager directory using the specified Dockerfile, runs with elevated privileges, and communicates through port 9385. It also exposes a health check endpoint to monitor its status.

Configuration Details

• container_name: sandbox-executor-manager
  Specifies the container's name for easier reference.

• build:

  • context: ./executor_manager
    Directory containing the Dockerfile and build context.

  • dockerfile: Dockerfile
    Specifies the Dockerfile to use for building the image.

• image: sandbox-executor-manager:latest
  The image tag to use for the container.

• runtime: runc
  Specifies the runtime used for container execution.

• privileged: true
  Grants extended privileges to the container, necessary for operations requiring elevated permissions (e.g., interacting with Docker daemon).

• ports:

  • "${EXECUTOR_PORT:-9385}:9385"
    Maps the container port 9385 to the host port defined by the environment variable EXECUTOR_PORT or defaults to 9385.

• volumes:

  • /var/run/docker.sock:/var/run/docker.sock
    Mounts the Docker socket inside the container, enabling the container to communicate with the Docker daemon on the host.

• networks:

  • sandbox-network
    Connects the container to the custom bridge network named sandbox-network.

• restart: always
  Ensures the container automatically restarts if it crashes or the Docker daemon restarts.

• security_opt:

  • no-new-privileges:true
    Prevents the container processes from gaining new privileges, enhancing security.

• environment:
  Environment variables passed to configure runtime behavior:

  • SANDBOX_EXECUTOR_MANAGER_POOL_SIZE (default: 5)
    Controls the pool size for executor management.

  • SANDBOX_BASE_PYTHON_IMAGE (default: sandbox-base-python:latest)
    Base Python image for sandbox execution.

  • SANDBOX_BASE_NODEJS_IMAGE (default: sandbox-base-nodejs:latest)
    Base Node.js image for sandbox execution.

  • SANDBOX_ENABLE_SECCOMP (default: false)
    Enables or disables seccomp security profiles.

  • SANDBOX_MAX_MEMORY (default: 256m)
    Maximum memory allocation for sandboxed processes.

  • SANDBOX_TIMEOUT (default: 10s)
    Timeout duration for sandboxed execution.

• healthcheck:
  Defines a health check to monitor container health by sending an HTTP request to /healthz endpoint on port 9385:

  • test: Runs curl --fail http://localhost:9385/healthz || exit 1

  • interval: 10 seconds

  • timeout: 5 seconds

  • retries: 5 times before marking unhealthy

Networks

sandbox-network

• driver: bridge
  Defines a user-defined bridge network which isolates the sandbox-executor-manager container's network traffic within this scope and allows for controlled communication between containers that join this network.

Usage Example

To start the sandbox executor manager service using this compose file, run:

docker-compose up -d

This will build the image (if not already built), create the container, and start it in detached mode.

To view logs:

docker-compose logs sandbox-executor-manager

To stop the service:

docker-compose down

Important Implementation Details

• Privileged Container with Docker Socket Access:
  Mounting /var/run/docker.sock and running the container in privileged mode enables the container to control Docker on the host. This is essential for managing sandboxed containers dynamically but poses a security risk if not properly isolated.

• Security Enhancements:
  The no-new-privileges:true security option prevents privilege escalation inside the container, mitigating risks from the elevated privileges required to access the Docker socket.

• Dynamic Configuration via Environment Variables:
  Environment variables allow flexible tuning of executor pool size, base images, resource limits, and security features without modifying the compose file.

• Health Check Endpoint:
  The container exposes a health check on port 9385 to allow orchestrators or monitoring systems to verify that the service is healthy and responsive.

Interaction with Other System Components

• Executor Manager Build Context (./executor_manager):
  The build context indicates that the source code and Dockerfile for the sandbox executor manager reside in the executor_manager directory. Changes to the executor manager code require rebuilding the image.

• Sandbox Base Images:
  The environment variables refer to base images (sandbox-base-python, sandbox-base-nodejs) which are likely defined and maintained elsewhere in the system. These images form the foundation for sandboxed execution environments.

• Network Isolation:
  The custom sandbox-network isolates the executor manager container's network traffic from other Docker containers unless explicitly connected to the same network. This isolates sandbox execution traffic.

• Docker Daemon:
  Direct access to the Docker daemon enables the executor manager to spawn, monitor, and control sandboxed containers, making this file a central point for container orchestration in the sandbox environment.

Visual Diagram

flowchart TD
    A[sandbox-executor-manager Service] -->|Builds from| B[./executor_manager/Dockerfile]
    A -->|Exposes port| C[Host Port 9385]
    A -->|Mounts| D[/var/run/docker.sock]
    A -->|Attached to| E[sandbox-network (bridge)]
    A -->|Uses Env Vars| F[Configuration Parameters]
    A -->|Health Check| G[/healthz Endpoint]
    D -->|Allows| H[Control over Docker Daemon]
    H -->|Manages| I[Sandboxed Containers]
    F -->|Defines| J[Pool Size, Base Images, Memory, Timeout, Seccomp]

Summary

The docker-compose.yml file is a configuration manifest that defines the setup for the sandbox executor manager container within a Docker environment. It ensures the container runs with necessary permissions, resource constraints, and network isolation to manage sandboxed execution effectively. The file leverages environment variables for flexible configuration and includes health monitoring to maintain service reliability. Its integration with the Docker socket and custom base images ties it closely to the broader sandbox execution infrastructure within the system.