run

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 8, 2026 License: MIT Imports: 42 Imported by: 0

Documentation

Index

Constants

View Source 
const DockerSocketPath = "/var/run/docker.sock"

DockerSocketPath is the standard path for the Docker socket on Linux.

Variables

This section is empty.

Functions

func GetDockerDependency 

func GetDockerDependency(depList []deps.Dependency) *deps.Dependency

GetDockerDependency returns the docker dependency from the list, or nil if not present. This allows callers to access the DockerMode field.

func GetDockerSocketGID 

func GetDockerSocketGID() (uint32, error)

GetDockerSocketGID returns the GID of the Docker socket. This is needed to add the container user to the docker group so they can access the socket.

Returns an error if the socket doesn't exist or cannot be stat'd.

func HasDockerDependency 

func HasDockerDependency(depList []deps.Dependency) bool

HasDockerDependency checks if the dependency list includes the docker dependency. Returns true if docker dependency is present, false otherwise.

func ValidateDockerDependency 

func ValidateDockerDependency(runtimeType container.RuntimeType, mode deps.DockerMode) error

ValidateDockerDependency checks if the docker dependency can be used with the given runtime and mode.

Both docker modes require Docker runtime: - Host mode needs socket access (Apple containers cannot mount host socket) - Dind mode needs privileged mode (Apple containers don't support this)

Types

type BuildKitConfig 

type BuildKitConfig struct {
	Enabled      bool
	NetworkName  string
	NetworkID    string
	SidecarName  string
	SidecarImage string
}

BuildKitConfig holds configuration for BuildKit sidecar.

type DockerDependencyConfig 

type DockerDependencyConfig struct {
	// Mode is the docker access mode: "host" (socket mount) or "dind" (privileged).
	Mode deps.DockerMode

	// SocketMount is the mount configuration for the Docker socket.
	// Only set for host mode.
	SocketMount container.MountConfig

	// GroupID is the GID of the docker socket, as a string for GroupAdd.
	// Only set for host mode. Example: "999"
	GroupID string

	// Privileged indicates the container needs privileged mode.
	// Only set for dind mode.
	Privileged bool
}

DockerDependencyConfig holds the configuration needed to enable docker inside a container.

func ResolveDockerDependency 

func ResolveDockerDependency(depList []deps.Dependency, runtimeType container.RuntimeType) (*DockerDependencyConfig, error)

ResolveDockerDependency validates the docker dependency against the runtime and returns the configuration needed to enable docker in the container.

For host mode: 1. Validates that the runtime supports socket access (not Apple containers) 2. Gets the GID of the docker socket for group permissions 3. Returns the mount config and group ID

For dind mode: 1. Returns config indicating privileged mode is needed 2. No socket mount or GID needed (runs its own daemon)

Returns nil if docker dependency is not present in depList. Returns an error if validation fails or the socket cannot be accessed.

type ErrDockerDindRequiresDockerRuntime 

type ErrDockerDindRequiresDockerRuntime struct{}

ErrDockerDindRequiresDockerRuntime is returned when docker:dind mode is used with Apple containers runtime, which does not support privileged mode.

func (ErrDockerDindRequiresDockerRuntime) Error 

func (e ErrDockerDindRequiresDockerRuntime) Error() string

type ErrDockerHostRequiresDockerRuntime 

type ErrDockerHostRequiresDockerRuntime struct{}

ErrDockerHostRequiresDockerRuntime is returned when docker:host mode is used with Apple containers runtime, which cannot access the host Docker socket.

func (ErrDockerHostRequiresDockerRuntime) Error 

func (e ErrDockerHostRequiresDockerRuntime) Error() string

type ErrDockerRequiresDockerRuntime 

type ErrDockerRequiresDockerRuntime = ErrDockerHostRequiresDockerRuntime

ErrDockerRequiresDockerRuntime is an alias for backward compatibility. Deprecated: Use ErrDockerHostRequiresDockerRuntime instead.

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager handles run lifecycle operations.

func NewManager 

func NewManager() (*Manager, error)

NewManager creates a new run manager with default options.

func NewManagerWithOptions 

func NewManagerWithOptions(opts ManagerOptions) (*Manager, error)

NewManagerWithOptions creates a new run manager with the given options.

func (*Manager) Attach 

func (m *Manager) Attach(ctx context.Context, runID string, stdin io.Reader, stdout, stderr io.Writer) error

Attach connects stdin/stdout/stderr to a running container.

func (*Manager) Close 

func (m *Manager) Close() error

Close releases manager resources.

func (*Manager) Create 

func (m *Manager) Create(ctx context.Context, opts Options) (*Run, error)

Create initializes a new run without starting it.

func (*Manager) Destroy 

func (m *Manager) Destroy(ctx context.Context, runID string) error

Destroy removes a run and its resources.

func (*Manager) FollowLogs 

func (m *Manager) FollowLogs(ctx context.Context, runID string, w io.Writer) error

FollowLogs streams container logs to the provided writer. This is more reliable than Attach for output-only mode on already-running containers.

func (*Manager) Get 

func (m *Manager) Get(runID string) (*Run, error)

Get retrieves a run by ID.

func (*Manager) List 

func (m *Manager) List() []*Run

List returns all runs.

func (*Manager) RecentLogs 

func (m *Manager) RecentLogs(runID string, lines int) (string, error)

RecentLogs returns the last n lines of container logs. Used to show context when re-attaching to a running container.

func (*Manager) ResizeTTY 

func (m *Manager) ResizeTTY(ctx context.Context, runID string, height, width uint) error

ResizeTTY resizes the container's TTY to the given dimensions.

func (*Manager) RuntimeType 

func (m *Manager) RuntimeType() string

RuntimeType returns the container runtime type (docker or apple).

func (*Manager) Start 

func (m *Manager) Start(ctx context.Context, runID string, opts StartOptions) error

Start begins execution of a run.

func (*Manager) StartAttached 

func (m *Manager) StartAttached(ctx context.Context, runID string, stdin io.Reader, stdout, stderr io.Writer) error

StartAttached starts a run with stdin/stdout/stderr attached from the beginning. This is required for TUI applications (like Codex CLI) that need the terminal connected before the process starts to properly detect terminal capabilities. Unlike Start + Attach, this ensures the TTY is ready when the container command begins.

func (*Manager) Stop 

func (m *Manager) Stop(ctx context.Context, runID string) error

Stop terminates a running run.

func (*Manager) Wait 

func (m *Manager) Wait(ctx context.Context, runID string) error

Wait blocks until the run completes.

type ManagerOptions 

type ManagerOptions struct {
	// NoSandbox disables gVisor sandbox for Docker containers.
	// If nil, uses platform-aware defaults (gVisor on Linux, standard on macOS/Windows).
	NoSandbox *bool
}

ManagerOptions configures the run manager.

type Options 

type Options struct {
	Name          string // Optional explicit name (--name flag or from config)
	Workspace     string
	Grants        []string
	Cmd           []string       // Command to run (default: /bin/bash)
	Config        *config.Config // Optional agent.yaml config
	Env           []string       // Additional environment variables (KEY=VALUE)
	Rebuild       bool           // Force rebuild of container image (ignores cache)
	KeepContainer bool           // If true, don't auto-remove container after run
	Interactive   bool           // Keep stdin open for interactive input
	TTY           bool           // Allocate a pseudo-TTY
}

Options configures a new run.

type Run 

type Run struct {
	ID             string
	Name           string // Human-friendly name (e.g., "myapp" or "fluffy-chicken")
	Workspace      string
	Grants         []string
	Agent          string         // Agent type from config (e.g., "claude-code", "codex")
	Image          string         // Container image used for this run
	Ports          map[string]int // endpoint name -> container port
	HostPorts      map[string]int // endpoint name -> host port (after binding)
	State          State
	ContainerID    string
	ProxyServer    *proxy.Server     // Auth proxy for credential injection
	SSHAgentServer *sshagent.Server  // SSH agent proxy for SSH key access
	Store          *storage.RunStore // Run data storage

	AuditStore    *audit.Store     // Tamper-proof audit log
	SnapEngine    *snapshot.Engine // Snapshot engine for workspace protection
	KeepContainer bool             // If true, don't auto-remove container after run
	Interactive   bool             // If true, run was started in interactive mode
	CreatedAt     time.Time
	StartedAt     time.Time
	StoppedAt     time.Time
	Error         string

	// Firewall settings (set when network.policy is strict)
	FirewallEnabled bool
	ProxyHost       string // Host address for proxy (for firewall rules)
	ProxyPort       int    // Port number for proxy (for firewall rules)
	ProxyAuthToken  string // Auth token for proxy (Apple containers only, empty for Docker)

	// ProviderCleanupPaths tracks paths to clean up for each provider when the run ends.
	// Keys are provider names, values are cleanup paths returned by ProviderSetup.ContainerMounts.
	ProviderCleanupPaths map[string]string

	// Snapshot settings
	DisablePreRunSnapshot bool // If true, skip pre-run snapshot creation

	// AWS credential provider (set when using aws grant)
	AWSCredentialProvider *proxy.AWSCredentialProvider

	// ClaudeConfigTempDir is the temporary directory containing Claude configuration files
	// (settings.json, .mcp.json) that are mounted into the container. This should be
	// cleaned up when the run is stopped or destroyed.
	ClaudeConfigTempDir string

	// CodexConfigTempDir is the temporary directory containing Codex configuration files
	// (config.toml, auth.json) that are mounted into the container. This should be
	// cleaned up when the run is stopped or destroyed.
	CodexConfigTempDir string

	// GeminiConfigTempDir is the temporary directory containing Gemini configuration files
	// (settings.json, oauth_creds.json) that are mounted into the container. This should be
	// cleaned up when the run is stopped or destroyed.
	GeminiConfigTempDir string

	// BuildKit sidecar fields (docker:dind only)
	BuildkitContainerID string
	NetworkID           string

	// ServiceContainers maps service name to container ID (e.g., "postgres" -> "abc123").
	ServiceContainers map[string]string
	// contains filtered or unexported fields
}

Run represents an agent execution environment.

func (*Run) GetState 

func (r *Run) GetState() State

GetState safely reads the run state (thread-safe).

func (*Run) SaveMetadata 

func (r *Run) SaveMetadata() error

SaveMetadata persists the run's current state to disk. This should be called after any state change.

func (*Run) SetState 

func (r *Run) SetState(state State)

SetState safely updates the run state (thread-safe).

func (*Run) SetStateWithError 

func (r *Run) SetStateWithError(state State, err string)

SetStateWithError safely updates the run state and error (thread-safe).

func (*Run) SetStateWithTime 

func (r *Run) SetStateWithTime(state State, timestamp time.Time)

SetStateWithTime safely updates the run state and timestamp (thread-safe).

type StartOptions 

type StartOptions struct {
	// StreamLogs controls whether container logs are streamed to stdout.
	// Set to false for interactive mode where attach handles I/O.
	StreamLogs bool
}

StartOptions configures how a run is started.

type State 

type State string

State represents the current state of a run. 

const (
	StateCreated  State = "created"
	StateStarting State = "starting"
	StateRunning  State = "running"
	StateStopping State = "stopping"
	StateStopped  State = "stopped"
	StateFailed   State = "failed"
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.