container

package

v0.0.0-...-e5fa205 Latest Latest Go to latest Published: Mar 26, 2026 License: MIT Imports: 22 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/servusdei2018/sandbox

Links

Open Source Insights

Documentation ¶

Overview ¶

Package container provides Docker lifecycle management for sandbox containers.

Index ¶

func FilterEnv(hostEnv map[string]string, whitelist, blocklist []string, logger *zap.Logger) []string
func SelectImage(agentName string, imageMap map[string]string) string
type Config
type Manager
- func NewManager(logger *zap.Logger) (*Manager, error)
type SecurityOptions
- func BuildSecurityOptions(cfg config.SecurityConfig) (SecurityOptions, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func FilterEnv ¶

func FilterEnv(hostEnv map[string]string, whitelist, blocklist []string, logger *zap.Logger) []string

FilterEnv constructs the environment variable slice to be injected into the sandbox container. It applies the following logic in order:

Include any host env var whose name matches a whitelist entry (exact or wildcard glob like "LC_*").
Remove any entry whose name matches a blocklist entry (blocklist wins).

The returned slice has the "KEY=VALUE" format expected by the Docker API.

func SelectImage ¶

func SelectImage(agentName string, imageMap map[string]string) string

SelectImage chooses the best Docker image for the given agent name, using the imageMap (from config) as the first priority and falling back to DetectFromArgs. imageName is the 'images.<key>' config key, e.g. "python" or "claude".

Types ¶

type Config ¶

type Config struct {
	// Image is the Docker image to use, e.g. "alpine:latest".
	Image string

	// Cmd is the command (and args) to execute inside the container.
	Cmd []string

	// Entrypoint is the optional entrypoint override for the container.
	Entrypoint []string

	// WorkspaceDir is the host path that will be bind-mounted to /work.
	WorkspaceDir string

	// MountTarget is the path inside the container for the workspace mount.
	// Defaults to "/work" if empty.
	MountTarget string

	// Env is the filtered list of "KEY=VALUE" environment variables.
	Env []string

	// Timeout is the maximum duration the container may run.
	Timeout time.Duration

	// RemoveOnExit removes the container after it stops.
	RemoveOnExit bool

	// NetworkMode controls the Docker network mode (e.g. "bridge").
	NetworkMode string

	// Tty enables a TTY for the container.
	Tty bool

	// AttachStdin allows piping host stdin to the container.
	AttachStdin bool

	// Security holds confinement and resource-limit settings.
	Security config.SecurityConfig
}

Config holds parameters for creating and running a sandbox container.

type Manager ¶

type Manager struct {
	// contains filtered or unexported fields
}

Manager wraps the Docker client and provides high-level container lifecycle operations needed by the sandbox CLI.

func NewManager ¶

func NewManager(logger *zap.Logger) (*Manager, error)

NewManager creates a Manager using the Docker daemon reachable from the environment (DOCKER_HOST, socket, etc.).

An error is returned if the client cannot be initialised — this typically means Docker is not running.

func (*Manager) Close ¶

func (m *Manager) Close() error

Close releases client resources.

func (*Manager) Create ¶

func (m *Manager) Create(ctx context.Context, cfg *Config) (string, error)

Create creates a new container using the provided config and returns the container ID on success.

func (*Manager) Inspect ¶

func (m *Manager) Inspect(ctx context.Context, containerID string) (container.InspectResponse, error)

Inspect returns the container's low-level state from the Docker daemon.

func (*Manager) Prune ¶

func (m *Manager) Prune(ctx context.Context) error

Prune removes all stopped sandbox containers (those with label sandbox=true).

func (*Manager) PullIfMissing ¶

func (m *Manager) PullIfMissing(ctx context.Context, imageName string) error

PullIfMissing pulls the image if it is not already present in the local daemon cache. Progress is streamed to a Zap debug logger.

func (*Manager) Remove ¶

func (m *Manager) Remove(ctx context.Context, containerID string) error

Remove removes the container (forcefully if necessary).

func (*Manager) Run ¶

func (m *Manager) Run(ctx context.Context, containerID string, tty bool) (int, error)

Run starts the container identified by containerID, streams its stdout and stderr to the current process, and returns the container's exit code.

func (*Manager) Stop ¶

func (m *Manager) Stop(ctx context.Context, containerID string) error

Stop stops the container with a 10-second grace period.

type SecurityOptions ¶

type SecurityOptions struct {
	// HostConfig fields
	CapDrop        strslice.StrSlice
	SecurityOpt    []string
	ReadonlyRootfs bool
	Tmpfs          map[string]string
	Resources      container.Resources

	// ContainerConfig fields
	User string
}

SecurityOptions is the partial HostConfig and ContainerConfig overlay that ApplySecurityConfig returns. Callers merge these into the full configs.

func BuildSecurityOptions ¶

func BuildSecurityOptions(cfg config.SecurityConfig) (SecurityOptions, error)

BuildSecurityOptions derives a SecurityOptions from the application's SecurityConfig. It loads (or generates) the seccomp profile, parses resource limits, and assembles the capability drop list.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL