7141ccff62
* fix: resolve pre-commit check failures - Change RuntimeError to TypeError for type validation in report/writer.py - Update pyupgrade to v3.21.2 for Python 3.14 compatibility * chore: add pytest test infrastructure Mirror the layout introduced on feature/438-token_budget: pytest + pytest-asyncio dev deps, asyncio_mode auto, a tests.* mypy override, and pytest in the mypy pre-commit hook deps so the tests/ package type-checks. * feat: add --mount and large-target pre-flight for local repos (#492) Large local targets were copied into the sandbox file-by-file via the SDK LocalDir entry, which stalls on big repos and could leave /workspace empty. - --mount <path> bind-mounts a host directory read-only at /workspace/<subdir> instead of copying it, bypassing the per-file stream. - A size pre-flight (STRIX_MAX_LOCAL_COPY_MB, default 1024) fails fast with a clear message suggesting --mount when a non-mounted local target is too big. * fix: reject empty --mount paths An empty or whitespace-only --mount value resolves to the current working directory and would silently bind-mount it into the sandbox. Reject it. * fix: dedupe local targets so a dir is never both copied and mounted If the same directory is passed via --target and --mount (or as duplicate values), it previously produced two targets — copied AND bind-mounted, and the copied one could trip the size pre-flight. Dedupe by resolved path, preferring the bind mount. * fix: treat non-positive STRIX_MAX_LOCAL_COPY_MB as disabled Previously a value of 0 (or negative) made every local target count as oversized, aborting all local scans. Now <= 0 disables the pre-flight. * fix: log unreadable subtrees during size pre-flight os.walk silently swallowed directory-listing errors, so a permission-denied subtree could make a large repo under-count and slip past the pre-flight. Surface such omissions via an onerror warning. * docs: document --mount and STRIX_MAX_LOCAL_COPY_MB Add CLI reference + example for --mount, document the size pre-flight env var, note the read-only-is-not-a-hard-boundary caveat and that remote repos are not size-checked, and clarify the backends docstring on when bind mounts apply. * Update strix/interface/main.py * Update strix/runtime/docker_client.py ---------
154 lines
6.2 KiB
Python
154 lines
6.2 KiB
Python
"""StrixDockerSandboxClient — preserves the image's ENTRYPOINT and adds
|
|
NET_ADMIN/NET_RAW capabilities + host-gateway.
|
|
|
|
The SDK's ``DockerSandboxClient._create_container`` does not expose a hook for
|
|
extending ``create_kwargs`` before ``containers.create`` is called. We subclass
|
|
and reimplement the method body verbatim from the SDK source, with three
|
|
deltas:
|
|
|
|
1. Drop the SDK's ``entrypoint=["tail"]`` override; supply ``["tail", "-f",
|
|
"/dev/null"]`` as ``command`` instead. This lets our image's
|
|
``docker-entrypoint.sh`` actually run — without it, ``caido-cli`` never
|
|
starts inside the container and ``bootstrap_caido`` retries against a
|
|
dead port.
|
|
2. Append NET_ADMIN/NET_RAW to ``cap_add`` (required by ``nmap -sS`` and
|
|
other raw-socket tools).
|
|
3. Add ``host.docker.internal`` → host-gateway to ``extra_hosts`` so the
|
|
agent can reach host-served apps.
|
|
|
|
Pinned to ``openai-agents==0.14.6``. Bumping the SDK requires
|
|
re-merging the parent body. Track upstream for an injection hook.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import contextlib
|
|
import logging
|
|
import uuid
|
|
from typing import Any
|
|
|
|
from agents.sandbox.manifest import Manifest
|
|
from agents.sandbox.sandboxes.docker import (
|
|
DockerSandboxClient,
|
|
_build_docker_volume_mounts,
|
|
_docker_port_key,
|
|
_manifest_requires_fuse,
|
|
_manifest_requires_sys_admin,
|
|
)
|
|
from agents.sandbox.session.sandbox_session import SandboxSession
|
|
from docker import errors as docker_errors # type: ignore[import-untyped, unused-ignore]
|
|
from docker.models.containers import Container # type: ignore[import-untyped, unused-ignore]
|
|
from docker.types import Mount as DockerSDKMount # type: ignore[import-untyped, unused-ignore]
|
|
from docker.utils import parse_repository_tag # type: ignore[import-untyped, unused-ignore]
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class StrixDockerSandboxClient(DockerSandboxClient):
|
|
# Host directories to bind-mount into the container, set by the docker
|
|
# backend before ``create()``. Each item is ``{source, target, read_only}``.
|
|
strix_bind_mounts: list[dict[str, Any]] = [] # overridden per-instance in backends.py
|
|
|
|
async def _create_container(
|
|
self,
|
|
image: str,
|
|
*,
|
|
manifest: Manifest | None = None,
|
|
exposed_ports: tuple[int, ...] = (),
|
|
session_id: uuid.UUID | None = None,
|
|
) -> Container:
|
|
# ----- BEGIN VERBATIM COPY of DockerSandboxClient._create_container -----
|
|
# SDK ref: src/agents/sandbox/sandboxes/docker.py:1434-1477 (v0.14.6).
|
|
if not self.image_exists(image):
|
|
repo, tag = parse_repository_tag(image)
|
|
self.docker_client.images.pull(repo, tag=tag or None, all_tags=False)
|
|
|
|
assert self.image_exists(image)
|
|
environment: dict[str, str] | None = None
|
|
if manifest:
|
|
environment = await manifest.environment.resolve()
|
|
# Strix delta from the SDK body: drop ``entrypoint`` override and
|
|
# supply ``tail -f /dev/null`` as ``command`` so the image's
|
|
# ENTRYPOINT (``docker-entrypoint.sh``) runs setup, then ``exec
|
|
# "$@"`` becomes ``exec tail -f /dev/null`` for the keep-alive.
|
|
# Without this, caido-cli + the in-container CA trust never get
|
|
# initialized.
|
|
create_kwargs: dict[str, Any] = {
|
|
"image": image,
|
|
"detach": True,
|
|
"command": ["tail", "-f", "/dev/null"],
|
|
"environment": environment,
|
|
}
|
|
if manifest is not None:
|
|
docker_mounts = _build_docker_volume_mounts(
|
|
manifest,
|
|
session_id=session_id,
|
|
)
|
|
if docker_mounts:
|
|
create_kwargs["mounts"] = docker_mounts
|
|
if _manifest_requires_fuse(manifest):
|
|
create_kwargs.update(
|
|
devices=["/dev/fuse"],
|
|
cap_add=["SYS_ADMIN"],
|
|
security_opt=["apparmor:unconfined"],
|
|
)
|
|
elif _manifest_requires_sys_admin(manifest):
|
|
create_kwargs.update(
|
|
cap_add=["SYS_ADMIN"],
|
|
security_opt=["apparmor:unconfined"],
|
|
)
|
|
if exposed_ports:
|
|
create_kwargs["ports"] = {
|
|
_docker_port_key(port): ("127.0.0.1", None) for port in exposed_ports
|
|
}
|
|
# ----- END VERBATIM COPY -----
|
|
|
|
# Strix injections — append, don't overwrite, so FUSE/SYS_ADMIN survives.
|
|
cap_add = create_kwargs.setdefault("cap_add", [])
|
|
if not isinstance(cap_add, list):
|
|
cap_add = list(cap_add)
|
|
create_kwargs["cap_add"] = cap_add
|
|
for cap in ("NET_ADMIN", "NET_RAW"):
|
|
if cap not in cap_add:
|
|
cap_add.append(cap)
|
|
|
|
extra_hosts = create_kwargs.setdefault("extra_hosts", {})
|
|
extra_hosts["host.docker.internal"] = "host-gateway"
|
|
|
|
# Strix injection: host bind mounts (e.g. large repos passed via --mount)
|
|
# that bypass the SDK's file-by-file LocalDir copy.
|
|
bind_mounts = getattr(self, "strix_bind_mounts", ())
|
|
if bind_mounts:
|
|
mounts = create_kwargs.setdefault("mounts", [])
|
|
for spec in bind_mounts:
|
|
mounts.append(
|
|
DockerSDKMount(
|
|
target=spec["target"],
|
|
source=spec["source"],
|
|
type="bind",
|
|
read_only=spec.get("read_only", True),
|
|
)
|
|
)
|
|
|
|
logger.debug(
|
|
"Creating sandbox container: image=%s caps=%s exposed_ports=%s",
|
|
image,
|
|
cap_add,
|
|
list(exposed_ports),
|
|
)
|
|
container = self.docker_client.containers.create(**create_kwargs)
|
|
logger.info(
|
|
"Sandbox container created: id=%s image=%s",
|
|
container.short_id if hasattr(container, "short_id") else "?",
|
|
image,
|
|
)
|
|
return container
|
|
|
|
async def delete(self, session: SandboxSession) -> SandboxSession:
|
|
container_id = getattr(getattr(session._inner, "state", None), "container_id", None)
|
|
if container_id:
|
|
with contextlib.suppress(docker_errors.NotFound, docker_errors.APIError):
|
|
self.docker_client.containers.get(container_id).kill()
|
|
return await super().delete(session)
|