caoqianming
|
55adfa17b4
|
deploy/sandbox: pip 镜像源可配 + timeout 60s 兜底 ReadTimeout
- Dockerfile 加 ARG PIP_INDEX_URL/PIP_TRUSTED_HOST,默 PyPI 官方;
build 时 --build-arg PIP_INDEX_URL=... 切换腾讯云/阿里云/清华源
- pip install --timeout 60s(默 15s 太短,境内抖动易撞)
- RUN.md 镜像构建段加 3 个常用源命令 + 故障兜底加 ReadTimeoutError 行
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
2026-05-26 21:10:50 +08:00 |
caoqianming
|
160e801ab0
|
Stage C Step 2: Docker per-user 容器池 + iptables blocklist 基底
- deploy/sandbox/Dockerfile: python:3.11-slim + tini + iptables + non-root uid via HOST_UID build-arg + 全套 requirements
- deploy/sandbox/init.sh: 6 段红线 IPv4 + ::1 + ZCBOT_PG_IPS 环境注入,任一规则失败 fail-fast
- core/sandbox/network.py: ensure_network() 创 --internal zcbot-sandbox-net
- core/sandbox/pool.py: SandboxPool 容器命名 zcbot-sandbox-<user_id>,per-user asyncio.Lock,
in-memory _last_active dict(Docker 23+ 移除 docker update --label-add),hardening flags
全套(read-only / tmpfs / cap-drop ALL + NET_ADMIN / no-new-privileges / pids/mem/cpu limit /
bind mount user_root → /workspace)
- core/sandbox/__init__.py: 公开 SandboxPool / container_name / setup_pool / NETWORK_NAME
Step 2 范围明确不含 AgentLoop 集成 / shell-run_python 切容器 / egress proxy / reaper task ——
pool 孤立 commit,Step 3 接入。本地 Windows 无 docker 走不动,Ubuntu 上 5 条 smoke 命令
(build / iptables 段 / non-root uid / read-only / 销毁)写进 RUN.md "Sandbox(Stage C,Ubuntu)" 段。
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
2026-05-26 10:44:34 +08:00 |