175 lines
5.6 KiB
Python
175 lines
5.6 KiB
Python
"""Docker container management for secure sandbox execution."""
|
|
|
|
import docker
|
|
import logging
|
|
from typing import Dict, List, Optional, Any
|
|
from docker.models.containers import Container
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class ContainerManager:
|
|
"""Manages Docker containers with security hardening for sandbox execution."""
|
|
|
|
def __init__(self):
|
|
"""Initialize Docker client."""
|
|
try:
|
|
self.client = docker.from_env()
|
|
self.client.ping()
|
|
except Exception as e:
|
|
logger.error(f"Failed to connect to Docker: {e}")
|
|
raise
|
|
|
|
def create_container(
|
|
self,
|
|
image: str = "python:3.11-slim",
|
|
runtime_configs: Optional[Dict[str, Any]] = None,
|
|
) -> Container:
|
|
"""
|
|
Create a secure Docker container with security hardening.
|
|
|
|
Args:
|
|
image: Docker image to use
|
|
runtime_configs: Additional runtime configuration
|
|
|
|
Returns:
|
|
Created container object
|
|
"""
|
|
configs = runtime_configs or {}
|
|
|
|
# Security hardening defaults
|
|
security_opts = configs.get("security_opt", ["no-new-privileges"])
|
|
cap_drop = configs.get("cap_drop", ["ALL"])
|
|
read_only = configs.get("read_only", True)
|
|
user = configs.get("user", "1000:1000") # Non-root user
|
|
network_mode = configs.get("network_mode", "none")
|
|
|
|
# Resource limits
|
|
mem_limit = configs.get("mem_limit", "1g")
|
|
cpu_count = configs.get("cpu_count", 2)
|
|
pids_limit = configs.get("pids_limit", 100)
|
|
|
|
container = self.client.containers.create(
|
|
image=image,
|
|
security_opt=security_opts,
|
|
cap_drop=cap_drop,
|
|
read_only=read_only,
|
|
user=user,
|
|
network_mode=network_mode,
|
|
mem_limit=mem_limit,
|
|
cpu_count=cpu_count,
|
|
pids_limit=pids_limit,
|
|
detach=True,
|
|
remove=False,
|
|
)
|
|
|
|
logger.info(f"Created secure container {container.id[:12]}")
|
|
return container
|
|
|
|
def run_command(
|
|
self, container: Container, command: List[str], timeout: Optional[int] = 120
|
|
) -> Dict[str, Any]:
|
|
"""
|
|
Execute command in container with timeout.
|
|
|
|
Args:
|
|
container: Container to run command in
|
|
command: Command to execute
|
|
timeout: Timeout in seconds
|
|
|
|
Returns:
|
|
Execution result with output and metadata
|
|
"""
|
|
try:
|
|
# Start container if not running
|
|
if container.status != "running":
|
|
container.start()
|
|
|
|
# Execute command
|
|
result = container.exec_run(cmd=command, timeout=timeout, demux=True)
|
|
|
|
return {
|
|
"exit_code": result.exit_code,
|
|
"stdout": result.output[0].decode("utf-8") if result.output[0] else "",
|
|
"stderr": result.output[1].decode("utf-8") if result.output[1] else "",
|
|
"exec_id": result.id,
|
|
}
|
|
|
|
except Exception as e:
|
|
logger.error(f"Command execution failed: {e}")
|
|
return {"exit_code": -1, "stdout": "", "stderr": str(e), "exec_id": None}
|
|
|
|
def get_container_stats(self, container: Container) -> Dict[str, Any]:
|
|
"""
|
|
Get real-time resource statistics for container.
|
|
|
|
Args:
|
|
container: Container to get stats for
|
|
|
|
Returns:
|
|
Resource usage statistics
|
|
"""
|
|
try:
|
|
stats = container.stats(stream=False)
|
|
|
|
# CPU usage calculation
|
|
cpu_delta = (
|
|
stats["cpu_stats"]["cpu_usage"]["total_usage"]
|
|
- stats["precpu_stats"]["cpu_usage"]["total_usage"]
|
|
)
|
|
system_cpu_delta = (
|
|
stats["cpu_stats"]["system_cpu_usage"]
|
|
- stats["precpu_stats"]["system_cpu_usage"]
|
|
)
|
|
cpu_count = len(stats["cpu_stats"]["cpu_usage"]["percpu_usage"])
|
|
cpu_percent = (cpu_delta / system_cpu_delta) * cpu_count * 100.0
|
|
|
|
# Memory usage
|
|
memory_usage = stats["memory_stats"]["usage"]
|
|
memory_limit = stats["memory_stats"]["limit"]
|
|
memory_percent = (memory_usage / memory_limit) * 100.0
|
|
|
|
return {
|
|
"cpu_percent": round(cpu_percent, 2),
|
|
"memory_usage_mb": round(memory_usage / (1024 * 1024), 2),
|
|
"memory_limit_mb": round(memory_limit / (1024 * 1024), 2),
|
|
"memory_percent": round(memory_percent, 2),
|
|
"pids_current": stats.get("pids_stats", {}).get("current", 0),
|
|
}
|
|
|
|
except Exception as e:
|
|
logger.error(f"Failed to get container stats: {e}")
|
|
return {}
|
|
|
|
def cleanup_container(self, container: Container) -> bool:
|
|
"""
|
|
Clean up container by stopping and removing it.
|
|
|
|
Args:
|
|
container: Container to cleanup
|
|
|
|
Returns:
|
|
True if cleanup successful
|
|
"""
|
|
try:
|
|
if container.status == "running":
|
|
container.stop(timeout=5)
|
|
container.remove(force=True)
|
|
logger.info(f"Cleaned up container {container.id[:12]}")
|
|
return True
|
|
except Exception as e:
|
|
logger.error(f"Failed to cleanup container {container.id[:12]}: {e}")
|
|
return False
|
|
|
|
def list_containers(self, all_containers: bool = False) -> List[Container]:
|
|
"""
|
|
List containers managed by this manager.
|
|
|
|
Args:
|
|
all_containers: Include stopped containers
|
|
|
|
Returns:
|
|
List of containers
|
|
"""
|
|
return self.client.containers.list(all=all_containers)
|