Phase 2: Implement Execution Environment Abstraction (v0.3.0)
This commit implements Phase 2 of the CHORUS Task Execution Engine development plan, providing a comprehensive execution environment abstraction layer with Docker container sandboxing support. ## New Features ### Core Sandbox Interface - Comprehensive ExecutionSandbox interface with isolated task execution - Support for command execution, file I/O, environment management - Resource usage monitoring and sandbox lifecycle management - Standardized error handling with SandboxError types and categories ### Docker Container Sandbox Implementation - Full Docker API integration with secure container creation - Transparent repository mounting with configurable read/write access - Advanced security policies with capability dropping and privilege controls - Comprehensive resource limits (CPU, memory, disk, processes, file handles) - Support for tmpfs mounts, masked paths, and read-only bind mounts - Container lifecycle management with proper cleanup and health monitoring ### Security & Resource Management - Configurable security policies with SELinux, AppArmor, and Seccomp support - Fine-grained capability management with secure defaults - Network isolation options with configurable DNS and proxy settings - Resource monitoring with real-time CPU, memory, and network usage tracking - Comprehensive ulimits configuration for process and file handle limits ### Repository Integration - Seamless repository mounting from local paths to container workspaces - Git configuration support with user credentials and global settings - File inclusion/exclusion patterns for selective repository access - Configurable permissions and ownership for mounted repositories ### Testing Infrastructure - Comprehensive test suite with 60+ test cases covering all functionality - Docker integration tests with Alpine Linux containers (skipped in short mode) - Mock sandbox implementation for unit testing without Docker dependencies - Security policy validation tests with read-only filesystem enforcement - Resource usage monitoring and cleanup verification tests ## Technical Details ### Dependencies Added - github.com/docker/docker v28.4.0+incompatible - Docker API client - github.com/docker/go-connections v0.6.0 - Docker connection utilities - github.com/docker/go-units v0.5.0 - Docker units and formatting - Associated Docker API dependencies for complete container management ### Architecture - Interface-driven design enabling multiple sandbox implementations - Comprehensive configuration structures for all sandbox aspects - Resource usage tracking with detailed metrics collection - Error handling with retryable error classification - Proper cleanup and resource management throughout sandbox lifecycle ### Compatibility - Maintains backward compatibility with existing CHORUS architecture - Designed for future integration with Phase 3 Core Task Execution Engine - Extensible design supporting additional sandbox implementations (VM, process) This Phase 2 implementation provides the foundation for secure, isolated task execution that will be integrated with the AI model providers from Phase 1 in the upcoming Phase 3 development. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
anthonyrawlins
94
vendor/go.opentelemetry.io/auto/sdk/limit.go
generated
vendored
Normal file
94
vendor/go.opentelemetry.io/auto/sdk/limit.go
generated
vendored
Normal file
@@ -0,0 +1,94 @@
|
||||
// Copyright The OpenTelemetry Authors
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package sdk
|
||||
|
||||
import (
|
||||
"log/slog"
|
||||
"os"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
// maxSpan are the span limits resolved during startup.
|
||||
var maxSpan = newSpanLimits()
|
||||
|
||||
type spanLimits struct {
|
||||
// Attrs is the number of allowed attributes for a span.
|
||||
//
|
||||
// This is resolved from the environment variable value for the
|
||||
// OTEL_SPAN_ATTRIBUTE_COUNT_LIMIT key if it exists. Otherwise, the
|
||||
// environment variable value for OTEL_ATTRIBUTE_COUNT_LIMIT, or 128 if
|
||||
// that is not set, is used.
|
||||
Attrs int
|
||||
// AttrValueLen is the maximum attribute value length allowed for a span.
|
||||
//
|
||||
// This is resolved from the environment variable value for the
|
||||
// OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT key if it exists. Otherwise, the
|
||||
// environment variable value for OTEL_ATTRIBUTE_VALUE_LENGTH_LIMIT, or -1
|
||||
// if that is not set, is used.
|
||||
AttrValueLen int
|
||||
// Events is the number of allowed events for a span.
|
||||
//
|
||||
// This is resolved from the environment variable value for the
|
||||
// OTEL_SPAN_EVENT_COUNT_LIMIT key, or 128 is used if that is not set.
|
||||
Events int
|
||||
// EventAttrs is the number of allowed attributes for a span event.
|
||||
//
|
||||
// The is resolved from the environment variable value for the
|
||||
// OTEL_EVENT_ATTRIBUTE_COUNT_LIMIT key, or 128 is used if that is not set.
|
||||
EventAttrs int
|
||||
// Links is the number of allowed Links for a span.
|
||||
//
|
||||
// This is resolved from the environment variable value for the
|
||||
// OTEL_SPAN_LINK_COUNT_LIMIT, or 128 is used if that is not set.
|
||||
Links int
|
||||
// LinkAttrs is the number of allowed attributes for a span link.
|
||||
//
|
||||
// This is resolved from the environment variable value for the
|
||||
// OTEL_LINK_ATTRIBUTE_COUNT_LIMIT, or 128 is used if that is not set.
|
||||
LinkAttrs int
|
||||
}
|
||||
|
||||
func newSpanLimits() spanLimits {
|
||||
return spanLimits{
|
||||
Attrs: firstEnv(
|
||||
128,
|
||||
"OTEL_SPAN_ATTRIBUTE_COUNT_LIMIT",
|
||||
"OTEL_ATTRIBUTE_COUNT_LIMIT",
|
||||
),
|
||||
AttrValueLen: firstEnv(
|
||||
-1, // Unlimited.
|
||||
"OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT",
|
||||
"OTEL_ATTRIBUTE_VALUE_LENGTH_LIMIT",
|
||||
),
|
||||
Events: firstEnv(128, "OTEL_SPAN_EVENT_COUNT_LIMIT"),
|
||||
EventAttrs: firstEnv(128, "OTEL_EVENT_ATTRIBUTE_COUNT_LIMIT"),
|
||||
Links: firstEnv(128, "OTEL_SPAN_LINK_COUNT_LIMIT"),
|
||||
LinkAttrs: firstEnv(128, "OTEL_LINK_ATTRIBUTE_COUNT_LIMIT"),
|
||||
}
|
||||
}
|
||||
|
||||
// firstEnv returns the parsed integer value of the first matching environment
|
||||
// variable from keys. The defaultVal is returned if the value is not an
|
||||
// integer or no match is found.
|
||||
func firstEnv(defaultVal int, keys ...string) int {
|
||||
for _, key := range keys {
|
||||
strV := os.Getenv(key)
|
||||
if strV == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
v, err := strconv.Atoi(strV)
|
||||
if err == nil {
|
||||
return v
|
||||
}
|
||||
slog.Warn(
|
||||
"invalid limit environment variable",
|
||||
"error", err,
|
||||
"key", key,
|
||||
"value", strV,
|
||||
)
|
||||
}
|
||||
|
||||
return defaultVal
|
||||
}
|
||||
Reference in New Issue
Block a user