Phase 2: Implement Execution Environment Abstraction (v0.3.0)
This commit implements Phase 2 of the CHORUS Task Execution Engine development plan, providing a comprehensive execution environment abstraction layer with Docker container sandboxing support. ## New Features ### Core Sandbox Interface - Comprehensive ExecutionSandbox interface with isolated task execution - Support for command execution, file I/O, environment management - Resource usage monitoring and sandbox lifecycle management - Standardized error handling with SandboxError types and categories ### Docker Container Sandbox Implementation - Full Docker API integration with secure container creation - Transparent repository mounting with configurable read/write access - Advanced security policies with capability dropping and privilege controls - Comprehensive resource limits (CPU, memory, disk, processes, file handles) - Support for tmpfs mounts, masked paths, and read-only bind mounts - Container lifecycle management with proper cleanup and health monitoring ### Security & Resource Management - Configurable security policies with SELinux, AppArmor, and Seccomp support - Fine-grained capability management with secure defaults - Network isolation options with configurable DNS and proxy settings - Resource monitoring with real-time CPU, memory, and network usage tracking - Comprehensive ulimits configuration for process and file handle limits ### Repository Integration - Seamless repository mounting from local paths to container workspaces - Git configuration support with user credentials and global settings - File inclusion/exclusion patterns for selective repository access - Configurable permissions and ownership for mounted repositories ### Testing Infrastructure - Comprehensive test suite with 60+ test cases covering all functionality - Docker integration tests with Alpine Linux containers (skipped in short mode) - Mock sandbox implementation for unit testing without Docker dependencies - Security policy validation tests with read-only filesystem enforcement - Resource usage monitoring and cleanup verification tests ## Technical Details ### Dependencies Added - github.com/docker/docker v28.4.0+incompatible - Docker API client - github.com/docker/go-connections v0.6.0 - Docker connection utilities - github.com/docker/go-units v0.5.0 - Docker units and formatting - Associated Docker API dependencies for complete container management ### Architecture - Interface-driven design enabling multiple sandbox implementations - Comprehensive configuration structures for all sandbox aspects - Resource usage tracking with detailed metrics collection - Error handling with retryable error classification - Proper cleanup and resource management throughout sandbox lifecycle ### Compatibility - Maintains backward compatibility with existing CHORUS architecture - Designed for future integration with Phase 3 Core Task Execution Engine - Extensible design supporting additional sandbox implementations (VM, process) This Phase 2 implementation provides the foundation for secure, isolated task execution that will be integrated with the AI model providers from Phase 1 in the upcoming Phase 3 development. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
anthonyrawlins
58
vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
generated
vendored
Normal file
58
vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
generated
vendored
Normal file
@@ -0,0 +1,58 @@
|
||||
// Copyright The OpenTelemetry Authors
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
|
||||
|
||||
import (
|
||||
"context"
|
||||
"sync"
|
||||
|
||||
"go.opentelemetry.io/otel/attribute"
|
||||
)
|
||||
|
||||
// Labeler is used to allow instrumented HTTP handlers to add custom attributes to
|
||||
// the metrics recorded by the net/http instrumentation.
|
||||
type Labeler struct {
|
||||
mu sync.Mutex
|
||||
attributes []attribute.KeyValue
|
||||
}
|
||||
|
||||
// Add attributes to a Labeler.
|
||||
func (l *Labeler) Add(ls ...attribute.KeyValue) {
|
||||
l.mu.Lock()
|
||||
defer l.mu.Unlock()
|
||||
l.attributes = append(l.attributes, ls...)
|
||||
}
|
||||
|
||||
// Get returns a copy of the attributes added to the Labeler.
|
||||
func (l *Labeler) Get() []attribute.KeyValue {
|
||||
l.mu.Lock()
|
||||
defer l.mu.Unlock()
|
||||
ret := make([]attribute.KeyValue, len(l.attributes))
|
||||
copy(ret, l.attributes)
|
||||
return ret
|
||||
}
|
||||
|
||||
type labelerContextKeyType int
|
||||
|
||||
const labelerContextKey labelerContextKeyType = 0
|
||||
|
||||
// ContextWithLabeler returns a new context with the provided Labeler instance.
|
||||
// Attributes added to the specified labeler will be injected into metrics
|
||||
// emitted by the instrumentation. Only one labeller can be injected into the
|
||||
// context. Injecting it multiple times will override the previous calls.
|
||||
func ContextWithLabeler(parent context.Context, l *Labeler) context.Context {
|
||||
return context.WithValue(parent, labelerContextKey, l)
|
||||
}
|
||||
|
||||
// LabelerFromContext retrieves a Labeler instance from the provided context if
|
||||
// one is available. If no Labeler was found in the provided context a new, empty
|
||||
// Labeler is returned and the second return value is false. In this case it is
|
||||
// safe to use the Labeler but any attributes added to it will not be used.
|
||||
func LabelerFromContext(ctx context.Context) (*Labeler, bool) {
|
||||
l, ok := ctx.Value(labelerContextKey).(*Labeler)
|
||||
if !ok {
|
||||
l = &Labeler{}
|
||||
}
|
||||
return l, ok
|
||||
}
|
||||
Reference in New Issue
Block a user