8d9b62daf3
This commit implements Phase 2 of the CHORUS Task Execution Engine development plan, providing a comprehensive execution environment abstraction layer with Docker container sandboxing support. ## New Features ### Core Sandbox Interface - Comprehensive ExecutionSandbox interface with isolated task execution - Support for command execution, file I/O, environment management - Resource usage monitoring and sandbox lifecycle management - Standardized error handling with SandboxError types and categories ### Docker Container Sandbox Implementation - Full Docker API integration with secure container creation - Transparent repository mounting with configurable read/write access - Advanced security policies with capability dropping and privilege controls - Comprehensive resource limits (CPU, memory, disk, processes, file handles) - Support for tmpfs mounts, masked paths, and read-only bind mounts - Container lifecycle management with proper cleanup and health monitoring ### Security & Resource Management - Configurable security policies with SELinux, AppArmor, and Seccomp support - Fine-grained capability management with secure defaults - Network isolation options with configurable DNS and proxy settings - Resource monitoring with real-time CPU, memory, and network usage tracking - Comprehensive ulimits configuration for process and file handle limits ### Repository Integration - Seamless repository mounting from local paths to container workspaces - Git configuration support with user credentials and global settings - File inclusion/exclusion patterns for selective repository access - Configurable permissions and ownership for mounted repositories ### Testing Infrastructure - Comprehensive test suite with 60+ test cases covering all functionality - Docker integration tests with Alpine Linux containers (skipped in short mode) - Mock sandbox implementation for unit testing without Docker dependencies - Security policy validation tests with read-only filesystem enforcement - Resource usage monitoring and cleanup verification tests ## Technical Details ### Dependencies Added - github.com/docker/docker v28.4.0+incompatible - Docker API client - github.com/docker/go-connections v0.6.0 - Docker connection utilities - github.com/docker/go-units v0.5.0 - Docker units and formatting - Associated Docker API dependencies for complete container management ### Architecture - Interface-driven design enabling multiple sandbox implementations - Comprehensive configuration structures for all sandbox aspects - Resource usage tracking with detailed metrics collection - Error handling with retryable error classification - Proper cleanup and resource management throughout sandbox lifecycle ### Compatibility - Maintains backward compatibility with existing CHORUS architecture - Designed for future integration with Phase 3 Core Task Execution Engine - Extensible design supporting additional sandbox implementations (VM, process) This Phase 2 implementation provides the foundation for secure, isolated task execution that will be integrated with the AI model providers from Phase 1 in the upcoming Phase 3 development. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
120 lines
3.7 KiB
Go
120 lines
3.7 KiB
Go
// Copyright The OpenTelemetry Authors
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
/*
|
|
Package trace provides an implementation of the tracing part of the
|
|
OpenTelemetry API.
|
|
|
|
To participate in distributed traces a Span needs to be created for the
|
|
operation being performed as part of a traced workflow. In its simplest form:
|
|
|
|
var tracer trace.Tracer
|
|
|
|
func init() {
|
|
tracer = otel.Tracer("instrumentation/package/name")
|
|
}
|
|
|
|
func operation(ctx context.Context) {
|
|
var span trace.Span
|
|
ctx, span = tracer.Start(ctx, "operation")
|
|
defer span.End()
|
|
// ...
|
|
}
|
|
|
|
A Tracer is unique to the instrumentation and is used to create Spans.
|
|
Instrumentation should be designed to accept a TracerProvider from which it
|
|
can create its own unique Tracer. Alternatively, the registered global
|
|
TracerProvider from the go.opentelemetry.io/otel package can be used as
|
|
a default.
|
|
|
|
const (
|
|
name = "instrumentation/package/name"
|
|
version = "0.1.0"
|
|
)
|
|
|
|
type Instrumentation struct {
|
|
tracer trace.Tracer
|
|
}
|
|
|
|
func NewInstrumentation(tp trace.TracerProvider) *Instrumentation {
|
|
if tp == nil {
|
|
tp = otel.TracerProvider()
|
|
}
|
|
return &Instrumentation{
|
|
tracer: tp.Tracer(name, trace.WithInstrumentationVersion(version)),
|
|
}
|
|
}
|
|
|
|
func operation(ctx context.Context, inst *Instrumentation) {
|
|
var span trace.Span
|
|
ctx, span = inst.tracer.Start(ctx, "operation")
|
|
defer span.End()
|
|
// ...
|
|
}
|
|
|
|
# API Implementations
|
|
|
|
This package does not conform to the standard Go versioning policy; all of its
|
|
interfaces may have methods added to them without a package major version bump.
|
|
This non-standard API evolution could surprise an uninformed implementation
|
|
author. They could unknowingly build their implementation in a way that would
|
|
result in a runtime panic for their users that update to the new API.
|
|
|
|
The API is designed to help inform an instrumentation author about this
|
|
non-standard API evolution. It requires them to choose a default behavior for
|
|
unimplemented interface methods. There are three behavior choices they can
|
|
make:
|
|
|
|
- Compilation failure
|
|
- Panic
|
|
- Default to another implementation
|
|
|
|
All interfaces in this API embed a corresponding interface from
|
|
[go.opentelemetry.io/otel/trace/embedded]. If an author wants the default
|
|
behavior of their implementations to be a compilation failure, signaling to
|
|
their users they need to update to the latest version of that implementation,
|
|
they need to embed the corresponding interface from
|
|
[go.opentelemetry.io/otel/trace/embedded] in their implementation. For
|
|
example,
|
|
|
|
import "go.opentelemetry.io/otel/trace/embedded"
|
|
|
|
type TracerProvider struct {
|
|
embedded.TracerProvider
|
|
// ...
|
|
}
|
|
|
|
If an author wants the default behavior of their implementations to panic, they
|
|
can embed the API interface directly.
|
|
|
|
import "go.opentelemetry.io/otel/trace"
|
|
|
|
type TracerProvider struct {
|
|
trace.TracerProvider
|
|
// ...
|
|
}
|
|
|
|
This option is not recommended. It will lead to publishing packages that
|
|
contain runtime panics when users update to newer versions of
|
|
[go.opentelemetry.io/otel/trace], which may be done with a transitive
|
|
dependency.
|
|
|
|
Finally, an author can embed another implementation in theirs. The embedded
|
|
implementation will be used for methods not defined by the author. For example,
|
|
an author who wants to default to silently dropping the call can use
|
|
[go.opentelemetry.io/otel/trace/noop]:
|
|
|
|
import "go.opentelemetry.io/otel/trace/noop"
|
|
|
|
type TracerProvider struct {
|
|
noop.TracerProvider
|
|
// ...
|
|
}
|
|
|
|
It is strongly recommended that authors only embed
|
|
[go.opentelemetry.io/otel/trace/noop] if they choose this default behavior.
|
|
That implementation is the only one OpenTelemetry authors can guarantee will
|
|
fully implement all the API interfaces when a user updates their API.
|
|
*/
|
|
package trace // import "go.opentelemetry.io/otel/trace"
|