Migrate from Docker-in-Docker to nsjail sandboxing

.env.example

@@ -1,176 +1,41 @@
 # Code Interpreter API Configuration
+# Only settings you're likely to change are listed here.
+# All other settings have sensible defaults — see docs/CONFIGURATION.md for the full list.
 
-# API Configuration
-API_HOST=0.0.0.0
-API_PORT=8000
-API_DEBUG=false
-API_RELOAD=false
-
-# SSL/HTTPS Configuration
-ENABLE_HTTPS=false
-HTTPS_PORT=443
-SSL_REDIRECT=false
-
-# Docker: Path to directory containing cert.pem and key.pem on the host
-# The directory is mounted to /app/ssl/ inside the container automatically.
-# Default is ./ssl (relative to docker-compose.yml)
-# SSL_CERTS_PATH=/path/to/your/ssl/certs
-
-# Non-Docker only: Absolute paths to certificate files (not needed for Docker)
-# SSL_CERT_FILE=/path/to/cert.pem
-# SSL_KEY_FILE=/path/to/key.pem
-# SSL_CA_CERTS=/path/to/ca.pem
-
-# Authentication Configuration
+# ── Authentication ──────────────────────────────────────────────
 API_KEY=your-secure-api-key-here-change-this-in-production
 # API_KEYS=key1,key2,key3  # Additional API keys (comma-separated)
-API_KEY_HEADER=x-api-key
-API_KEY_CACHE_TTL=300
+# MASTER_API_KEY=your-secure-master-key  # Required for admin dashboard CLI
 
-# API Key Management Configuration
-# MASTER_API_KEY=your-secure-master-key  # Required for CLI key management
-RATE_LIMIT_ENABLED=true
-
-# Redis Configuration
+# ── Redis ───────────────────────────────────────────────────────
 REDIS_HOST=localhost
 REDIS_PORT=6379
-REDIS_PASSWORD=
-REDIS_DB=0
-# Alternative: Use Redis URL instead of individual settings
-# REDIS_URL=redis://localhost:6379/0
-REDIS_MAX_CONNECTIONS=20
-REDIS_SOCKET_TIMEOUT=5
-REDIS_SOCKET_CONNECT_TIMEOUT=5
+# REDIS_PASSWORD=
+# REDIS_URL=redis://localhost:6379/0  # Alternative to individual settings
 
-# MinIO/S3 Configuration
+# ── MinIO / S3 ─────────────────────────────────────────────────
 MINIO_ENDPOINT=localhost:9000
 MINIO_ACCESS_KEY=minioadmin
 MINIO_SECRET_KEY=minioadmin
-MINIO_SECURE=false
-MINIO_BUCKET=code-interpreter-files
-MINIO_REGION=us-east-1
-
-# Docker Configuration
-DOCKER_IMAGE_REGISTRY=code-interpreter
-# DOCKER_BASE_URL=unix://var/run/docker.sock
-DOCKER_TIMEOUT=60
-DOCKER_NETWORK_MODE=none
-DOCKER_READ_ONLY=true
-
-# Resource Limits - Execution
-MAX_EXECUTION_TIME=120
-MAX_MEMORY_MB=512
-MAX_CPUS=1
-MAX_PIDS=512
-MAX_OPEN_FILES=1024
-
-# Resource Limits - Files
-MAX_FILE_SIZE_MB=10
-MAX_TOTAL_FILE_SIZE_MB=50
-MAX_FILES_PER_SESSION=50
-MAX_OUTPUT_FILES=10
-MAX_FILENAME_LENGTH=255
-
-# Resource Limits - Sessions
-MAX_CONCURRENT_EXECUTIONS=10
-MAX_SESSIONS_PER_ENTITY=100
-
-# Session Configuration
-# TTL applies only to MinIO-stored session data (files/metadata). Containers are ephemeral per execution.
-SESSION_TTL_HOURS=24
-SESSION_CLEANUP_INTERVAL_MINUTES=60
-SESSION_ID_LENGTH=32
+# MINIO_SECURE=false
+# MINIO_BUCKET=code-interpreter-files
 
-# MinIO Orphan Cleanup (optional)
-# Enable periodic pruning of MinIO objects older than TTL with missing Redis sessions
-ENABLE_ORPHAN_MINIO_CLEANUP=true
+# ── Execution Limits ───────────────────────────────────────────
+# MAX_EXECUTION_TIME=30    # Seconds (default: 30)
+# MAX_MEMORY_MB=512        # Per-execution memory limit
 
-# Container Pool Configuration
-CONTAINER_POOL_ENABLED=true
-CONTAINER_POOL_WARMUP_ON_STARTUP=true
+# ── Sandbox Pool (Python REPL) ─────────────────────────────────
+# SANDBOX_POOL_ENABLED=true
+# SANDBOX_POOL_PY=5        # Number of pre-warmed Python REPLs
+# REPL_ENABLED=true
 
-# Per-language pool sizes (0 = on-demand only, no pre-warming)
-# Only set the languages you want to pre-warm
-CONTAINER_POOL_PY=5     # Python
-CONTAINER_POOL_JS=2     # JavaScript
-# CONTAINER_POOL_TS=0   # TypeScript (default: 0)
-# CONTAINER_POOL_GO=0   # Go (default: 0)
-# CONTAINER_POOL_JAVA=0 # Java (default: 0)
-# CONTAINER_POOL_C=0    # C (default: 0)
-# CONTAINER_POOL_CPP=0  # C++ (default: 0)
-# CONTAINER_POOL_PHP=0  # PHP (default: 0)
-# CONTAINER_POOL_RS=0   # Rust (default: 0)
-# CONTAINER_POOL_R=0    # R (default: 0)
-# CONTAINER_POOL_F90=0  # Fortran (default: 0)
-# CONTAINER_POOL_D=0    # D (default: 0)
-
-# Pool optimization settings
-CONTAINER_POOL_PARALLEL_BATCH=5
-CONTAINER_POOL_REPLENISH_INTERVAL=2
-CONTAINER_POOL_EXHAUSTION_TRIGGER=true
-
-# REPL Configuration (Python Fast Execution)
-# Pre-warmed Python interpreter for ~20-40ms execution latency
-REPL_ENABLED=true
-REPL_WARMUP_TIMEOUT_SECONDS=15
-REPL_HEALTH_CHECK_TIMEOUT_SECONDS=5
-
-# State Persistence Configuration (Python)
-# Enables Python variable/function persistence across executions within same session
-STATE_PERSISTENCE_ENABLED=true
-# Redis hot storage TTL (default: 2 hours)
-STATE_TTL_SECONDS=7200
-# Maximum serialized state size
-STATE_MAX_SIZE_MB=50
-# Capture state even on execution failure
-STATE_CAPTURE_ON_ERROR=false
-
-# State Archival Configuration (Python)
-# Archives inactive states from Redis to MinIO for long-term storage
-STATE_ARCHIVE_ENABLED=true
-# Archive to MinIO after this inactivity period (default: 1 hour)
-STATE_ARCHIVE_AFTER_SECONDS=3600
-# Keep archived states in MinIO for this many days (default: 1 day / 24 hours)
-STATE_ARCHIVE_TTL_DAYS=1
-# How often to check for states to archive
-STATE_ARCHIVE_CHECK_INTERVAL_SECONDS=300
-
-# Detailed Metrics Configuration
-# Track per-API-key, per-language execution metrics
-DETAILED_METRICS_ENABLED=true
-# Maximum metrics to buffer in memory
-METRICS_BUFFER_SIZE=10000
-# Archive metrics to MinIO for long-term analysis
-METRICS_ARCHIVE_ENABLED=true
-# Keep archived metrics for this many days
-METRICS_ARCHIVE_RETENTION_DAYS=90
-
-# Security Configuration
-ENABLE_NETWORK_ISOLATION=true
-ENABLE_FILESYSTEM_ISOLATION=true
-
-# WAN Network Access Configuration
-# When enabled, execution containers can access the public internet
-# but are blocked from accessing host, other containers, and private networks
-# IMPORTANT: Requires NET_ADMIN capability for iptables management
-ENABLE_WAN_ACCESS=false
-WAN_NETWORK_NAME=code-interpreter-wan
-# WAN_DNS_SERVERS=8.8.8.8,1.1.1.1,8.8.4.4
-
-# Logging Configuration
-LOG_LEVEL=INFO
-LOG_FORMAT=json
-# LOG_FILE=/var/log/code-interpreter-api.log
-LOG_MAX_SIZE_MB=100
-LOG_BACKUP_COUNT=5
-ENABLE_ACCESS_LOGS=true
-ENABLE_SECURITY_LOGS=true
-
-# Health Check Configuration
-HEALTH_CHECK_INTERVAL=30
-HEALTH_CHECK_TIMEOUT=5
+# ── SSL/HTTPS ──────────────────────────────────────────────────
+# ENABLE_HTTPS=false
+# HTTPS_PORT=443
+# SSL_CERT_FILE=/path/to/cert.pem
+# SSL_KEY_FILE=/path/to/key.pem
 
-# Development Configuration
-ENABLE_CORS=false
-# CORS_ORIGINS=http://localhost:3000,http://localhost:8080
-ENABLE_DOCS=false
+# ── Logging ────────────────────────────────────────────────────
+# LOG_LEVEL=INFO             # INFO = clean (1 log per execution); DEBUG = full detail
+# LOG_FORMAT=json            # json (structured) or text (human-readable, colored)
+# ENABLE_ACCESS_LOGS=false   # Set true to enable uvicorn per-request access logs

.github/workflows/docker-publish.yml

@@ -6,6 +6,7 @@ on:
     tags: ["v*.*.*"]
     paths:
       - 'Dockerfile'
+      - 'docker/**'
       - 'src/**'
       - 'requirements.txt'
       - 'pyproject.toml'

.github/workflows/lint.yml

@@ -20,7 +20,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
-          pip install pytest pytest-asyncio pytest-cov pytest-mock bandit
+          pip install flake8 black mypy pytest pytest-asyncio pytest-cov pytest-mock bandit
 
       - name: Lint with flake8
         run: |
@@ -45,3 +45,20 @@ jobs:
       - name: Run Unit Tests
         run: |
           pytest tests/unit/
+
+  docker-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Validate Docker build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max