feat(executor): implement Docker client integration and security configuration for issue #9 #45
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces the Docker-based execution engine and security hardening for VoidRunner by integrating a secure Docker client, defining security validation/configuration, and wiring up an async task execution service.
- Adds a TaskExecutorService to manage execution records, async execution, and cleanup integration
- Implements SecurityManager for script validation, container config checks, and seccomp profile generation
- Provides Executor and DockerClient wrappers to orchestrate container creation, execution, logging, and cleanup
Reviewed Changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/services/task_executor_service.go | Service layer integrating async task execution and cleanup |
| internal/executor/security.go | SecurityManager for script/content validation and config |
| internal/executor/docker_client.go | DockerClient wrapper for secure container operations |
| internal/executor/executor.go | Core TaskExecutor implementation orchestrating execution |
| internal/executor/cleanup.go | CleanupManager for container lifecycle and resource cleanup |
| logger.Info("starting background task execution") | ||
|
|
||
| // Register execution with cleanup manager | ||
| s.cleanupManager.RegisterContainer("", task.ID, execution.ID, "") |
There was a problem hiding this comment.
RegisterContainer is called with an empty container ID, so the cleanup manager won't track any real containers. Consider moving the registration into the Executor after container creation and passing the actual container ID.
| func (s *TaskExecutorService) updateExecutionStatus(ctx context.Context, executionID uuid.UUID, status models.ExecutionStatus, userID uuid.UUID) error { | ||
| // For now, we'll use the basic update. In a full implementation, | ||
| // we'd want to update just the status field | ||
| return nil // Placeholder - would need repository method for status-only update |
There was a problem hiding this comment.
The updateExecutionStatus method is a no-op placeholder, so execution status changes are never persisted. Implement the repository call to update only the status field rather than returning nil.
internal/executor/executor.go
Outdated
| // Note: For full implementation, we'd need to track running containers | ||
| // by execution ID. For now, this is a placeholder. | ||
| e.logger.Info("execution cancellation requested", "execution_id", executionID.String()) | ||
| return NewExecutorError("cancel", "cancellation not fully implemented yet", nil) |
There was a problem hiding this comment.
The Executor.Cancel method is currently a placeholder and does not actually stop or remove running containers. Implement proper cancellation logic (e.g., invoking client.StopContainer) to support real execution cancellation.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
- Fix container registration to use actual container ID after creation - Implement updateExecutionStatus method with proper repository access - Add proper cancellation logic in Executor.Cancel method - Fix code formatting issues that caused lint CI failure - Add container lifecycle tracking and cleanup manager integration - Ensure proper resource cleanup and container status management Addresses review comments from PR #45: - Container registration with empty ID (task_executor_service.go:87) - No-op status update method (task_executor_service.go:140) - Incomplete cancellation implementation (executor.go:256) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
|
Claude finished @starbops's task —— View job PR Review: Docker Client Integration and Security ConfigurationI've completed a comprehensive review of this PR. This is a substantial implementation that establishes the foundation for secure Docker-based code execution. Here are my findings: Review Checklist
🔍 Code Review Summary✅ Strengths
|
- Fix overly restrictive security validation that was blocking legitimate operations - Allow safe Python imports (math, json, datetime, etc.) and built-ins - Allow essential Bash operators (|, &&, ||, ;, >, <) with controlled usage - Allow JavaScript console.log and safe require patterns for standard modules - Add comprehensive test coverage for executor, docker client, and cleanup manager - Improve executor package coverage from 25.9% to 46.6% - Fix container ID logging to prevent slice bounds panics - Enhance error handling and code robustness Addresses critical review feedback from PR #45 about security validation being too restrictive while maintaining strong security boundaries. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
|
Claude finished @starbops's task —— View job Claude finished @starbops's task —— View job PR Review: Docker Client Integration and Security ConfigurationI've completed a comprehensive review of this PR. This is a substantial implementation that establishes the foundation for secure Docker-based code execution. Here are my findings: Review Checklist
🔍 Code Review Summary✅ Strengths
|
This commit addresses critical issues identified in the PR review: **Critical Fixes:** - Fix seccomp profile file permissions (0600 → 0644) to allow Docker daemon access - Add container ID validation in RegisterContainer to prevent empty ID registration - Refine security validation rules to allow legitimate operations while maintaining security **Security Validation Improvements:** - Allow basic file operations within containers (read-only filesystem provides protection) - Allow /tmp/ directory access for container temp space usage - Allow basic system info commands (whoami, id) for educational purposes - Remove overly restrictive Python file access restrictions - Maintain protection against dangerous patterns while reducing false positives **Test Coverage:** - Updated test expectations to match refined validation rules - Maintained 83.8% test coverage for executor package (exceeds 80% target) - All unit and integration tests passing **Verification:** - Local linting passes without issues - All existing functionality preserved - Security posture maintained while reducing restrictions on legitimate operations Addresses review feedback in: #45 (comment) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
|
Claude finished @starbops's task —— View job PR Review: Docker Client Integration and Security ConfigurationI've completed a comprehensive review of this PR. This is a substantial implementation that establishes the foundation for secure Docker-based code execution. Here are my findings: Review Checklist
🔍 Code Review Summary✅ Strengths
|
…trols Implement complete Docker client integration for secure task execution: - Docker client with connection health checks and validation - Comprehensive resource limits (memory, CPU, PIDs) with security caps - Network isolation and non-root execution (UID:GID 1000:1000) - Security profiles with Seccomp/AppArmor support - Multi-language script validation (Python, Bash, JavaScript, Go) - Automatic container cleanup and lifecycle management - Integration with API server and task execution service Fixes #9 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
starbops
force-pushed
the
feature/9-docker-client-integration
branch
from
c845424 to
976b2ca
Compare
Summary
Implements issue #9: Docker Client Integration and Security Configuration as the foundation for VoidRunner's container execution engine.
This PR provides a complete, secure Docker-based code execution system with comprehensive security hardening and resource management.
Features Implemented
🐳 Docker Client Integration
🔒 Security Hardening
--network none)⚙️ Resource Management
🔧 Integration
Security Measures
Files Added
Core Implementation
internal/executor/interfaces.go- Core executor interfaces and typesinternal/executor/config.go- Configuration management with defaultsinternal/executor/docker_client.go- Docker client wrapper with securityinternal/executor/security.go- Security validation and hardeninginternal/executor/executor.go- Main execution engineinternal/executor/cleanup.go- Resource cleanup managementinternal/executor/errors.go- Structured error types and handlinginternal/services/task_executor_service.go- Integration serviceTesting
internal/executor/config_test.go- Configuration testsinternal/executor/security_test.go- Security validation testsinternal/executor/errors_test.go- Error handling testsDependencies Added
github.com/docker/docker- Docker API clientgithub.com/containerd/errdefs- Container error definitionsTest Plan
Epic Progress
This PR completes Epic #8 Issue #9 and provides the foundation for:
Breaking Changes
None - this is a new feature that doesn't affect existing functionality.
Performance
Fixes #9
🤖 Generated with Claude Code