alexsun/compose-anything
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(opensandbox): add initial configuration files and documentation for OpenSandbox platform

Browse Source 
feat(elasticsearch): upgrade Elasticsearch version to 9.3.0 in environment and docker-compose files

feat(gitlab): update GitLab version to 18.8.3-ce.0 in environment and docker-compose files

feat(grafana): bump Grafana version to 12.3.2 in environment and docker-compose files

feat(jenkins): upgrade Jenkins version to 2.541-lts-jdk17 in environment and docker-compose files

fix(minio): remove unnecessary newline in docker-compose file

feat(nginx): downgrade Nginx version to 1.28.2-alpine3.22 in environment and docker-compose files

feat(ollama): update Ollama version to 0.14.3 in environment and docker-compose files

feat(prometheus): upgrade Prometheus version to 3.5.1 in environment and docker-compose files

feat(rabbitmq): update RabbitMQ version to 4.2.3-management-alpine in environment and docker-compose files
This commit is contained in:
Sun-ZhenXing
2026-02-07 18:11:02 +08:00
parent d53dffca83
commit c03771751c
24 changed files with 953 additions and 297 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@@ -19,7 +19,7 @@ These services require building custom Docker images from source.
## Supported Services
| Service | Version |
| -------------------------------------------------------------- | -------------------- |
| -------------------------------------------------------------- | ------------------- |
| [Apache APISIX](./src/apisix) | 3.13.0 |
| [Apache Cassandra](./src/cassandra) | 5.0.2 |
| [Apache Flink](./src/flink) | 1.20.0 |
@@ -45,7 +45,7 @@ These services require building custom Docker images from source.
| [Doris](./src/doris) | 3.0.0 |
| [DuckDB](./src/duckdb) | v1.1.3 |
| [Easy Dataset](./apps/easy-dataset) | 1.5.1 |
| [Elasticsearch](./src/elasticsearch) | 8.16.1 |
| [Elasticsearch](./src/elasticsearch) | 9.3.0 |
| [etcd](./src/etcd) | 3.6.0 |
| [FalkorDB](./src/falkordb) | v4.14.11 |
| [Firecrawl](./src/firecrawl) | latest |
@@ -55,16 +55,16 @@ These services require building custom Docker images from source.
| [Gitea Runner](./src/gitea-runner) | 0.2.13 |
| [Gitea](./src/gitea) | 1.25.4-rootless |
| [GitLab Runner](./src/gitlab-runner) | 17.10.1 |
| [GitLab](./src/gitlab) | 17.10.4-ce.0 |
| [GitLab](./src/gitlab) | 18.8.3-ce.0 |
| [GPUStack](./src/gpustack) | v0.5.3 |
| [Grafana](./src/grafana) | 12.1.1 |
| [Grafana](./src/grafana) | 12.3.2 |
| [Grafana Loki](./src/loki) | 3.3.2 |
| [Grafana Tempo](./src/tempo) | 2.7.2 |
| [Halo](./src/halo) | 2.21.9 |
| [Harbor](./src/harbor) | v2.12.0 |
| [HashiCorp Consul](./src/consul) | 1.20.3 |
| [InfluxDB](./src/influxdb) | 2.8.0 |
| [Jenkins](./src/jenkins) | 2.486-lts |
| [Jenkins](./src/jenkins) | 2.541-lts |
| [JODConverter](./src/jodconverter) | latest |
| [Kestra](./src/kestra) | latest-full |
| [Kibana](./src/kibana) | 8.16.1 |
@@ -83,7 +83,7 @@ These services require building custom Docker images from source.
| [Milvus Standalone Embed](./src/milvus-standalone-embed) | v2.6.7 |
| [Milvus Standalone](./src/milvus-standalone) | v2.6.7 |
| [Minecraft Bedrock Server](./src/minecraft-bedrock-server) | latest |
| [MinIO](./src/minio) | 0.20251015 |
| [MinIO](./src/minio) | 0.20260202 |
| [MLflow](./src/mlflow) | v2.20.2 |
| [MoltBot](./apps/moltbot) | main |
| [MongoDB ReplicaSet Single](./src/mongodb-replicaset-single) | 8.2.3 |
@@ -97,11 +97,11 @@ These services require building custom Docker images from source.
| [NexaSDK](./src/nexa-sdk) | v0.2.62 |
| [Neo4j](./src/neo4j) | 5.27.4 |
| [Netdata](./src/netdata) | latest |
| [Nginx](./src/nginx) | 1.29.1 |
| [Nginx](./src/nginx) | 1.28.2 |
| [Node Exporter](./src/node-exporter) | v1.8.2 |
| [OceanBase](./src/oceanbase) | 4.3.3 |
| [Odoo](./src/odoo) | 19.0 |
| [Ollama](./src/ollama) | 0.12.0 |
| [Ollama](./src/ollama) | 0.14.3 |
| [Open WebUI](./src/open-webui) | main |
| [Phoenix (Arize)](./src/phoenix) | 12.31.2-nonroot |
| [Pingora Proxy Manager](./src/pingora-proxy-manager) | v1.0.3 |
@@ -111,7 +111,8 @@ These services require building custom Docker images from source.
| [OpenCut](./src/opencut) | latest |
| [OpenList](./src/openlist) | latest |
| [OpenLIT](./apps/openlit) | latest |
| [OpenObserve](./apps/openobserve) | v0.50.0 (enterprise) |
| [OpenSandbox](./apps/opensandbox) | v1.0.5 |
| [OpenObserve](./apps/openobserve) | v0.50.0 |
| [OpenSearch](./src/opensearch) | 2.19.0 |
| [OpenTelemetry Collector](./src/otel-collector) | 0.115.1 |
| [Overleaf](./src/overleaf) | 5.2.1 |
@@ -121,10 +122,10 @@ These services require building custom Docker images from source.
| [Portainer](./src/portainer) | 2.27.3-alpine |
| [Portkey AI Gateway](./src/portkey-gateway) | latest |
| [PostgreSQL](./src/postgres) | 17.6 |
| [Prometheus](./src/prometheus) | 3.5.0 |
| [Prometheus](./src/prometheus) | 3.5.1 |
| [PyTorch](./src/pytorch) | 2.6.0 |
| [Qdrant](./src/qdrant) | 1.15.4 |
| [RabbitMQ](./src/rabbitmq) | 4.1.4 |
| [RabbitMQ](./src/rabbitmq) | 4.2.3 |
| [Ray](./src/ray) | 2.42.1 |
| [Redpanda](./src/redpanda) | v24.3.1 |
| [Redis Cluster](./src/redis-cluster) | 8.2.1 |

23
README.zh.md
View File

@@ -19,7 +19,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
## 已经支持的服务
| 服务 | 版本 |
| -------------------------------------------------------------- | --------------------- |
| -------------------------------------------------------------- | ------------------- |
| [Apache APISIX](./src/apisix) | 3.13.0 |
| [Apache Cassandra](./src/cassandra) | 5.0.2 |
| [Apache Flink](./src/flink) | 1.20.0 |
@@ -45,7 +45,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
| [Doris](./src/doris) | 3.0.0 |
| [DuckDB](./src/duckdb) | v1.1.3 |
| [Easy Dataset](./apps/easy-dataset) | 1.5.1 |
| [Elasticsearch](./src/elasticsearch) | 8.16.1 |
| [Elasticsearch](./src/elasticsearch) | 9.3.0 |
| [etcd](./src/etcd) | 3.6.0 |
| [FalkorDB](./src/falkordb) | v4.14.11 |
| [Firecrawl](./src/firecrawl) | latest |
@@ -55,16 +55,16 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
| [Gitea Runner](./src/gitea-runner) | 0.2.13 |
| [Gitea](./src/gitea) | 1.25.4-rootless |
| [GitLab Runner](./src/gitlab-runner) | 17.10.1 |
| [GitLab](./src/gitlab) | 17.10.4-ce.0 |
| [GitLab](./src/gitlab) | 18.8.3-ce.0 |
| [GPUStack](./src/gpustack) | v0.5.3 |
| [Grafana](./src/grafana) | 12.1.1 |
| [Grafana](./src/grafana) | 12.3.2 |
| [Grafana Loki](./src/loki) | 3.3.2 |
| [Grafana Tempo](./src/tempo) | 2.7.2 |
| [Halo](./src/halo) | 2.21.9 |
| [Harbor](./src/harbor) | v2.12.0 |
| [HashiCorp Consul](./src/consul) | 1.20.3 |
| [InfluxDB](./src/influxdb) | 2.8.0 |
| [Jenkins](./src/jenkins) | 2.486-lts |
| [Jenkins](./src/jenkins) | 2.541-lts |
| [JODConverter](./src/jodconverter) | latest |
| [Kestra](./src/kestra) | latest-full |
| [Kibana](./src/kibana) | 8.16.1 |
@@ -83,7 +83,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
| [Milvus Standalone Embed](./src/milvus-standalone-embed) | v2.6.7 |
| [Milvus Standalone](./src/milvus-standalone) | v2.6.7 |
| [Minecraft Bedrock Server](./src/minecraft-bedrock-server) | latest |
| [MinIO](./src/minio) | 0.20251015 |
| [MinIO](./src/minio) | 0.20260202 |
| [MLflow](./src/mlflow) | v2.20.2 |
| [MoltBot](./apps/moltbot) | main |
| [MongoDB ReplicaSet Single](./src/mongodb-replicaset-single) | 8.2.3 |
@@ -97,11 +97,11 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
| [NexaSDK](./src/nexa-sdk) | v0.2.62 |
| [Neo4j](./src/neo4j) | 5.27.4 |
| [Netdata](./src/netdata) | latest |
| [Nginx](./src/nginx) | 1.29.1 |
| [Nginx](./src/nginx) | 1.28.2 |
| [Node Exporter](./src/node-exporter) | v1.8.2 |
| [OceanBase](./src/oceanbase) | 4.3.3 |
| [Odoo](./src/odoo) | 19.0 |
| [Ollama](./src/ollama) | 0.12.0 |
| [Ollama](./src/ollama) | 0.14.3 |
| [Open WebUI](./src/open-webui) | main |
| [Phoenix (Arize)](./src/phoenix) | 12.31.2-nonroot |
| [Pingora Proxy Manager](./src/pingora-proxy-manager) | v1.0.3 |
@@ -111,7 +111,8 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
| [OpenCut](./src/opencut) | latest |
| [OpenList](./src/openlist) | latest |
| [OpenLIT](./apps/openlit) | latest |
| [OpenObserve](./apps/openobserve) | v0.50.0enterprise |
| [OpenSandbox](./apps/opensandbox) | v1.0.5 |
| [OpenObserve](./apps/openobserve) | v0.50.0 |
| [OpenSearch](./src/opensearch) | 2.19.0 |
| [OpenTelemetry Collector](./src/otel-collector) | 0.115.1 |
| [Overleaf](./src/overleaf) | 5.2.1 |
@@ -121,10 +122,10 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
| [Portainer](./src/portainer) | 2.27.3-alpine |
| [Portkey AI Gateway](./src/portkey-gateway) | latest |
| [PostgreSQL](./src/postgres) | 17.6 |
| [Prometheus](./src/prometheus) | 3.5.0 |
| [Prometheus](./src/prometheus) | 3.5.1 |
| [PyTorch](./src/pytorch) | 2.6.0 |
| [Qdrant](./src/qdrant) | 1.15.4 |
| [RabbitMQ](./src/rabbitmq) | 4.1.4 |
| [RabbitMQ](./src/rabbitmq) | 4.2.3 |
| [Ray](./src/ray) | 2.42.1 |
| [Redpanda](./src/redpanda) | v24.3.1 |
| [Redis Cluster](./src/redis-cluster) | 8.2.1 |

46
apps/opensandbox/.env.example Normal file
View File

@@ -0,0 +1,46 @@
# OpenSandbox Configuration
# A general-purpose sandbox platform for AI applications
# Global registry prefix for all images (optional)
# Example: GLOBAL_REGISTRY=registry.example.com/
GLOBAL_REGISTRY=
# Timezone setting
TZ=UTC
# ========================================
# OpenSandbox Server Configuration
# ========================================
# OpenSandbox server image version
# Default: v1.0.5
OPENSANDBOX_SERVER_VERSION=v1.0.5
# OpenSandbox server port override (host port mapping)
# Default: 8080
OPENSANDBOX_SERVER_PORT_OVERRIDE=8080
# Docker socket path (for sandbox container creation)
# Default: unix:///var/run/docker.sock
# On macOS with Colima: unix://${HOME}/.colima/default/docker.sock
DOCKER_HOST=unix:///var/run/docker.sock
# ========================================
# Resource Limits
# ========================================
# OpenSandbox Server CPU limit
# Default: 2.0 (2 CPU cores)
OPENSANDBOX_SERVER_CPU_LIMIT=2.0
# OpenSandbox Server CPU reservation
# Default: 1.0 (1 CPU core)
OPENSANDBOX_SERVER_CPU_RESERVATION=1.0
# OpenSandbox Server memory limit
# Default: 2G
OPENSANDBOX_SERVER_MEMORY_LIMIT=2G
# OpenSandbox Server memory reservation
# Default: 1G
OPENSANDBOX_SERVER_MEMORY_RESERVATION=1G

241
apps/opensandbox/README.md Normal file
View File

@@ -0,0 +1,241 @@
# OpenSandbox
English | [中文](README.zh.md)
A general-purpose sandbox platform for AI applications, offering multi-language SDKs, unified sandbox APIs, and Docker/Kubernetes runtimes. Ideal for scenarios like Coding Agents, GUI Agents, Agent Evaluation, AI Code Execution, and RL Training.
## Features
- **Multi-language SDK Support**: Python, JavaScript/TypeScript, Java/Kotlin, and Go client SDKs
- **Unified Sandbox API**: Consistent interface for sandbox lifecycle, command execution, and file operations
- **Multiple Runtime Options**: Docker and Kubernetes runtime support
- **Security Hardening**: Built-in security features including capability dropping, privilege escalation prevention, and resource limits
- **Flexible Configuration**: Support for various network modes, resource constraints, and security profiles
- **Code Interpreter**: Pre-built images with Python, Node.js, Java, and Go kernel support
## Quick Start
### Prerequisites
- Docker Engine (required for Docker runtime)
- Docker Compose
- Sufficient permissions to access Docker socket
> **Note for macOS users using Colima**: You need to set the `DOCKER_HOST` environment variable before starting OpenSandbox:
>
> ```bash
> export DOCKER_HOST="unix://${HOME}/.colima/default/docker.sock"
> ```
### Deployment
1. **Copy the environment file and configure as needed:**
```bash
cp .env.example .env
```
2. **Edit `config.toml` to set your API key:**
```toml
[server]
api_key = "your-secret-api-key-change-this"
```
**IMPORTANT**: Change the default API key in production!
3. **Start the service:**
```bash
docker compose up -d
```
4. **Verify the service is running:**
```bash
curl http://localhost:8080/health
```
You should receive a successful health check response.
## Configuration
### Environment Variables
Key environment variables (see [.env.example](.env.example) for full list):
| Variable | Description | Default |
| ---------------------------------- | -------------------------------- | ----------------------------- |
| `OPENSANDBOX_SERVER_VERSION` | OpenSandbox server image version | `v1.0.5` |
| `OPENSANDBOX_SERVER_PORT_OVERRIDE` | Host port mapping | `8080` |
| `DOCKER_HOST` | Docker socket path | `unix:///var/run/docker.sock` |
| `OPENSANDBOX_SERVER_CPU_LIMIT` | CPU cores limit | `2.0` |
| `OPENSANDBOX_SERVER_MEMORY_LIMIT` | Memory limit | `2G` |
### Server Configuration
The main configuration is in [config.toml](config.toml). Key sections:
- **[server]**: HTTP server settings (host, port, log level, API key)
- **[runtime]**: Runtime type and execd image configuration
- **[docker]**: Docker-specific settings including network mode and security options
#### Network Modes
- **bridge** (recommended): Containers have isolated networks, supports multiple sandboxes
- **host**: Containers share host network, only one sandbox instance at a time
#### Security Features
- **Capability dropping**: Removes dangerous Linux capabilities from containers
- **Privilege escalation prevention**: Blocks privilege escalation inside containers
- **Process limits**: Controls maximum number of processes per sandbox
- **AppArmor/Seccomp profiles**: Optional security profiles (leave empty for Docker defaults)
## Usage
### Basic Sandbox Creation (Python SDK)
```python
from opensandbox import Sandbox
from datetime import timedelta
# Create a sandbox with code interpreter
sandbox = await Sandbox.create(
"opensandbox/code-interpreter:v1.0.1",
entrypoint="/opt/opensandbox/code-interpreter.sh",
env={"PYTHON_VERSION": "3.11"},
timeout=timedelta(minutes=10)
)
async with sandbox:
# Execute Python code
result = await sandbox.execute(
"python",
"-c",
"print('Hello from OpenSandbox!')"
)
print(result.stdout)
```
### API Authentication
All API requests require the `X-API-Key` header with the key configured in `config.toml`:
```bash
curl -H "X-API-Key: your-secret-api-key-change-this" \
http://localhost:8080/sandboxes
```
## Pre-built Images
OpenSandbox provides several pre-built sandbox images:
- **opensandbox/code-interpreter**: Multi-language code interpreter (Python, Node.js, Java, Go)
- **opensandbox/vscode**: VS Code Server environment
- **opensandbox/desktop**: Full desktop environment with VNC support
- **opensandbox/playwright**: Browser automation with Playwright
- **opensandbox/chrome**: Chromium browser environment
## Ports
| Port | Service | Description |
| ---- | ------------------ | --------------- |
| 8080 | OpenSandbox Server | HTTP API server |
## Data Persistence
- **opensandbox_data**: Server data and state
## Health Check
The service includes a built-in health check endpoint at `/health`:
```bash
curl http://localhost:8080/health
```
## Security Considerations
### Docker Socket Access
This service requires access to the Docker socket (`/var/run/docker.sock`) to create and manage sandbox containers. This is a high-privilege operation.
**Security implications:**
- Containers with Docker socket access can potentially control the host system
- Only deploy in trusted environments
- Consider using Docker-in-Docker or rootless Docker for additional isolation in production
**Alternatives:**
- Use Kubernetes runtime instead of Docker runtime (requires Kubernetes cluster)
- Deploy with restricted user permissions and resource quotas
### API Key Security
- **Never use the default API key in production**
- Store API keys securely (e.g., using Docker secrets, environment variables from secret managers)
- Rotate API keys regularly
- Limit network exposure (use firewall rules, reverse proxy)
### Resource Limits
Always configure appropriate CPU and memory limits to prevent resource exhaustion:
```yaml
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
```
## Troubleshooting
### Docker Socket Connection Issues
**Error**: Failed to initialize Docker service
**Solution**:
- Ensure Docker Desktop/Engine is running
- On macOS with Colima: Set `DOCKER_HOST=unix://${HOME}/.colima/default/docker.sock`
- Check Docker socket permissions: `ls -l /var/run/docker.sock`
### Health Check Failing
**Error**: Health check timeout
**Solution**:
- Check container logs: `docker compose logs opensandbox-server`
- Verify the service started successfully: `docker compose ps`
- Increase `start_period` in docker-compose.yaml if the service needs more time to initialize
### Sandbox Creation Failures
**Error**: Failed to create sandbox
**Solution**:
- Ensure the execd image is accessible: `docker pull opensandbox/execd:v1.0.5`
- Check available system resources (CPU, memory, disk space)
- Review server logs for detailed error messages
## License
This project is part of the OpenSandbox suite. See the main [LICENSE](https://github.com/alibaba/OpenSandbox/blob/main/LICENSE) file for details.
## References
- [OpenSandbox GitHub Repository](https://github.com/alibaba/OpenSandbox)
- [OpenSandbox Documentation](https://github.com/alibaba/OpenSandbox/tree/main/docs)
- [Docker Security](https://docs.docker.com/engine/security/)
## Support
For issues and questions:
- [GitHub Issues](https://github.com/alibaba/OpenSandbox/issues)
- [Official Documentation](https://github.com/alibaba/OpenSandbox)

241
apps/opensandbox/README.zh.md Normal file
View File

@@ -0,0 +1,241 @@
# OpenSandbox
[English](README.md) | 中文
一个通用的 AI 应用沙箱平台,提供多语言 SDK、统一的沙箱 API 以及 Docker/Kubernetes 运行时。适用于代码智能体、GUI 智能体、智能体评估、AI 代码执行和强化学习训练等场景。
## 功能特性
- **多语言 SDK 支持**:提供 Python、JavaScript/TypeScript、Java/Kotlin 和 Go 客户端 SDK
- **统一的沙箱 API**:为沙箱生命周期、命令执行和文件操作提供一致的接口
- **多种运行时选项**:支持 Docker 和 Kubernetes 运行时
- **安全加固**:内置安全特性,包括能力限制、特权提升防护和资源限制
- **灵活的配置**:支持各种网络模式、资源约束和安全配置
- **代码解释器**:预构建的镜像,支持 Python、Node.js、Java 和 Go 内核
## 快速开始
### 前置要求
- Docker EngineDocker 运行时必需)
- Docker Compose
- 足够的权限访问 Docker socket
> **使用 Colima 的 macOS 用户注意**:您需要在启动 OpenSandbox 之前设置 `DOCKER_HOST` 环境变量:
>
> ```bash
> export DOCKER_HOST="unix://${HOME}/.colima/default/docker.sock"
> ```
### 部署
1. **复制环境文件并根据需要配置:**
```bash
cp .env.example .env
```
2. **编辑 `config.toml` 设置您的 API 密钥:**
```toml
[server]
api_key = "your-secret-api-key-change-this"
```
**重要**:在生产环境中必须更改默认的 API 密钥!
3. **启动服务:**
```bash
docker compose up -d
```
4. **验证服务是否运行:**
```bash
curl http://localhost:8080/health
```
您应该收到成功的健康检查响应。
## 配置
### 环境变量
主要环境变量(完整列表见 [.env.example](.env.example)
| 变量 | 描述 | 默认值 |
| ---------------------------------- | -------------------------- | ----------------------------- |
| `OPENSANDBOX_SERVER_VERSION` | OpenSandbox 服务器镜像版本 | `v1.0.5` |
| `OPENSANDBOX_SERVER_PORT_OVERRIDE` | 主机端口映射 | `8080` |
| `DOCKER_HOST` | Docker socket 路径 | `unix:///var/run/docker.sock` |
| `OPENSANDBOX_SERVER_CPU_LIMIT` | CPU 核心限制 | `2.0` |
| `OPENSANDBOX_SERVER_MEMORY_LIMIT` | 内存限制 | `2G` |
### 服务器配置
主配置文件为 [config.toml](config.toml)。主要配置部分:
- **[server]**HTTP 服务器设置主机、端口、日志级别、API 密钥)
- **[runtime]**:运行时类型和 execd 镜像配置
- **[docker]**Docker 特定设置,包括网络模式和安全选项
#### 网络模式
- **bridge**(推荐):容器拥有隔离的网络,支持多个沙箱
- **host**:容器共享主机网络,一次只能运行一个沙箱实例
#### 安全特性
- **能力限制**:从容器中移除危险的 Linux 能力
- **特权提升防护**:阻止容器内的特权提升
- **进程限制**:控制每个沙箱的最大进程数
- **AppArmor/Seccomp 配置文件**:可选的安全配置文件(留空使用 Docker 默认值)
## 使用方法
### 基本沙箱创建Python SDK
```python
from opensandbox import Sandbox
from datetime import timedelta
# 创建一个代码解释器沙箱
sandbox = await Sandbox.create(
"opensandbox/code-interpreter:v1.0.1",
entrypoint="/opt/opensandbox/code-interpreter.sh",
env={"PYTHON_VERSION": "3.11"},
timeout=timedelta(minutes=10)
)
async with sandbox:
# 执行 Python 代码
result = await sandbox.execute(
"python",
"-c",
"print('Hello from OpenSandbox!')"
)
print(result.stdout)
```
### API 认证
所有 API 请求都需要在 `X-API-Key` 头中包含 `config.toml` 中配置的密钥:
```bash
curl -H "X-API-Key: your-secret-api-key-change-this" \
http://localhost:8080/sandboxes
```
## 预构建镜像
OpenSandbox 提供了几个预构建的沙箱镜像:
- **opensandbox/code-interpreter**多语言代码解释器Python、Node.js、Java、Go
- **opensandbox/vscode**VS Code Server 环境
- **opensandbox/desktop**:支持 VNC 的完整桌面环境
- **opensandbox/playwright**:使用 Playwright 进行浏览器自动化
- **opensandbox/chrome**Chromium 浏览器环境
## 端口
| 端口 | 服务 | 描述 |
| ---- | ------------------ | --------------- |
| 8080 | OpenSandbox Server | HTTP API 服务器 |
## 数据持久化
- **opensandbox_data**:服务器数据和状态
## 健康检查
该服务在 `/health` 端点提供内置的健康检查:
```bash
curl http://localhost:8080/health
```
## 安全注意事项
### Docker Socket 访问
此服务需要访问 Docker socket`/var/run/docker.sock`)以创建和管理沙箱容器。这是一个高权限操作。
**安全影响:**
- 具有 Docker socket 访问权限的容器可能会控制主机系统
- 仅在受信任的环境中部署
- 在生产环境中考虑使用 Docker-in-Docker 或 rootless Docker 以获得额外的隔离
**替代方案:**
- 使用 Kubernetes 运行时而不是 Docker 运行时(需要 Kubernetes 集群)
- 使用受限用户权限和资源配额进行部署
### API 密钥安全
- **切勿在生产环境中使用默认 API 密钥**
- 安全存储 API 密钥(例如,使用 Docker secrets、密钥管理器的环境变量
- 定期轮换 API 密钥
- 限制网络暴露(使用防火墙规则、反向代理)
### 资源限制
始终配置适当的 CPU 和内存限制以防止资源耗尽:
```yaml
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
```
## 故障排除
### Docker Socket 连接问题
**错误**Failed to initialize Docker service
**解决方案**
- 确保 Docker Desktop/Engine 正在运行
- 在使用 Colima 的 macOS 上:设置 `DOCKER_HOST=unix://${HOME}/.colima/default/docker.sock`
- 检查 Docker socket 权限:`ls -l /var/run/docker.sock`
### 健康检查失败
**错误**Health check timeout
**解决方案**
- 检查容器日志:`docker compose logs opensandbox-server`
- 验证服务是否成功启动:`docker compose ps`
- 如果服务需要更多时间初始化,增加 docker-compose.yaml 中的 `start_period`
### 沙箱创建失败
**错误**Failed to create sandbox
**解决方案**
- 确保 execd 镜像可访问:`docker pull opensandbox/execd:v1.0.5`
- 检查可用的系统资源CPU、内存、磁盘空间
- 查看服务器日志以获取详细的错误消息
## 许可证
此项目是 OpenSandbox 套件的一部分。详情请参阅主 [LICENSE](https://github.com/alibaba/OpenSandbox/blob/main/LICENSE) 文件。
## 参考资料
- [OpenSandbox GitHub 仓库](https://github.com/alibaba/OpenSandbox)
- [OpenSandbox 文档](https://github.com/alibaba/OpenSandbox/tree/main/docs)
- [Docker 安全](https://docs.docker.com/engine/security/)
## 支持
如有问题和疑问:
- [GitHub Issues](https://github.com/alibaba/OpenSandbox/issues)
- [官方文档](https://github.com/alibaba/OpenSandbox)

46
apps/opensandbox/config.toml Normal file
View File

@@ -0,0 +1,46 @@
# OpenSandbox Server Configuration
# This is a minimal Docker runtime configuration for running OpenSandbox
[server]
host = "0.0.0.0"
port = 8080
log_level = "INFO"
# IMPORTANT: Change this API key in production!
api_key = "opensandbox-change-this-secret-key"
[runtime]
type = "docker"
# The execd image that will be injected into sandbox containers
execd_image = "opensandbox/execd:v1.0.5"
[docker]
# Network mode for sandbox containers
# - "host": containers share host network (only one sandbox at a time)
# - "bridge": containers have isolated networks (recommended for multiple sandboxes)
network_mode = "bridge"
# Security hardening options
# Drop dangerous capabilities
drop_capabilities = [
"AUDIT_WRITE",
"MKNOD",
"NET_ADMIN",
"NET_RAW",
"SYS_ADMIN",
"SYS_MODULE",
"SYS_PTRACE",
"SYS_TIME",
"SYS_TTY_CONFIG"
]
# Prevent privilege escalation inside containers
no_new_privileges = true
# AppArmor profile (optional, leave empty for Docker default)
apparmor_profile = ""
# Seccomp profile (optional, leave empty for Docker default)
seccomp_profile = ""
# Maximum number of processes per sandbox container
pids_limit = 512

48
apps/opensandbox/docker-compose.yaml Normal file
View File

@@ -0,0 +1,48 @@
# OpenSandbox Docker Compose Configuration
# A general-purpose sandbox platform for AI applications
# Provides multi-language SDKs, unified sandbox APIs, and Docker/Kubernetes runtimes
x-defaults: &defaults
restart: unless-stopped
logging:
driver: json-file
options:
max-size: 100m
max-file: "3"
services:
opensandbox-server:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}opensandbox/server:${OPENSANDBOX_SERVER_VERSION:-v1.0.5}
ports:
- "${OPENSANDBOX_SERVER_PORT_OVERRIDE:-8080}:8080"
volumes:
# Mount Docker socket to enable sandbox creation
- /var/run/docker.sock:/var/run/docker.sock
# Configuration file
- ./config.toml:/etc/opensandbox/config.toml:ro
# Data persistence
- opensandbox_data:/app/data
environment:
- TZ=${TZ:-UTC}
# Server configuration
- SANDBOX_CONFIG_PATH=/etc/opensandbox/config.toml
# Docker runtime settings (override config.toml via env vars if needed)
- DOCKER_HOST=${DOCKER_HOST:-unix:///var/run/docker.sock}
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
deploy:
resources:
limits:
cpus: ${OPENSANDBOX_SERVER_CPU_LIMIT:-2.0}
memory: ${OPENSANDBOX_SERVER_MEMORY_LIMIT:-2G}
reservations:
cpus: ${OPENSANDBOX_SERVER_CPU_RESERVATION:-1.0}
memory: ${OPENSANDBOX_SERVER_MEMORY_RESERVATION:-1G}
volumes:
opensandbox_data:

2
src/elasticsearch/.env.example
View File

@@ -1,5 +1,5 @@
# Elasticsearch version
ELASTICSEARCH_VERSION=9.2.0
ELASTICSEARCH_VERSION=9.3.0
# Timezone
TZ=UTC

5
src/elasticsearch/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
elasticsearch:
<<: *defaults
image: docker.elastic.co/elasticsearch/elasticsearch-wolfi:${ELASTICSEARCH_VERSION:-9.2.0}
image: docker.elastic.co/elasticsearch/elasticsearch-wolfi:${ELASTICSEARCH_VERSION:-9.3.0}
ports:
- "${ELASTICSEARCH_HTTP_PORT_OVERRIDE:-9200}:9200"
- "${ELASTICSEARCH_TRANSPORT_PORT_OVERRIDE:-9300}:9300"
@@ -42,7 +42,8 @@ services:
cpus: ${ELASTICSEARCH_CPU_RESERVATION:-0.50}
memory: ${ELASTICSEARCH_MEMORY_RESERVATION:-1G}
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:9200/_cluster/health || exit 1"]
test:
["CMD-SHELL", "curl -f http://localhost:9200/_cluster/health || exit 1"]
interval: 30s
timeout: 10s
retries: 5

2
src/gitlab/.env.example
View File

@@ -1,5 +1,5 @@
# GitLab Version
GITLAB_VERSION=18.4.0-ce.0
GITLAB_VERSION=18.8.3-ce.0
# GitLab ports
GITLAB_PORT_OVERRIDE_HTTPS=5443

2
src/gitlab/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
gitlab:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}gitlab/gitlab-ce:${GITLAB_VERSION:-18.4.0-ce.0}
image: ${GLOBAL_REGISTRY:-}gitlab/gitlab-ce:${GITLAB_VERSION:-18.8.3-ce.0}
ports:
- "${GITLAB_PORT_OVERRIDE_HTTPS:-5443}:443"
- "${GITLAB_PORT_OVERRIDE_HTTP:-5080}:80"

2
src/grafana/.env.example
View File

@@ -1,7 +1,7 @@
# Grafana Environment Variables
# Grafana image version
GRAFANA_VERSION=12.1.1
GRAFANA_VERSION=12.3.2
# Host port mapping (maps to Grafana port 3000 in container)
GRAFANA_PORT_OVERRIDE=3000

12
src/grafana/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
grafana:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}grafana/grafana:${GRAFANA_VERSION:-12.1.1}
image: ${GLOBAL_REGISTRY:-}grafana/grafana:${GRAFANA_VERSION:-12.3.2}
ports:
- "${GRAFANA_PORT_OVERRIDE:-3000}:3000"
volumes:
@@ -37,7 +37,15 @@ services:
cpus: ${GRAFANA_CPU_RESERVATION:-0.25}
memory: ${GRAFANA_MEMORY_RESERVATION:-256M}
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/api/health"]
test:
[
"CMD",
"wget",
"--no-verbose",
"--tries=1",
"--spider",
"http://localhost:3000/api/health",
]
interval: 30s
timeout: 10s
retries: 3

2
src/jenkins/.env.example
View File

@@ -1,5 +1,5 @@
# Jenkins version
JENKINS_VERSION=2.486-lts-jdk17
JENKINS_VERSION=2.541-lts-jdk17
# Timezone
TZ=UTC

2
src/jenkins/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
jenkins:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}jenkins/jenkins:${JENKINS_VERSION:-2.486-lts-jdk17}
image: ${GLOBAL_REGISTRY:-}jenkins/jenkins:${JENKINS_VERSION:-2.541-lts-jdk17}
ports:
- "${JENKINS_HTTP_PORT_OVERRIDE:-8080}:8080"
- "${JENKINS_AGENT_PORT_OVERRIDE:-50000}:50000"

1
src/minio/docker-compose.yaml
View File

@@ -35,6 +35,5 @@ services:
cpus: ${MINIO_CPU_RESERVATION:-0.25}
memory: ${MINIO_MEMORY_RESERVATION:-512M}
volumes:
minio_data:

2
src/nginx/.env.example
View File

@@ -1,5 +1,5 @@
# Nginx version
NGINX_VERSION=1.29.2-alpine3.22
NGINX_VERSION=1.28.2-alpine3.22
# Timezone
TZ=UTC

12
src/nginx/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
nginx:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}nginx:${NGINX_VERSION:-1.29.2-alpine3.22}
image: ${GLOBAL_REGISTRY:-}nginx:${NGINX_VERSION:-1.28.2-alpine3.22}
ports:
- "${NGINX_HTTP_PORT_OVERRIDE:-80}:80"
- "${NGINX_HTTPS_PORT_OVERRIDE:-443}:443"
@@ -34,7 +34,15 @@ services:
cpus: ${NGINX_CPU_RESERVATION:-0.25}
memory: ${NGINX_MEMORY_RESERVATION:-64M}
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:80/"]
test:
[
"CMD",
"wget",
"--no-verbose",
"--tries=1",
"--spider",
"http://localhost:80/",
]
interval: 30s
timeout: 10s
retries: 3

2
src/ollama/.env.example
View File

@@ -1,5 +1,5 @@
# Ollama Version
OLLAMA_VERSION=0.12.10
OLLAMA_VERSION=0.14.3
# Port to bind to on the host machine
OLLAMA_PORT_OVERRIDE=11434

16
src/ollama/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
ollama:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}ollama/ollama:${OLLAMA_VERSION:-0.12.10}
image: ${GLOBAL_REGISTRY:-}ollama/ollama:${OLLAMA_VERSION:-0.14.3}
ports:
- "${OLLAMA_PORT_OVERRIDE:-11434}:11434"
volumes:
@@ -18,7 +18,15 @@ services:
- TZ=${TZ:-UTC}
ipc: host
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:11434/"]
test:
[
"CMD",
"wget",
"--no-verbose",
"--tries=1",
"--spider",
"http://localhost:11434/",
]
interval: 30s
timeout: 10s
retries: 3
@@ -33,8 +41,8 @@ services:
memory: ${OLLAMA_MEMORY_RESERVATION:-4G}
devices:
- driver: nvidia
device_ids: [ '0' ]
capabilities: [ gpu ]
device_ids: ["0"]
capabilities: [gpu]
volumes:
ollama_models:

2
src/prometheus/.env.example
View File

@@ -1,7 +1,7 @@
# Prometheus Environment Variables
# Prometheus image version
PROMETHEUS_VERSION=v3.5.0
PROMETHEUS_VERSION=v3.5.1
# Host port mapping (maps to Prometheus port 9090 in container)
PROMETHEUS_PORT_OVERRIDE=9090

30
src/prometheus/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
prometheus:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}prom/prometheus:${PROMETHEUS_VERSION:-v3.5.0}
image: ${GLOBAL_REGISTRY:-}prom/prometheus:${PROMETHEUS_VERSION:-v3.5.1}
ports:
- "${PROMETHEUS_PORT_OVERRIDE:-9090}:9090"
volumes:
@@ -19,15 +19,15 @@ services:
# - ./prometheus.yml:/etc/prometheus/prometheus.yml
# - ./rules:/etc/prometheus/rules
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
- '--web.console.libraries=/etc/prometheus/console_libraries'
- '--web.console.templates=/etc/prometheus/consoles'
- '--storage.tsdb.retention.time=${PROMETHEUS_RETENTION_TIME:-15d}'
- '--storage.tsdb.retention.size=${PROMETHEUS_RETENTION_SIZE:-}'
- '--web.enable-lifecycle'
- '--web.enable-admin-api'
- '--web.external-url=${PROMETHEUS_EXTERNAL_URL:-http://localhost:9090}'
- "--config.file=/etc/prometheus/prometheus.yml"
- "--storage.tsdb.path=/prometheus"
- "--web.console.libraries=/etc/prometheus/console_libraries"
- "--web.console.templates=/etc/prometheus/consoles"
- "--storage.tsdb.retention.time=${PROMETHEUS_RETENTION_TIME:-15d}"
- "--storage.tsdb.retention.size=${PROMETHEUS_RETENTION_SIZE:-}"
- "--web.enable-lifecycle"
- "--web.enable-admin-api"
- "--web.external-url=${PROMETHEUS_EXTERNAL_URL:-http://localhost:9090}"
environment:
- TZ=${TZ:-UTC}
- PROMETHEUS_RETENTION_TIME=${PROMETHEUS_RETENTION_TIME:-15d}
@@ -42,7 +42,15 @@ services:
cpus: ${PROMETHEUS_CPU_RESERVATION:-0.25}
memory: ${PROMETHEUS_MEMORY_RESERVATION:-512M}
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9090/-/healthy"]
test:
[
"CMD",
"wget",
"--no-verbose",
"--tries=1",
"--spider",
"http://localhost:9090/-/healthy",
]
interval: 30s
timeout: 10s
retries: 3

2
src/rabbitmq/.env.example
View File

@@ -1,5 +1,5 @@
# RabbitMQ Version
RABBITMQ_VERSION=4.1.4-management-alpine
RABBITMQ_VERSION=4.2.3-management-alpine
# RabbitMQ credentials
RABBITMQ_DEFAULT_USER=admin

2
src/rabbitmq/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ x-defaults: &defaults
services:
rabbitmq:
<<: *defaults
image: ${GLOBAL_REGISTRY:-}rabbitmq:${RABBITMQ_VERSION:-4.1.4-management-alpine}
image: ${GLOBAL_REGISTRY:-}rabbitmq:${RABBITMQ_VERSION:-4.2.3-management-alpine}
volumes:
- rabbitmq_data:/var/lib/rabbitmq
ports: