alexsun/compose-anything
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e263ddf0841ac63f0d57fd313e932ce2dc01c091
compose-anything/builds/microsandbox/docker-compose.yaml
copilot-swe-agent[bot] e263ddf084 Apply @appcypher's recommendations for microsandbox Docker configuration 
Co-authored-by: Sun-ZhenXing <44517244+Sun-ZhenXing@users.noreply.github.com>
2026-01-15 07:43:19 +00:00

78 lines
2.4 KiB
YAML
Raw Blame History

# Docker Compose Configuration for MicroSandbox
# KVM-based secure sandbox environment
# https://github.com/zerocore-ai/microsandbox
x-defaults: &defaults
restart: unless-stopped
logging:
driver: json-file
options:
max-size: 100m
max-file: "3"
services:
microsandbox:
<<: *defaults
build:
context: .
dockerfile: Dockerfile
platforms:
- linux/amd64
- linux/arm64
args:
- DEBIAN_VERSION=${DEBIAN_VERSION:-13.2-slim}
- MICROSANDBOX_VERSION=${MICROSANDBOX_VERSION:-}
- MICROSANDBOX_AUTO_PULL_IMAGES=${MICROSANDBOX_AUTO_PULL_IMAGES:-true}
image: ${GLOBAL_REGISTRY:-ghcr.io/zerocore-ai/}microsandbox:${MICROSANDBOX_VERSION:-latest}
ports:
- "${MICROSANDBOX_PORT_OVERRIDE:-5555}:${MICROSANDBOX_PORT:-5555}"
# Privileged mode and relaxed security profiles are required for KVM access
# This provides hardware-level isolation inside the container
# See README.md for security considerations
privileged: true
security_opt:
- apparmor=unconfined
- seccomp=unconfined
environment:
- TZ=${TZ:-UTC}
- MICROSANDBOX_HOME=/root/.microsandbox
volumes:
# Store namespace configurations and VM state
- microsandbox_namespaces:/root/.microsandbox/namespaces
# Working directory for sandbox operations
- microsandbox_workspace:/workspace
devices:
# KVM device for hardware-accelerated virtualization
- /dev/kvm:/dev/kvm
# TUN device for network tunneling (TAP/TUN interfaces)
- /dev/net/tun:/dev/net/tun
command:
- /bin/sh
- -c
- >
if [ "$${MICROSANDBOX_DEV_MODE:-true}" = "true" ]; then
DEV_FLAG="--dev";
else
DEV_FLAG="";
fi;
exec server start --host 0.0.0.0 --port $${MICROSANDBOX_PORT:-5555} $${DEV_FLAG};
working_dir: /workspace
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:${MICROSANDBOX_PORT:-5555}/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
deploy:
resources:
limits:
cpus: ${MICROSANDBOX_CPU_LIMIT:-4}
memory: ${MICROSANDBOX_MEMORY_LIMIT:-4G}
reservations:
cpus: ${MICROSANDBOX_CPU_RESERVATION:-1}
memory: ${MICROSANDBOX_MEMORY_RESERVATION:-1G}
volumes:
microsandbox_namespaces:
microsandbox_workspace:
Reference in New Issue View Git Blame Copy Permalink