feat(microsandbox driver): env knobs for DNS rebind protection and VM size#91
Draft
zhuanyongxigua wants to merge 2 commits into
Conversation
…d VM size

Add three optional env-driven config knobs to the microsandbox driver, all off/default unless explicitly set:

- MICROSANDBOX_DISABLE_DNS_REBIND_PROTECTION: when true, disables the microVM DNS rebind protection so guests can resolve names that point at private/internal IPs (e.g. an internal container registry). Needed for internal deployments that must docker pull / apt from private hosts.
- MICROSANDBOX_MEMORY_MIB / MICROSANDBOX_CPUS: override the microVM size above the SDK defaults (512MiB / 1 CPU), which are too small for docker-in-VM workloads such as pulling large images or building from a container (they OOM/stall). Zero means keep the SDK default.

Wires them into CreateSandbox via WithNetwork(DNS.RebindProtection), WithMemory and WithCPUs.
…volume

- Loader scripts can now set per-run microVM size: memoryMib / cpus options on scheduler.shell / scheduler.exec / scheduler.agent thread down to the session and override the global MICROSANDBOX_MEMORY_MIB / MICROSANDBOX_CPUS defaults (0 = use default).
- Optionally mount a disk-backed named volume (kind=disk) at /var/lib/docker via MICROSANDBOX_DOCKER_DATA_SIZE_GB (+ MICROSANDBOX_DOCKER_DATA_PATH). One volume per session. The guest root is virtiofs, on which the kernel rejects overlayfs (docker's default storage driver); a disk-backed ext4 volume keeps docker's overlay off the virtiofs root. Uses SDK Mount.NamedWith(kind=disk), off by default.
Background
While running docker-in-VM / pulling images from the internal network on a self-hosted agent-compose (microsandbox driver), I found the driver was missing two kinds of configuration options, which left networking and resources inside the VM unusable. This PR adds three env switches, all defaulting to off / the default value; when not set, behaviour is completely unchanged.
Changes
pkg/config/config.go + pkg/driver/microsandbox_runtime.go:
- MICROSANDBOX_DISABLE_DNS_REBIND_PROTECTION (bool, default false): when true, turns off the microVM's DNS rebind protection so the guest can resolve internal domain names to private IPs (e.g. an internal container registry). Required in internal deployments where the VM has to docker pull / apt from private hosts. → WithNetwork(... DNS.RebindProtection=false)
- MICROSANDBOX_MEMORY_MIB / MICROSANDBOX_CPUS (default 0 = use the SDK default of 512MiB / 1 CPU): raise the microVM spec. The SDK defaults are too small for docker-in-VM workloads (pulling large images, building inside a container) and OOM / hang. → WithMemory / WithCPUs
Verified in practice (dev180, msb 0.5.8)
getent resolves internal domain names, and docker pull of internal / portus images succeeds (the VM launch parameters show "rebind_protection":false). MemTotal: 8157564kB, nproc: 4, enough to pull a 4.5GB image and build inside a container.
Compatibility
All three switches leave existing behaviour unchanged by default (no env set → the original AllowAll() + SDK default spec). gofmt clean.
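As an added example (not code from this PR or from the microsandbox SDK), the knob-resolution rules that the commit messages and the description above describe: per-run memoryMib / cpus beat the global MICROSANDBOX_MEMORY_MIB / MICROSANDBOX_CPUS, 0 at either level means the SDK default (512MiB / 1 CPU), and the rebind-protection knob fails closed on junk input instead of silently disabling protection. The function names, the env map argument and the constructed sample values are assumptions; the SDK calls WithMemory / WithCPUs / WithNetwork are not invoked.

```go
package main
import "fmt"
import "strconv"

// pick returns the first positive value: per-run option > global env knob > SDK default.
func pick(vals ...int) int {
	for _, v := range vals {
		if v > 0 {
			return v
		}
	}
	return 0
}

// ResolveSize merges loader-script options (memoryMib / cpus, 0 = unset) with the global env knobs and the SDK defaults (512 MiB, 1 CPU).
func ResolveSize(env map[string]string, perRunMem, perRunCPUs int) (int, int, error) {
	global := map[string]int{}
	for _, key := range []string{"MICROSANDBOX_MEMORY_MIB", "MICROSANDBOX_CPUS"} {
		if env[key] == "" {
			continue // unset or empty: keep the default
		}
		v, err := strconv.Atoi(env[key])
		if err != nil || v < 0 {
			return 0, 0, fmt.Errorf("%s: want non-negative integer, got %q", key, env[key])
		}
		global[key] = v
	}
	return pick(perRunMem, global["MICROSANDBOX_MEMORY_MIB"], 512), pick(perRunCPUs, global["MICROSANDBOX_CPUS"], 1), nil
}

// RebindProtection yields the DNS.RebindProtection value: it stays on unless the knob parses as true; an unparsable value is an error, not "off".
func RebindProtection(env map[string]string) (bool, error) {
	raw := env["MICROSANDBOX_DISABLE_DNS_REBIND_PROTECTION"]
	if raw == "" {
		return true, nil
	}
	disable, err := strconv.ParseBool(raw)
	if err != nil {
		return true, fmt.Errorf("MICROSANDBOX_DISABLE_DNS_REBIND_PROTECTION: %w", err)
	}
	return !disable, nil
}

func main() {
	env := map[string]string{"MICROSANDBOX_MEMORY_MIB": "4096", "MICROSANDBOX_CPUS": "4"} // constructed sample env
	mem, cpus, _ := ResolveSize(env, 0, 2) // per-run cpus=2 beats the global 4
	on, _ := RebindProtection(env)
	fmt.Println(mem, cpus, on) // 4096 2 true
}
```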