Remove sandbox mode

Author: runabol

README.md

@@ -53,7 +53,6 @@ Tork is a highly-scalable, general-purpose workflow engine.
 - [For-Each Task](https://www.tork.run/tasks#each-task)
 - [Subjob Task](https://www.tork.run/tasks#sub-job-task)
 - [Task Priority](https://www.tork.run/tasks#priority)
-- [Sandbox Mode](https://www.tork.run/runtime#sandbox-mode-experimental)
 - [Secrets](https://www.tork.run/tasks#secrets)
 - [Scheduled Jobs](https://tork.run/jobs#scheduled-jobs)
 - [Web UI](https://www.tork.run/web-ui)

configs/sample.config.toml

@@ -119,8 +119,5 @@ gid = ""             # set the gid for the the task process (recommended)
 
 [runtime.docker]
 config = ""
-sandbox = false
-busybox.image = "busybox:stable"
 
 [runtime.podman]
-sandbox = false

engine/worker.go

@@ -76,8 +76,6 @@ func (e *Engine) initRuntime() (runtime.Runtime, error) {
 			docker.WithMounter(mounter),
 			docker.WithConfig(conf.String("runtime.docker.config")),
 			docker.WithBroker(e.brokerRef),
-			docker.WithSandbox(conf.BoolDefault("runtime.docker.sandbox", false)),
-			docker.WithBusyboxImage(conf.StringDefault("runtime.docker.busybox.image", "busybox:stable")),
 		)
 	case runtime.Shell:
 		return shell.NewShellRuntime(shell.Config{
@@ -101,7 +99,6 @@ func (e *Engine) initRuntime() (runtime.Runtime, error) {
 		return podman.NewPodmanRuntime(
 			podman.WithBroker(e.brokerRef),
 			podman.WithMounter(mounter),
-			podman.WithSandbox(conf.BoolDefault("runtime.podman.sandbox", false)),
 		), nil
 	default:
 		return nil, errors.Errorf("unknown runtime type: %s", runtimeType)

go.mod

@@ -21,7 +21,6 @@ require (
 	github.com/labstack/echo/v4 v4.13.3
 	github.com/lib/pq v1.10.9
 	github.com/lithammer/shortuuid/v4 v4.0.0
-	github.com/moby/moby v27.0.3+incompatible
 	github.com/pkg/errors v0.9.1
 	github.com/rabbitmq/amqp091-go v1.9.0
 	github.com/robfig/cron/v3 v3.0.1
@@ -40,7 +39,6 @@ require (
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/containerd/containerd v1.7.18 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -59,7 +57,6 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/jonboulle/clockwork v0.4.0 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/knadh/koanf/maps v0.1.1 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/labstack/gommon v0.4.2 // indirect
@@ -71,9 +68,6 @@ require (
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect

go.sum

@@ -1,14 +1,10 @@
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/containerd/containerd v1.7.18 h1:jqjZTQNfXGoEaZdW1WwPU0RqSn1Bm2Ay/KJPUuO8nao=
-github.com/containerd/containerd v1.7.18/go.mod h1:IYEk9/IO6wAPUz2bCMVUbsfXjzw5UNP5fLz4PsUygQ4=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
@@ -78,8 +74,6 @@ github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST
 github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/knadh/koanf/maps v0.1.1 h1:G5TjmUh2D7G2YWf5SQQqSiHRJEjaicvU0KpypqB3NIs=
 github.com/knadh/koanf/maps v0.1.1/go.mod h1:npD/QZY3V6ghQDdcQzl1W4ICNVTkohC8E73eI2xW4yI=
 github.com/knadh/koanf/parsers/toml v0.1.0 h1:S2hLqS4TgWZYj4/7mI5m1CQQcWurxUz6ODgOub/6LCI=
@@ -126,14 +120,6 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/moby v27.0.3+incompatible h1:lnUi7z7EFl1VkcahJOdvkI5QDEHJyib4CHbQK3MCQsw=
-github.com/moby/moby v27.0.3+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
-github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
-github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
-github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -269,7 +255,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13 h1:vlzZttNJGVqTsRFU9AmdnrcO1Znh8Ew9kCD//yjigk0=
 google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de h1:jFNzHPIeuzhdRwVhbZdiym9q0ory/xY3sA+v2wPg8I0=
 google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda h1:LI5DOvAxUPMv/50agcLLoo+AdWc1irS9Rzz4vPuD1V4=

runtime/docker/docker.go

@@ -11,7 +11,6 @@ import (
 	"io"
 	"math/big"
 	"os"
-	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -38,22 +37,17 @@ import (
 // defaultWorkdir is the directory where `Task.File`s are
 // written to by default, should `Task.Workdir` not be set
 const (
-	defaultWorkdir     = "/tork/workdir"
-	defaultSandboxUser = "1000:1000"
+	defaultWorkdir = "/tork/workdir"
 )
 
-var rootUserPattern = regexp.MustCompile(`^(|root|0|root(:root)?|root:0|0:root|0:0)$`)
-
 type DockerRuntime struct {
-	client       *client.Client
-	tasks        *syncx.Map[string, string]
-	images       *syncx.Map[string, bool]
-	pullq        chan *pullRequest
-	mounter      runtime.Mounter
-	broker       broker.Broker
-	config       string
-	sandbox      bool
-	busyboxImage string
+	client  *client.Client
+	tasks   *syncx.Map[string, string]
+	images  *syncx.Map[string, bool]
+	pullq   chan *pullRequest
+	mounter runtime.Mounter
+	broker  broker.Broker
+	config  string
 }
 
 type dockerLogsReader struct {
@@ -93,18 +87,6 @@ func WithConfig(config string) Option {
 	}
 }
 
-func WithSandbox(val bool) Option {
-	return func(rt *DockerRuntime) {
-		rt.sandbox = val
-	}
-}
-
-func WithBusyboxImage(name string) Option {
-	return func(rt *DockerRuntime) {
-		rt.busyboxImage = name
-	}
-}
-
 func NewDockerRuntime(opts ...Option) (*DockerRuntime, error) {
 	dc, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
@@ -119,9 +101,6 @@ func NewDockerRuntime(opts ...Option) (*DockerRuntime, error) {
 	for _, o := range opts {
 		o(rt)
 	}
-	if rt.busyboxImage == "" {
-		rt.busyboxImage = "busybox:stable"
-	}
 	// setup a default mounter
 	if rt.mounter == nil {
 		vmounter, err := NewVolumeMounter()
@@ -142,16 +121,6 @@ func (d *DockerRuntime) Run(ctx context.Context, t *tork.Task) error {
 		if err != nil {
 			return err
 		}
-		if d.sandbox && mnt.Type == tork.MountTypeVolume {
-			// add a pre-task to adjust volume permissions
-			// to allow access to the tork user
-			t.Pre = append([]*tork.Task{{
-				Internal: true,
-				Image:    d.busyboxImage,
-				CMD:      []string{"sh", "-c", fmt.Sprintf("chmod 777 %s", mnt.Target)},
-				Mounts:   []tork.Mount{mnt},
-			}}, t.Pre...)
-		}
 		defer func(m tork.Mount) {
 			uctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
 			defer cancel()
@@ -307,18 +276,6 @@ func (d *DockerRuntime) doRun(ctx context.Context, t *tork.Task, logger io.Write
 		Cmd:        cmd,
 		Entrypoint: entrypoint,
 	}
-	if d.sandbox && !t.Internal {
-		imageInspect, _, err := d.client.ImageInspectWithRaw(ctx, t.Image)
-		if err != nil {
-			return err
-		}
-		user := imageInspect.Config.User
-		if rootUserPattern.MatchString(user) {
-			// set a sandboxed (non-root) user
-			// only if the default user is root
-			containerConf.User = defaultSandboxUser
-		}
-	}
 	// we want to override the default
 	// image WORKDIR only if the task
 	// introduces work files _or_ if the