fix(executor): mount writable tmpfs over ~/.cache (alt to #135 env redirect)#137
Draft
las7 wants to merge 1 commit into
Draft
fix(executor): mount writable tmpfs over ~/.cache (alt to #135 env redirect)#137las7 wants to merge 1 commit into
las7 wants to merge 1 commit into
Conversation
…rect Alternative to the #135 cache fix. Instead of redirecting XDG_CACHE_HOME / MPLCONFIGDIR to /tmp from the entrypoint, mount a writable tmpfs directly over the sandbox user's ~/.cache in the container run args: --tmpfs=/home/sandbox/.cache:rw,...,mode=1777,size=<cache_tmpfs_size> Why this is cleaner: - Caches live at their conventional path, so libraries that hardcode ~/.cache and ignore XDG_CACHE_HOME also work, no per-variable allowlist to maintain. - mode=1777 lets the dropped sandbox user write without CAP_CHOWN (the container runs --cap-drop=ALL keeping only SETUID/SETGID), so it does not depend on the entrypoint chown that #135 used. - Dedicated, independently configurable size (container_limits.cache_tmpfs_size, default 256m) that does not compete with /tmp's budget. The --read-only root filesystem is unchanged; this only adds one bounded, ephemeral writable mount (same class as the existing /tmp tmpfs). Applied to both the server CodeExecutor and the library Sandbox via their run-arg builders. entrypoint keeps a single MPLCONFIGDIR line for matplotlib's config dir, which lives outside ~/.cache. Docs and config reference updated. Trade-off vs #135: this is a container-arg/config change (worker.py, sandbox.py, config.py) rather than a 4-line entrypoint edit. It still does not make large ML model downloads persist, /tmp and ~/.cache are both RAM-backed and ephemeral; pre-staging remains the answer for those. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Draft for side-by-side comparison with the merged cache fix (#135). Same goal,
different mechanism. Not meant to auto-merge: pick one approach.
The two approaches
entrypoint.shexportsXDG_CACHE_HOME/MPLCONFIGDIR->/tmp/.cache~/.cacheitself in the run args/tmp(shared with site-packages etc.)/home/sandbox/.cachetmpfsXDG_CACHE_HOMEand hardcode~/.cachechown(needs CAP_CHOWN, which--cap-drop=ALLremoves)mode=1777, no chown needed/tmpbudgetcontainer_limits.cache_tmpfs_size(default 256m)Why I think the tmpfs-over-
~/.cachemechanism is cleaner~/.cache, not justthe XDG-aware ones we enumerated.
mode=1777lets the unprivileged sandbox user write withoutCAP_CHOWN. Thecontainer runs
--cap-drop=ALLkeeping only SETUID/SETGID (docker.py), so fix(executor): redirect lib cache dirs to writable /tmp + document filesystem/cache model #135'sentrypoint
chown -R sandbox:sandboxis on shaky ground; this sidesteps it./tmp.Security
Unchanged posture. The
--read-onlyroot filesystem stays read-only; this adds onebounded, ephemeral writable mount, the same class of thing as the existing
/tmptmpfs. It does not make the image writable. The mount mirrors
/tmp's exec policy(exec only when runtime deps are installed on the server path).
Scope / honesty
CodeExecutorand librarySandbox) viatheir run-arg builders, so they cannot drift.
entrypoint.shkeeps a singleMPLCONFIGDIRline, matplotlib's config dir livesoutside
~/.cache./tmpand~/.cacheareboth RAM-backed and wiped per run). Pre-staging remains the answer for those; see the
updated
docs/guide/filesystem-and-caches.md.ruffclean, config + isolation/sandbox tests pass (138 passed, 10 skipped).Not runtime-verified end-to-end, confirming the tmpfs mount + library writes needs
an executor image rebuild + container run (same deploy caveat as fix(executor): redirect lib cache dirs to writable /tmp + document filesystem/cache model #135).
If we take this, we should revert the #135 entrypoint redirect (this PR already removes it).
🤖 Generated with Claude Code