Create sandbox event endpoint and handlers

[0div]

Description

We currently do not have a way to send events from inside a sandbox and programmatically handle them from the host, this is an attempt to solve that.

Setup networking in sandbox that routes http://events.e2b.dev requests to a server listening in orchestrator with customizable handlers.

• add internal routing (/etc/hosts) in sandbox
• add ip table rule to route sbx event requests to event server
• parametrize event handler registering for event server
• appends events to redis sorted set
• abstract event store interface with getters and setters
• track sandbox IPs via store on sandbox resume
• use it to map back to sandbox ID in event handler
• wire to ClickHouse
• build API routes to fetch events

Test

[infra]
$ make build-and-upload/envd
$ make build-and-upload/template-manager
$ make build-and-upload/orchestrator
$ make plan
$ make apply 

[E2B/template/base]
$ e2b template build

[Sandbox]
$ e2b sbx sp base
user@e2b:~$ curl -X POST http://events.e2b.dev/test -d '{"your": "data"}'

{"event_ack": true, "path": "/test"}

user@e2b:~$ curl -X GET http://events.e2b.dev

[{"path":"/test","body":{"your": "data"}}]

[linear]

E2B-2486 Create internal sandbox event endpoint

[dobrac]

use different IP than 8.8.8.7, I guess any IP from these should be more appropriate:

var blockedRanges = []string{
	"10.0.0.0/8",
	"169.254.0.0/16",
	"192.168.0.0/16",
	"172.16.0.0/12",
}

[0div]

ideally yes, i first tried private IPs, they don't leave the sandbox through the network bridge with current setup, i'd have to figure out a way to route one of the private ones this way.

[dobrac]

just note, these ranges are blocked by default, you need to enable the target IP address (maybe that might be why you haven't seen them routed)

[sitole]

Can we maybe not use public IP, but something like metadata IP used by envd for accessing Firecracker VM metadata?

[sitole]

More details on why Firecracker and cloud providers are using 169.254/16 https://datatracker.ietf.org/doc/html/rfc3927

[sitole]

Perhaps provide the domain as an environment variable via envd so we are not locked into it for the future? Then does not matter what domain we will use now

[dobrac]

It does matter in a sense where it will be encoded in all envds

[sitole]

It does matter in a sense where it will be encoded in all envds

That was my point with Perhaps provide the domain as an environment variable via envd so we are not locked into it for the future

[dobrac]

Oh, you mean through MMDS, not environment variable, correct?

[sitole]

Yes, sorry for confusion

[dobrac]

Also, how will we handle events like sandbox creation, deletion, etc? Basically events emitted from outside of the sandbox

[0div]

Also, how will we handle events like sandbox creation, deletion, etc? Basically events emitted from outside of the sandbox

This is not meant to replace events emitted from outside the sandbox.

[dobrac]

I've meant that we don't have events emitted from the outside, so the question is if it maybe makes sense to have it united

[0div]

I've meant that we don't have events emitted from the outside, so the question is if it maybe makes sense to have it united

any event that can be listened to from the outside should continue to be—especially if it's uncertain the VM is running—any event we would have to poll for inside the sandbox ideally shouldn't.

[sitole]

What about running Gin here so we can use a strict Golang client in envd and track all version changes?

[0div]

sure, we can use gin, but i'm not sure it's more strict than the std lib and also what do u mean by tracking version changes in this case?

[sitole]

but i'm not sure it's more strict than the std lib and also what do u mean by tracking version changes in this case?

I was thinking that the "metrics server" can be Gin-backed by the OpenAPI scheme, as we are using for the API, so all breaking changes will be clear (because of the re-generated schema). You will also be able to use the generated Go client from EnvD to call metrics service endpoints.

[sitole]

The point was just make it strong types on both caller and receiver

[jakubno]

Agree with @sitole

[sitole]

Why can we not directly get the sandbox from the orchestrator cache and get the slot IP on it?

[0div]

Correct me if i'm wrong but that map uses sandbox ID as key? in my use case I need sandbox IP as key to get the ID.

[sitole]

Yes, you are right. But still, using Redis may not be needed here? You don't need to share state to a 3rd party service, because you will always receive requests just from sandboxes that are managed by the orchestrator itself, right? This way on Orchestrator, you should always know about all sandboxes without fetching them from Redis.

Probably there will be <300 sandboxes, which means the sandboxes map is not that big to iterate it every time you need to find an IP in it. The number of sandboxes will probably not grow, because of networking, memory, and CPU limitations. If you feel that it can be issue, then we can do some pattern that will create in-memory map "sbx ip -> sbx id" and make it synced with sandboxes map.

[jakubno]

Agree with @sitole here

[sitole]

Lets make IP constant in some shared package

[0div]

Yeah, i was gonna introduce a consts.go like in other packages.

[jakubno]

Will we use redis or clickhouse here?

[jakubno]

do we want to bake in into the template? Can't we use a mmds server here?

[jakubno]

why do you use TEST-NET-3 here?

[jakubno]

Agree with @sitole

[sitole]

@0div is there some update?

I would like to use the sandbox -> orchestrator HTTP server you introduced here.
I'm thinking we could split it into separate PRs to make the review quicker?

[0div]

@0div is there some update?

I would like to use the sandbox -> orchestrator HTTP server you introduced here. I'm thinking we could split it into separate PRs to make the review quicker?

@sitole , i put this back as draft bc i would start using it once i can consume it with the webhooks system i'm implenting.
What do you need this for exactly and how urgent do you need it?