test: enforce strict replay sandboxing in e2e fixtures

Author: sohankshirsagar

drift/instrumentation/aiohttp/e2e-tests/.tusk/config.yaml

@@ -25,4 +25,6 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict
 

drift/instrumentation/aiohttp/e2e-tests/docker-compose.yml

@@ -14,6 +14,11 @@ services:
       dockerfile: drift/instrumentation/aiohttp/e2e-tests/Dockerfile
       args:
         - TUSK_CLI_VERSION=${TUSK_CLI_VERSION:-latest}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
     environment:
       - PORT=8000
       - TUSK_ANALYTICS_DISABLED=1

drift/instrumentation/django/e2e-tests/.tusk/config.yaml

@@ -25,3 +25,5 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict

drift/instrumentation/django/e2e-tests/docker-compose.yml

@@ -14,6 +14,11 @@ services:
       dockerfile: drift/instrumentation/django/e2e-tests/Dockerfile
       args:
         - TUSK_CLI_VERSION=${TUSK_CLI_VERSION:-latest}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
     environment:
       - PORT=8000
       - TUSK_ANALYTICS_DISABLED=1

drift/instrumentation/e2e_common/Dockerfile.base

@@ -3,7 +3,7 @@
 # This base image contains:
 # - Python 3.9 (minimum supported version)
 # - Tusk CLI (for running replay tests)
-# - System utilities (curl, postgresql-client)
+# - System utilities (curl, postgresql-client, socat, bubblewrap)
 #
 # Build this image before running e2e tests:
 #   docker build -t python-e2e-base:latest -f drift/instrumentation/e2e-common/Dockerfile.base .
@@ -12,38 +12,40 @@ FROM python:3.9-slim
 
 # Install system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl \
-    postgresql-client \
-    && rm -rf /var/lib/apt/lists/*
+  curl \
+  postgresql-client \
+  socat \
+  bubblewrap \
+  && rm -rf /var/lib/apt/lists/*
 
 # Install Tusk CLI
 # The CLI is downloaded from GitHub releases (tar.gz archives)
 ARG TUSK_CLI_VERSION=latest
 RUN set -ex && \
-    if [ "$TUSK_CLI_VERSION" = "latest" ]; then \
-      # Get the latest version tag
-      VERSION=$(curl -s https://api.github.com/repos/Use-Tusk/tusk-drift-cli/releases/latest | grep '"tag_name"' | cut -d '"' -f 4); \
-    else \
-      VERSION="${TUSK_CLI_VERSION}"; \
-    fi && \
-    # Remove 'v' prefix if present for the filename
-    VERSION_NUM=$(echo "$VERSION" | sed 's/^v//') && \
-    # Detect architecture (x86_64 or arm64)
-    ARCH=$(uname -m) && \
-    case "$ARCH" in \
-      x86_64) ARCH_NAME="x86_64" ;; \
-      aarch64|arm64) ARCH_NAME="arm64" ;; \
-      *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
-    esac && \
-    # Construct download URL (archives are named like tusk-drift-cli_0.1.35_Linux_x86_64.tar.gz)
-    DOWNLOAD_URL="https://github.com/Use-Tusk/tusk-drift-cli/releases/download/${VERSION}/tusk-drift-cli_${VERSION_NUM}_Linux_${ARCH_NAME}.tar.gz" && \
-    echo "Downloading Tusk CLI from: $DOWNLOAD_URL" && \
-    curl -fsSL "$DOWNLOAD_URL" -o /tmp/tusk.tar.gz && \
-    tar -xzf /tmp/tusk.tar.gz -C /tmp && \
-    mv /tmp/tusk /usr/local/bin/tusk && \
-    chmod +x /usr/local/bin/tusk && \
-    rm -rf /tmp/tusk.tar.gz /tmp/LICENSE /tmp/README.md && \
-    tusk --version
+  if [ "$TUSK_CLI_VERSION" = "latest" ]; then \
+  # Get the latest version tag
+  VERSION=$(curl -s https://api.github.com/repos/Use-Tusk/tusk-drift-cli/releases/latest | grep '"tag_name"' | cut -d '"' -f 4); \
+  else \
+  VERSION="${TUSK_CLI_VERSION}"; \
+  fi && \
+  # Remove 'v' prefix if present for the filename
+  VERSION_NUM=$(echo "$VERSION" | sed 's/^v//') && \
+  # Detect architecture (x86_64 or arm64)
+  ARCH=$(uname -m) && \
+  case "$ARCH" in \
+  x86_64) ARCH_NAME="x86_64" ;; \
+  aarch64|arm64) ARCH_NAME="arm64" ;; \
+  *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
+  esac && \
+  # Construct download URL (archives are named like tusk-drift-cli_0.1.35_Linux_x86_64.tar.gz)
+  DOWNLOAD_URL="https://github.com/Use-Tusk/tusk-drift-cli/releases/download/${VERSION}/tusk-drift-cli_${VERSION_NUM}_Linux_${ARCH_NAME}.tar.gz" && \
+  echo "Downloading Tusk CLI from: $DOWNLOAD_URL" && \
+  curl -fsSL "$DOWNLOAD_URL" -o /tmp/tusk.tar.gz && \
+  tar -xzf /tmp/tusk.tar.gz -C /tmp && \
+  mv /tmp/tusk /usr/local/bin/tusk && \
+  chmod +x /usr/local/bin/tusk && \
+  rm -rf /tmp/tusk.tar.gz /tmp/LICENSE /tmp/README.md && \
+  tusk --version
 
 # Upgrade pip
 RUN pip install --upgrade pip

drift/instrumentation/fastapi/e2e-tests/.tusk/config.yaml

@@ -25,4 +25,6 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict
 

drift/instrumentation/fastapi/e2e-tests/docker-compose.yml

@@ -14,6 +14,11 @@ services:
       dockerfile: drift/instrumentation/fastapi/e2e-tests/Dockerfile
       args:
         - TUSK_CLI_VERSION=${TUSK_CLI_VERSION:-latest}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
     environment:
       - PORT=8000
       - TUSK_ANALYTICS_DISABLED=1

drift/instrumentation/fastapi/e2e-tests/requirements.txt

@@ -2,5 +2,6 @@
 fastapi>=0.115.0
 uvicorn>=0.30.0
 requests>=2.32.5
-httpx>=0.27.0
+# Strict replay sandbox routes outbound HTTP through a SOCKS proxy.
+httpx[socks]>=0.27.0
 

drift/instrumentation/flask/e2e-tests/.tusk/config.yaml

@@ -25,4 +25,6 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict
 

drift/instrumentation/flask/e2e-tests/docker-compose.yml

@@ -14,6 +14,11 @@ services:
       dockerfile: drift/instrumentation/flask/e2e-tests/Dockerfile
       args:
         - TUSK_CLI_VERSION=${TUSK_CLI_VERSION:-latest}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
     environment:
       - PORT=8000
       - TUSK_ANALYTICS_DISABLED=1