feat(orchestrator): introduce apt cache proxy for sandbox provisioning#2623
feat(orchestrator): introduce apt cache proxy for sandbox provisioning#2623arkamar wants to merge 7 commits into
Conversation
Introduce an apt caching layer to speed up apt-get operations during template builds and sandbox runtime. An apt-cacher-ng container is added to the local-dev Docker Compose stack, and the orchestrator conditionally injects an apt proxy config into the sandbox rootfs. Controlled by the 'apt-cache-enabled' LaunchDarkly feature flag and the APT_PROXY_URL environment variable on the orchestrator.
Writing the apt proxy config in provision.sh instead of injecting it as an OCI layer makes it easier to add conditional logic for other package managers (dnf, apk) if non-Debian distros are supported in the future.
…to sandbox runtime
… collisions with user config
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
An organization admin can view or raise the cap at claude.ai/admin-settings/claude-code. The cap resets at the start of the next billing period.
Once the cap resets or is raised, reopen this pull request to trigger a review.
PR SummaryMedium Risk Overview Reviewed by Cursor Bugbot for commit 6402343. Bugbot is set up for automated code reviews on this repo. Configure here. |
❌ 8 Tests Failed:
View the full list of 11 ❄️ flaky test(s)
To view more test analytics, go to the Test Analytics Dashboard |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
The provisioning script uses double quotes for the APT_PROXY_URL assignment, which allows for potential command injection. The APT configuration also lacks an HTTPS proxy definition, causing requests to HTTPS repositories to bypass the cache.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Proxy URLs may contain credentials. Since provisioning logs are visible to template builders, omit the URL from the log message entirely.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e1b72b2728
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| BusyBox: rootfs.SandboxBusyBoxPath, | ||
| ResultPath: provisionScriptResultPath, | ||
| Provider: buildContext.BuilderConfig.Provider, | ||
| AptProxyURL: aptProxyURL, |
There was a problem hiding this comment.
When apt-cache-enabled or APT_PROXY_URL changes after a base layer has already been cached, this rendered AptProxyURL does not affect the base hash: Hash still keys on the unrendered provisionScriptFile (or the manual provision version), so the phase cache can skip Build and reuse a rootfs with a stale or missing /etc/apt/apt.conf.d/00-e2b-build-proxy. In that scenario downstream build steps run with the previous proxy state until someone forces a rebuild or bumps the provision version, defeating flag rollouts and potentially leaving builds pointed at an old proxy URL.
Useful? React with 👍 / 👎.
…changes The base layer hash did not account for the apt proxy configuration. When the apt-cache feature flag was toggled or the proxy URL changed, builds would reuse a stale cached rootfs with the old proxy state. The proxy URL is now included as a hash key only when non-empty, so existing caches are not invalidated unnecessarily.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 640234302e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| attribute.String("provision_version", provisionVersion), | ||
| attribute.String("base_source", baseSource), | ||
| attribute.Int64("disk_size_mb", bb.Config.DiskSizeMB), | ||
| attribute.String("apt_proxy_url", aptProxyURL), |
There was a problem hiding this comment.
If APT_PROXY_URL is configured with embedded credentials (for example http://user:pass@proxy:3142, which apt proxy URLs allow), this attribute sends the full secret-bearing URL to the tracing backend for every base hash calculation. The value only needs to affect cache invalidation, so telemetry should record a redacted URL, host, or enabled flag instead of the raw config value.
Useful? React with 👍 / 👎.
|
@tvi Is this hitting the same problems we discussed for the proxy before? |
3 participants
Introduces an apt cache proxy for sandbox provisioning, controlled by the apt-cache-enabled LaunchDarkly feature flag and APT_PROXY_URL env var. When enabled, apt-get operations during template builds go through the configured proxy, speeding up repeated builds and insulating provisioning from upstream apt repository outages or rate limits. The proxy config is cleaned up in the finalize phase so it doesn't leak into end-user sandboxes.