Skip to content

Commit aa37dc2

Browse files
PangjipingPangjiping
committed
fix(server): fix sandbox port expose bug under windows and egress
1 parent 5050a90 commit aa37dc2

2 files changed

Lines changed: 6 additions & 4 deletions

File tree

server/opensandbox_server/services/docker.py

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1193,6 +1193,7 @@ def _provision_sandbox(
11931193
# dockur/windows exposes RDP and noVNC/web UI on these ports.
11941194
# https://github.com/dockur/windows/blob/master/Dockerfile
11951195
exposed_ports.extend(["3389/tcp", "3389/udp", "8006/tcp"])
1196+
container_exposed_ports: Optional[list[str]] = exposed_ports
11961197

11971198
if request.network_policy:
11981199
egress_token = generate_egress_token()
@@ -1218,6 +1219,9 @@ def _provision_sandbox(
12181219
host_config_kwargs = self._base_host_config_kwargs(
12191220
effective_mem_limit, effective_nano_cpus, f"container:{sidecar_container.id}"
12201221
)
1222+
# Container network namespace is shared with sidecar. Docker rejects
1223+
# exposing ports on the main container in "container:<id>" mode.
1224+
container_exposed_ports = None
12211225
# Drop NET_ADMIN for the main container; only the sidecar should keep it
12221226
cap_drop = set(host_config_kwargs.get("cap_drop") or [])
12231227
cap_drop.add("NET_ADMIN")
@@ -1258,7 +1262,7 @@ def _provision_sandbox(
12581262
labels,
12591263
environment,
12601264
host_config_kwargs,
1261-
exposed_ports,
1265+
container_exposed_ports,
12621266
request.platform,
12631267
)
12641268
except Exception:

server/tests/test_docker_service.py

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1537,9 +1537,7 @@ async def test_create_sandbox_windows_profile_with_network_policy_maps_windows_p
15371537
assert host_config_kwargs["network_mode"] == "container:sidecar-123"
15381538
assert "NET_ADMIN" in set(host_config_kwargs.get("cap_add") or [])
15391539
assert "NET_ADMIN" not in set(host_config_kwargs.get("cap_drop") or [])
1540-
assert "3389/tcp" in forwarded_ports
1541-
assert "3389/udp" in forwarded_ports
1542-
assert "8006/tcp" in forwarded_ports
1540+
assert forwarded_ports is None
15431541
assert labels["opensandbox.io/embedding-proxy-port"] == "51664"
15441542
assert labels["opensandbox.io/http-port"] == "48891"
15451543

0 commit comments

Comments
 (0)