fix(server): fix sandbox port expose bug under windows and egress

Author: Pangjiping

server/opensandbox_server/services/docker.py

@@ -63,7 +63,11 @@
 )
 from opensandbox_server.config import AppConfig, get_config
 from opensandbox_server.services.docker_diagnostics import DockerDiagnosticsMixin
-from opensandbox_server.services.docker_port_allocator import allocate_port_bindings
+from opensandbox_server.services.docker_port_allocator import (
+    allocate_port_bindings,
+    normalize_container_port_spec,
+    normalize_port_bindings,
+)
 from opensandbox_server.services.docker_windows_profile import (
     apply_windows_runtime_host_config_defaults,
     fetch_execd_install_bat,
@@ -1235,7 +1239,7 @@ def _provision_sandbox(
                     port_bindings = allocate_port_bindings(exposed_ports)
                     host_execd_port = port_bindings["44772"][1]
                     host_http_port = port_bindings["8080"][1]
-                    host_config_kwargs["port_bindings"] = port_bindings
+                    host_config_kwargs["port_bindings"] = normalize_port_bindings(port_bindings)
                     labels[SANDBOX_EMBEDDING_PROXY_PORT_LABEL] = str(host_execd_port)
                     labels[SANDBOX_HTTP_PORT_LABEL] = str(host_http_port)
                 else:
@@ -2276,7 +2280,7 @@ def _start_egress_sidecar(
         sidecar_host_config_kwargs: dict[str, Any] = {
             "network_mode": BRIDGE_NETWORK_MODE,
             "cap_add": ["NET_ADMIN"],
-            "port_bindings": sidecar_port_bindings,
+            "port_bindings": normalize_port_bindings(sidecar_port_bindings),
         }
         if self.app_config.egress.disable_ipv6:
             # Optional: disable IPv6 in the shared namespace when egress.disable_ipv6 is set.
@@ -2301,7 +2305,7 @@ def _start_egress_sidecar(
                     labels=sidecar_labels,
                     environment=sidecar_env,
                     # Expose the ports that have host bindings so Docker publishes them in bridge mode.
-                    ports=list(sidecar_port_bindings.keys()),
+                    ports=[normalize_container_port_spec(p) for p in sidecar_port_bindings.keys()],
                 )
             sidecar_container_id = sidecar_resp.get("Id")
             if not sidecar_container_id:
@@ -2373,7 +2377,11 @@ def _create_and_start_container(
                 container_kwargs = {
                     "image": image_uri,
                     "command": bootstrap_command,
-                    "ports": exposed_ports,
+                    "ports": (
+                        [normalize_container_port_spec(p) for p in exposed_ports]
+                        if exposed_ports
+                        else None
+                    ),
                     "name": f"sandbox-{sandbox_id}",
                     "environment": environment,
                     "labels": labels,

server/opensandbox_server/services/docker_port_allocator.py

@@ -23,6 +23,28 @@
 from opensandbox_server.services.constants import SandboxErrorCodes
 
 
+def normalize_container_port_spec(port_spec: str) -> str:
+    token = str(port_spec).strip()
+    if token.endswith("/tcp"):
+        return token[:-4]
+    return token
+
+
+def normalize_port_bindings(
+    port_bindings: dict[str, tuple[str, int]],
+) -> dict[str, tuple[str, int]]:
+    """
+    Normalize binding keys to docker-py canonical forms.
+
+    Docker port bindings accept "port" for tcp and "port/udp" for udp.
+    """
+    normalized: dict[str, tuple[str, int]] = {}
+    for container_port, binding in port_bindings.items():
+        normalized_key = normalize_container_port_spec(container_port)
+        normalized[normalized_key] = binding
+    return normalized
+
+
 def allocate_host_port(
     min_port: int = 40000,
     max_port: int = 60000,

server/tests/test_docker_service.py

@@ -928,6 +928,54 @@ def host_cfg_side_effect(**kwargs):
     hc2 = mock_client.api.create_host_config.call_args.kwargs
     assert hc2["sysctls"]["net.ipv6.conf.all.disable_ipv6"] == 1
 
+
+@patch("opensandbox_server.services.docker.docker")
+def test_egress_sidecar_normalizes_windows_port_bindings(mock_docker):
+    mock_client = MagicMock()
+    mock_client.containers.list.return_value = []
+
+    def host_cfg_side_effect(**kwargs):
+        return kwargs
+
+    sidecar_container = MagicMock()
+    mock_client.api.create_host_config.side_effect = host_cfg_side_effect
+    mock_client.api.create_container.return_value = {"Id": "sidecar-id"}
+    mock_client.containers.get.return_value = sidecar_container
+    mock_docker.from_env.return_value = mock_client
+
+    cfg = _app_config()
+    cfg.docker.network_mode = "bridge"
+    cfg.egress = EgressConfig(image="egress:latest", disable_ipv6=False)
+    service = DockerSandboxService(config=cfg)
+
+    with (
+        patch.object(service, "_ensure_image_available"),
+        patch.object(service, "_docker_operation") as mock_op,
+    ):
+        mock_op.return_value.__enter__.return_value = None
+        mock_op.return_value.__exit__.return_value = None
+        service._start_egress_sidecar(
+            "sandbox-id",
+            NetworkPolicy(defaultAction="deny", egress=[]),
+            egress_token="egress-token",
+            host_execd_port=44772,
+            host_http_port=8080,
+            extra_port_bindings={
+                "3389/tcp": ("0.0.0.0", 53389),
+                "3389/udp": ("0.0.0.0", 53390),
+                "8006/tcp": ("0.0.0.0", 58006),
+            },
+        )
+
+    hc_kwargs = mock_client.api.create_host_config.call_args.kwargs
+    assert "3389" in hc_kwargs["port_bindings"]
+    assert "3389/udp" in hc_kwargs["port_bindings"]
+    assert "8006" in hc_kwargs["port_bindings"]
+    sidecar_kwargs = mock_client.api.create_container.call_args.kwargs
+    assert "3389" in sidecar_kwargs["ports"]
+    assert "3389/udp" in sidecar_kwargs["ports"]
+    assert "8006" in sidecar_kwargs["ports"]
+
 def test_expire_cleans_sidecar():
     service = DockerSandboxService(config=_app_config())
     mock_container = MagicMock()
@@ -1293,9 +1341,9 @@ async def test_create_sandbox_windows_profile_injects_runtime_defaults(mock_dock
     port_bindings = host_config_kwargs["port_bindings"]
     assert "44772" in port_bindings
     assert "8080" in port_bindings
-    assert "3389/tcp" in port_bindings
+    assert "3389" in port_bindings
     assert "3389/udp" in port_bindings
-    assert "8006/tcp" in port_bindings
+    assert "8006" in port_bindings
 
 
 @pytest.mark.asyncio