Skip to content

Docker Client Integration and Security Configuration #9

Closed
Task
#45
Closed
Docker Client Integration and Security Configuration#9
Task
#45
Assignees
starbops
Labels
area/executionarea/securitycomponent/dockerpriority/0
Milestone
Secure Execution Engine
@starbops

Description

@starbops
starbops
opened on Jul 3, 2025

Docker Client Integration and Security Configuration

User Story

As the system, I want secure Docker client integration so that I can safely execute user-provided code in isolated containers.

Technical Requirements

  • Set up Docker client with proper authentication
  • Configure security options for container execution
  • Implement resource limits (CPU, memory, PID)
  • Set up network isolation for containers
  • Create security profiles (AppArmor/seccomp)
  • Implement container cleanup mechanisms

Acceptance Criteria

  • Docker client connects securely to Docker daemon
  • Resource limits prevent resource exhaustion attacks
  • Network isolation prevents external communication
  • Security profiles restrict dangerous system calls
  • Non-root execution enforced for all containers
  • Automatic cleanup removes containers and images

Definition of Done

  • Docker integration working with security controls
  • Resource limits tested and enforced
  • Security profiles deployed and functional
  • Container cleanup verified under all conditions
  • Security testing completed with no critical issues

Implementation Guide

Required Dependencies

go get github.com/docker/docker/api/types
go get github.com/docker/docker/api/types/container
go get github.com/docker/docker/client

Security Configuration

// Container configuration with security hardening
containerConfig := &container.Config{
    Image:      "voidrunner/python-executor:v1.0",
    Cmd:        []string{"python3", "-c", userCode},
    User:       "1000:1000", // Non-root execution
    WorkingDir: "/tmp/workspace",
    Env:        []string{"HOME=/tmp"},
}

hostConfig := &container.HostConfig{
    Resources: container.Resources{
        Memory:    128 * 1024 * 1024, // 128MB
        CPUQuota:  50000,             // 0.5 CPU
        PidsLimit: ptr(int64(128)),    // Limit processes
    },
    SecurityOpt: []string{
        "no-new-privileges",
        "seccomp=/opt/voidrunner/seccomp-profile.json",
    },
    NetworkMode:    "none", // No network access
    ReadonlyRootfs: true,
    Tmpfs: map[string]string{
        "/tmp": "rw,noexec,nosuid,size=100m",
    },
    AutoRemove: true,
}

Container Images

# Python execution environment
FROM python:3.11-alpine
RUN adduser -D -u 1000 executor
USER executor
WORKDIR /tmp/workspace

# Bash execution environment  
FROM alpine:latest
RUN adduser -D -u 1000 executor
USER executor
WORKDIR /tmp/workspace

Security Profiles

  • Custom seccomp profile to restrict system calls
  • AppArmor profile for additional MAC controls
  • Non-root user execution (UID 1000)
  • Read-only root filesystem with tmpfs mounts
  • No network access (--network none)
  • Resource limits for CPU, memory, and PIDs

Related Epic

Contributes to Epic #8: Container Execution Engine

Metadata

Metadata

Assignees

Labels

area/executionarea/securitycomponent/dockerpriority/0

Type

Task

Projects

VoidRunner Sprint Board

Status

Done

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions