Merge branch 'v2-c' into knowledge_workflow

Author: liuruibin

apps/common/utils/tool_code.py

@@ -29,7 +29,7 @@ def __init__(self, sandbox=False):
         else:
             self.sandbox_path = os.path.join(PROJECT_DIR, 'data', 'sandbox')
             self.user = None
-        self.sandbox_so_path = f'{self.sandbox_path}/sandbox.so'
+        self.sandbox_so_path = f'{self.sandbox_path}/lib/sandbox.so'
         self.process_timeout_seconds = int(CONFIG.get("SANDBOX_PYTHON_PROCESS_TIMEOUT_SECONDS", '3600'))
         try:
             self._init_dir()
@@ -60,10 +60,9 @@ def _init_dir(self):
             tmp_dir_path = os.path.join(self.sandbox_path, 'tmp')
             os.makedirs(tmp_dir_path, 0o700, exist_ok=True)
             os.system(f"chown -R {self.user}:root {tmp_dir_path}")
-        if os.path.exists(self.sandbox_so_path):
-            os.chmod(self.sandbox_so_path, 0o440)
         # 初始化sandbox配置文件
-        sandbox_conf_file_path = f'{self.sandbox_path}/.sandbox.conf'
+        sandbox_lib_path = os.path.dirname(self.sandbox_so_path)
+        sandbox_conf_file_path = f'{sandbox_lib_path}/.sandbox.conf'
         if os.path.exists(sandbox_conf_file_path):
             os.remove(sandbox_conf_file_path)
         allow_subprocess = CONFIG.get("SANDBOX_PYTHON_ALLOW_SUBPROCESS", '0')
@@ -75,7 +74,7 @@ def _init_dir(self):
         with open(sandbox_conf_file_path, "w") as f:
             f.write(f"SANDBOX_PYTHON_BANNED_HOSTS={banned_hosts}\n")
             f.write(f"SANDBOX_PYTHON_ALLOW_SUBPROCESS={allow_subprocess}\n")
-        os.chmod(sandbox_conf_file_path, 0o440)
+        os.system(f"chmod -R 550 {sandbox_lib_path}")
 
     def exec_code(self, code_str, keywords, function_name=None):
         _id = str(uuid.uuid7())

installer/Dockerfile

@@ -13,7 +13,7 @@ RUN apt-get update && \
     apt-get clean all  && \
     rm -rf /var/lib/apt/lists/*
 WORKDIR /opt/maxkb-app
-RUN gcc -shared -fPIC -o ${MAXKB_SANDBOX_HOME}/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
+RUN gcc -shared -fPIC -o ${MAXKB_SANDBOX_HOME}/lib/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
     rm -rf /opt/maxkb-app/ui && \
     pip install uv --break-system-packages && \
     python -m uv pip install -r pyproject.toml && \

installer/Dockerfile-base

@@ -24,9 +24,9 @@ RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
     chmod 755 /usr/bin/start-*.sh && \
     find /etc/ -type f ! -path '/etc/resolv.conf' ! -path '/etc/hosts' | xargs chmod g-rx && \
     curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
-    mkdir -p /opt/maxkb-app/sandbox && \
+    mkdir -p /opt/maxkb-app/sandbox/lib && \
     useradd --no-create-home --home /opt/maxkb-app/sandbox sandbox -g root && \
-    chown -R sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
+    chown sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
     chmod g-xr /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/17/bin/* && \
     chmod g+xr /usr/bin/ld.so && \
     chmod g+x /usr/local/bin/python* && \