chore(cdk): Add Firejail and gVisor POC Dockerfiles

Co-Authored-By: Aaron <AJ> Steers <[email protected]>

Author: devin-ai-integration[bot]

docker/sandbox-poc/Dockerfile.firejail

@@ -0,0 +1,20 @@
+# Dockerfile for Firejail POC
+FROM airbyte/source-declarative-manifest:latest
+
+USER root
+
+# Install firejail
+RUN apt-get update && \
+    apt-get install -y firejail && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create a wrapper script for the entry point
+RUN echo '#!/bin/bash' > /usr/local/bin/firejail-wrapper.sh && \
+    echo '# Firejail wrapper for source-declarative-manifest' >> /usr/local/bin/firejail-wrapper.sh && \
+    echo 'firejail --noprofile --quiet --private -- python /airbyte/integration_code/main.py "$@"' >> /usr/local/bin/firejail-wrapper.sh && \
+    chmod +x /usr/local/bin/firejail-wrapper.sh
+
+# Set the new entry point
+ENTRYPOINT ["/usr/local/bin/firejail-wrapper.sh"]
+USER airbyte

docker/sandbox-poc/Dockerfile.gvisor

@@ -0,0 +1,28 @@
+# Dockerfile for gVisor POC
+FROM airbyte/source-declarative-manifest:latest
+
+USER root
+
+# Install dependencies
+RUN apt-get update && \
+    apt-get install -y curl gnupg apt-transport-https ca-certificates && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Add gVisor repo and install runsc
+RUN curl -fsSL https://gvisor.dev/archive.key | apt-key add - && \
+    echo 'deb https://storage.googleapis.com/gvisor/releases release main' > /etc/apt/sources.list.d/gvisor.list && \
+    apt-get update && \
+    apt-get install -y runsc && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create a wrapper script for the entry point
+RUN echo '#!/bin/bash' > /usr/local/bin/gvisor-wrapper.sh && \
+    echo '# gVisor wrapper for source-declarative-manifest' >> /usr/local/bin/gvisor-wrapper.sh && \
+    echo 'runsc run --network=host --TESTONLY-unsafe-nonroot=true --rootless -- python /airbyte/integration_code/main.py "$@"' >> /usr/local/bin/gvisor-wrapper.sh && \
+    chmod +x /usr/local/bin/gvisor-wrapper.sh
+
+# Set the new entry point
+ENTRYPOINT ["/usr/local/bin/gvisor-wrapper.sh"]
+USER airbyte

docker/sandbox-poc/README.md

@@ -0,0 +1,25 @@
+# Sandbox POC Dockerfiles
+
+This directory contains Dockerfiles for proof-of-concept (POC) implementations of sandboxing solutions for the source-declarative-manifest connector.
+
+## Firejail
+
+The `Dockerfile.firejail` adds [Firejail](https://firejail.wordpress.com/) to the source-declarative-manifest image. Firejail is a SUID sandbox program that restricts the running environment of untrusted applications using Linux namespaces and seccomp-bpf.
+
+To build the image:
+```
+docker build -f Dockerfile.firejail -t airbyte/source-declarative-manifest-firejail .
+```
+
+## gVisor
+
+The `Dockerfile.gvisor` adds [gVisor](https://gvisor.dev/) (via runsc) to the source-declarative-manifest image. gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.
+
+To build the image:
+```
+docker build -f Dockerfile.gvisor -t airbyte/source-declarative-manifest-gvisor .
+```
+
+## Usage
+
+Both images wrap the original entry point of the source-declarative-manifest connector with their respective sandboxing solution. The wrapped entry point handles all the same command-line arguments as the original entry point.