@devin-ai-integration devin-ai-integration bot commented Mar 8, 2025

Description

This PR adds two POC Dockerfiles for sandboxing the source-declarative-manifest connector:

  1. Firejail Sandbox: Uses Linux namespaces and seccomp-bpf for lightweight isolation
  2. gVisor Sandbox: Uses a user-space kernel for stronger isolation

Both implementations wrap the original entry point with their respective sandboxing solution while preserving all functionality.

See the detailed implementation notes and potential enhancements in the devlog/2025-03-sandboxing.md file.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Both Docker images have been built and tested locally with the 'spec' command to verify basic functionality.

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Link to Devin run: https://app.devin.ai/sessions/650f2fd1e3f249719e04c8dddcb105ca
Requested by: Aaron

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

Original prompt from Aaron:

Received message in Slack channel #ask-devin-ai:

@Devin - I want to do two POC / spikes of firejail and gvisor. Please create two new Dockerfiles in a new PR to the CDK repo. Both Dockerfiles should start from the airbyte/source-declarative-manifest docker image, but for simplicity's sake, don't try to make a dynamic reference to our build process. Just build on top of that existing image and add either Firejail or gVisor (via runc). The entry point for each image should be the wrapped version of the `source-declarative-manifest` CLI entry point, as defined in pyproject.toml of the CDK repo. Show me your plan before you start.

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add "(aside)" to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions github-actions bot added the chore label Mar 8, 2025