feat: Add support for custom entrypoints in sandbox configs

Author: ctlaltlaltc

packages/service/core/agentSkills/sandboxConfig.ts

@@ -24,9 +24,13 @@ export type SandboxDefaults = {
   cleanupInterval: number; // in milliseconds
   inactiveThreshold: number; // in seconds
   defaultImage: SandboxImageConfigType;
-  homeDirectory: string;
   workDirectory: string;
   targetPort: number;
+  entrypoint: {
+    editDebugKubernetes: string; // SANDBOX_K8S_ENTRYPOINT
+    sessionKubernetes: string; // SANDBOX_SESSION_K8S_ENTRYPOINT
+    docker: string; // SANDBOX_DOCKER_ENTRYPOINT
+  };
 };
 
 /**
@@ -55,12 +59,17 @@ export function getSandboxDefaults(): SandboxDefaults {
     cleanupInterval: safeParseInt(process.env.SANDBOX_CLEANUP_INTERVAL, 3600000),
     inactiveThreshold: safeParseInt(process.env.SANDBOX_INACTIVE_THRESHOLD, 7200),
     defaultImage: {
-      repository: process.env.SANDBOX_DEFAULT_IMAGE || 'node',
-      tag: process.env.SANDBOX_DEFAULT_IMAGE_TAG || '18-alpine'
+      repository: process.env.SANDBOX_DEFAULT_IMAGE || 'fastgpt-agent-sandbox',
+      tag: process.env.SANDBOX_DEFAULT_IMAGE_TAG || 'docker'
     },
-    homeDirectory: '/home/coder',
-    workDirectory: '/workspace/projects',
-    targetPort: 8080
+    workDirectory: process.env.SANDBOX_WORK_DIRECTORY || '/home/sandbox/workspace',
+    targetPort: 8080,
+    entrypoint: {
+      editDebugKubernetes: process.env.SANDBOX_K8S_ENTRYPOINT || '/home/sandbox/entrypoint.sh',
+      sessionKubernetes:
+        process.env.SANDBOX_SESSION_K8S_ENTRYPOINT || '/opt/sync-agent/docker-entrypoint.sh',
+      docker: process.env.SANDBOX_DOCKER_ENTRYPOINT || '/opt/sync-agent/docker-entrypoint.sh'
+    }
   };
 }
 
@@ -129,12 +138,13 @@ export function buildDockerSyncEnv(
   }
 
   return {
-    SESSION_ID: sessionId,
-    MINIO_ENDPOINT: endpoint,
-    MINIO_ACCESS_KEY: accessKey,
-    MINIO_SECRET_KEY: secretKey,
-    MINIO_BUCKET: bucket,
-    SYNC_PATH: syncPath,
-    ENABLE_CODE_SERVER: enableCodeServer ? 'true' : 'false'
+    FASTGPT_SESSION_ID: sessionId,
+    FASTGPT_MINIO_ENDPOINT: endpoint,
+    FASTGPT_MINIO_ACCESS_KEY: accessKey,
+    FASTGPT_MINIO_SECRET_KEY: secretKey,
+    FASTGPT_MINIO_BUCKET: bucket,
+    FASTGPT_WORKDIR: syncPath,
+    FASTGPT_SYNC_PATH: syncPath,
+    FASTGPT_ENABLE_CODE_SERVER: enableCodeServer ? 'true' : 'false'
   };
 }

packages/service/core/agentSkills/sandboxController.ts

@@ -37,6 +37,7 @@ export type CreateEditDebugSandboxParams = {
   tmbId: string;
   image?: SandboxImageConfigType;
   timeout?: number;
+  entrypoint?: string; // override default entrypoint for this request
   onProgress?: (status: SandboxStatusItemType) => void; // lifecycle progress callback
 };
 
@@ -78,7 +79,7 @@ export type RenewSandboxParams = {
 export async function createEditDebugSandbox(
   params: CreateEditDebugSandboxParams
 ): Promise<CreateEditDebugSandboxResult> {
-  const { skillId, teamId, tmbId, image, timeout, onProgress } = params;
+  const { skillId, teamId, tmbId, image, timeout, entrypoint, onProgress } = params;
 
   // === Phase 1: Resolve and validate configuration ===
   const providerConfig = getSandboxProviderConfig();
@@ -186,7 +187,8 @@ export async function createEditDebugSandbox(
       await sandbox.create({
         image: sandboxImage,
         timeout: sandboxTimeout,
-        entrypoint: ['/home/coder/entrypoint.sh'],
+        entrypoint: [entrypoint ?? defaults.entrypoint.editDebugKubernetes],
+        env: buildDockerSyncEnv(sessionId, defaults.workDirectory, true),
         metadata: {
           skillId,
           teamId,
@@ -196,9 +198,9 @@ export async function createEditDebugSandbox(
       });
     } else {
       await sandbox.create({
-        image: { repository: 'fastgpt-agent-sandbox', tag: 'docker' },
+        image: sandboxImage,
         timeout: sandboxTimeout,
-        entrypoint: ['/opt/sync-agent/docker-entrypoint.sh'],
+        entrypoint: [entrypoint ?? defaults.entrypoint.docker],
         env: buildDockerSyncEnv(sessionId, defaults.workDirectory, true),
         metadata: {
           skillId,
@@ -468,7 +470,7 @@ export async function renewSandboxExpiration(
  *
  * @param params - Parameters for packaging
  * @param params.providerSandboxId - Provider sandbox ID
- * @param params.workDirectory - Working directory (defaults to homeDirectory)
+ * @param params.workDirectory - Working directory
  * @returns Buffer containing the package.zip file
  *
  * @throws Error if packaging fails, file cannot be read, or directory exceeds size limit

packages/service/core/workflow/dispatch/ai/agent/sub/sandbox/lifecycle.ts

@@ -43,6 +43,7 @@ type CreateAgentSandboxParams = {
   teamId: string;
   tmbId: string;
   sessionId: string; // chat 模式 = chatId，debug 模式 = 构造的 key，决定 MinIO 数据路径
+  entrypoint?: string; // override default entrypoint for this request
   onProgress?: (status: SandboxStatusItemType) => void; // lifecycle progress callback
 };
 
@@ -96,10 +97,10 @@ function mergeSkillWithVersion(
 
 /** Dynamically discover all deployed skill directories in the sandbox by locating SKILL.md files.
  * Example:
- * $ find /workspace/projects -name "SKILL.md" -maxdepth 5 2>/dev/null
- * /workspace/projects/skill-creator/SKILL.md
- * /workspace/projects/deep-research/SKILL.md
- * /workspace/projects/science/SKILL.md
+ * $ find ${FASTGPT_WORKDIR} -name "SKILL.md" -maxdepth 5 2>/dev/null
+ * /home/sandbox/workspace/projects/skill-creator/SKILL.md
+ * /home/sandbox/workspace/projects/deep-research/SKILL.md
+ * /home/sandbox/workspace/projects/science/SKILL.md
  *
  * Runs `find` inside the sandbox to locate SKILL.md files up to maxdepth 2,
  * then reads each file and parses the frontmatter for name/description.
@@ -186,7 +187,7 @@ async function deploySkillsToSandbox(
 export async function createAgentSandbox(
   params: CreateAgentSandboxParams
 ): Promise<AgentSandboxContext> {
-  const { skillIds, teamId, tmbId, sessionId, onProgress } = params;
+  const { skillIds, teamId, tmbId, sessionId, entrypoint, onProgress } = params;
 
   const providerConfig = getSandboxProviderConfig();
   const defaults = getSandboxDefaults();
@@ -275,7 +276,7 @@ export async function createAgentSandbox(
       await sandbox.create({
         image: defaults.defaultImage,
         timeout: defaults.timeout,
-        entrypoint: ['/opt/sync-agent/docker-entrypoint.sh'],
+        entrypoint: [entrypoint ?? defaults.entrypoint.sessionKubernetes],
         env: buildDockerSyncEnv(sessionId, defaults.workDirectory, false),
         metadata: {
           teamId,
@@ -290,7 +291,7 @@ export async function createAgentSandbox(
       await sandbox.create({
         image: { repository: 'fastgpt-agent-sandbox', tag: 'docker' },
         timeout: defaults.timeout,
-        entrypoint: ['/opt/sync-agent/docker-entrypoint.sh'],
+        entrypoint: [entrypoint ?? defaults.entrypoint.docker],
         env: buildDockerSyncEnv(sessionId, defaults.workDirectory, false),
         metadata: {
           teamId,

packages/service/package.json

@@ -3,6 +3,8 @@
   "version": "1.0.0",
   "type": "module",
   "dependencies": {
+    "@anyany/sandbox_provider": "^0.1.1",
+    "@apidevtools/json-schema-ref-parser": "^11.7.2",
     "@fastgpt-sdk/storage": "^0.6.15",
     "@fastgpt/global": "workspace:*",
     "@logtape/logtape": "^2",
@@ -39,7 +41,6 @@
     "iconv-lite": "^0.6.3",
     "ioredis": "^5.6.0",
     "joplin-turndown-plugin-gfm": "^1.0.12",
-    "@apidevtools/json-schema-ref-parser": "^11.7.2",
     "json5": "^2.2.3",
     "jsonpath-plus": "^10.3.0",
     "jsonwebtoken": "^9.0.2",

projects/sandbox-sync-agent/Dockerfile

@@ -11,7 +11,6 @@ USER root
 # 安装 Sync Agent 依赖
 RUN apt-get update && apt-get install -y \
     inotify-tools \
-    curl \
     && rm -rf /var/lib/apt/lists/*
 
 # 安装 MinIO Client (mc)
@@ -28,6 +27,6 @@ RUN chmod +x /sync.sh /entrypoint.sh
 # 8081: Sync Agent HTTP API（健康检查 / 手动触发同步）
 EXPOSE 8081
 
-USER coder
+USER sandbox
 
 ENTRYPOINT ["/entrypoint.sh"]

projects/sandbox-sync-agent/Dockerfile.docker-runtime

@@ -11,7 +11,6 @@ USER root
 # 安装 Sync Agent 依赖
 RUN apt-get update && apt-get install -y \
     inotify-tools \
-    curl \
     supervisor \
     && rm -rf /var/lib/apt/lists/*
 
@@ -29,8 +28,8 @@ COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 RUN chmod +x /opt/sync-agent/sync.sh \
              /opt/sync-agent/docker-entrypoint.sh && \
     mkdir -p /var/log/supervisor && \
-    chown -R coder:coder /var/log/supervisor
+    chown -R sandbox:sandbox /var/log/supervisor
 
-USER coder
+USER sandbox
 
 ENTRYPOINT ["/opt/sync-agent/docker-entrypoint.sh"]

projects/sandbox-sync-agent/base/Dockerfile

@@ -10,12 +10,14 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 # Install dependencies
 RUN apt-get update && apt-get install -y \
+    git \
+    jq \
+    ripgrep \
     vim-tiny \
     tree \
     unzip \
     curl \
-    ca-certificates \
-    sudo
+    ca-certificates
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt install -y python3 nodejs
 RUN rm -rf /var/lib/apt/lists/*
@@ -24,24 +26,20 @@ RUN rm -rf /var/lib/apt/lists/*
 RUN curl -fsSL https://code-server.dev/install.sh | sh
 
 # Create a non-root user for security
-RUN useradd -m -s /bin/bash coder
+RUN useradd --create-home --shell /bin/bash sandbox
 
-# Create the workspace directory and set permissions
-RUN mkdir -p /workspace/projects && \
-    chown -R coder:coder /workspace/projects
-
-USER coder
-WORKDIR /workspace/projects
+USER sandbox
+WORKDIR /home/sandbox
 
 # Copy VS Code settings
-RUN mkdir -p /home/coder/.local/share/code-server/User
-COPY --chown=coder:coder settings.json /home/coder/.local/share/code-server/User/settings.json
+RUN mkdir -p /home/sandbox/.local/share/code-server/User
+COPY --chown=sandbox:sandbox settings.json /home/sandbox/.local/share/code-server/User/settings.json
 
 # Copy and configure entrypoint
-COPY --chown=coder:coder entrypoint.sh /home/coder/entrypoint.sh
-RUN chmod +x /home/coder/entrypoint.sh
+COPY --chown=sandbox:sandbox entrypoint.sh /home/sandbox/entrypoint.sh
+RUN chmod +x /home/sandbox/entrypoint.sh
 
 # Expose code-server port
 EXPOSE 8080
 
-ENTRYPOINT ["/home/coder/entrypoint.sh"]
+ENTRYPOINT ["/home/sandbox/entrypoint.sh"]

projects/sandbox-sync-agent/base/entrypoint.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+# Set work directory from environment variable, default to /home/sandbox
+WORKDIR="${FASTGPT_WORKDIR:-/home/sandbox}"
+mkdir -p "${WORKDIR}"
+
 # Start code-server
 # --bind-addr 0.0.0.0:8080 allows access from outside the container
 # --auth none removes password protection
@@ -11,5 +15,5 @@ exec code-server \
      --disable-workspace-trust \
      --disable-getting-started-override \
      --app-name "Skills" \
-     --user-data-dir /home/coder/.local/share/code-server \
-     /workspace/projects
+     --user-data-dir /home/sandbox/.local/share/code-server \
+     "${WORKDIR}"