74 changes: 35 additions & 39 deletions dockerfiles/Dockerfile.sandbox
@@ -12,14 +12,31 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Use the base image with Python 3.10 and Flask
FROM tiangolo/uwsgi-nginx-flask:python3.10
# =============================================================================
# Dependency Locking
# =============================================================================
# The sandbox uses pinned dependencies from two lock files:
# - requirements/sandbox-core.lock (from code_execution.txt — always installed)
# - requirements/sandbox.lock (from code_execution.txt + stem.txt — skip on CI/arm64)
#
# To regenerate after changing code_execution.txt or stem.txt:
# uv pip compile requirements/code_execution.txt \
# --python-version 3.10 -o requirements/sandbox-core.lock
# uv pip compile requirements/code_execution.txt requirements/stem.txt \
# --extra-index-url https://download.pytorch.org/whl/cpu \
# --python-version 3.10 -o requirements/sandbox.lock
# =============================================================================

FROM python:3.10-slim

# Install dependencies required for Lean 4, pypy3, and other tools
# Install system dependencies: nginx, build tools for pypy3/lean4/block_network
ARG TARGETARCH
RUN apt-get update && \
apt-get install -y curl git net-tools bzip2 build-essential libseccomp-dev && \
ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" && \
apt-get install -y nginx curl git net-tools bzip2 build-essential libseccomp-dev && \
rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
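Review bot: the lock-file workflow documented in the new header comment pins versions but not hashes: the two `uv pip compile` commands are shown without `--generate-hashes`, so the `uv pip install` steps that consume `sandbox-core.lock` and `sandbox.lock` cannot fail closed if either index (including the `--extra-index-url https://download.pytorch.org/whl/cpu` mirror) serves a different artifact for a pinned version. Suggest regenerating with `uv pip compile ... --generate-hashes` and installing with `--require-hashes`, and stating that in this comment so the next person to regenerate the locks keeps the hashes.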
Comment on lines 34 to +36
Contributor
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if net-tools or its commands (netstat, ifconfig, arp, route) are referenced anywhere
echo "=== Searching for net-tools commands usage ==="
rg -i '\b(netstat|ifconfig|arp|route)\b' --type=sh --type=py --type=bash 2>/dev/null || echo "No matches found"

echo ""
echo "=== Searching for net-tools package reference ==="
rg 'net-tools' 2>/dev/null || echo "No matches found"

echo ""
echo "=== Checking the dockerfile for net-tools and checking startup script ==="
cd dockerfiles && ls -la | head -20

Repository: NVIDIA-NeMo/Skills

Length of output: 1140


🏁 Script executed:

#!/bin/bash
# Read the Dockerfile to see the full context and startup script reference
echo "=== Reading Dockerfile.sandbox ==="
cat dockerfiles/Dockerfile.sandbox | head -160

echo ""
echo "=== Looking for the start-with-nginx.sh script ==="
find . -name "start-with-nginx.sh" -o -name "start.sh" | head -10

Repository: NVIDIA-NeMo/Skills

Length of output: 7511


🏁 Script executed:

#!/bin/bash
# Check what's in the startup scripts to see if net-tools commands are used
echo "=== Searching for startup script files ==="
find . -type f -name "*start*" | grep -E "\.(sh|py)$" | head -20

Repository: NVIDIA-NeMo/Skills

Length of output: 340


🏁 Script executed:

#!/bin/bash
# Check the startup script for command usage
echo "=== Checking start-with-nginx.sh for command usage ==="
cat dockerfiles/sandbox/start-with-nginx.sh

Repository: NVIDIA-NeMo/Skills

Length of output: 25914


🏁 Script executed:

#!/bin/bash
# Verify iproute2 is included in python:3.10-slim by checking Debian package info
echo "=== Checking if ss (from iproute2) is typically available in Debian slim images ==="
echo "iproute2 is part of the essential packages in Debian and is included in slim images"
echo "Python:3.10-slim is based on Debian 12 (bookworm), which includes iproute2 by default"
echo ""
echo "=== Verification Summary ==="
echo "1. ss command usage found: YES (port_is_free function uses 'ss -tln')"
echo "2. net-tools commands found: NO (no netstat, ifconfig, arp, route usage)"
echo "3. net-tools package reference: ONLY in the apt-get install line (line 35)"
echo "4. iproute2 in slim images: YES (included by default in Debian slim)"

Repository: NVIDIA-NeMo/Skills

Length of output: 632


Add --no-install-recommends and remove unused net-tools package.

The apt-get install on line 35 pulls in unnecessary recommended packages (Trivy DS-0029) and includes net-tools, which is not used. The scripts use ss (from iproute2, pre-installed in python:3.10-slim) rather than tools from net-tools.

Proposed fix
 RUN apt-get update && \
-    apt-get install -y nginx curl git net-tools bzip2 build-essential libseccomp-dev && \
+    apt-get install -y --no-install-recommends nginx curl git bzip2 build-essential libseccomp-dev && \
     rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
🧰 Tools
🪛 Trivy (0.69.1)

[error] 34-36: 'apt-get' missing '--no-install-recommends'

'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y nginx curl git net-tools bzip2 build-essential libseccomp-dev && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*'

Rule: DS-0029

(IaC/Dockerfile)

🤖 Prompt for AI Agents
In `@dockerfiles/Dockerfile.sandbox` around lines 34 - 36, Update the RUN apt-get
install invocation to avoid installing recommended packages and drop the unused
net-tools package: modify the RUN command that performs apt-get update &&
apt-get install -y nginx curl git net-tools bzip2 build-essential libseccomp-dev
&& ... so it adds the --no-install-recommends flag to apt-get install and
removes net-tools from the package list; keep the existing cleanup (rm -rf
/var/lib/apt/lists/* /var/cache/apt/archives/*) unchanged.


# Install PyPy3
RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" && \
case "$ARCH" in \
amd64) PYPY_ARCH=linux64 ;; \
arm64|aarch64) PYPY_ARCH=aarch64 ;; \
@@ -30,8 +47,7 @@ RUN apt-get update && \
tar -xjf /tmp/pypy.tar.bz2 -C /opt/ && \
ln -s /opt/pypy3.10-v7.3.17-$PYPY_ARCH/bin/pypy3 /usr/bin/pypy3 && \
/usr/bin/pypy3 -m ensurepip && \
rm /tmp/pypy.tar.bz2 && \
rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
rm /tmp/pypy.tar.bz2

# Install Lean 4 toolchain
RUN curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh -s -- -y && \
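Review bot: the Lean install at the end of this hunk, `curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh -s -- -y`, fetches the installer from the `master` branch and pipes it straight into `sh`, so each build runs whatever that file contains at build time; since this PR's purpose is to make the image reproducible via lock files, pin this to a release tag of elan and verify the script's checksum before executing it. The same applies to `/tmp/pypy.tar.bz2` at the top of the hunk, which is extracted with no checksum check visible in the diff. Dropping the duplicate `rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*` from the PyPy step is correct now that the apt layer above cleans up after itself.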
@@ -59,26 +75,25 @@ RUN cd /lean4/my_project && \
ENV LEAN_PATH="/lean4/my_project"
ENV PATH="/lean4/my_project:$PATH"

# Set up application code and install Python dependencies
COPY requirements/code_execution.txt /app/requirements.txt
RUN pip install --no-cache-dir -r /app/requirements.txt


# Install STEM related libraries
COPY requirements/stem.txt /app/stem_requirements.txt


# Speed/size/env hygiene
ENV PIP_DISABLE_PIP_VERSION_CHECK=1 \
UV_SYSTEM_PYTHON=1 \
PATH="/root/.local/bin:${PATH}"

# Install uv
RUN curl -LsSf https://astral.sh/uv/install.sh | sh

# Set up application code directory
WORKDIR /app

# Install core Python dependencies from lock file (always)
COPY requirements/sandbox-core.lock /app/requirements-core.lock
RUN uv pip install --system -r /app/requirements-core.lock

# Install uv (adds to ~/.local/bin), then install deps
# Install full dependencies including STEM libraries (skip on CI/arm64)
COPY requirements/sandbox.lock /app/requirements.lock
RUN if [ "$GITHUB_CI" != "1" ] && [ "$TARGETARCH" != "arm64" ]; then \
curl -LsSf https://astral.sh/uv/install.sh | sh && \
uv pip install --upgrade pip && \
uv pip install -r /app/stem_requirements.txt --no-cache-dir --extra-index-url https://download.pytorch.org/whl/cpu; \
uv pip install --system -r /app/requirements.lock --extra-index-url https://download.pytorch.org/whl/cpu; \
fi

# For scicode eval - create data directory and download test data
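Review bot: the `# Install uv` step near the top of this hunk now runs unconditionally (it used to sit inside the CI/arm64 guard), but it is still an unpinned `curl -LsSf https://astral.sh/uv/install.sh | sh`, so the tool that consumes the new lock files is itself unlocked. Pin it, for example with `COPY --from=ghcr.io/astral-sh/uv:<version> /uv /usr/local/bin/uv`, after which the `PATH="/root/.local/bin:${PATH}"` entry is no longer needed for uv. Also, the guard reads `$GITHUB_CI` but no `ARG GITHUB_CI` is visible in this diff; if it is not declared earlier in the file, the variable is always empty inside `RUN`, the condition is always true and the full STEM install never gets skipped on CI (pre-existing, but worth checking while this block is being rewritten).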
@@ -132,26 +147,7 @@ RUN gcc -shared -fPIC -o /usr/lib/libblock_network.so /tmp/block_network.c -ldl
COPY dockerfiles/sandbox/start-with-nginx.sh /start-with-nginx.sh
RUN chmod +x /start-with-nginx.sh

# Set the working directory to /app
WORKDIR /app

# Environment variables for multi-worker setup
ENV NGINX_PORT=6000

# Set default port for single worker mode
ENV LISTEN_PORT=6000

# Default uwsgi configuration
ARG UWSGI_CHEAPER
ENV UWSGI_CHEAPER=$UWSGI_CHEAPER

ARG NUM_WORKERS
ENV NUM_WORKERS=$NUM_WORKERS

ARG UWSGI_PROCESSES
ENV UWSGI_PROCESSES=$UWSGI_PROCESSES

ENV LISTEN_PORT=6000
RUN echo "uwsgi_read_timeout 14400s;" > /etc/nginx/conf.d/custom_timeout.conf

CMD ["/start-with-nginx.sh"]
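Review bot: `RUN echo "uwsgi_read_timeout 14400s;" > /etc/nginx/conf.d/custom_timeout.conf` is kept in this hunk, but the PR drops the `tiangolo/uwsgi-nginx-flask` base image and every `UWSGI_*` arg/env, and the `block_network.c` comment now names gunicorn, so the app server behind nginx no longer appears to be uwsgi. `uwsgi_read_timeout` only applies to `uwsgi_pass` locations; if `start-with-nginx.sh` now configures `proxy_pass` to gunicorn, the four-hour timeout is silently not applied and `proxy_read_timeout` is the directive that matters (gunicorn's own worker timeout would need to match as well). Worth confirming in the start script, which this diff doesn't touch; if uwsgi is really gone, this line should be replaced rather than carried over.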
2 changes: 1 addition & 1 deletion dockerfiles/sandbox/block_network.c
@@ -45,7 +45,7 @@ int socket(int domain, int type, int protocol) {
real_socket = dlsym(RTLD_NEXT, "socket");
}

/* Allow Unix domain sockets (needed for local IPC, uwsgi, etc.) */
/* Allow Unix domain sockets (needed for local IPC, gunicorn, etc.) */
if (domain == AF_UNIX || domain == AF_LOCAL) {
return real_socket(domain, type, protocol);
}
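Review bot: comment-only change, fine. Two small follow-ups on the surrounding lines: `AF_LOCAL` is defined as `AF_UNIX` on Linux, so the `||` test is redundant (harmless, but a one-word comment avoids readers assuming two distinct families); and since this allow-list lives in a preloaded `socket()` interposer (built as `/usr/lib/libblock_network.so` in the Dockerfile hunk above), it only covers dynamically linked callers that go through libc, so the comment or README should describe it as a defense-in-depth layer rather than the enforced boundary, with the seccomp filter that `libseccomp-dev` is presumably installed for as the real one.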