# ConfigMap that the sandbox Deployment mounts at /dependencies. It carries a
# single file, python-requirements.txt, which is empty here.
# NOTE(review): presumably the sandbox image reads this file to pull in extra
# Python packages - confirm against the image documentation. If entries are
# ever added, pin exact versions: those packages would sit next to the code the
# sandbox executes.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sandbox-cm0
  namespace: dify
  labels:
    io.kompose.service: sandbox
data:
  python-requirements.txt: ''
---
# ConfigMap that the sandbox Deployment mounts at /conf. It ships two files:
# config.yaml (presumably the file the image loads - confirm) and
# config.yaml.example, a fuller reference copy.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sandbox-cm1
  namespace: dify
  labels:
    io.kompose.service: sandbox
data:
  # NOTE(review): security-relevant settings in config.yaml.
  #   - app.key is the fixed string "sandbox", committed in plain text in a
  #     ConfigMap. The Deployment also injects API_KEY from the dify-config
  #     ConfigMap; which source wins is decided by the image - confirm, and
  #     keep the real key in a Secret rather than in either ConfigMap.
  #   - app.debug is True. Confirm that the GIN_MODE value injected by the
  #     Deployment switches the service out of debug mode.
  #   - enable_network is True and every proxy entry is empty, so nothing in
  #     this file mediates outbound traffic from the code being executed.
  #     Pair this with an egress NetworkPolicy or set a filtering proxy.
  #   - allowed_syscalls is left empty, as its inline comment advises; the
  #     effective seccomp allow-list is then whatever the image defaults to.
  config.yaml: |
    app:
      port: 8194
      debug: True
      key: sandbox
    max_workers: 4
    max_requests: 50
    worker_timeout: 5
    python_path: /usr/local/bin/python3
    enable_network: True # please make sure there is no network risk in your environment
    allowed_syscalls: # please leave it empty if you have no idea how seccomp works
    proxy:
      socks5: ''
      http: ''
      https: ''
  # Reference copy showing the optional keys (python_lib_path,
  # python_pip_mirror_url, nodejs_path, a populated allowed_syscalls list).
  # NOTE(review): python_pip_mirror_url points at a third-party PyPI mirror.
  # If this example is copied into config.yaml, choose an index you trust and
  # pin package versions. The syscall numbers 1, 2, 3 are placeholders, not a
  # vetted allow-list.
  config.yaml.example: |
    app:
      port: 8194
      debug: True
      key: sandbox
    max_workers: 4
    max_requests: 50
    worker_timeout: 5
    python_path: /usr/local/bin/python3
    python_lib_path:
      - /usr/local/lib/python3.10
      - /usr/lib/python3.10
      - /usr/lib/python3
      - /usr/lib/x86_64-linux-gnu
      - /etc/ssl/certs/ca-certificates.crt
      - /etc/nsswitch.conf
      - /etc/hosts
      - /etc/resolv.conf
      - /run/systemd/resolve/stub-resolv.conf
      - /run/resolvconf/resolv.conf
      - /etc/localtime
      - /usr/share/zoneinfo
      - /etc/timezone
      # add more paths if needed
    python_pip_mirror_url: https://pypi.tuna.tsinghua.edu.cn/simple
    nodejs_path: /usr/local/bin/node
    enable_network: True
    allowed_syscalls:
      - 1
      - 2
      - 3
      # add all the syscalls which you require
    proxy:
      socks5: ''
      http: ''
      https: ''
---
# Deployment for the sandbox service: one replica of langgenius/dify-sandbox
# exposing container port 8194. Environment values come from the dify-config
# ConfigMap; files come from the sandbox-cm0 and sandbox-cm1 ConfigMaps.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sandbox
  namespace: dify
  labels:
    app: sandbox
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: sandbox
  template:
    metadata:
      labels:
        app: sandbox
    spec:
      # No service-account token is mounted, so code running in this pod has no
      # Kubernetes API credential to read from the filesystem.
      automountServiceAccountToken: false
      nodeSelector:
        kubernetes.io/os: linux
      # NOTE(review): neither a securityContext nor resource requests/limits
      # are set here. Limits would bound CPU and memory use by executed code.
      # Which securityContext restrictions the image tolerates has to be
      # checked against the image before adding any.
      containers:
        - name: sandbox
          # NOTE(review): the image is referenced by a mutable tag and pulled
          # only when absent from the node. Pinning by digest
          # (langgenius/dify-sandbox@sha256:<DIGEST_PLACEHOLDER>) fixes the
          # exact content that runs.
          image: langgenius/dify-sandbox:0.2.11
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8194
          env:
            # NOTE(review): API_KEY is a credential but is read from a
            # ConfigMap, which is not meant for secret data. Prefer a Secret
            # with secretKeyRef.
            - name: API_KEY
              valueFrom:
                configMapKeyRef:
                  name: dify-config
                  key: SANDBOX_API_KEY
            - name: GIN_MODE
              valueFrom:
                configMapKeyRef:
                  name: dify-config
                  key: SANDBOX_GIN_MODE
            - name: WORKER_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  name: dify-config
                  key: SANDBOX_WORKER_TIMEOUT
            # Controls whether executed code gets network access; review the
            # dify-config value together with cluster egress rules.
            - name: ENABLE_NETWORK
              valueFrom:
                configMapKeyRef:
                  name: dify-config
                  key: SANDBOX_ENABLE_NETWORK
            - name: HTTP_PROXY
              valueFrom:
                configMapKeyRef:
                  name: dify-config
                  key: SANDBOX_HTTP_PROXY
            - name: HTTPS_PROXY
              valueFrom:
                configMapKeyRef:
                  name: dify-config
                  key: SANDBOX_HTTPS_PROXY
            - name: SANDBOX_PORT
              valueFrom:
                configMapKeyRef:
                  name: dify-config
                  key: SANDBOX_PORT
          # The probe runs curl inside the container against a hard-coded port.
          # NOTE(review): if SANDBOX_PORT in dify-config is not 8194, this
          # probe and containerPort no longer match the listener - confirm.
          livenessProbe:
            exec:
              command: ['curl', '-f', 'http://localhost:8194/health']
          volumeMounts:
            - name: sandbox-cm0
              mountPath: /dependencies
            - name: sandbox-cm1
              mountPath: /conf
      volumes:
        - name: sandbox-cm0
          configMap:
            name: sandbox-cm0
        - name: sandbox-cm1
          configMap:
            name: sandbox-cm1
---
# Headless Service for the sandbox pods: with clusterIP set to None there is no
# virtual IP, and the DNS name sandbox.dify resolves straight to the pod
# addresses selected by app=sandbox.
# NOTE(review): nothing in this file limits which pods may connect to port
# 8194. A NetworkPolicy admitting only the workloads that need to call the
# sandbox would narrow access - confirm whether one exists elsewhere.
apiVersion: v1
kind: Service
metadata:
  name: sandbox
  namespace: dify
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: sandbox
  ports:
    - name: sandbox
      protocol: TCP
      port: 8194
      targetPort: 8194
---