Class: Microsandbox::Sandbox

Inherits:
Object
  • Object
show all
Defined in:
lib/microsandbox/sandbox.rb

Overview

A running sandbox (microVM) — the primary entry point of the SDK.

Examples:

Block form (auto-stops on exit)

Microsandbox::Sandbox.create("hello", image: "python") do |sb|
  out = sb.exec("python", ["-c", "print('hi')"])
  puts out.stdout
end

Manual lifecycle

sb = Microsandbox::Sandbox.create("hello", image: "python")
begin
  sb.shell("echo hi")
ensure
  sb.stop
end

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(native) ⇒ Sandbox

Returns a new instance of Sandbox.



276
277
278
 
# File 'lib/microsandbox/sandbox.rb', line 276

def initialize(native)
  @native = native
end

Class Method Details

.create(name, image: nil, cpus: nil, memory: nil, env: nil, workdir: nil, shell: nil, user: nil, hostname: nil, labels: nil, scripts: nil, entrypoint: nil, ports: nil, ports_udp: nil, volumes: nil, network: nil, from_snapshot: nil, log_level: nil, quiet_logs: false, security: nil, oci_upper_size: nil, max_duration: nil, idle_timeout: nil, rlimits: nil, pull_policy: nil, secrets: nil, detached: false, replace: false, replace_with_timeout: nil) {|sandbox| ... } ⇒ Sandbox, Object

Create and boot a sandbox.

When a block is given the sandbox is yielded and stopped automatically when the block returns (the block’s value is returned); otherwise the live Microsandbox::Sandbox is returned and you are responsible for calling #stop.

Parameters:

  • name (String)

    sandbox name (max 128 UTF-8 bytes)

  • image (String, nil) (defaults to: nil)

    OCI image reference (e.g. “python”)

  • cpus (Integer, nil) (defaults to: nil)

    number of vCPUs

  • memory (Integer, nil) (defaults to: nil)

    memory in MiB

  • env (Hash, nil) (defaults to: nil)

    environment variables

  • workdir (String, nil) (defaults to: nil)

    working directory inside the guest

  • shell (String, nil) (defaults to: nil)

    default shell (for #shell)

  • user (String, nil) (defaults to: nil)

    default user

  • hostname (String, nil) (defaults to: nil)

    guest hostname

  • labels (Hash, nil) (defaults to: nil)

    metadata labels

  • scripts (Hash, nil) (defaults to: nil)

    named scripts to install

  • entrypoint (Array<String>, nil) (defaults to: nil)

    image entrypoint override

  • ports (Hash, nil) (defaults to: nil)

    host_port => guest_port TCP publications

  • ports_udp (Hash, nil) (defaults to: nil)

    host_port => guest_port UDP publications

  • network ("public_only", "none", "allow_all", "non_local", nil) (defaults to: nil)

    network policy preset (default public_only)

  • log_level ("error", "warn", "info", "debug", "trace", nil) (defaults to: nil)

    guest log verbosity

  • quiet_logs (Boolean) (defaults to: false)

    suppress sandbox process logs

  • security ("default", "restricted", nil) (defaults to: nil)

    exec security profile

  • oci_upper_size (Integer, nil) (defaults to: nil)

    writable upper-layer size cap, in MiB

  • max_duration (Integer, nil) (defaults to: nil)

    hard wall-clock lifetime, in seconds

  • idle_timeout (Integer, nil) (defaults to: nil)

    stop after this many idle seconds

  • rlimits (Hash, nil) (defaults to: nil)

    resource limits: { resource => limit } or { resource => [soft, hard] } (e.g. { nofile: 65_535 })

  • pull_policy ("always", "if-missing", "never", nil) (defaults to: nil)

    image pull behavior

  • secrets (Array<Hash>, nil) (defaults to: nil)

    placeholder-protected secrets, each { env:, value:, host: } — the value is substituted by the TLS proxy only for the allowed host (auto-enables TLS interception)

  • detached (Boolean) (defaults to: false)

    keep running after this process exits

  • replace (Boolean) (defaults to: false)

    replace an existing sandbox with the same name

  • replace_with_timeout (Numeric, nil) (defaults to: nil)

    replace, waiting up to N seconds

Yield Parameters:

Returns:

  • (Sandbox, Object)

    the sandbox, or the block’s return value



130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
 
# File 'lib/microsandbox/sandbox.rb', line 130

def create(name,
           image: nil, cpus: nil, memory: nil, env: nil, workdir: nil,
           shell: nil, user: nil, hostname: nil, labels: nil, scripts: nil,
           entrypoint: nil, ports: nil, ports_udp: nil, volumes: nil, network: nil,
           from_snapshot: nil, log_level: nil, quiet_logs: false, security: nil,
           oci_upper_size: nil, max_duration: nil, idle_timeout: nil, rlimits: nil,
           pull_policy: nil, secrets: nil,
           detached: false, replace: false, replace_with_timeout: nil)
  opts = {}
  opts["image"] = image.to_s if image
  opts["from_snapshot"] = from_snapshot.to_s if from_snapshot
  opts["cpus"] = Integer(cpus) if cpus
  opts["memory"] = Integer(memory) if memory
  opts["workdir"] = workdir.to_s if workdir
  opts["shell"] = shell.to_s if shell
  opts["user"] = user.to_s if user
  opts["hostname"] = hostname.to_s if hostname
  opts["env"] = stringify(env) if env
  opts["labels"] = stringify(labels) if labels
  opts["scripts"] = stringify(scripts) if scripts
  opts["entrypoint"] = Array(entrypoint).map(&:to_s) if entrypoint
  opts["ports"] = intify_ports(ports) if ports
  opts["ports_udp"] = intify_ports(ports_udp) if ports_udp
  opts["volumes"] = normalize_volumes(volumes) if volumes
  opts["network"] = network.to_s if network
  opts["log_level"] = log_level.to_s if log_level
  opts["quiet_logs"] = true if quiet_logs
  opts["security"] = security.to_s if security
  opts["oci_upper_size"] = Integer(oci_upper_size) if oci_upper_size
  opts["max_duration"] = Integer(max_duration) if max_duration
  opts["idle_timeout"] = Integer(idle_timeout) if idle_timeout
  opts["rlimits"] = normalize_rlimits(rlimits) if rlimits
  opts["pull_policy"] = pull_policy.to_s if pull_policy
  opts["secrets"] = normalize_secrets(secrets) if secrets
  opts["detached"] = true if detached
  if replace_with_timeout
    opts["replace_with_timeout"] = Float(replace_with_timeout)
  elsif replace
    opts["replace"] = true
  end

  sandbox = new(Native::Sandbox.create(name.to_s, opts))
  return sandbox unless block_given?

  begin
    yield sandbox
  ensure
    begin
      sandbox.stop
    rescue Microsandbox::Error
      # best-effort cleanup; ignore stop failures during teardown
    end
  end
end

.get(name) ⇒ SandboxInfo

Fetch metadata for a sandbox by name.

Returns:



193
194
195
 
# File 'lib/microsandbox/sandbox.rb', line 193

def get(name)
  SandboxInfo.new(Native::Sandbox.get(name.to_s))
end

.listArray<SandboxInfo>

List all sandboxes.

Returns:



199
200
201
 
# File 'lib/microsandbox/sandbox.rb', line 199

def list
  Native::Sandbox.list.map { |info| SandboxInfo.new(info) }
end

.list_with(labels: {}) ⇒ Array<SandboxInfo>

List sandboxes carrying all of the given labels (AND-matched).

Parameters:

  • labels (Hash) (defaults to: {})

    required key => value labels

Returns:



206
207
208
209
 
# File 'lib/microsandbox/sandbox.rb', line 206

def list_with(labels: {})
  opts = { "labels" => stringify(labels) }
  Native::Sandbox.list_with(opts).map { |info| SandboxInfo.new(info) }
end

.remove(name) ⇒ nil

Remove a (stopped) sandbox by name.

Returns:

  • (nil) 


213
214
215
216
 
# File 'lib/microsandbox/sandbox.rb', line 213

def remove(name)
  Native::Sandbox.remove(name.to_s)
  nil
end

.start(name, detached: false) ⇒ Sandbox

Restart a previously-defined sandbox by name.

Returns:



187
188
189
 
# File 'lib/microsandbox/sandbox.rb', line 187

def start(name, detached: false)
  new(Native::Sandbox.start(name.to_s, { "detached" => detached }))
end

Instance Method Details

#detachnil

Detach this handle: disarm the stop-on-drop safety net so the sandbox keeps running after this handle is gone (and after this process exits).

Returns:

  • (nil) 


433
434
435
436
 
# File 'lib/microsandbox/sandbox.rb', line 433

def detach
  @native.detach
  nil
end

#exec(command, args = [], cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil) ⇒ ExecOutput

Run a command (no shell interpretation) and collect its output.

Parameters:

  • command (String)

    the executable

  • args (Array<String>) (defaults to: [])

    arguments

  • cwd (String, nil) (defaults to: nil)

    working directory

  • user (String, nil) (defaults to: nil)

    user to run as

  • env (Hash, nil) (defaults to: nil)

    extra environment variables

  • timeout (Numeric, nil) (defaults to: nil)

    kill after N seconds

  • tty (Boolean) (defaults to: false)

    allocate a pseudo-terminal

  • stdin (String, nil) (defaults to: nil)

    data to feed to stdin

Returns:



296
297
298
299
 
# File 'lib/microsandbox/sandbox.rb', line 296

def exec(command, args = [], cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil)
  ExecOutput.new(@native.exec(command.to_s, Array(args).map(&:to_s),
                              exec_opts(cwd:, user:, env:, timeout:, tty:, stdin:, rlimits:)))
end

#exec_stream(command, args = [], cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil) ⇒ ExecHandle

Run a command and stream its output as it arrives.

Returns:

See Also:



311
312
313
314
 
# File 'lib/microsandbox/sandbox.rb', line 311

def exec_stream(command, args = [], cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil)
  ExecHandle.new(@native.exec_stream(command.to_s, Array(args).map(&:to_s),
                                     exec_opts(cwd:, user:, env:, timeout:, tty:, stdin:, rlimits:)))
end

#fsFS

Guest filesystem operations.

Returns:



325
326
327
 
# File 'lib/microsandbox/sandbox.rb', line 325

def fs
  @fs ||= FS.new(@native)
end

#inspectObject 



438
439
440
 
# File 'lib/microsandbox/sandbox.rb', line 438

def inspect
  "#<Microsandbox::Sandbox name=#{name.inspect}>"
end

#kill(timeout: nil) ⇒ nil

Force-kill the sandbox (SIGKILL).

Parameters:

  • timeout (Numeric, nil) (defaults to: nil)

    seconds to wait

Returns:

  • (nil) 


391
392
393
394
 
# File 'lib/microsandbox/sandbox.rb', line 391

def kill(timeout: nil)
  @native.kill(timeout && Float(timeout))
  nil
end

#log_stream(sources: nil, since_ms: nil, from_cursor: nil, until_ms: nil, follow: false) ⇒ LogStream

Stream captured logs as they appear.

Parameters:

  • sources (Array<String,Symbol>, nil) (defaults to: nil)

    filter by source (“stdout”/“stderr”/“output”/“system”)

  • since_ms (Numeric, nil) (defaults to: nil)

    start at the first entry at/after this Unix ms

  • from_cursor (String, nil) (defaults to: nil)

    resume exactly after a prior LogEntry#cursor (mutually exclusive with since_ms; takes precedence if both given)

  • until_ms (Numeric, nil) (defaults to: nil)

    stop before any entry at/after this Unix ms

  • follow (Boolean) (defaults to: false)

    keep the stream open for new entries past current EOF

Returns:



370
371
372
373
374
375
376
377
378
 
# File 'lib/microsandbox/sandbox.rb', line 370

def log_stream(sources: nil, since_ms: nil, from_cursor: nil, until_ms: nil, follow: false)
  opts = {}
  opts["sources"] = Array(sources).map(&:to_s) if sources
  opts["since_ms"] = Float(since_ms) if since_ms
  opts["from_cursor"] = from_cursor.to_s if from_cursor
  opts["until_ms"] = Float(until_ms) if until_ms
  opts["follow"] = true if follow
  LogStream.new(@native.log_stream(opts))
end

#logs(tail: nil, since_ms: nil, until_ms: nil, sources: nil) ⇒ Array<LogEntry>

Read captured logs.

Parameters:

  • tail (Integer, nil) (defaults to: nil)

    only the last N entries

  • since_ms (Numeric, nil) (defaults to: nil)

    only entries at/after this Unix ms

  • until_ms (Numeric, nil) (defaults to: nil)

    only entries before this Unix ms

  • sources (Array<String,Symbol>, nil) (defaults to: nil)

    filter by source (“stdout”/“stderr”/“output”/“system”/“all”)

Returns:



343
344
345
346
347
348
349
350
 
# File 'lib/microsandbox/sandbox.rb', line 343

def logs(tail: nil, since_ms: nil, until_ms: nil, sources: nil)
  opts = {}
  opts["tail"] = Integer(tail) if tail
  opts["since_ms"] = Float(since_ms) if since_ms
  opts["until_ms"] = Float(until_ms) if until_ms
  opts["sources"] = Array(sources).map(&:to_s) if sources
  @native.logs(opts).map { |entry| LogEntry.new(entry) }
end

#metricsMetrics

Latest resource-usage snapshot.

Returns:



331
332
333
 
# File 'lib/microsandbox/sandbox.rb', line 331

def metrics
  Metrics.new(@native.metrics)
end

#metrics_stream(interval: 1.0) ⇒ MetricsStream

Stream resource-usage snapshots, one per interval tick, until the sandbox stops. Requires metrics to be enabled for the sandbox.

Parameters:

  • interval (Numeric) (defaults to: 1.0)

    seconds between snapshots

Returns:



356
357
358
 
# File 'lib/microsandbox/sandbox.rb', line 356

def metrics_stream(interval: 1.0)
  MetricsStream.new(@native.metrics_stream(Float(interval)))
end

#nameString

Returns the sandbox name.

Returns:

  • (String)

    the sandbox name



281
282
283
 
# File 'lib/microsandbox/sandbox.rb', line 281

def name
  @native.name
end

#owns_lifecycle?Boolean

Returns whether this handle owns the sandbox process lifecycle (i.e. stopping it or dropping the handle terminates the sandbox).

Returns:

  • (Boolean)

    whether this handle owns the sandbox process lifecycle (i.e. stopping it or dropping the handle terminates the sandbox)



426
427
428
 
# File 'lib/microsandbox/sandbox.rb', line 426

def owns_lifecycle?
  @native.owns_lifecycle
end

#request_drainnil

Request a graceful drain and return immediately, without waiting.

Returns:

  • (nil) 


413
414
415
416
 
# File 'lib/microsandbox/sandbox.rb', line 413

def request_drain
  @native.request_drain
  nil
end

#request_killnil

Send the force-kill request and return immediately, without waiting.

Returns:

  • (nil) 


406
407
408
409
 
# File 'lib/microsandbox/sandbox.rb', line 406

def request_kill
  @native.request_kill
  nil
end

#request_stopnil

Send the graceful-shutdown request and return immediately, without waiting for the sandbox to terminate. Pair with #wait_until_stopped.

Returns:

  • (nil) 


399
400
401
402
 
# File 'lib/microsandbox/sandbox.rb', line 399

def request_stop
  @native.request_stop
  nil
end

#shell(script, cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil) ⇒ ExecOutput

Run a shell script (pipes, redirects, etc. allowed) and collect output.

Returns:



303
304
305
306
 
# File 'lib/microsandbox/sandbox.rb', line 303

def shell(script, cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil)
  ExecOutput.new(@native.shell(script.to_s,
                               exec_opts(cwd:, user:, env:, timeout:, tty:, stdin:, rlimits:)))
end

#shell_stream(script, cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil) ⇒ ExecHandle

Run a shell script and stream its output as it arrives.

Returns:



318
319
320
321
 
# File 'lib/microsandbox/sandbox.rb', line 318

def shell_stream(script, cwd: nil, user: nil, env: nil, timeout: nil, tty: false, stdin: nil, rlimits: nil)
  ExecHandle.new(@native.shell_stream(script.to_s,
                                      exec_opts(cwd:, user:, env:, timeout:, tty:, stdin:, rlimits:)))
end

#stop(timeout: nil) ⇒ nil

Gracefully stop the sandbox (and wait for it to terminate).

Parameters:

  • timeout (Numeric, nil) (defaults to: nil)

    seconds to wait before SIGKILL

Returns:

  • (nil) 


383
384
385
386
 
# File 'lib/microsandbox/sandbox.rb', line 383

def stop(timeout: nil)
  @native.stop(timeout && Float(timeout))
  nil
end

#wait_until_stoppedSandboxStopResult

Block until the sandbox is observed in a terminal (non-running) state.

Returns:



420
421
422
 
# File 'lib/microsandbox/sandbox.rb', line 420

def wait_until_stopped
  SandboxStopResult.new(@native.wait_until_stopped)
end