2d7c1368f0
### What problem does this PR solve? Add code_executor_manager. #4977. ### Type of change - [x] New Feature (non-breaking change which adds functionality)
RAGFlow Sandbox
A secure, pluggable code execution backend for RAGFlow and beyond.
🔧 Features
- ✅ Seamless RAGFlow Integration — Out-of-the-box compatibility with the
codecomponent. - 🔐 High Security — Leverages gVisor for syscall-level sandboxing.
- 🔧 Customizable Sandboxing — Easily modify
seccompsettings as needed. - 🧩 Pluggable Runtime Support — Easily extend to support any programming language.
- ⚙️ Developer Friendly — Get started with a single command using
Makefile.
🏗 Architecture
🚀 Quick Start
📋 Prerequisites
Required
- Linux distro compatible with gVisor
- gVisor
- Docker >=
24.0.0 - Docker Compose >=
v2.26.1like RAGFlow - uv as package and project manager
Optional (Recommended)
- GNU Make for simplified CLI management
🐳 Build Docker Base Images
We use isolated base images for secure containerized execution:
# Build base images manually
docker build -t sandbox-base-python:latest ./sandbox_base_image/python
docker build -t sandbox-base-nodejs:latest ./sandbox_base_image/nodejs
# OR use Makefile
make build
Then, build the executor manager image:
docker build -t sandbox-executor-manager:latest ./executor_manager
📦 Running with RAGFlow
-
Ensure gVisor is correctly installed.
-
Configure your
.envindocker/.env:- Uncomment sandbox-related variables.
- Enable sandbox profile at the bottom.
-
Add the following line to
/etc/hostsas recommended:127.0.0.1 sandbox-executor-manager -
Start RAGFlow service.
🧭 Running Standalone
Manual Setup
-
Initialize environment:
cp .env.example .env -
Launch:
docker compose -f docker-compose.yml up -
Test:
source .venv/bin/activate export PYTHONPATH=$(pwd) uv pip install -r executor_manager/requirements.txt uv run tests/sandbox_security_tests_full.py
With Make
make # setup + build + launch + test
📈 Monitoring
docker logs -f sandbox-executor-manager # Manual
make logs # With Make
🧰 Makefile Toolbox
| Command | Description |
|---|---|
make |
Setup, build, launch and test all at once |
make setup |
Initialize environment and install uv |
make ensure_env |
Auto-create .env if missing |
make ensure_uv |
Install uv package manager if missing |
make build |
Build all Docker base images |
make start |
Start services with safe env loading and testing |
make stop |
Gracefully stop all services |
make restart |
Shortcut for stop + start |
make test |
Run full test suite |
make logs |
Stream container logs |
make clean |
Stop and remove orphan containers and volumes |
🔐 Security
The RAGFlow sandbox is designed to balance security and usability, offering solid protection without compromising developer experience.
✅ gVisor Isolation
At its core, we use gVisor, a user-space kernel, to isolate code execution from the host system. gVisor intercepts and restricts syscalls, offering robust protection against container escapes and privilege escalations.
🔒 Optional seccomp Support (Advanced)
For users who need zero-trust-level syscall control, we support an additional seccomp profile. This feature restricts containers to only a predefined set of system calls, as specified in executor_manager/seccomp-profile-default.json.
⚠️ This feature is disabled by default to maintain compatibility and usability. Enabling it may cause compatibility issues with some dependencies.
To enable seccomp
-
Edit your
.envfile:SANDBOX_ENABLE_SECCOMP=true -
Customize allowed syscalls in:
executor_manager/seccomp-profile-default.jsonThis profile is passed to the container with:
--security-opt seccomp=/app/seccomp-profile-default.json
🧠 Python Code AST Inspection
In addition to sandboxing, Python code is statically analyzed via AST (Abstract Syntax Tree) before execution. Potentially malicious code (e.g. file operations, subprocess calls, etc.) is rejected early, providing an extra layer of protection.
This security model strikes a balance between robust isolation and developer usability. While seccomp can be highly restrictive, our default setup aims to keep things usable for most developers — no obscure crashes or cryptic setup required.
📦 Add Extra Dependencies for Supported Languages
Currently, the following languages are officially supported:
| Language | Priority |
|---|---|
| Python | High |
| Node.js | Medium |
🐍 Python
To add Python dependencies, simply edit the following file:
sandbox_base_image/python/requirements.txt
Add any additional packages you need, one per line (just like a normal pip requirements file).
🟨 Node.js
To add Node.js dependencies:
-
Navigate to the Node.js base image directory:
cd sandbox_base_image/nodejs -
Use
npmto install the desired packages. For example:npm install lodash -
The dependencies will be saved to
package.jsonandpackage-lock.json, and included in the Docker image when rebuilt.
🤝 Contribution
Contributions are welcome!