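---
# Compose stack for the Code Interpreter API: the API container, a Redis
# instance for session state and a Garage S3-compatible object store.
# Values written as ${VAR:-default} are read from the environment or .env;
# every default below is meant for local development only.
services:
  # Code Interpreter API (unified image with nsjail sandboxing)
  api:
    # ":main" is a mutable tag and pull_policy: always re-fetches it on each
    # start; set API_IMAGE to an immutable tag or digest when deployments
    # need to be reproducible.
    image: ${API_IMAGE:-ghcr.io/usnavy13/librecodeinterpreter:main}
    pull_policy: always
    container_name: code-interpreter-api
    restart: unless-stopped
    # tini init process reaps zombie nsjail/python child processes
    init: true
    # nsjail requires these capabilities to create namespaces and cgroups.
    # NET_ADMIN is required to install iptables egress rules for the sandbox uid
    # when ENABLE_SANDBOX_NETWORK=true. Restricts sandbox traffic to the
    # inline allowlist proxy and prevents SSRF to Redis/S3/etc.
    # With SYS_ADMIN plus apparmor:unconfined the container boundary itself is
    # weak; isolation of untrusted code rests on nsjail inside the container.
    cap_add:
      - SYS_ADMIN
      - NET_ADMIN
    security_opt:
      - apparmor:unconfined
    ports:
      # Published on all interfaces (Redis and Garage below bind to loopback);
      # put a reverse proxy or host firewall in front for non-local use.
      - "${PORT:-8000}:8000"
    env_file:
      - .env
    environment:
      # Container-specific overrides (service discovery within compose network)
      - REDIS_HOST=redis
      - S3_ENDPOINT=garage:3900
    volumes:
      - sandbox-data:/var/lib/code-interpreter/sandboxes
      # Persistent skill-deps cache: pip/npm/go/cargo install here when
      # ENABLE_SANDBOX_NETWORK=true so future executions reuse the install.
      # Survives container restarts; purge with POST /api/v1/admin/skill-deps/purge.
      - skill-deps:/opt/skill-deps
      # SSL_CERTS_PATH is a host path; SSL_CERT_FILE and SSL_KEY_FILE must point
      # to the mounted files inside the container under /app/ssl.
      - ${SSL_CERTS_PATH:-./ssl}:/app/ssl:ro
    tmpfs:
      # noexec/nosuid/nodev: scratch space cannot be used to stage executables
      - /tmp:size=512m,mode=1777,noexec,nosuid,nodev
      - /app/data:size=100m
    depends_on:
      redis:
        condition: service_healthy
      garage:
        condition: service_healthy
    healthcheck:
      # The plain-HTTP probe fails when the API serves TLS, so fall back to
      # HTTPS; -k skips certificate verification for this loopback-only check.
      test: ["CMD-SHELL", "curl -fs http://localhost:8000/health || curl -fsk https://localhost:8000/health"]
      interval: 30s
      timeout: 15s
      retries: 3
      start_period: 30s

  # Redis for session management
  redis:
    image: redis:7-alpine
    container_name: code-interpreter-redis
    restart: unless-stopped
    ports:
      # Loopback only: reachable from the host for debugging, not from the LAN
      - "127.0.0.1:${REDIS_PORT:-6379}:6379"
    command: >
      redis-server
      --appendonly yes
      --appendfsync everysec
      --maxmemory 256mb
      --maxmemory-policy allkeys-lru
    volumes:
      - redis-data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Garage S3-compatible object storage
  garage:
    image: dxflrs/garage:v2.3.0
    container_name: code-interpreter-garage
    restart: unless-stopped
    command: /garage server --single-node --default-bucket
    ports:
      # Loopback only, as for Redis; the API reaches Garage over the compose network
      - "127.0.0.1:${S3_PORT:-3900}:3900"
      - "127.0.0.1:${GARAGE_ADMIN_PORT:-3903}:3903"
    environment:
      # The fallback key pair is a development placeholder; set S3_ACCESS_KEY
      # and S3_SECRET_KEY in .env (or the environment) before the stack is
      # reachable by anyone else.
      GARAGE_DEFAULT_ACCESS_KEY: ${S3_ACCESS_KEY:-GKminioadmin0000}
      GARAGE_DEFAULT_SECRET_KEY: ${S3_SECRET_KEY:-minioadminsecret}
      GARAGE_DEFAULT_BUCKET: ${S3_BUCKET:-code-interpreter-files}
    volumes:
      - garage-data:/var/lib/garage
      # Mounted read-only, matching the SSL mount on the api service: the
      # server reads this file at startup and must not be able to alter the
      # host copy.
      - ./garage.toml:/etc/garage.toml:ro
    healthcheck:
      test: ["CMD", "/garage", "status"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s

# Named volumes; each uses the default driver.
volumes:
  sandbox-data:
  skill-deps:
  redis-data:
  garage-data: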