feat: subpath mounts

Signed-off-by: Vedran Jukic <[email protected]>

Author: vedranjukic

.devcontainer/Dockerfile

@@ -13,6 +13,11 @@ RUN apt update && export DEBIAN_FRONTEND=noninteractive \
 RUN apt update && export DEBIAN_FRONTEND=noninteractive \
     && apt -y install --no-install-recommends openjdk-11-jdk protobuf-compiler libprotobuf-dev
 
+# Mount-s3 (AWS S3 FUSE driver)
+RUN wget https://s3.amazonaws.com/mountpoint-s3-release/1.20.0/x86_64/mount-s3-1.20.0-x86_64.deb \
+    && apt install -y ./mount-s3-1.20.0-x86_64.deb \
+    && rm -f mount-s3-1.20.0-x86_64.deb
+
 # Telepresence
 RUN curl -fL https://app.getambassador.io/download/tel2oss/releases/download/v2.17.0/telepresence-linux-${TARGETARCH} -o /usr/local/bin/telepresence && \
     chmod a+x /usr/local/bin/telepresence

apps/api/src/sandbox/dto/sandbox.dto.ts

@@ -25,6 +25,13 @@ export class SandboxVolume {
     example: '/data',
   })
   mountPath: string
+
+  @ApiPropertyOptional({
+    description:
+      'Optional subpath within the volume to mount. When specified, only this S3 prefix will be accessible. When omitted, the entire volume is mounted.',
+    example: 'users/alice',
+  })
+  subpath?: string
 }
 
 @ApiSchema({ name: 'Sandbox' })

apps/api/src/sandbox/runner-adapter/runnerAdapter.legacy.ts

@@ -193,6 +193,7 @@ export class RunnerAdapterLegacy implements RunnerAdapter {
       volumes: sandbox.volumes?.map((volume) => ({
         volumeId: volume.volumeId,
         mountPath: volume.mountPath,
+        subpath: volume.subpath,
       })),
       networkBlockAll: sandbox.networkBlockAll,
       networkAllowList: sandbox.networkAllowList,

apps/runner/pkg/api/docs/docs.go

@@ -6,4 +6,5 @@ package dto
 type VolumeDTO struct {
 	VolumeId  string `json:"volumeId"`
 	MountPath string `json:"mountPath"`
+	Subpath   string `json:"subpath,omitempty"`
 }

apps/runner/pkg/api/docs/swagger.json

@@ -5,11 +5,14 @@ package docker
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"sync"
 
 	"github.com/daytonaio/runner/cmd/runner/config"
@@ -23,14 +26,17 @@ func (d *DockerClient) getVolumesMountPathBinds(ctx context.Context, volumes []d
 
 	for _, vol := range volumes {
 		volumeIdPrefixed := fmt.Sprintf("daytona-volume-%s", vol.VolumeId)
-		runnerVolumeMountPath := d.getRunnerVolumeMountPath(volumeIdPrefixed)
+		runnerVolumeMountPath := d.getRunnerVolumeMountPath(volumeIdPrefixed, vol.Subpath)
 
-		// Get or create mutex for this volume
+		// Create unique key for this volume+subpath combination for mutex
+		volumeKey := d.getVolumeKey(volumeIdPrefixed, vol.Subpath)
+
+		// Get or create mutex for this volume+subpath
 		d.volumeMutexesMutex.Lock()
-		volumeMutex, exists := d.volumeMutexes[volumeIdPrefixed]
+		volumeMutex, exists := d.volumeMutexes[volumeKey]
 		if !exists {
 			volumeMutex = &sync.Mutex{}
-			d.volumeMutexes[volumeIdPrefixed] = volumeMutex
+			d.volumeMutexes[volumeKey] = volumeMutex
 		}
 		d.volumeMutexesMutex.Unlock()
 
@@ -39,7 +45,7 @@ func (d *DockerClient) getVolumesMountPathBinds(ctx context.Context, volumes []d
 		defer volumeMutex.Unlock()
 
 		if d.isDirectoryMounted(runnerVolumeMountPath) {
-			log.Infof("volume %s is already mounted to %s", volumeIdPrefixed, runnerVolumeMountPath)
+			log.Infof("volume %s (subpath: %s) is already mounted to %s", volumeIdPrefixed, vol.Subpath, runnerVolumeMountPath)
 			volumeMountPathBinds = append(volumeMountPathBinds, fmt.Sprintf("%s/:%s/", runnerVolumeMountPath, vol.MountPath))
 			continue
 		}
@@ -49,40 +55,69 @@ func (d *DockerClient) getVolumesMountPathBinds(ctx context.Context, volumes []d
 			return nil, fmt.Errorf("failed to create mount directory %s: %s", runnerVolumeMountPath, err)
 		}
 
-		log.Infof("mounting S3 volume %s to %s", volumeIdPrefixed, runnerVolumeMountPath)
+		log.Infof("mounting S3 volume %s (subpath: %s) to %s", volumeIdPrefixed, vol.Subpath, runnerVolumeMountPath)
 
-		cmd := d.getMountCmd(ctx, volumeIdPrefixed, runnerVolumeMountPath)
+		cmd := d.getMountCmd(ctx, volumeIdPrefixed, vol.Subpath, runnerVolumeMountPath)
 		err = cmd.Run()
 		if err != nil {
-			return nil, fmt.Errorf("failed to mount S3 volume %s to %s: %s", volumeIdPrefixed, runnerVolumeMountPath, err)
+			return nil, fmt.Errorf("failed to mount S3 volume %s (subpath: %s) to %s: %s", volumeIdPrefixed, vol.Subpath, runnerVolumeMountPath, err)
 		}
 
-		log.Infof("mounted S3 volume %s to %s", volumeIdPrefixed, runnerVolumeMountPath)
+		log.Infof("mounted S3 volume %s (subpath: %s) to %s", volumeIdPrefixed, vol.Subpath, runnerVolumeMountPath)
 
 		volumeMountPathBinds = append(volumeMountPathBinds, fmt.Sprintf("%s/:%s/", runnerVolumeMountPath, vol.MountPath))
 	}
 
 	return volumeMountPathBinds, nil
 }
 
-func (d *DockerClient) getRunnerVolumeMountPath(volumeId string) string {
-	volumePath := filepath.Join("/mnt", volumeId)
+func (d *DockerClient) getRunnerVolumeMountPath(volumeId, subpath string) string {
+	// If subpath is provided, create a unique mount point for this volume+subpath combination
+	mountDirName := volumeId
+	if subpath != "" {
+		// Create a short hash of the subpath to keep the path reasonable
+		hash := md5.Sum([]byte(subpath))
+		hashStr := hex.EncodeToString(hash[:])[:8]
+		mountDirName = fmt.Sprintf("%s-%s", volumeId, hashStr)
+	}
+
+	volumePath := filepath.Join("/mnt", mountDirName)
 	if config.GetEnvironment() == "development" {
-		volumePath = filepath.Join("/tmp", volumeId)
+		volumePath = filepath.Join("/tmp", mountDirName)
 	}
 
 	return volumePath
 }
 
+func (d *DockerClient) getVolumeKey(volumeId, subpath string) string {
+	if subpath == "" {
+		return volumeId
+	}
+	return fmt.Sprintf("%s:%s", volumeId, subpath)
+}
+
 func (d *DockerClient) isDirectoryMounted(path string) bool {
 	cmd := exec.Command("mountpoint", path)
 	_, err := cmd.Output()
 
 	return err == nil
 }
 
-func (d *DockerClient) getMountCmd(ctx context.Context, volume, path string) *exec.Cmd {
-	cmd := exec.CommandContext(ctx, "mount-s3", "--allow-other", "--allow-delete", "--allow-overwrite", "--file-mode", "0666", "--dir-mode", "0777", volume, path)
+func (d *DockerClient) getMountCmd(ctx context.Context, volume, subpath, path string) *exec.Cmd {
+	args := []string{"--allow-other", "--allow-delete", "--allow-overwrite", "--file-mode", "0666", "--dir-mode", "0777"}
+
+	if subpath != "" {
+		// Ensure subpath ends with /
+		prefix := subpath
+		if !strings.HasSuffix(prefix, "/") {
+			prefix = prefix + "/"
+		}
+		args = append(args, "--prefix", prefix)
+	}
+
+	args = append(args, volume, path)
+
+	cmd := exec.CommandContext(ctx, "mount-s3", args...)
 
 	if d.awsEndpointUrl != "" {
 		cmd.Env = append(cmd.Env, "AWS_ENDPOINT_URL="+d.awsEndpointUrl)

apps/runner/pkg/api/docs/swagger.yaml

@@ -44,9 +44,28 @@ async def main():
         file = await sandbox2.fs.download_file(os.path.join(mount_dir_2, "new-file.txt"))
         print("File:", file)
 
+        # Mount a specific subpath within the volume
+        # This is useful for isolating data or implementing multi-tenancy
+        mount_dir_3 = "/home/daytona/subpath"
+
+        params = CreateSandboxFromSnapshotParams(
+            language="python",
+            volumes=[VolumeMount(volumeId=volume.id, mountPath=mount_dir_3, subpath="users/alice")],
+        )
+        sandbox3 = await daytona.create(params)
+
+        # This sandbox will only see files within the 'users/alice' subpath
+        # Create a file in the subpath
+        subpath_file = os.path.join(mount_dir_3, "alice-file.txt")
+        await sandbox3.fs.upload_file(b"Hello from Alice's subpath!", subpath_file)
+
+        # The file is stored at: volume-root/users/alice/alice-file.txt
+        # but appears at: /home/daytona/subpath/alice-file.txt in the sandbox
+
         # Cleanup
         await daytona.delete(sandbox)
         await daytona.delete(sandbox2)
+        await daytona.delete(sandbox3)
         # daytona.volume.delete(volume)
 
 

apps/runner/pkg/api/dto/volume.go

@@ -44,9 +44,28 @@ def main():
     file = sandbox2.fs.download_file(os.path.join(mount_dir_2, "new-file.txt"))
     print("File:", file)
 
+    # Mount a specific subpath within the volume
+    # This is useful for isolating data or implementing multi-tenancy
+    mount_dir_3 = "/home/daytona/subpath"
+
+    params = CreateSandboxFromSnapshotParams(
+        language="python",
+        volumes=[VolumeMount(volumeId=volume.id, mountPath=mount_dir_3, subpath="users/alice")],
+    )
+    sandbox3 = daytona.create(params)
+
+    # This sandbox will only see files within the 'users/alice' subpath
+    # Create a file in the subpath
+    subpath_file = os.path.join(mount_dir_3, "alice-file.txt")
+    sandbox3.fs.upload_file(b"Hello from Alice's subpath!", subpath_file)
+
+    # The file is stored at: volume-root/users/alice/alice-file.txt
+    # but appears at: /home/daytona/subpath/alice-file.txt in the sandbox
+
     # Cleanup
     daytona.delete(sandbox)
     daytona.delete(sandbox2)
+    daytona.delete(sandbox3)
     # daytona.volume.delete(volume)