6 changes: 6 additions & 0 deletions image-resize/.dockerignore
@@ -0,0 +1,6 @@
target/
.git/
*.md
docs/
iii-launcher/
.github/
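Review bot: `example/` is not excluded even though nothing under it is needed by the Dockerfile, which copies only `Cargo.toml`, `Cargo.lock`, `src/` and `build.rs`; adding `example/` (and its `node_modules/` once `npm install` has run) keeps the build context small and stops local files being sent to the builder. The entries that are listed are fine: none of them is referenced by a `COPY`.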
2 changes: 1 addition & 1 deletion image-resize/Cargo.lock
51 changes: 51 additions & 0 deletions image-resize/Dockerfile
@@ -0,0 +1,51 @@
FROM --platform=$BUILDPLATFORM rust:1.88-slim AS builder

ARG TARGETARCH
ARG TARGETOS

RUN apt-get update && apt-get install -y \
pkg-config \
libssl-dev \
gcc-x86-64-linux-gnu \
gcc-aarch64-linux-gnu \
libc6-dev-amd64-cross \
libc6-dev-arm64-cross \
&& rm -rf /var/lib/apt/lists/*

RUN rustup target add x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu

WORKDIR /build
COPY Cargo.toml Cargo.lock ./
COPY src/ src/
COPY build.rs ./

RUN cargo run --release -- --manifest > /build/worker.yaml

RUN case "${TARGETARCH}" in \
amd64) \
TARGET_TRIPLE="x86_64-unknown-linux-gnu"; \
export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=x86_64-linux-gnu-gcc; \
;; \
arm64) \
TARGET_TRIPLE="aarch64-unknown-linux-gnu"; \
export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc; \
;; \
*) \
echo "Unsupported TARGETARCH=${TARGETARCH}" >&2; \
exit 1; \
;; \
esac && \
cargo build --release --target "${TARGET_TRIPLE}" && \
cp "target/${TARGET_TRIPLE}/release/image-resize" /worker
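Review bot: `libssl-dev` is installed only for the build platform, so the `cargo build --release --target "${TARGET_TRIPLE}"` step at the end of this hunk has no target-architecture OpenSSL headers or libraries whenever TARGETARCH differs from the host; if the crate depends on openssl-sys (which the `libssl-dev` install suggests), pkg-config also refuses cross builds by default. Either enable Debian multiarch and install the target packages (`dpkg --add-architecture arm64` followed by `libssl-dev:arm64`), or build TLS with a vendored or rustls feature so no system OpenSSL is needed. Separately, `rust:1.88-slim` is a mutable tag; pinning it by digest (`rust:1.88-slim@sha256:<digest>`) makes the builder reproducible, and the builder-stage `apt-get install -y` would benefit from `--no-install-recommends` just as Trivy flags for the runtime stage.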
Comment on lines +22 to +39
⚠️ Potential issue | 🟠 Major

The generated manifest will advertise the build platform, not the target platform.

Line 22 runs cargo run --release -- --manifest before TARGETARCH is resolved, and image-resize/src/manifest.rs derives supported_targets from env!("TARGET"). An amd64 builder producing an arm64 image will still copy a manifest that says x86_64-unknown-linux-gnu.

Resolve TARGET_TRIPLE first and pass that into manifest generation instead of relying on the host build target.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image-resize/Dockerfile` around lines 22 - 39, The manifest generation is
using the host compile-time TARGET (env!("TARGET")) because cargo run --release
-- --manifest is invoked before TARGET_TRIPLE is computed; resolve TARGET_TRIPLE
from TARGETARCH first (the same case block that sets TARGET_TRIPLE and the cargo
linker env vars) and then invoke the manifest generation with that target (pass
the computed TARGET_TRIPLE into the manifest step—e.g. export or pass as an
argument to the cargo run invocation that generates the manifest) so
image-resize/src/manifest.rs observes the intended target rather than the
builder host.


FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*

COPY --from=builder /worker /worker
COPY --from=builder /build/worker.yaml /iii/worker.yaml

ENV III_ENGINE_URL=ws://host.containers.internal:49134

ENTRYPOINT ["/worker"]
CMD ["--url", "ws://host.containers.internal:49134"]
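Review bot: `debian:bookworm-slim` is pulled by mutable tag in the runtime stage; pin it by digest (`debian:bookworm-slim@sha256:<digest>`) so the shipped image is reproducible and base-image changes arrive through an explicit update. The `ws://` default appears in both `ENV III_ENGINE_URL` and `CMD`, so the two can drift apart, and it is plaintext; that is fine for `host.containers.internal` (traffic never leaves the host), but a short comment would stop someone repointing it at a remote engine without switching to `wss://`.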
Comment on lines +41 to +51
⚠️ Potential issue | 🟠 Major

Run the final image as a non-root user.

The runtime stage never drops root. For a sandbox worker, that's an unnecessary privilege boundary loss.

💡 Proposed fix
 FROM debian:bookworm-slim
 
 RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+RUN useradd --system --uid 10001 --create-home iii \
+    && mkdir -p /iii \
+    && chown iii:iii /iii
 
-COPY --from=builder /worker /worker
-COPY --from=builder /build/worker.yaml /iii/worker.yaml
+COPY --from=builder --chown=iii:iii /worker /worker
+COPY --from=builder --chown=iii:iii /build/worker.yaml /iii/worker.yaml
 
 ENV III_ENGINE_URL=ws://host.containers.internal:49134
 
+USER iii
 ENTRYPOINT ["/worker"]
 CMD ["--url", "ws://host.containers.internal:49134"]
🧰 Tools
🪛 Trivy (0.69.3)

[error] 43-43: 'apt-get' missing '--no-install-recommends'

'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*'

Rule: DS-0029


(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image-resize/Dockerfile` around lines 41 - 51, The final Dockerfile image
runs as root; create a non-root runtime user and switch to it before
ENTRYPOINT/CMD to reduce privileges: add a user (e.g., iii or workeruser) in the
final stage, chown the copied /worker binary and /iii/worker.yaml to that user
(ensure the COPY from=builder preserves ownership or perform chown), and add a
USER instruction so ENTRYPOINT ["/worker"] and CMD remain unchanged but run
unprivileged; also ensure the binary is executable by that user and any required
runtime dirs have appropriate permissions.

Comment on lines +48 to +51
⚠️ Potential issue | 🟠 Major

III_ENGINE_URL cannot actually reconfigure this image.

image-resize/src/main.rs only consumes --url, and Line 51 hard-codes that flag in CMD. Setting III_ENGINE_URL from image-resize/example/iii.workers.yaml or the container environment has no effect.

Either bind the Clap arg to env = "III_ENGINE_URL" or expand the env in the entrypoint.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image-resize/Dockerfile` around lines 48 - 51, The Dockerfile hard-codes the
--url flag so the ENV III_ENGINE_URL has no effect; either update the Clap
argument in image-resize/src/main.rs to read from the environment (e.g., add env
= "III_ENGINE_URL" to the struct field or use Arg::env("III_ENGINE_URL") for the
URL option) so the binary picks up III_ENGINE_URL, or change the Dockerfile’s
ENTRYPOINT/CMD to perform shell expansion of the env var (e.g., emit the --url
value from ${III_ENGINE_URL}) so the runtime URL comes from the environment.

34 changes: 16 additions & 18 deletions image-resize/example/config.yaml
@@ -1,34 +1,32 @@
port: 49134

workers:
- class: workers::image_resize::ImageResizeWorker
- name: iii-stream
config:
width: 200
height: 200
strategy: scale-to-fit
quality:
jpeg: 85
webp: 80
port: ${STREAM_PORT:3112}
host: 127.0.0.1
adapter:
name: kv
config:
store_method: file_based # Options: in_memory, file_based
file_path: ./data/stream_store

modules:
- class: modules::api::RestApiModule
- name: iii-http
config:
port: 3111
host: 127.0.0.1
default_timeout: 30000
concurrency_request_limit: 1024
cors:
allowed_origins:
- "*"
# To allow all origins, use '*':
- '*'
allowed_methods:
- GET
- POST
- PUT
- DELETE
- OPTIONS

- class: modules::stream::StreamModule
config:
port: 3112
host: 0.0.0.0

- class: modules::observability::OtelModule
- name: iii-observability
config:
# === Core Configuration (Required) ===
enabled: ${OTEL_ENABLED:true}
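Review bot: whichever of the two `'*'` entries under `allowed_origins` is the surviving one, the REST API ends up allowing any origin for `PUT` and `DELETE` as well as reads; drop the duplicate entry and, unless the API is meant to be reachable from arbitrary browser origins, replace the wildcard with the demo's actual origin. The `StreamModule` also binds to `0.0.0.0:3112` while the REST API stays on `127.0.0.1`; if that split is deliberate for container networking, a comment next to it would keep it from being tightened or loosened by mistake later.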
2 changes: 0 additions & 2 deletions image-resize/example/iii.toml

This file was deleted.

19 changes: 19 additions & 0 deletions image-resize/example/iii.worker.yaml
@@ -0,0 +1,19 @@
iii: v1

name: image-resize-demo
version: 1.0.0

env:
MY_CUSTOM_VAR: "hello222"

runtime:
language: typescript
entry: src/index.ts

resources:
memory: 512
cpus: 1

scripts:
install: "npm install"
start: "npm run dev"
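Review bot: `memory: 512` carries no unit while `iii.workers.yaml` in the same PR writes `memory: 256Mi`; pick one notation (and state whether it is MiB or MB) so the two files cannot be interpreted differently. `MY_CUSTOM_VAR: "hello222"` reads like a leftover test value (it is only ever logged by `src/iii.ts`), and `start: "npm run dev"` points at the dev script, which runs the TypeScript source through tsx rather than a built artifact.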
10 changes: 10 additions & 0 deletions image-resize/example/iii.workers.yaml
@@ -0,0 +1,10 @@
workers:
image-resize:
image: docker.io/andersonofl/image-resize:latest
env:
III_ENGINE_URL: "ws://localhost:49134"
III_API_URL: "http://localhost:3111"
resources:
cpus: '0.5'
memory: 256Mi

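Review bot: `image: docker.io/andersonofl/image-resize:latest` floats on a mutable tag, so what runs depends on whatever was pushed last; pin a version tag or a digest. `III_ENGINE_URL: "ws://localhost:49134"` will also resolve to the worker container itself rather than the engine unless the runtime uses host networking, whereas the Dockerfile defaults to `host.containers.internal`; and, per the Dockerfile review above, the binary currently ignores this variable anyway.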
5 changes: 3 additions & 2 deletions image-resize/example/package.json
@@ -1,14 +1,15 @@
{
"name": "@iii-hq/image-resize-demo",
"name": "@iii/image-resize-demo",
"version": "1.0.0",
"private": true,
"scripts": {
"dev": "bun src/index.ts"
"dev": "node --import tsx src/index.ts"
},
"dependencies": {
"iii-sdk": "0.9.0"
},
"devDependencies": {
"tsx": "^4.21.0",
"@types/node": "^24.10.1",
"typescript": "^5.9.3"
}
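Review bot: `tsx`, `@types/node` and `typescript` use caret ranges while `iii.worker.yaml` installs with a plain `npm install`, so each install may resolve different versions; commit a lockfile and switch the install script to `npm ci`. The exact `"iii-sdk": "0.9.0"` pin is good. The scope rename from `@iii-hq` to `@iii` is harmless for a private package but deserves a line in the PR description.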
2 changes: 2 additions & 0 deletions image-resize/example/src/iii.ts
@@ -8,3 +8,5 @@ export const iii = registerWorker(engineWsUrl, {
serviceName: 'image-resize-demo',
},
})

console.info('III worker started', { myCustomVar: process.env.MY_CUSTOM_VAR })
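Review bot: the new `console.info` prints the value of `process.env.MY_CUSTOM_VAR` at startup; today it is a harmless demo string, but environment variables tend to acquire secrets over time and startup logs are widely collected, so log whether it is set rather than its contents, or drop the line once the env plumbing has been verified.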
2 changes: 1 addition & 1 deletion image-resize/src/manifest.rs
@@ -41,7 +41,7 @@ mod tests {
let parsed: serde_json::Value = serde_json::from_str(&json).unwrap();
assert!(parsed.is_object(), "Manifest must be valid JSON object");
assert_eq!(parsed["name"], "image-resize");
assert_eq!(parsed["version"], "0.1.0");
assert_eq!(parsed["version"], env!("CARGO_PKG_VERSION"));
}

#[test]
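Review bot: asserting `parsed["version"]` against `env!("CARGO_PKG_VERSION")` is tautological if `manifest.rs` fills in the version from the same macro, so the test no longer checks a concrete value; that is acceptable as a serialization smoke test, but consider adding an assertion on `supported_targets` too, since the Dockerfile review above shows it is derived from `env!("TARGET")` and is the field most likely to be wrong.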