Skip to content

fix(docker): DockerClient.create 添加 seccomp=unconfined 默认配置#498

Open
LUERUI wants to merge 1 commit intoagentscope-ai:mainfrom
LUERUI:fix/docker-seccomp-unconfined
Open

fix(docker): DockerClient.create 添加 seccomp=unconfined 默认配置#498
LUERUI wants to merge 1 commit intoagentscope-ai:mainfrom
LUERUI:fix/docker-seccomp-unconfined

Conversation

@LUERUI
Copy link
Copy Markdown

@LUERUI LUERUI commented Apr 30, 2026
edited
Loading

Summary

  • DockerClient.create 中,默认附加 security_opt: ["seccomp=unconfined"]
  • 用户显式传入 security_opt 时保留原值,不覆盖
  • 传入空列表 [] 视为 opt-out,不追加默认配置

问题背景

Node.js 沙箱容器在创建线程时需要通过 clone() 系统调用,
Docker 默认的 seccomp profile 会阻止该系统调用,导致容器运行异常。

修改范围

  • src/agentscope_runtime/common/container_clients/docker_client.pycreate 方法 +2 行
  • tests/unit/test_docker_client_seccomp.py:新增,7 个单元测试

Test plan

  • 7 个单元测试覆盖:默认追加、显式覆盖、空列表 opt-out、其他配置透传
  • flake8 无警告
  • pytest 全量通过

@claude
fix(docker): DockerClient.create 添加 seccomp=unconfined 默认配置
b84c733 
问题:Node.js 沙箱容器在创建线程时需要调用 clone() 系统调用,
Docker 默认 seccomp profile 会阻止该调用,导致容器异常。

修复:在 DockerClient.create 中,如果用户未显式指定 security_opt,
默认附加 security_opt: ["seccomp=unconfined"]。

策略:
- 未传入 security_opt 时默认启用
- 用户显式传入空列表 [] 可选择关闭(opt-out)
- 用户传入自定义值时保留原值,不覆盖

影响范围:
- 仅影响 DockerClient,KubernetesClient 不受影响
- tests/unit/test_docker_client_seccomp.py 新增 7 个单元测试覆盖

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@LUERUI LUERUI requested a review from a team April 30, 2026 07:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LUERUI