ibUdZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z ddl mZejeZgdZdae eed<ejdZd eedzd eefd Zd edzd eeeffd Zd eeeffdZd e efdZgdZgdZde d eefdZ!d e efdZ"da#e e ed<ddZ$Gdde Z%dS)zDocker execution environment for sandboxed command execution. Security hardened (cap-drop ALL, no-new-privileges, PID limits), configurable resource limits (CPU, memory, disk), and optional filesystem persistence via bind mounts. N)Optional)BaseEnvironment _popen_bash)_HERMES_PROVIDER_ENV_BLOCKLIST)z/usr/local/bin/dockerz/opt/homebrew/bin/dockerz6/Applications/Docker.app/Contents/Resources/bin/docker_docker_executablez^[A-Za-z_][A-Za-z0-9_]*$ forward_envreturncg}t}|pgD]}t|tstd|3|}|sJt |std|||vr||| ||S)z?Return a deduplicated list of valid environment variable names.z0Ignoring non-string docker_forward_env entry: %rz-Ignoring invalid docker_forward_env entry: %r) set isinstancestrloggerwarningstrip_ENV_VAR_NAME_REmatchaddappend)r normalizedseenitemkeys >/home/ubuntu/.hermes/hermes-agent/tools/environments/docker.py_normalize_forward_env_namesr$sJUUD!r$$$  NNMt T T T jjll  %%c**  NNJD Q Q Q  $;;   # envc^|siSt|tstd|iSi}|D]\}}t|t r,t |std|b|}t|t sOt|tttfrt |}ntd|||||<|S)zValidate and normalize a docker_env dict to {str: str}. Filters out entries with invalid variable names or non-string values. zdocker_env is not a dict: %rz#Ignoring invalid docker_env key: %rz/Ignoring non-string docker_env value for %r: %r) r dictrritemsr rrrintfloatbool)rrrvalues r_normalize_env_dictr$=s  c4 5s;;; !#Jiikk   U#s## +;+A+A#))+++N+N  NN@# F F F iikk%%% %#ud!344 E PRUW\]]] 3 rcL ddlm}|piS#t$ricYSwxYw)zDLoad ~/.hermes/.env values without failing Docker command execution.rload_env)hermes_cli.configr' Exceptionr&s r_load_hermes_env_varsr*[sN......xzzR  s  ##cxttStjd}|r]tj|r>tj|tjr|atd||Stj d}|r|a|Stj d}|r|atd||StD]a}tj|r@tj|tjr!|atd||cSbdS)uLocate the docker (or podman) CLI binary. Resolution order: 1. ``HERMES_DOCKER_BINARY`` env var — explicit override (e.g. ``/usr/bin/podman``) 2. ``docker`` on PATH via ``shutil.which`` 3. ``podman`` on PATH via ``shutil.which`` 4. Well-known macOS Docker Desktop install locations Returns the absolute path, or ``None`` if neither runtime can be found. NHERMES_DOCKER_BINARYz'Using HERMES_DOCKER_BINARY override: %sdockerpodmanz%Using podman as container runtime: %sz%Found docker at non-PATH location: %s) rosgetenvpathisfileaccessX_OKrinfoshutilwhich_DOCKER_SEARCH_PATHS)overridefoundr1s r find_dockerr;es7%!!y/00HBGNN8,,8RW1M1M% =xHHH L " "E "  L " "E " ;UCCC % 7>>$   BIdBG$<$< !%  KK? F F FKKK 4r)z --cap-dropALL --cap-add DAC_OVERRIDEr=CHOWNr=FOWNERz--security-optzno-new-privilegesz --pids-limit256--tmpfsz/tmp:rw,nosuid,size=512mrBz#/var/tmp:rw,noexec,nosuid,size=256mrBz/run:rw,noexec,nosuid,size=64m)r=SETUIDr=SETGIDrun_as_host_userc|rttSttttzS)zBReturn the security/cap/tmpfs args tailored to the privilege mode.)list_BASE_SECURITY_ARGS_GOSU_CAP_ARGS)rEs r_build_security_argsrJs5)'((( # $ $tN';'; ;;rcttdd}ttdd}||dS |d|S#t$rYdSwxYw)auReturn ``:`` for the current host user, or ``None`` on platforms where this is not meaningful (e.g. Windows without posix ids). We intentionally read ``os.getuid()``/``os.getgid()`` directly rather than going through ``getpass``/``pwd`` so this stays cheap and never raises on nameless UIDs (nss lookups can fail inside sandboxed launchers). getuidNgetgid:)getattrr/r))get_uidget_gids r_resolve_host_user_specrRs{b(D))Gb(D))G'/t'))))ggii))) ttsA AA_storage_opt_okct}|s)tdtd t j|dgddd}|jdkrHtd||j|jtd dS#t$r-td |d td tj $r-td |d tdt$rtdd wxYw)zBest-effort check that the docker CLI is available before use. Reuses ``find_docker()`` so this preflight stays consistent with the rest of the Docker backend, including known non-PATH Docker Desktop locations. zDocker backend selected but no docker executable was found in PATH or known install locations. Install Docker Desktop and ensure the CLI is available.z|Docker executable not found in PATH or known install locations. Install Docker and ensure the 'docker' command is available.versionTcapture_outputtexttimeoutrzIDocker backend selected but '%s version' failed (exit code %d, stderr=%s)zXDocker command is available but 'docker version' failed. Check your Docker installation.zVDocker backend selected but the resolved docker executable '%s' could not be executed.)exc_infozHDocker executable could not be executed. Check your Docker installation.zYDocker backend selected but '%s version' timed out. The Docker daemon may not be running.zHDocker daemon is not responding. Ensure Docker is running and try again.z4Unexpected error while checking Docker availability.N) r;rerror RuntimeError subprocessrun returncodestderrrFileNotFoundErrorTimeoutExpiredr)) docker_exeresults r_ensure_docker_availablerfs J         K   -  #    B   ! ! LL,! ##%%    2  " !7             V     $      4      V     B      s B**BEceZdZdZ d#d ed ed ed ed edededededeedzde dzdedededeffd Z deefdZ dddddeded ededzde j f d Zedefd!Zd"ZxZS)$DockerEnvironmentuHardened Docker container execution with resource limits and persistence. Security: all capabilities dropped, no privilege escalation, PID limits, size-limited tmpfs for scratch dirs. The container itself is the security boundary — the filesystem inside is writable so agents can install packages (pip, npm, apt) as needed. Writable workspace via tmpfs or bind mounts. Persistence: when enabled, bind mounts preserve /workspace and /root across container restarts. /root<rFdefaultNTimagecwdrZcpumemorydiskpersistent_filesystemtask_idvolumesrrnetworkhost_cwdauto_mount_cwdrEc|dkrd}t||||_||_t | |_t | |_d|_t d| | 4t| tst d| g} tg}|dkr$|dt!|g|dkr|d|d g|dkrZt"jd krJ|r|d d |d gnt d | s|dddlm}g}d}| pgD]}t|t st d|5|}|sLd|vr|d|gd|vrd}nt d|d| r| rd?}(|(j2|_t d@|&dA|jddBdC|3|_4|5dS)DN~ri)rmrZzDockerEnvironment volumes: z%docker_volumes config is not a list: rz--cpusz--memorymdarwin --storage-optzsize=zDocker storage driver does not support per-container disk limits (requires overlay2 on XFS with pquota). Container will run without disk quota.z--network=none)get_sandbox_dirFz%Docker volume entry is not a string: rNz-vz :/workspaceTzDocker volume 'z' missing colon, skippingz>Skipping docker cwd mount: host_cwd is not a valid directory: r-home)exist_okz:/root workspacerBz/workspace:rw,exec,size=10g)rBz/home:rw,exec,size=1grBz/root:rw,exec,size=1gz,Mounting configured host cwd to /workspace: zDSkipping docker cwd mount: /workspace already mounted by user config)get_credential_file_mountsget_skills_directory_mountget_cache_directory_mounts host_pathcontainer_pathz:roz$Docker: mounting credential %s -> %sz$Docker: mounting skills dir %s -> %sz#Docker: mounting cache dir %s -> %sz1Docker: could not load credential file mounts: %s-e=z--userz)Docker: running container as host user %szdocker_run_as_host_user is enabled but this platform does not expose POSIX uid/gid; container will start as its image default user.zDocker volume_args: zDocker run_args: zhermes-r_z-dz--initz--namez-wsleepinfinityzStarting container:  x)rXrYrZcheckzStarted container z ( ))6super__init__ _persistent_task_idr _forward_envr$_env _container_idrr5r rGrrfextendr sysplatform_storage_opt_supportedrtools.environments.baser|rr/r1abspath expanduserr"isdirdebug_workspace_dir _home_dirmakedirstools.credential_filesrrrr)sortedrRrJr; _docker_exeuuiduuid4hexjoinr^r_stdout_build_init_env_args_init_env_args init_session)*selfrlrmrZrnrorprqrrrsrrrtrurvrE resource_argsr| volume_argsworkspace_explicitly_mountedvol host_cwd_abs bind_host_cwd writable_argssandboxrrr mount_entry skills_mount cache_mounteenv_argsr user_args user_spec security_args all_run_argscontainer_namerun_cmdre __class__s* rrzDockerEnvironment.__init__ss $ #::C S'2220 8EE',, ,0 ;';;<<<  z'4'@'@  NNN7NN O O OG !""" 77  (CHH!5 6 6 6 A::  *lll!; < < < !88 00**,, $$ot%GHHHHe 3  !1 2 2 2 <;;;;; ',$Mr Q QCc3'' NsNNOOO))++C czz""D#;/// C''370OOOOPPPPHPXrwrw'9'9('C'CDDDVX  1\"" 1 l++ 110   fh frw}}\/J/J f LLdZbdd e e e-1(,   %o''(2WN2OTTT$ : , 01!; : < <   ""#K0VV<@P3QVVV$ : - !12 :9;;   """;/TT+>N2OTTT$ 9 , 01  Q Q Q LLLa P P P P P P P P Q $)$$ ? ?C OOTc#<# > > > "  /11I$%y1  GSSSS*--=-Q$y//RR  8;88999            6 66777'==4H:4:<<#3BQB#799  eT  n #            ?CHHW,=,=??@@@     $]0022 UUU4;Mcrc;RUUUVVV #7799 s"D$U U6U11U6r ct|j}t|j}t} ddlm}t|}n#t $rYnwxYw||tz z}|rtni}t|D]4}tj |}|| |}||||<5g} t|D]$}| d|d||g%| S)zBuild -e KEY=VALUE args for injecting host env vars into init_session. These are used once during init_session() so that export -p captures them into the snapshot. Subsequent execute() calls don't need -e flags. r)get_all_passthroughNrr)rrr rtools.env_passthroughrr)rr*rr/r0getr) rexec_envexplicit_forward_keyspassthrough_keysr forward_keys hermes_envrr#argss rrz&DockerEnvironment._build_init_env_args s> $( ?? #D$5 6 6%(UU  A A A A A A"#6#6#8#899      D  -0@Ca0ab 0<D*,,," ,'' & &CIcNNE}"s++ % (## : :C KK#77 778 9 9 9 9 sA A#"A#r)loginrZ stdin_data cmd_stringrrcZ|js Jd|jdg}||d|r||j||jg|r|ddd|gn|dd|gt ||S)z1Spawn a bash process inside the Docker container.zContainer not startedexecNz-ibashz-lz-c)rrrrrr)rrrrZrcmds r _run_bashzDockerEnvironment._run_bash+s!::#:::!(  ! JJt     , JJt* + + + D&'(((  3 JJdJ7 8 8 8 8 JJj1 2 2 23 +++rcttS tpd}tj|dddgddd}|j}|d krd ad Stj|d d d dgddd}|jdkr8|j}|rtj|d|gdddand an#t$rd aYnwxYwt dttS)zCheck if Docker's storage driver supports --storage-opt size=. Only overlay2 on XFS with pquota supports per-container disk quotas. Ubuntu (and most distros) default to ext4, where this flag errors out. Nr-r5z--formatz {{.Driver}}T rWoverlay2Fcreater{zsize=1mz hello-worldrrmrV)rXrZz Docker --storage-opt support: %s) rSr;r^r_rrlowerr`r)rr)r-redriverprobe container_ids rrz(DockerEnvironment._storage_opt_supportedBsR  &" " $ ]].hF^];#$F]((**0022F##"'uN?I}M#$E1$$$|1133 CNFD,#?26CCCC"&"' $ $ $#OOO $ 7IIIsAC1A"C C#"C#c |jr d|jd|jd|jd|jd }tj|dn8#t$r+}t d|j|Yd }~nd }~wwxYw|js9 tjd |jd|jd dn#t$rYnwxYwd |_|js)|j|j fD]}|rtj |d d Sd S) zJStop and remove the container. Bind-mount dirs persist if persistent=True.z (timeout 60 z stop z || z rm -f z) >/dev/null 2>&1 &T)shellzFailed to stop container %s: %sNz sleep 3 && z >/dev/null 2>&1 &) ignore_errors) rrr^Popenr)rrrrrr6rmtree)rstop_cmdrds rcleanupzDockerEnvironment.cleanupjs   & YX4#3XX4;MXX'XX040BXXX 66666 Y Y Y@$BTVWXXXXXXXX Y# $ed&6eet?Qeee"!D!%D  9)4>: 9 99M!48888 9 9 9 9s)9A A8 !A33A8'B++ B87B8)rirjrrrFrkNNNTNFF)__name__ __module__ __qualname____doc__r r r!r"rGrrrr^rr staticmethodrr __classcell__)rs@rrhrhs  &+ (,$!&!kkkk k  k  kk $kkk#Y%kD[kkkk !kkkkkkZd3i@;@!$+/,,,C,4,,!Dj,4>4D,,,,.%D%%%\%N9999999rrh)r N)&rloggingr/rer6r^rrtypingrrrrtools.environments.localr getLoggerrrr8rr __annotations__compilerrGrrr$r*r;rHrIr"rJrRrSrfrhrrrsS  @@@@@@@@CCCCCC  8 $ $  %)HSM(((2:9::d3i$.>492TD[T#s(^<tCH~*Xc]****t    <4