Feat: launch sandbox from docker-compose (#7671)

### What problem does this PR solve? Launch sandbox from docker-compose. #4977 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update --------- Co-authored-by: writinwaters <93570324+writinwaters@users.noreply.github.com>
2025-12-08 12:32:30 +08:00 · 2025-05-16 11:14:57 +08:00
parent deb2faf7aa
commit c5826d4720
10 changed files with 90 additions and 24 deletions
--- a/docker/.env
+++ b/docker/.env
@ -1,11 +1,10 @@
 # The type of doc engine to use.
 # Available options:
-# - `elasticsearch` (default) 
+# - `elasticsearch` (default)
 # - `infinity` (https://github.com/infiniflow/infinity)
 # - `opensearch` (https://github.com/opensearch-project/OpenSearch)
 DOC_ENGINE=${DOC_ENGINE:-elasticsearch}

-
 # ------------------------------
 # docker env var for specifying vector db type at startup
 # (based on the vector db type, the corresponding docker
@ -19,11 +18,11 @@ STACK_VERSION=8.11.3
 # The hostname where the Elasticsearch service is exposed
 ES_HOST=es01

-# The port used to expose the Elasticsearch service to the host machine, 
+# The port used to expose the Elasticsearch service to the host machine,
 # allowing EXTERNAL access to the service running inside the Docker container.
 ES_PORT=1200

-# The password for Elasticsearch. 
+# The password for Elasticsearch.
 ELASTIC_PASSWORD=infini_rag_flow

 # the hostname where OpenSearch service is exposed, set it not the same as elasticsearch
@ -36,7 +35,7 @@ OS_HOST=opensearch01
 # At least one uppercase letter, one lowercase letter, one digit, and one special character
 OPENSEARCH_PASSWORD=infini_rag_flow_OS_01

-# The port used to expose the Kibana service to the host machine, 
+# The port used to expose the Kibana service to the host machine,
 # allowing EXTERNAL access to the service running inside the Docker container.
 KIBANA_PORT=6601
 KIBANA_USER=rag_flow
@ -54,40 +53,40 @@ INFINITY_THRIFT_PORT=23817
 INFINITY_HTTP_PORT=23820
 INFINITY_PSQL_PORT=5432

-# The password for MySQL. 
+# The password for MySQL.
 MYSQL_PASSWORD=infini_rag_flow
 # The hostname where the MySQL service is exposed
 MYSQL_HOST=mysql
 # The database of the MySQL service to use
 MYSQL_DBNAME=rag_flow
-# The port used to expose the MySQL service to the host machine, 
-# allowing EXTERNAL access to the MySQL database running inside the Docker container. 
+# The port used to expose the MySQL service to the host machine,
+# allowing EXTERNAL access to the MySQL database running inside the Docker container.
 MYSQL_PORT=5455

 # The hostname where the MinIO service is exposed
 MINIO_HOST=minio
-# The port used to expose the MinIO console interface to the host machine, 
-# allowing EXTERNAL access to the web-based console running inside the Docker container. 
+# The port used to expose the MinIO console interface to the host machine,
+# allowing EXTERNAL access to the web-based console running inside the Docker container.
 MINIO_CONSOLE_PORT=9001
-# The port used to expose the MinIO API service to the host machine, 
-# allowing EXTERNAL access to the MinIO object storage service running inside the Docker container. 
+# The port used to expose the MinIO API service to the host machine,
+# allowing EXTERNAL access to the MinIO object storage service running inside the Docker container.
 MINIO_PORT=9000
-# The username for MinIO. 
+# The username for MinIO.
 # When updated, you must revise the `minio.user` entry in service_conf.yaml accordingly.
 MINIO_USER=rag_flow
-# The password for MinIO. 
+# The password for MinIO.
 # When updated, you must revise the `minio.password` entry in service_conf.yaml accordingly.
 MINIO_PASSWORD=infini_rag_flow

 # The hostname where the Redis service is exposed
 REDIS_HOST=redis
-# The port used to expose the Redis service to the host machine, 
+# The port used to expose the Redis service to the host machine,
 # allowing EXTERNAL access to the Redis service running inside the Docker container.
 REDIS_PORT=6379
 # The password for Redis.
 REDIS_PASSWORD=infini_rag_flow

-# The port used to expose RAGFlow's HTTP API service to the host machine, 
+# The port used to expose RAGFlow's HTTP API service to the host machine,
 # allowing EXTERNAL access to the service running inside the Docker container.
 SVR_HTTP_PORT=9380

@ -97,7 +96,7 @@ RAGFLOW_IMAGE=infiniflow/ragflow:v0.18.0-slim
 #
 # To download the RAGFlow Docker image with embedding models, uncomment the following line instead:
 # RAGFLOW_IMAGE=infiniflow/ragflow:v0.18.0
-# 
+#
 # The Docker image of the v0.18.0 edition includes built-in embedding models:
 #   - BAAI/bge-large-zh-v1.5
 #   - maidalun1020/bce-embedding-base_v1
@ -151,3 +150,32 @@ TIMEZONE='Asia/Shanghai'
 # - Enable registration: 1
 # - Disable registration: 0
 REGISTER_ENABLED=1
+
+# Sandbox settings
+# Important: To enable sandbox, you must re-declare the compose profiles. See hints at the end of file.
+# Double check if you add `sandbox-executor-manager` to your `/etc/hosts`
+# Pull the required base images before running:
+#   docker pull infiniflow/sandbox-base-nodejs:latest
+#   docker pull infiniflow/sandbox-base-python:latest
+# Our default sandbox environments include:
+#   - Node.js base image: includes axios
+#   - Python base image: includes requests, numpy, and pandas
+# Specify custom executor images below if you're using non-default environments.
+# SANDBOX_ENABLED=1
+# SANDBOX_HOST=sandbox-executor-manager
+# SANDBOX_EXECUTOR_MANAGER_IMAGE=infiniflow/sandbox-executor-manager:latest
+# SANDBOX_EXECUTOR_MANAGER_POOL_SIZE=3
+# SANDBOX_BASE_PYTHON_IMAGE=infiniflow/sandbox-base-python:latest
+# SANDBOX_BASE_NODEJS_IMAGE=infiniflow/sandbox-base-nodejs:latest
+# SANDBOX_EXECUTOR_MANAGER_PORT=9385
+# SANDBOX_ENABLE_SECCOMP=false
+
+# Important: To enable sandbox, you must re-declare the compose profiles.
+# 1. Comment out the COMPOSE_PROFILES line above.
+# 2. Uncomment one of the following based on your chosen document engine:
+#    - For Elasticsearch:
+# COMPOSE_PROFILES=elasticsearch,sandbox
+#    - For Infinity:
+# COMPOSE_PROFILES=infinity,sandbox
+#    - For OpenSearch:
+# COMPOSE_PROFILES=opensearch,sandbox
--- a/docker/docker-compose-base.yml
+++ b/docker/docker-compose-base.yml
@ -103,6 +103,33 @@ services:
      retries: 120
    restart: on-failure

+  sandbox-executor-manager:
+    container_name: ragflow-sandbox-executor-manager
+    profiles:
+      - sandbox
+    image: ${SANDBOX_EXECUTOR_MANAGER_IMAGE}
+    privileged: true
+    ports:
+      - ${SANDBOX_EXECUTOR_MANAGER_PORT}:9385
+    env_file: .env
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - ragflow
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      - TZ=${TIMEZONE}
+      - SANDBOX_EXECUTOR_MANAGER_POOL_SIZE=${SANDBOX_EXECUTOR_MANAGER_POOL_SIZE:-3}
+      - SANDBOX_BASE_PYTHON_IMAGE=${SANDBOX_BASE_PYTHON_IMAGE:-infiniflow/sandbox-base-python:latest}
+      - SANDBOX_BASE_NODEJS_IMAGE=${SANDBOX_BASE_NODEJS_IMAGE:-infiniflow/sandbox-base-nodejs:latest}
+      - SANDBOX_ENABLE_SECCOMP=${SANDBOX_ENABLE_SECCOMP:-false}
+    healthcheck:
+      test: ["CMD", "curl", "http://localhost:9385/healthz"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    restart: on-failure

  mysql:
    # mysql:5.7 linux/arm64 image is unavailable.