example.config.zh.toml
 1  # Copyright 2025 Alibaba Group Holding Ltd.
 2  #
 3  # Licensed under the Apache License, Version 2.0 (the "License");
 4  # you may not use this file except in compliance with the License.
 5  # You may obtain a copy of the License at
 6  #
 7  #     http://www.apache.org/licenses/LICENSE-2.0
 8  #
 9  # Unless required by applicable law or agreed to in writing, software
10  # distributed under the License is distributed on an "AS IS" BASIS,
11  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  # See the License for the specific language governing permissions and
13  # limitations under the License.
14  
15  # Example Docker Runtime Configuration for OpenSandbox Server
16  #
17  # 完整配置参考:https://github.com/alibaba/OpenSandbox/blob/main/server/configuration.md
18  
[server]
# Loopback-only listener: the API is reachable from this host alone. Keep it
# that way while api_key is unset, and set api_key before binding to any
# non-loopback address.
host = "127.0.0.1"
port = 8080
# 86_400 s = 24 h. Presumably the longest lifetime a sandbox may be given;
# confirm against the configuration reference.
max_sandbox_timeout_seconds = 86_400

# Optional: uncomment to enable API key authentication. Replace the
# placeholder with a generated secret and keep the real value out of version
# control.
# api_key = "your-secret-api-key"
# With api_key empty, startup requires an explicit confirmation:
# - interactive TTY: type YES at the prompt
# - non-interactive environment: set OPENSANDBOX_INSECURE_SERVER=YES
# Either path runs the API without API-key authentication, so reserve it for
# local development on the loopback address.
29  
[log]
# Log verbosity. The accepted level names are not listed in this file; see
# the configuration reference.
level = "INFO"
32  
[runtime]
# Sandbox backend. The [docker] table in this file holds its hardening options.
type = "docker"
# The image is pinned by tag. Registry tags can be re-pointed to different
# content, so for reproducible deployments consider pinning by digest
# (<repository>@sha256:<digest>) if the server accepts digest references
# (TODO confirm), or mirroring the image into a registry you control.
execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.13"
36  
[storage]
# Default storage size used when a Kubernetes PVC is created automatically and
# the caller did not specify one.
volume_default_size = "1Gi"

# Presumably the allowlist of host path prefixes that sandboxes may mount.
# NOTE(review): confirm in the configuration reference whether an empty list
# denies every host path or leaves them all permitted; on shared hosts list
# only the prefixes sandboxes are meant to reach.
allowed_host_paths = []
42  
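[docker]
# Supported values: "host", "bridge". "bridge" gives each sandbox container its
# own network namespace; "host" shares the host's network stack and removes
# that isolation, so prefer "bridge" for untrusted workloads.
network_mode = "bridge"
# Capabilities removed from sandbox containers. AUDIT_WRITE, MKNOD and NET_RAW
# are part of Docker's default set; the others are not granted by default and
# are listed to make the intent explicit.
drop_capabilities = [
    "AUDIT_WRITE",     # write records to the kernel audit log
    "MKNOD",           # create device nodes
    "NET_ADMIN",       # reconfigure interfaces, routing and firewall rules
    "NET_RAW",         # open raw and packet sockets
    "SYS_ADMIN",       # broad administrative operations (mount and others)
    "SYS_MODULE",      # load and unload kernel modules
    "SYS_PTRACE",      # trace and inspect other processes
    "SYS_TIME",        # set the system clock
    "SYS_TTY_CONFIG",  # configure virtual terminals
]
# Block privilege escalation: processes cannot gain privileges through
# setuid/setgid binaries or file capabilities.
no_new_privileges = true
# Optional: name of an AppArmor profile (e.g. "docker-default") to apply when
# AppArmor is enabled on the host.
# NOTE(review): what the empty string selects is not stated in this file;
# confirm in the configuration reference.
apparmor_profile = ""
# Seccomp profile: an empty string uses Docker's default profile; set an
# absolute path to use a custom profile.
seccomp_profile = ""
# Caps the number of processes per container so a fork bomb cannot exhaust
# the host's process table. TOML has no null literal, so `pids_limit = null`
# does not parse; to disable the limit follow the configuration reference
# (presumably by removing the key, TODO confirm).
pids_limit = 4096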
55  
[ingress]
# Ingress mode.
# NOTE(review): the meaning of "direct" is not described in this file;
# presumably clients reach sandbox endpoints without an intermediate gateway.
# Confirm in the configuration reference before exposing sandboxes beyond
# this host.
mode = "direct"
58  
[egress]
# NOTE(review): "dns" presumably selects DNS-based egress control. If rules
# are matched on names only, connections made to literal IP addresses may not
# be covered; confirm the enforcement scope in the configuration reference.
mode = "dns"
# The image is pinned by tag. Registry tags can be re-pointed to different
# content, so consider pinning by digest (<repository>@sha256:<digest>) if the
# server accepts digest references (TODO confirm).
image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.8"
62  
# [EXPERIMENTAL] Renew on access. Off by default; see server/README_zh.md.
[renew_intent]
enabled = false
# Seconds. Presumably the minimum spacing between two renewals of the same
# sandbox once the feature is enabled; confirm in server/README_zh.md.
min_interval_seconds = 60