Add Docker sandbox host mappings#488
Conversation
Greptile SummaryThis PR introduces
Confidence Score: 5/5Safe to merge; the feature is well-scoped, all edge cases in the parser are covered by tests, and the error-wrapping path works correctly for the intended scenario. The change is additive and isolated: a new env-var-driven config field, a small parsing method with complete test coverage, and a controlled error propagation path. The only non-blocking note is that the strix/runtime/docker_runtime.py — the placement of the Important Files Changed
Prompt To Fix All With AIFix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
strix/runtime/docker_runtime.py:142-186
The `except ValueError` block is positioned to catch any `ValueError` thrown anywhere in the `try` block, not just from `_get_extra_hosts()`. The Docker SDK's `containers.run()` can raise `ValueError` for invalid parameter types (e.g., a malformed port mapping), and there are other callers in the block (`existing.stop()`, `existing.remove()`, etc.). Any such error would be surfaced to the user as "Invalid Docker sandbox host mapping", which is misleading. Calling `_get_extra_hosts()` before the retry loop — since the env var doesn't change between retries and an invalid config is not retryable — would both narrow the catch scope and eliminate the redundant per-iteration parsing.
```suggestion
def _create_container(self, scan_id: str, max_retries: int = 2) -> Container:
container_name = f"strix-scan-{scan_id}"
image_name = Config.get("strix_image")
if not image_name:
raise ValueError("STRIX_IMAGE must be configured")
self._verify_image_available(image_name)
try:
extra_hosts = self._get_extra_hosts()
except ValueError as e:
raise SandboxInitializationError(
"Invalid Docker sandbox host mapping",
str(e),
) from e
last_error: Exception | None = None
for attempt in range(max_retries + 1):
try:
with contextlib.suppress(NotFound):
existing = self.client.containers.get(container_name)
with contextlib.suppress(Exception):
existing.stop(timeout=5)
existing.remove(force=True)
time.sleep(1)
self._tool_server_port = self._find_available_port()
self._caido_port = self._find_available_port()
self._tool_server_token = secrets.token_urlsafe(32)
execution_timeout = Config.get("strix_sandbox_execution_timeout") or "120"
container = self.client.containers.run(
image_name,
command="sleep infinity",
detach=True,
name=container_name,
hostname=container_name,
ports={
f"{CONTAINER_TOOL_SERVER_PORT}/tcp": self._tool_server_port,
f"{CONTAINER_CAIDO_PORT}/tcp": self._caido_port,
},
cap_add=["NET_ADMIN", "NET_RAW"],
labels={"strix-scan-id": scan_id},
environment={
"PYTHONUNBUFFERED": "1",
"TOOL_SERVER_PORT": str(CONTAINER_TOOL_SERVER_PORT),
"TOOL_SERVER_TOKEN": self._tool_server_token,
"STRIX_SANDBOX_EXECUTION_TIMEOUT": str(execution_timeout),
"HOST_GATEWAY": HOST_GATEWAY_HOSTNAME,
},
extra_hosts=extra_hosts,
tty=True,
)
```
Reviews (2): Last reviewed commit: "Address docker extra hosts review feedba..." | Re-trigger Greptile |
|
i have commit the changes suggested by the greptile .. please review the code and issue .. comment if any changes are needed .. thank you |
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
STRIX_SANDBOX_EXTRA_HOSTSfor Docker sandbox/etc/hostsmappings.host.docker.internal -> host-gatewaymapping.Why
Fixes #481 by allowing users to resolve local or internal hostnames from inside the Docker sandbox without rebuilding the sandbox image. For example:
Validation
docker run --rm hello-worlddocker run --rm --add-host test.internal.lan:host-gateway alpine getent hosts test.internal.lanuv run pytest tests/runtime/test_docker_runtime.pyuv run ruff format --check strix/config/config.py strix/runtime/docker_runtime.py tests/runtime/test_docker_runtime.pyuv run ruff check strix/config/config.py strix/runtime/docker_runtime.py tests/runtime/test_docker_runtime.pyNote: I also ran
make check-all; it currently fails on existing repo-wide lint issues outside this PR's touched files.