Add Docker sandbox host mappings #488

Merged: 0xallam merged 3 commits into usestrix:main from Edneam:fix-docker-sandbox-extra-hosts on May 19, 2026

Conversation

@Edneam Edneam commented May 14, 2026

Contributor

Summary

  • Adds STRIX_SANDBOX_EXTRA_HOSTS for Docker sandbox /etc/hosts mappings.
  • Preserves the existing host.docker.internal -> host-gateway mapping.
  • Adds runtime tests and README documentation for local/internal target domains.

Why

Fixes #481 by allowing users to resolve local or internal hostnames from inside the Docker sandbox without rebuilding the sandbox image. For example:

```bash
export STRIX_SANDBOX_EXTRA_HOSTS="test.internal.lan=host-gateway"
```

Validation

  • docker run --rm hello-world
  • docker run --rm --add-host test.internal.lan:host-gateway alpine getent hosts test.internal.lan
  • uv run pytest tests/runtime/test_docker_runtime.py
  • uv run ruff format --check strix/config/config.py strix/runtime/docker_runtime.py tests/runtime/test_docker_runtime.py
  • uv run ruff check strix/config/config.py strix/runtime/docker_runtime.py tests/runtime/test_docker_runtime.py

Note: I also ran make check-all; it currently fails on existing repo-wide lint issues outside this PR's touched files.

greptile-apps Bot commented May 14, 2026

Contributor

Greptile Summary

This PR introduces STRIX_SANDBOX_EXTRA_HOSTS, allowing users to inject custom /etc/hosts entries into the Docker sandbox at runtime without rebuilding the image. It adds a _get_extra_hosts() parser, wraps ValueError in SandboxInitializationError, promotes several lazy imports to module level, and ships tests and README docs.

  • _get_extra_hosts() correctly handles empty input, comma-separated entries, whitespace stripping, missing-separator and double-equals edge cases — all covered by new unit tests.
  • The except ValueError handler in _create_container is placed inside the retry loop and catches the entire try block rather than only the _get_extra_hosts() call, meaning an unrelated ValueError from the Docker SDK would surface as a misleading "Invalid Docker sandbox host mapping" error.

Confidence Score: 5/5

Safe to merge; the feature is well-scoped, all edge cases in the parser are covered by tests, and the error-wrapping path works correctly for the intended scenario.

The change is additive and isolated: a new env-var-driven config field, a small parsing method with complete test coverage, and a controlled error propagation path. The only non-blocking note is that the ValueError catch sits inside the retry loop and covers more of the try block than the one call it was written to guard, but this does not affect correctness for any current code path.

strix/runtime/docker_runtime.py — the placement of the except ValueError handler inside the retry loop is worth a quick look.

Important Files Changed

| Filename | Overview |
|---|---|
| strix/runtime/docker_runtime.py | Adds _get_extra_hosts() parsing logic, wraps ValueError in SandboxInitializationError, and promotes lazy imports to module level; ValueError catch is slightly broader than the one code path it guards. |
| strix/config/config.py | Adds strix_sandbox_extra_hosts = None class attribute; straightforward and consistent with existing config fields. |
| tests/runtime/test_docker_runtime.py | New test file covering empty, merged, no-separator, and double-equals cases for _get_extra_hosts, plus container-creation integration tests for valid and invalid configs. |
| README.md | Adds one-line example of STRIX_SANDBOX_EXTRA_HOSTS to the environment variable reference block; accurate and consistent. |
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
strix/runtime/docker_runtime.py:142-186
The `except ValueError` block is positioned to catch any `ValueError` thrown anywhere in the `try` block, not just from `_get_extra_hosts()`. The Docker SDK's `containers.run()` can raise `ValueError` for invalid parameter types (e.g., a malformed port mapping), and there are other callers in the block (`existing.stop()`, `existing.remove()`, etc.). Any such error would be surfaced to the user as "Invalid Docker sandbox host mapping", which is misleading. Calling `_get_extra_hosts()` before the retry loop — since the env var doesn't change between retries and an invalid config is not retryable — would both narrow the catch scope and eliminate the redundant per-iteration parsing.

```suggestion
    def _create_container(self, scan_id: str, max_retries: int = 2) -> Container:
        container_name = f"strix-scan-{scan_id}"
        image_name = Config.get("strix_image")
        if not image_name:
            raise ValueError("STRIX_IMAGE must be configured")

        self._verify_image_available(image_name)

        try:
            extra_hosts = self._get_extra_hosts()
        except ValueError as e:
            raise SandboxInitializationError(
                "Invalid Docker sandbox host mapping",
                str(e),
            ) from e

        last_error: Exception | None = None
        for attempt in range(max_retries + 1):
            try:
                with contextlib.suppress(NotFound):
                    existing = self.client.containers.get(container_name)
                    with contextlib.suppress(Exception):
                        existing.stop(timeout=5)
                    existing.remove(force=True)
                    time.sleep(1)

                self._tool_server_port = self._find_available_port()
                self._caido_port = self._find_available_port()
                self._tool_server_token = secrets.token_urlsafe(32)
                execution_timeout = Config.get("strix_sandbox_execution_timeout") or "120"

                container = self.client.containers.run(
                    image_name,
                    command="sleep infinity",
                    detach=True,
                    name=container_name,
                    hostname=container_name,
                    ports={
                        f"{CONTAINER_TOOL_SERVER_PORT}/tcp": self._tool_server_port,
                        f"{CONTAINER_CAIDO_PORT}/tcp": self._caido_port,
                    },
                    cap_add=["NET_ADMIN", "NET_RAW"],
                    labels={"strix-scan-id": scan_id},
                    environment={
                        "PYTHONUNBUFFERED": "1",
                        "TOOL_SERVER_PORT": str(CONTAINER_TOOL_SERVER_PORT),
                        "TOOL_SERVER_TOKEN": self._tool_server_token,
                        "STRIX_SANDBOX_EXECUTION_TIMEOUT": str(execution_timeout),
                        "HOST_GATEWAY": HOST_GATEWAY_HOSTNAME,
                    },
                    extra_hosts=extra_hosts,
                    tty=True,
                )
```

Edneam commented May 14, 2026

Contributor Author

I have committed the changes suggested by Greptile. Please review the code and the issue, and comment if any changes are needed. Thank you.

0xallam commented May 19, 2026

Member
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@0xallam 0xallam merged commit dc39531 into usestrix:main May 19, 2026
