[16] Per-tool container isolation #45

Description

@rfunix

Problem

All tools run in the same container process, sharing filesystem, network, and privileges. A vulnerable tool or malicious output could compromise the entire Tengu environment.

Implementation Steps

  1. Create `src/tengu/executor/isolated.py`:
    • `IsolationProfile` dataclass with `image`, `read_only`, `network_mode`, `capabilities`, `timeout`, `memory_limit`
    • `TOOL_PROFILES` dict mapping tool names to isolation profiles
    • `run_isolated(tool, args, target) -> tuple[str, str, int]` — runs in ephemeral container with `--read-only`, `--tmpfs /tmp`, memory/network limits
  2. Add `isolation_enabled: bool = False` to config (opt-in, default off)
  3. Update `@tengu_tool` decorator to route through `run_isolated()` when `isolation_enabled=True`
  4. Create `docker/tool-runner.Dockerfile` — minimal image with single tool binary
  5. Update `docker-compose.yml` to mount Docker socket or use Podman socket
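A sketch of the `IsolationProfile` / `TOOL_PROFILES` / `run_isolated()` design from the steps above, added here as an example and not code from the Tengu repository. The Docker CLI flags are real; the sample tool names, images, resource values and the assumption that the tool binary is on the image's PATH are constructed for illustration.

```python
from __future__ import annotations

import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class IsolationProfile:
    image: str
    read_only: bool = True
    network_mode: str = "none"          # no egress unless a tool explicitly needs it
    capabilities: tuple[str, ...] = ()  # capabilities re-added after --cap-drop=ALL
    timeout: int = 300                  # seconds, enforced on the host side
    memory_limit: str = "512m"


# Constructed sample entries; a real deployment would keep these in Tengu's config.
TOOL_PROFILES: dict[str, IsolationProfile] = {
    "strings": IsolationProfile(image="tengu/tool-strings:latest"),
    "whois": IsolationProfile(image="tengu/tool-whois:latest", network_mode="bridge"),
}


def build_docker_argv(tool: str, args: list[str], profile: IsolationProfile) -> list[str]:
    """Translate a profile into `docker run` flags: deny-by-default, then open only what is listed."""
    argv = [
        "docker", "run", "--rm",
        "--cap-drop=ALL", "--security-opt=no-new-privileges", "--pids-limit=256",
        f"--network={profile.network_mode}", f"--memory={profile.memory_limit}",
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",
    ]
    if profile.read_only:
        argv.append("--read-only")
    argv.extend(f"--cap-add={cap}" for cap in profile.capabilities)
    argv += [profile.image, tool, *args]  # assumes the image has `tool` on its PATH
    return argv


def run_isolated(tool: str, args: list[str], target: str) -> tuple[str, str, int]:
    """Run one tool invocation in an ephemeral container; refuse tools without a profile."""
    profile = TOOL_PROFILES.get(tool)
    if profile is None:
        raise ValueError(f"no isolation profile for {tool!r}; refusing to run unsandboxed")
    argv = build_docker_argv(tool, [*args, target], profile)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=profile.timeout)
    except subprocess.TimeoutExpired as exc:
        # A hung tool is killed by subprocess; report it with a distinct exit status.
        return (exc.stdout or "", f"timed out after {profile.timeout}s", 124)
    return proc.stdout, proc.stderr, proc.returncode
```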

Files to Modify

  • New: `src/tengu/executor/isolated.py`
  • `src/tengu/executor/base.py`
  • `src/tengu/config.py`
  • New: `docker/tool-runner.Dockerfile`
  • `docker-compose.yml`

Dependencies

None (standalone)

Metadata

Assignees

No one assigned

    Labels

    • area:infra (Infrastructure and Docker)
    • area:security (Security controls and validation)
    • effort:XL (Extra-large effort, > 4 weeks)
    • priority:P0 (Critical — must be done first)
