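# docker-compose.yml: Code Interpreter API with its Redis and MinIO backends.
services:
  # Code Interpreter API (unified image with nsjail sandboxing)
  api:
    build:
      context: .
      target: app
    image: "${API_IMAGE:-code-interpreter:nsjail}"
    # Never pull from a registry; the image comes from the local build above.
    pull_policy: never
    container_name: code-interpreter-api
    restart: unless-stopped
    # tini init process reaps zombie nsjail/python child processes
    init: true
    # nsjail requires these capabilities to create namespaces and cgroups
    # NOTE(review): CAP_SYS_ADMIN together with an unconfined AppArmor profile
    # removes much of Docker's default containment for this container, so the
    # nsjail policy inside it is the main boundary around submitted code.
    # No seccomp override is set here, so Docker's default seccomp profile
    # still applies; keep it, and do not widen this to `privileged: true`.
    cap_add:
      - SYS_ADMIN
    security_opt:
      - apparmor:unconfined
    # NOTE(review): no host IP is given, so this port is published on every
    # host interface, unlike redis and minio below which bind to 127.0.0.1.
    # Front it with authentication and TLS, or prefix the mapping with
    # 127.0.0.1 when only local access is needed.
    ports:
      - "${PORT:-8000}:8000"
    # Settings (presumably including credentials) are read from .env. Keep the
    # file out of version control; the build context is `.`, so also confirm
    # that .dockerignore excludes it from the image.
    env_file:
      - .env
    environment:
      # Container-specific overrides (service discovery within compose network)
      - REDIS_HOST=redis
      - MINIO_ENDPOINT=minio:9000
    volumes:
      - sandbox-data:/var/lib/code-interpreter/sandboxes
      # SSL_CERTS_PATH is a host path; SSL_CERT_FILE and SSL_KEY_FILE must point
      # to the mounted files inside the container under /app/ssl.
      # Mounted read-only so the service cannot modify the key material.
      - "${SSL_CERTS_PATH:-./ssl}:/app/ssl:ro"
    tmpfs:
      - /app/data:size=100m
    depends_on:
      redis:
        condition: service_healthy
      minio-init:
        condition: service_completed_successfully
    # Tries plain HTTP first, then HTTPS with certificate verification disabled
    # (-k). Skipping verification is tolerable only because the probe targets
    # localhost inside the container.
    healthcheck:
      test: ["CMD-SHELL", "curl -fs http://localhost:8000/health || curl -fsk https://localhost:8000/health"]
      interval: 30s
      timeout: 15s
      retries: 3
      start_period: 30s
    # No /var/run/docker.sock mount needed

  # Redis for session management
  # NOTE(review): no password is configured (no --requirepass). The host port
  # is bound to loopback, but every container on the compose network can reach
  # redis:6379 unauthenticated. Set a password if the API supports one.
  redis:
    image: redis:7-alpine
    container_name: code-interpreter-redis
    restart: unless-stopped
    ports:
      - "127.0.0.1:${REDIS_PORT:-6379}:6379"
    # Folded scalar: the lines below are joined into a single command line.
    command: >
      redis-server
      --appendonly yes
      --appendfsync everysec
      --maxmemory 256mb
      --maxmemory-policy allkeys-lru
    volumes:
      - redis-data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  # MinIO for file storage
  # NOTE(review): `latest` is a floating tag, so the image that runs can change
  # between pulls. Pin a specific release tag or an image digest.
  minio:
    image: minio/minio:latest
    container_name: code-interpreter-minio
    restart: unless-stopped
    ports:
      - "127.0.0.1:${MINIO_PORT:-9000}:9000"
      - "127.0.0.1:${MINIO_CONSOLE_PORT:-9001}:9001"
    # NOTE(review): when MINIO_ACCESS_KEY / MINIO_SECRET_KEY are unset, the
    # root account falls back to the well-known minioadmin/minioadmin pair.
    # Set both explicitly for anything beyond local development.
    environment:
      MINIO_ROOT_USER: "${MINIO_ACCESS_KEY:-minioadmin}"
      MINIO_ROOT_PASSWORD: "${MINIO_SECRET_KEY:-minioadmin}"
    command: server /data --console-address ":9001"
    volumes:
      - minio-data:/data
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 10s
      timeout: 5s
      retries: 5

  # MinIO bucket initialization
  # NOTE(review): `latest` is a floating tag here as well; pin it.
  minio-init:
    image: minio/mc:latest
    depends_on:
      minio:
        condition: service_healthy
    # `$$` escapes Compose interpolation, so the shell inside the container
    # expands the variables from the `environment` block below.
    # NOTE(review): the trailing `exit 0` makes this service report success
    # even when `mc alias set` or `mc mb` fails, so the api service's
    # `service_completed_successfully` condition cannot detect a missing
    # bucket. Confirm that this best-effort behaviour is intended.
    entrypoint: >
      /bin/sh -c "
      mc alias set myminio http://minio:9000 $${MINIO_ACCESS_KEY:-minioadmin} $${MINIO_SECRET_KEY:-minioadmin};
      mc mb --ignore-existing myminio/$${MINIO_BUCKET:-code-interpreter-files};
      exit 0;
      "
    environment:
      MINIO_ACCESS_KEY: "${MINIO_ACCESS_KEY:-minioadmin}"
      MINIO_SECRET_KEY: "${MINIO_SECRET_KEY:-minioadmin}"
      MINIO_BUCKET: "${MINIO_BUCKET:-code-interpreter-files}"

# Named volumes with default driver settings.
volumes:
  sandbox-data: {}
  redis-data: {}
  minio-data: {}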