docs: add E2B API and Templates architecture design proposals #260
MahaoAlex wants to merge 1 commit into volcano-sh:main
[APPROVALNOTIFIER] This PR is NOT APPROVED
Code Review
This pull request introduces a comprehensive architecture design for an E2B API compatible layer within AgentCube, covering sandbox lifecycle management, authentication, and data mapping. The review feedback identifies several areas for improvement, including a typo in the document title, a broken link to the Templates API design, and inconsistent JSON tagging for internet access settings. Additionally, there are concerns regarding the performance of the API key validation logic and the use of an incorrect method for updating sandbox timeouts in the provided code examples.
Codecov Report
✅ All modified and coverable lines are covered by tests.

```
@@            Coverage Diff             @@
##             main     #260      +/-   ##
==========================================
+ Coverage   43.37%   47.57%   +4.19%
==========================================
  Files          30       30
  Lines        2610     2819     +209
==========================================
+ Hits         1132     1341     +209
+ Misses       1355     1338      -17
- Partials      123      140      +17
```

Flags with carried forward coverage won't be shown.
518c341 to bce97ed
@hzxuzhonghu @YaoZengzeng @kevin-wangzefeng Please take a look, thanks!
bce97ed to d0950b1
d0950b1 to 17f530e
|
|
||
| | E2B Concept | AgentCube Concept | Notes | | ||
| | -------------- | ---------------------------------- | ----------------------------------------------------- | | ||
| | **Template** | CodeInterpreter / AgentRuntime CRD | E2B template_id maps to AgentCube CRD name | |
When is a template mapped to a CodeInterpreter and when is a template mapped to an AgentRuntime?
|
|
||
| **Template ID Format for Namespace Isolation:** | ||
|
|
||
| The `template_id` field supports namespace scoping using the format `{namespace}/{name}`: |
This naming hierarchy differs from the original E2B protocol and will need to be emphasized in future documentation.
| # Keys must be valid DNS subdomain names (matching [-._a-zA-Z0-9]+). | ||
| # Here we use sha256(api_key) in hex as the key (safe format). | ||
| # key: hex(sha256(api_key)) → value: base64(namespace:client_id) | ||
| "a1b2c3d4e5f6789...": "ZGVmYXVsdDpjbGllbnQx" # hash(api_key_123) → default:client1 |
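Review bot: The `hex(sha256(api_key))` scheme described in the second and third comment lines is an unsalted digest, so it only protects keys that are long and randomly generated; state that generation requirement next to this example. The first comment line also calls the allowed key format "DNS subdomain names", but the pattern it shows, `[-._a-zA-Z0-9]+`, permits `_` and upper-case letters, which DNS subdomain names do not, so describe it as "alphanumeric characters, `-`, `_` or `.`". The value on the last line is base64 of `namespace:client_id`, which is encoding, not protection; say so, so that nobody treats the mapping as confidential.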
For example, if a user has an API key mapped to "default:client1", then this user could do all the things to the sandboxes and templates in the default ns?
Do we need to restrict clients' permissions? Such as client1 only has read permission and client2 has read and write permission to the sandbox and template resources. Also, could client1 read and write resources created by client2?
|
|
||
| #### 5.2.3 Mapping to AgentCube CRDs | ||
|
|
||
| **E2B Template → CodeInterpreter/AgentRuntime CRD:** |
Seems to be only CodeInterpreterKind
hzxuzhonghu left a comment
I do not see which API is handling the run-a-command request
| ┌─────────────────────────────────────────────────────────────────────────────┐ | ||
| │ AgentCube Router │ | ||
| │ ┌─────────────────────────────────────────────────────────────────────┐ │ | ||
| │ │ E2B Compatible API Layer │ │ |
I would suggest we separate this entry point by port from our default api listener
| │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌────────────┐ │ │ | ||
| │ │ │ Handlers │ │ Models │ │ Auth │ │ Middleware │ │ │ | ||
| │ │ │ │ │ │ │ │ │ │ │ │ | ||
| │ │ │ • POST /sand│ │ • Sandbox │ │ • API Key │ │ • Logging │ │ │ |
| ▼ | ||
| ┌─────────────────────────────────────────────────────────────────────────────┐ | ||
| │ Kubernetes │ | ||
| │ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐ │ | ||
| │ │ CodeInter- │ │ AgentRuntime │ │ agent-sandbox│ │ | ||
| │ │ preter CRD │ │ CRD │ │ (microVM) │ │ | ||
| │ └───────────────┘ └───────────────┘ └───────┬───────┘ │ | ||
| └─────────────────────────────────────────────────┼───────────────────────────┘ | ||
| │ | ||
| ▼ | ||
| ┌───────────────────┐ | ||
| │ PicoD │ | ||
| │ (sandbox runtime)│ | ||
| └───────────────────┘ |
This is confusing and noisy
| └───────────────────┘ | ||
| ``` | ||
|
|
||
| ### 2.2 Request Flow |
Can you also document the template creation procedure?
17f530e to e511b72
| | | `DELETE /sandboxes/{id}` | Kill sandbox | | ||
| | | `POST /sandboxes/{id}/refresh` | Refresh sandbox TTL (mapped to refreshes) | | ||
| | | `POST /sandboxes/{id}/timeout` | Set sandbox timeout | | ||
| | **Templates** | `POST /v3/templates` | Crate Template API. | |
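Review bot: Typo in the **Templates** row: "Crate Template API." should read "Create template", and the trailing period does not match the sandbox rows above it. In the `POST /sandboxes/{id}/refresh` row, "(mapped to refreshes)" does not say which AgentCube operation the call is mapped to; name the target so the difference from `POST /sandboxes/{id}/timeout` is clear.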
| | **e2b_server.go** | E2B listener (`:8081`) setup, Platform API path routes, `engine.NoRoute` dispatch to `proxy.go` for Sandbox API. Receives shared `SessionManager`, `Store` and JWT manager via constructor injection from parent `pkg/router/`. | | ||
| | **handlers.go** | Platform API HTTP handlers (`/sandboxes`, `/templates`). Translates E2B requests via `mapper.go` + `resolver.go`, then delegates to the shared `SessionManager` (from `pkg/router/`) which performs the actual sandbox lifecycle operations. | | ||
| | **proxy.go** | Sandbox API proxy: Host parsing (`parseE2BHost`), Store lookup by `e2bSandboxID`, JWT signing. **Reuses `forwardToSandbox` / `configureProxyDirector` from `pkg/router/handlers.go`** for `req.Host` rewrite, `X-Forwarded-Host` propagation, and `Authorization: Bearer <JWT>` injection (see §2.3.3). | | ||
| | **models.go** | E2B wire-format structs (snake_case JSON) | |
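Review bot: The **proxy.go** row says `X-Forwarded-Host` is propagated and `Authorization: Bearer <JWT>` is injected, but not what happens to an `Authorization` or `X-Forwarded-Host` header the client already sent. State that inbound copies of both headers are overwritten or stripped before forwarding, so the sandbox only ever sees router-issued values, and say which identity the signed JWT asserts (the sandbox, the API key's client, or both).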
| AutoPause bool `json:"autoPause,omitempty"` | ||
| AllowInternetAccess bool `json:"allow_internet_access,omitempty"` | ||
| Secure bool `json:"secure,omitempty"` |
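Review bot: The tag on `AutoPause` is camelCase (`json:"autoPause,omitempty"`) while `AllowInternetAccess` on the next line is snake_case, and the module table describes models.go as snake_case JSON; use whichever spelling the E2B wire format defines and note any deliberate exception. Also, a plain `bool` with `omitempty` cannot distinguish an omitted field from an explicit `false`, which matters for `allow_internet_access` and `secure`: either use `*bool` or document the default applied when the field is absent.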
| // pkg/router/e2b_proxy.go | ||
|
|
||
| func (s *Server) handleE2BSandboxProxy(c *gin.Context) { | ||
| port, e2bSandboxID, err := parseE2BHost(c.Request.Host) |
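Review bot: `c.Request.Host` on the last line is client-controlled input, and the snippet stops before showing what happens when `parseE2BHost` returns `err`. Show the error branch returning a 4xx before any Store lookup, and document which host suffixes and port values `parseE2BHost` accepts so that a crafted Host header cannot select an unintended sandbox or port.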
|
|
||
| | Scenario | Behavior | | ||
| | --------------------------------------------- | ------------------------------ | | ||
| | Missing port (e.g., `abc123.sb.e2b.app`) | Default port `80` | |
| envd.POST("/filesystem/move", s.EnvdMoveHandler) | ||
| envd.DELETE("/filesystem/remove", s.EnvdRemoveHandler) | ||
| envd.GET("/filesystem/stat", s.EnvdStatHandler) | ||
| envd.POST("/filesystem/compose", s.EnvdComposeHandler) |
| | **handlers.go** | Platform API HTTP handlers (`/sandboxes`, `/templates`). Translates E2B requests via `mapper.go` + `resolver.go`, then delegates to the shared `SessionManager` (from `pkg/router/`) which performs the actual sandbox lifecycle operations. | | ||
| | **proxy.go** | Sandbox API proxy: Host parsing (`parseE2BHost`), Store lookup by `e2bSandboxID`, JWT signing. **Reuses `forwardToSandbox` / `configureProxyDirector` from `pkg/router/handlers.go`** for `req.Host` rewrite, `X-Forwarded-Host` propagation, and `Authorization: Bearer <JWT>` injection (see §2.3.3). | | ||
| | **models.go** | E2B wire-format structs (snake_case JSON) | | ||
| | **auth.go** | API Key validation backed by a `SharedInformerFactory` watching the `e2b-api-keys` Secret and `e2b-api-key-config` ConfigMap (). The informer is bootstrapped once in `e2b_server.go` and shared with all handlers. | |
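Review bot: The **auth.go** row has an empty pair of parentheses after "`e2b-api-key-config` ConfigMap", which looks like a dropped section reference; restore the reference or remove the parentheses. The row should also say how validation behaves before the informer cache has synced and after the `e2b-api-keys` Secret is deleted or emptied; requests should be rejected in both cases, not passed through.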
| envd.POST("/process/input", s.EnvdProcessInputHandler) | ||
| envd.POST("/process/close-stdin", s.EnvdProcessCloseStdinHandler) | ||
| envd.POST("/process/signal", s.EnvdProcessSignalHandler) | ||
| envd.POST("/process/update", s.EnvdProcessUpdateHandler) |
|
|
||
| // Environment | ||
| envd.GET("/env", s.EnvdEnvHandler) | ||
| envd.GET("/stats", s.EnvdStatsHandler) |
| | Category | API Endpoint | Description | | ||
| | ------------- | ------------------------------ | ----------------------------------------- | | ||
| | **Sandboxes** | `POST /sandboxes` | Create sandbox | | ||
| | | `GET /sandboxes` | List running sandboxes | | ||
| | | `GET /sandboxes/{id}` | Get sandbox details | | ||
| | | `GET /v2/sandboxes` | List running sandboxes (v2) | | ||
| | | `DELETE /sandboxes/{id}` | Kill sandbox | | ||
| | | `POST /sandboxes/{id}/refresh` | Refresh sandbox TTL (mapped to refreshes) | | ||
| | | `POST /sandboxes/{id}/timeout` | Set sandbox timeout | | ||
| | **Templates** | `POST /v3/templates` | Crate Template API. | | ||
| | | `GET /templates` | List current Templates | | ||
| | | `GET /templates/{id}` | Get template details. | | ||
| | | `DELETE /templates/{id}` | Delete specified template. | | ||
| | | `PATCH /v2/templates/{id}` | Update template. | |
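Review bot: The endpoint column mixes unversioned, `/v2` and `/v3` paths (`GET /sandboxes` next to `GET /v2/sandboxes`, `POST /v3/templates` next to `GET /templates` and `PATCH /v2/templates/{id}`) with no explanation. Add a sentence on where each version prefix comes from and how the two sandbox list endpoints differ, and state whether every path in the table goes through the same API key check.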
This commit adds architecture design proposal for E2B API compatibility:

- docs/design/e2b-api-architecture.md - E2B API Phase 1 architecture design

This document describes the architecture and design decisions for implementing E2B-compatible REST API and Templates management in AgentCube.

Signed-off-by: MahaoAlex <alexmahao319@gmail.com>
e511b72 to 933dca3
hzxuzhonghu left a comment
Maybe we can have a discussion to further move it forward.
Not sure how all these APIs can be compatible; need to mark unsupported if not. https://github.com/MahaoAlex/agentcube/blob/933dca382d8f89de32ee9c5682ac86dd97e669e6/docs/design/e2b-api-architecture.md#sandbox-api--envd-api-support-status-picod-layer
|
|
||
| | Listener | Port | Traffic | Exposure | | ||
| | ---------- | ------- | ---------------------------------------------------------------------------- | ----------------------------- | | ||
| | **Native** | `:8080` | AgentCube Native API (`/v1/namespaces/...`, `/health`) | Internal (ClusterIP) | |
> Internal (ClusterIP)

I think this is not an enforcement
What type of PR is this?
What this PR does / why we need it:
This commit adds architecture design proposal for E2B API compatibility:
This document describes the architecture and design decisions for implementing E2B-compatible REST API and Templates management in AgentCube.
Which issue(s) this PR fixes:
Fixes #257
Special notes for your reviewer:
@hzxuzhonghu @kevin-wangzefeng @YaoZengzeng
Does this PR introduce a user-facing change?: