Skip to content

docs: design Docker Compose services integration#275

Draft
kingfs wants to merge 1 commit into
chaitin:mainfrom
kingfs:docs/docker-compose-services-design
Draft

docs: design Docker Compose services integration#275
kingfs wants to merge 1 commit into
chaitin:mainfrom
kingfs:docs/docker-compose-services-design

Conversation

@kingfs

@kingfs kingfs commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

Testing

Checklist

  • Documentation updated when behavior or configuration changed.
  • Tests added or updated for user-visible behavior.
  • No secrets, private endpoints, internal certificates, or local runtime state included.

@monkeyscan

monkeyscan Bot commented Jul 13, 2026

Copy link
Copy Markdown

PR Title: docs: design Docker Compose services integration

Commit: 45c1308

本次 PR 仅新增一份设计文档:docs/zh-CN/design/docker_compose_services_integration_design.md,用于规划 agent-compose.yml 中 Docker Compose Services 的集成方案。

核心设计决策:

  1. 采用 Compose Specification 的受控子集,而非全量兼容,对不支持的字段明确 "fail closed"。
  2. Service 生命周期由 daemon 统一 reconcile,支持 Docker/BoxLite/Microsandbox 三种 driver。
  3. Agent 通过 env 使用 service key + expose port 访问服务,不感知底层 runtime endpoint。
  4. 跨 driver 网络通过 project service gateway + guest loopback VIP + proxy 隧道实现,保持 postgres:5432 的统一寻址体验。
  5. 分三阶段落地:先 Docker backend,再统一 gateway,最后补齐 MicroVM service backend。

安全与可靠性亮点:

  • 明确禁止 privileged、host network、device、host bind mount、Docker socket 等高危字段。
  • 对未支持字段拒绝静默忽略,防止安全边界被绕过。
  • 使用 sandbox-scoped token 限制 proxy 跨 project 访问。
  • 保留 named volume 在 down 时不删除,避免数据丢失。

整体评估:
设计文档结构清晰,安全考量充分,边界定义明确,未发现高置信度的严重缺陷或引入的可行动风险。文档中提到的 SQLite 未加密存储 secret 属于现有已知约束,已在文档中明确披露。

@innomentats
innomentats marked this pull request as draft July 17, 2026 09:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant