feat(backend): sandbox snapshots & volumes for nsjail

[rubenfiszel]

Summary

Adds workspace-level sandbox snapshots and persistent volumes for nsjail-sandboxed script execution. This lets users:

• Snapshots: Pre-build custom rootfs images from Docker images + setup scripts (e.g., python:3.12 with pip install pandas numpy), stored on S3, mounted via overlayfs as the nsjail rootfs. Scripts reference them with # sandbox: python-env:latest annotations.
• Volumes: Persistent directories synced to/from S3 before/after each job. Scripts reference them with # volume: data:/workspace/data annotations.

Architecture

Script code annotations:
  # sandbox: python-env:latest     →  overlayfs rootfs (read-only base + writable per-job layer)
  # volume: data:/workspace/data   →  S3-synced bind mount into nsjail

Worker flow:
  1. Parse annotations from script content (no schema changes needed)
  2. Download snapshot from S3 (cached locally by content_hash)
  3. Mount overlayfs: lower=snapshot, upper=per-job writable
  4. Download volumes from S3, bind-mount into sandbox
  5. Execute job in nsjail with custom rootfs
  6. Upload volumes back to S3, unmount overlay

Key design decisions

• No schema changes to scripts/jobs: annotations parsed from script content at runtime
• Minimal executor changes: sandbox mounts encoded into existing shared_mount string; nsjail config post-processed via finalize_nsjail_config() to swap system dir mounts for overlay root
• S3 operations gated behind parquet feature: matches existing object store infrastructure
• Last-writer-wins for volumes: simple, no locking needed

Changes

Area	Files	Description
Migration	migrations/20260217*	sandbox_snapshot + sandbox_volume tables
Common	windmill-common/src/sandbox.rs	Types + parse_sandbox_config() annotation parser
API	windmill-api/src/sandbox.rs	CRUD endpoints for snapshots & volumes (admin-only)
Worker	windmill-worker/src/sandbox_setup.rs	S3 cache, overlayfs, volume sync, nsjail config post-processing, snapshot build
Worker	worker.rs	Parse annotations, setup/teardown around executor dispatch
Executors	12 executor files	Wrap nsjail config with finalize_nsjail_config()

Example usage

Python script with custom snapshot + persistent volume:

# sandbox: python-ml:gpu
# volume: models:/workspace/models
# volume: data:/workspace/data
import pandas as pd
import torch

def main():
    df = pd.read_csv("/workspace/data/input.csv")
    model = torch.load("/workspace/models/model.pt")
    return model.predict(df).tolist()

Bash script with custom runtime:

#!/bin/bash
# sandbox: custom-runtime:latest
# volume: output:/mnt/output
echo "Running in custom rootfs with persistent output"

TypeScript/Go (// comment style):

// sandbox: node-env:v2
// volume: cache:/tmp/cache
export async function main() { /* ... */ }

Test plan

• 14 unit tests for annotation parsing (windmill-common::sandbox::tests) — all comment styles, edge cases, mixed annotations
• 14 unit + integration tests for nsjail config generation (windmill-worker::sandbox_setup::tests) — including 4 end-to-end tests against real proto templates:
  • Bash with snapshot + 2 volumes: verifies system dirs stripped, overlay + volumes mounted, non-system mounts preserved
  • Python with snapshot only: verifies Python-specific mounts preserved
  • Volumes only (no snapshot): verifies system dirs kept, volume mounted
  • No annotations: verifies config passes through unchanged
• cargo check — clean
• RUSTFLAGS="-D warnings" cargo check — clean
• RUSTFLAGS="-D warnings" cargo check --features parquet — clean
• Manual: create snapshot via API → build → run script with annotation → verify overlayfs + volumes

🤖 Generated with Claude Code

[claude]

Claude finished @rubenfiszel's task in 3m 13s —— View job

---

Review: Sandbox Snapshots & Volumes for nsjail

• Read and analyze all changed files
• Review migration files
• Review common types and parser (windmill-common/src/sandbox.rs)
• Review API endpoints (windmill-api/src/sandbox.rs)
• Review worker sandbox setup (windmill-worker/src/sandbox_setup.rs)
• Review worker.rs changes
• Review executor changes (all 12 nsjail executors)
• Check for security issues
• Provide inline comments for specific issues
• Post final review

---

General Observations

Architecture is clean and well-structured. The separation of concerns is good: annotation parsing in windmill-common, CRUD in windmill-api, and mount/overlay/S3 logic in windmill-worker. The finalize_nsjail_config() approach is a pragmatic way to post-process configs without changing every executor's signature.

Test coverage is solid. 14 parser tests + 14 worker tests including 4 end-to-end tests against real proto templates is thorough. The tests cover edge cases well (mixed comment styles, nested colons, no annotations passthrough).

Executor changes are consistent and mechanical. All 12 nsjail-using executors are updated identically — wrapping the config string through finalize_nsjail_config() before writing to disk. Deno doesn't use nsjail, so it's correctly excluded.

Issues Found (10 inline comments posted)

High Priority:

1. No input validation on snapshot/volume names (sandbox.rs:96-100) — Names are used in S3 keys and filesystem cache paths. Path traversal (../) could write to arbitrary S3 locations. Admin-only mitigates but doesn't eliminate the risk.
2. Volume auto-creation bypasses admin restriction (sandbox_setup.rs:312-326) — Any user can force-create volume DB records by adding # volume: annotations to scripts, circumventing the admin-only API.
3. Volume mount path not validated (sandbox_setup.rs:37-39) — User-controlled mount paths from script annotations are injected directly into nsjail config without sanitization.

Medium Priority:
4. TOCTOU race on snapshot cache (sandbox_setup.rs:156-165) — Concurrent workers downloading the same snapshot could serve a partially-unpacked directory. Use atomic rename pattern.
5. Entire snapshot loaded into memory (sandbox_setup.rs:176) — Large Docker images (GB+) loaded fully into RAM before unpacking. Consider streaming for v2.
6. No cache eviction for snapshots (sandbox_setup.rs:121) — /tmp/windmill/snapshots grows unboundedly.

Low Priority / Suggestions:
7. Status column lacks CHECK constraint (migration:12) — Use CHECK (status IN ('pending', 'building', 'ready', 'failed')).
8. Sync fs call in async context (worker.rs:4184-4186) — std::fs::create_dir_all vs tokio::fs used elsewhere.
9. Volume upload failures are silent (worker.rs:4664-4681) — Logged but not surfaced to users; could cause silent data loss.
10. Sandbox name colon ambiguity (sandbox.rs:75-82) — Document that sandbox names can't contain colons.

What Looks Good

• The finalize_nsjail_config text-processing approach is clever and avoids changes to executor signatures
• Proper feature-gating behind parquet for all S3 operations with clean no-op fallbacks
• Good error handling pattern in build_snapshot — wrapping the build in an async block with status updates on failure
• Overlay mount/unmount lifecycle is properly managed with cleanup on both success and failure paths
• The OVERLAY_MARKER approach for communicating between mount generation and config finalization is simple and effective

---

Test Instructions

This feature is entirely backend/API-driven with no frontend UI. To verify:

1. API setup: Start the backend with the parquet feature enabled and S3 object store configured. Run the migration to create sandbox_snapshot and sandbox_volume tables.

2. Create a snapshot: As an admin user, POST /api/w/{workspace}/sandbox/snapshots with body {"name": "python-env", "tag": "latest", "docker_image": "python:3.12", "setup_script": "pip install pandas"}. Verify it returns status pending. Then trigger a build (the build_snapshot function needs to be called by the worker — check if a rebuild endpoint triggers it via POST /api/w/{workspace}/sandbox/snapshots/python-env/latest/rebuild).

3. Create a volume: POST /api/w/{workspace}/sandbox/volumes with {"name": "data"}. Verify via GET /api/w/{workspace}/sandbox/volumes.

4. Run a script with annotations: Create a Python script containing # sandbox: python-env:latest and # volume: data:/workspace/data at the top. Run it on a worker with nsjail sandboxing enabled. Check worker logs for overlayfs mount messages and volume download/upload activity.

5. Verify CRUD: List (GET .../snapshots, GET .../volumes), get individual resources, delete them, and verify S3 cleanup happens.

6. Verify no-annotation passthrough: Run a normal script without any sandbox/volume annotations and confirm it executes identically to before (no overlay, no volume mounts).

[ellipsis-dev]

Ensure that tar archive extraction (via Archive::unpack) safely handles path traversal. Validate that entries do not escape the intended extraction directory.

[ellipsis-dev]

Double-check that inputs used to build the mount options (e.g. snapshot_path) are properly sanitized to prevent injection vulnerabilities in the mount command.

[ellipsis-dev]

Typographical consistency: The object_store dependency has a missing space before the closing brace (i.e. { workspace = true, optional = true}) compared to the other dependency definitions. Consider updating it to { workspace = true, optional = true } for consistency.

[cloudflare-workers-and-pages]

Deploying windmill with    Cloudflare Pages

Latest commit:	9a06b26
Status:	✅  Deploy successful!
Preview URL:	https://251e8042.windmill.pages.dev
Branch Preview URL:	https://feat-sandbox-snapshots-volum.windmill.pages.dev

View logs

[claude]

Security: No input validation on name, tag, or docker_image

The name and tag fields are used directly in S3 key construction (format!("sandbox/snapshots/{}/{}/{}.tar.gz", w_id, body.name, body.tag)). A malicious admin could inject path traversal characters (e.g., ../../../) to write to arbitrary S3 paths, or use special characters that cause issues with the filesystem cache path construction in ensure_snapshot_cached.

Similarly, docker_image is passed directly to crane export in build_snapshot — while this is admin-only, it would be defensive to validate the format.

Consider adding validation:

fn validate_resource_name(name: &str) -> error::Result<()> {
    if name.is_empty() || name.len() > 128 
        || !name.chars().all(|c| c.is_alphanumeric() || c == '-' || c == '_' || c == '.') {
        return Err(Error::BadRequest("Invalid name: must be 1-128 chars, alphanumeric/dash/underscore/dot only".into()));
    }
    Ok(())
}

[claude]

Bug: TOCTOU race on cache directory

There's a race condition here: between checking cache_path.exists() (line 163) and the download/unpack, another worker could be downloading the same snapshot concurrently. This could result in a partially-unpacked snapshot being served to one worker while another is still writing.

Consider using a lockfile or atomic rename pattern (download to a temp dir, then rename into the cache path).

[claude]

Performance: Entire snapshot loaded into memory

attempt_fetch_bytes loads the entire tar.gz into memory before unpacking. For large Docker images (e.g., Python ML images can be 1-5+ GB compressed), this could cause OOM on workers with limited memory.

Consider streaming the download directly to disk or using a streaming decompressor. This may not be critical for v1 but worth noting for large snapshot use cases.

[claude]

Security: Volume mount path not validated

The mount_path originates from user-provided script annotations (e.g., # volume: data:/workspace/data). While nsjail itself provides sandboxing, the mount_path string is injected directly into the nsjail config without validation. A carefully crafted path could potentially escape the intended mount namespace or overwrite critical nsjail mount points.

Consider validating that mount_path:

1. Is an absolute path
2. Does not contain .. components
3. Does not target sensitive directories like /proc, /sys, /dev

[claude]

Potential issue: Hardcoded cache path

/tmp/windmill/snapshots is hardcoded but could conflict with the existing TMP_DIR constant used elsewhere in the worker. Also, there's no cache eviction strategy — over time this directory will grow unboundedly as new snapshot versions are built.

Consider:

1. Using a path derived from existing config constants
2. Adding a cache size limit or LRU eviction

[claude]

Bug: Ambiguous parsing for # sandbox: with colons in tag names

The parser uses split_once(':') on the spec after sandbox:. This means a sandbox name like registry.example.com/image:v1 would be split incorrectly — name = "registry.example.com/image" and tag = "v1", which could be confusing depending on intent.

More importantly, the volume parsing at line 82 uses split_once(':') too, so # volume: name:/path works correctly. But the sandbox parsing treats sandbox: name:tag where the first colon separates name from tag — this means sandbox names cannot contain colons. Worth documenting this constraint explicitly.

[claude]

Note: std::fs::create_dir_all (sync) used in async context

This uses the synchronous std::fs::create_dir_all instead of tokio::fs::create_dir_all. While it's a minor filesystem op that likely won't block the runtime noticeably, the rest of the codebase in sandbox_setup.rs consistently uses tokio::fs::create_dir_all. Would be cleaner to use the async version here too for consistency.

[claude]

Reliability: Volume upload errors are logged but don't fail the job

If volume upload fails, the error is logged with tracing::error! but the job still succeeds. This is a reasonable design choice for resilience, but could lead to silent data loss if users depend on volume persistence. Consider whether this should be configurable or at minimum more prominently surfaced (e.g., appended to job logs visible to the user).

[claude]

Suggestion: Use an ENUM or CHECK constraint for status

The status column is VARCHAR(20) with no constraint on allowed values. The code uses 'pending', 'building', 'ready', 'failed' — consider using a CHECK constraint to enforce valid states:

Suggested change

	status VARCHAR(20) NOT NULL DEFAULT 'pending',
	status VARCHAR(20) NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'building', 'ready', 'failed')),

[claude]

Design: Auto-creating volumes from worker is surprising

When a script references # volume: foo:/path but the volume doesn't exist in the DB, the worker silently auto-creates it with created_by = 'system'. This bypasses the admin-only restriction on the API layer. A non-admin user could effectively create volume records by adding annotations to their scripts.

Consider requiring that volumes be pre-created via the admin API, and returning an error here instead of auto-creating.

[windmill-internal-app]

🤖 Updated ee-repo-ref.txt to 592848d59ca2304926fb2bd85d000668a7f46a77 after windmill-ee-private PR #420 was merged.