light-runner
Run untrusted code in hardened Docker containers from Node.js.
light-runner is a single-responsibility Node.js library that runs code inside a hardened Docker container and returns the exit code plus any files you ask for. Domain-agnostic: no magic filenames, no forced output schema.
Install
npm install light-runnerQuick taste
import { DockerRunner } from 'light-runner';
const runner = new DockerRunner();
const execution = runner.run({
image: 'python:3.12-alpine',
entrypoint: 'python main.py', // shell command, run via `sh -c` (there is no `command` field)
dir: './my-project', // host folder copied into the container workdir
input: { task: 'compute', n: 20 }, // any JSON value, piped to stdin
timeout: 30_000,
extract: [{ from: '/app/result.json', to: './out' }],
// detached: true, // decouple from the launcher, resume later with DockerRunner.attach(id)
// networks: ['my-net'], // attach to one or more existing networks
});
const result = await execution.result;
console.log(result.exitCode, result.extracted);Start with the Quick start, then explore Extract files, Detached runs, the Security model, and gVisor & Kata.
See also: light-run — HTTP wrapper around light-runner, and light-process — DAG orchestration layer.