light-runner

light-runner

Run untrusted code in hardened Docker containers from Node.js.

light-runner is a single-responsibility Node.js library that runs code inside a hardened Docker container and returns the exit code plus any files you ask for. Domain-agnostic: no magic filenames, no forced output schema.

Install

npm install light-runner

Quick taste

import { DockerRunner } from 'light-runner';

const runner = new DockerRunner();

const execution = runner.run({
  image: 'python:3.12-alpine',
  entrypoint: 'python main.py',       // shell command, run via `sh -c` (there is no `command` field)
  dir: './my-project',                // host folder copied into the container workdir
  input: { task: 'compute', n: 20 },  // any JSON value, piped to stdin
  timeout: 30_000,
  extract: [{ from: '/app/result.json', to: './out' }],
  // detached: true,                  // decouple from the launcher, resume later with DockerRunner.attach(id)
  // networks: ['my-net'],            // attach to one or more existing networks
});

const result = await execution.result;
console.log(result.exitCode, result.extracted);

Start with the Quick start, then explore Extract files, Detached runs, the Security model, and gVisor & Kata.

See also: light-run — HTTP wrapper around light-runner, and light-process — DAG orchestration layer.

On this page