chore(execd): complete the work for #332, and fix the linter errors.

Pangjiping · Pangjiping · commit 5edd6e4b94e1 · 2026-03-12T22:46:28.000+08:00
diff --git a/components/execd/main.go b/components/execd/main.go
@@ -17,14 +17,15 @@ package main
 import (
 	"fmt"
 
+	"github.com/alibaba/opensandbox/internal/version"
+
 	_ "go.uber.org/automaxprocs/maxprocs"
 
 	"github.com/alibaba/opensandbox/execd/pkg/flag"
 	"github.com/alibaba/opensandbox/execd/pkg/log"
 	_ "github.com/alibaba/opensandbox/execd/pkg/util/safego"
 	"github.com/alibaba/opensandbox/execd/pkg/web"
 	"github.com/alibaba/opensandbox/execd/pkg/web/controller"
-	"github.com/alibaba/opensandbox/internal/version"
 )
 
 // main initializes and starts the execd server.
diff --git a/components/execd/pkg/runtime/command.go b/components/execd/pkg/runtime/command.go
@@ -37,7 +37,7 @@ import (
 
 func buildCredential(uid, gid *uint32) (*syscall.Credential, error) {
 	if uid == nil && gid == nil {
-		return nil, nil
+		return nil, nil //nolint:nilnil
 	}
 
 	cred := &syscall.Credential{}
@@ -95,9 +95,20 @@ func (c *Controller) runCommand(ctx context.Context, request *ExecuteCodeRequest
 	log.Info("received command: %v", request.Code)
 	cmd := exec.CommandContext(ctx, "bash", "-c", request.Code)
 
+	// Configure credentials and process group
+	cred, err := buildCredential(request.Uid, request.Gid)
+	if err != nil {
+		return fmt.Errorf("failed to build credential: %w", err)
+	}
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Setpgid:    true,
+		Credential: cred,
+	}
+
 	cmd.Stdout = stdout
 	cmd.Stderr = stderr
 	cmd.Env = mergeEnvs(os.Environ(), loadExtraEnvFromFile())
+	cmd.Dir = request.Cwd
 
 	done := make(chan struct{}, 1)
 	var wg sync.WaitGroup
@@ -111,20 +122,7 @@ func (c *Controller) runCommand(ctx context.Context, request *ExecuteCodeRequest
 		c.tailStdPipe(stderrPath, request.Hooks.OnExecuteStderr, done)
 	})
 
-	cmd.Dir = request.Cwd
-
-	// Configure credentials and process group
-	cred, err := buildCredential(request.Uid, request.Gid)
-	if err != nil {
-		log.Error("failed to build credentials: %v", err)
-	}
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Setpgid:    true,
-		Credential: cred,
-	}
-
 	err = cmd.Start()
-
 	if err != nil {
 		request.Hooks.OnExecuteInit(session)
 		request.Hooks.OnExecuteError(&execute.ErrorOutput{EName: "CommandExecError", EValue: err.Error()})
@@ -219,9 +217,7 @@ func (c *Controller) runBackgroundCommand(ctx context.Context, cancel context.Ca
 	startAt := time.Now()
 	log.Info("received command: %v", request.Code)
 	cmd := exec.CommandContext(ctx, "bash", "-c", request.Code)
-
 	cmd.Dir = request.Cwd
-
 	// Configure credentials and process group
 	cred, err := buildCredential(request.Uid, request.Gid)
 	if err != nil {
@@ -233,7 +229,6 @@ func (c *Controller) runBackgroundCommand(ctx context.Context, cancel context.Ca
 	}
 
 	cmd.Stdout = pipe
-
 	cmd.Stderr = pipe
 	cmd.Env = mergeEnvs(os.Environ(), loadExtraEnvFromFile())
 
diff --git a/components/execd/pkg/runtime/types.go b/components/execd/pkg/runtime/types.go
@@ -34,16 +34,17 @@ type ExecuteResultHook struct {
 
 // ExecuteCodeRequest represents a code execution request with context and hooks.
 type ExecuteCodeRequest struct {
-        Language Language          `json:"language"`
-        Code     string            `json:"code"`
-        Context  string            `json:"context"`
-        Timeout  time.Duration     `json:"timeout"`
-        Cwd      string            `json:"cwd"`
-        Envs     map[string]string `json:"envs"`
-        Uid      *uint32           `json:"uid,omitempty"`
-        Gid      *uint32           `json:"gid,omitempty"`
-        Hooks    ExecuteResultHook
+	Language Language          `json:"language"`
+	Code     string            `json:"code"`
+	Context  string            `json:"context"`
+	Timeout  time.Duration     `json:"timeout"`
+	Cwd      string            `json:"cwd"`
+	Envs     map[string]string `json:"envs"`
+	Uid      *uint32           `json:"uid,omitempty"`
+	Gid      *uint32           `json:"gid,omitempty"`
+	Hooks    ExecuteResultHook
 }
+
 // SetDefaultHooks installs stdout logging fallbacks for unset hooks.
 func (req *ExecuteCodeRequest) SetDefaultHooks() {
 	if req.Hooks.OnExecuteResult == nil {
diff --git a/components/execd/pkg/web/controller/command.go b/components/execd/pkg/web/controller/command.go
@@ -133,13 +133,17 @@ func (c *CodeInterpretingController) buildExecuteCommandRequest(request model.Ru
 			Code:     request.Command,
 			Cwd:      request.Cwd,
 			Timeout:  timeout,
+			Gid:      request.Gid,
+			Uid:      request.Uid,
 		}
 	} else {
 		return &runtime.ExecuteCodeRequest{
 			Language: runtime.Command,
 			Code:     request.Command,
 			Cwd:      request.Cwd,
 			Timeout:  timeout,
+			Gid:      request.Gid,
+			Uid:      request.Uid,
 		}
 	}
 }
diff --git a/components/execd/pkg/web/model/codeinterpreting.go b/components/execd/pkg/web/model/codeinterpreting.go
@@ -16,6 +16,7 @@ package model
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -53,11 +54,20 @@ type RunCommandRequest struct {
 	Background bool   `json:"background,omitempty"`
 	// TimeoutMs caps execution duration; 0 uses server default.
 	TimeoutMs int64 `json:"timeout,omitempty" validate:"omitempty,gte=1"`
+
+	Uid *uint32 `json:"uid,omitempty"`
+	Gid *uint32 `json:"gid,omitempty"`
 }
 
 func (r *RunCommandRequest) Validate() error {
 	validate := validator.New()
-	return validate.Struct(r)
+	if err := validate.Struct(r); err != nil {
+		return err
+	}
+	if r.Gid != nil && r.Uid == nil {
+		return errors.New("uid is required when gid is provided")
+	}
+	return nil
 }
 
 type ServerStreamEventType string
diff --git a/components/execd/pkg/web/model/codeinterpreting_test.go b/components/execd/pkg/web/model/codeinterpreting_test.go
@@ -60,6 +60,28 @@ func TestRunCommandRequestValidate(t *testing.T) {
 	}
 }
 
+func ptr32(v uint32) *uint32 { return &v }
+
+func TestRunCommandRequestValidateUidGid(t *testing.T) {
+	// uid-only: valid
+	req := RunCommandRequest{Command: "id", Uid: ptr32(1000)}
+	if err := req.Validate(); err != nil {
+		t.Fatalf("expected success with uid only: %v", err)
+	}
+
+	// uid + gid: valid
+	req = RunCommandRequest{Command: "id", Uid: ptr32(1000), Gid: ptr32(1000)}
+	if err := req.Validate(); err != nil {
+		t.Fatalf("expected success with uid and gid: %v", err)
+	}
+
+	// gid-only: must be rejected
+	req = RunCommandRequest{Command: "id", Gid: ptr32(1000)}
+	if err := req.Validate(); err == nil {
+		t.Fatalf("expected validation error when gid is set without uid")
+	}
+}
+
 func TestServerStreamEventToJSON(t *testing.T) {
 	event := ServerStreamEvent{
 		Type:           StreamEventTypeStdout,

Original file line number	Diff line number	Diff line change
`@@ -133,13 +133,17 @@ func (c *CodeInterpretingController) buildExecuteCommandRequest(request model.Ru`
`133`	`133`	`Code: request.Command,`
`134`	`134`	`Cwd: request.Cwd,`
`135`	`135`	`Timeout: timeout,`
	`136`	`+ Gid: request.Gid,`
	`137`	`+ Uid: request.Uid,`
`136`	`138`	`}`
`137`	`139`	`} else {`
`138`	`140`	`return &runtime.ExecuteCodeRequest{`
`139`	`141`	`Language: runtime.Command,`
`140`	`142`	`Code: request.Command,`
`141`	`143`	`Cwd: request.Cwd,`
`142`	`144`	`Timeout: timeout,`
	`145`	`+ Gid: request.Gid,`
	`146`	`+ Uid: request.Uid,`
`143`	`147`	`}`
`144`	`148`	`}`
`145`	`149`	`}`