A powerful and flexible command execution library for Go, supporting multiple execution engines (host, docker, ssh, caas) with built-in sandbox mode for secure execution of untrusted code.
To install the package, run:
go get -u github.com/go-zoox/commandpackage main
import (
"fmt"
"log"
"strings"
"github.com/go-zoox/command"
)
func main() {
// Simple command execution
cfg := &command.Config{
Command: "echo hello world",
}
cmd, err := command.New(cfg)
if err != nil {
log.Fatal(err)
}
var buf strings.Builder
cmd.SetStdout(&buf)
if err := cmd.Run(); err != nil {
log.Fatal(err)
}
fmt.Println(buf.String()) // Output: hello world
}cfg := &command.Config{
Command: "echo 'Running in Docker'",
Engine: "docker",
Image: "alpine:latest",
}
cmd, err := command.New(cfg)
if err != nil {
log.Fatal(err)
}
if err := cmd.Run(); err != nil {
log.Fatal(err)
}Sandbox mode provides a secure environment for executing untrusted code with strict security settings:
cfg := &command.Config{
Command: "echo 'Running in sandbox'",
Sandbox: true, // Enable sandbox mode
// Automatically uses docker engine with strict security settings
}
cmd, err := command.New(cfg)
if err != nil {
log.Fatal(err)
}
if err := cmd.Run(); err != nil {
log.Fatal(err)
}📖 For detailed sandbox mode documentation, see Sandbox Mode Guide
- host: Execute commands directly on the host system (default)
- docker: Execute commands in Docker containers
- ssh: Execute commands on remote servers via SSH
- caas: Execute commands on Container-as-a-Service platforms
Sandbox mode is designed for executing untrusted code securely. When enabled, it:
- Automatically uses Docker engine - Forces execution in isolated containers
- Applies strict security settings:
- Non-privileged mode (forced)
- Read-only root filesystem
- Capability restrictions (drops dangerous capabilities)
- Network isolation (disabled by default)
- Resource limits (512MB memory, 1 CPU core by default)
- No new privileges allowed
- Temporary directories mounted as tmpfs (noexec, nosuid)
| Feature | Description |
|---|---|
| Non-privileged | Container runs without root privileges |
| Read-only rootfs | Root filesystem is read-only, writable directories use tmpfs |
| Capability dropping | Drops all capabilities, only adds minimal necessary ones |
| Network isolation | Network disabled by default (can be enabled if needed) |
| Resource limits | Default: 512MB memory, 1 CPU core (configurable) |
| Security options | no-new-privileges:true prevents privilege escalation |
cfg := &command.Config{
Command: "python3 -c 'print(\"Hello from sandbox\")'",
Sandbox: true,
// Optional: Override default resource limits
Memory: 1024, // 1GB memory limit
CPU: 2.0, // 2 CPU cores
// Optional: Enable network if needed
DisableNetwork: false,
Network: "bridge",
}
cmd, err := command.New(cfg)
if err != nil {
log.Fatal(err)
}
if err := cmd.Run(); err != nil {
log.Fatal(err)
}- Linux only: Sandbox mode uses Linux-specific security features (seccomp, capabilities)
- Docker required: Sandbox mode requires Docker to be installed and running
- Docker engine: Sandbox mode automatically uses docker engine (cannot use other engines)
cfg := &command.Config{
Command: "your command here",
WorkDir: "/path/to/workdir",
Shell: "/bin/bash",
User: "username",
}cfg := &command.Config{
Command: "your command",
Engine: "docker",
Image: "alpine:latest",
Memory: 512, // MB
CPU: 1.0, // cores
Platform: "linux/amd64",
}cfg := &command.Config{
Command: "your command",
Engine: "docker",
Image: "custom-image:tag",
// Resource limits
Memory: 1024, // MB
CPU: 2.0, // cores
// Network configuration
Network: "custom-network",
DisableNetwork: false,
// Security
Privileged: false,
// Docker registry
ImageRegistry: "registry.example.com",
ImageRegistryUsername: "username",
ImageRegistryPassword: "password",
// Data directories
DataDirOuter: "/host/path",
DataDirInner: "/container/path",
}cmd, err := command.New(&command.Config{
Command: "echo hello",
})// Run and wait for completion
err := cmd.Run()
// Or start and wait separately
err := cmd.Start()
if err != nil {
log.Fatal(err)
}
err = cmd.Wait()var stdout, stderr strings.Builder
cmd.SetStdout(&stdout)
cmd.SetStderr(&stderr)
err := cmd.Run()
if err != nil {
log.Fatal(err)
}
fmt.Println("Output:", stdout.String())
fmt.Println("Error:", stderr.String())output, err := cmd.Output()
if err != nil {
log.Fatal(err)
}
fmt.Println(string(output))cfg := &command.Config{
Command: "ls -la",
}
cmd, _ := command.New(cfg)
cmd.Run()cfg := &command.Config{
Command: "cat /etc/os-release",
Engine: "docker",
Image: "ubuntu:20.04",
}
cmd, _ := command.New(cfg)
cmd.Run()cfg := &command.Config{
Command: userProvidedCode, // Untrusted code
Sandbox: true, // Enable sandbox mode
}
cmd, err := command.New(cfg)
if err != nil {
log.Fatal("Failed to create sandbox:", err)
}
if err := cmd.Run(); err != nil {
log.Fatal("Command failed:", err)
}cfg := &command.Config{
Command: "compute-intensive-task",
Sandbox: true,
Memory: 2048, // 2GB
CPU: 4.0, // 4 cores
}
cmd, _ := command.New(cfg)
cmd.Run()- Sandbox mode is designed for executing untrusted code
- Always use sandbox mode when executing user-provided code
- Sandbox mode provides strong isolation but is not a replacement for proper security auditing
- Resource limits help prevent resource exhaustion attacks
- Always use sandbox mode for untrusted code execution
- Set appropriate resource limits based on your use case
- Monitor container execution and set timeouts
- Use read-only mounts for data that shouldn't be modified
- Regularly update Docker images to include security patches
GoZoox is released under the MIT License.