support attaching docker runners to multiple networks

nicktrn · nicktrn · commit f103f025368e · 2025-05-16T02:49:15.000+01:00
diff --git a/apps/supervisor/src/env.ts b/apps/supervisor/src/env.ts
@@ -29,6 +29,17 @@ const Env = z.object({
   RUNNER_SNAPSHOT_POLL_INTERVAL_SECONDS: z.coerce.number().optional(),
   RUNNER_ADDITIONAL_ENV_VARS: AdditionalEnvVars, // optional (csv)
   RUNNER_DOCKER_AUTOREMOVE: BoolEnv.default(true),
+  /**
+   * Network mode to use for all runners. Supported standard values are: `bridge`, `host`, `none`, and `container:<name|id>`.
+   * Any other value is taken as a custom network's name to which all runners should connect to.
+   *
+   * Accepts a list of comma-separated values to attach to multiple networks. Additional networks are interpreted as network names and will be attached after container creation.
+   *
+   * **WARNING**: Specifying multiple networks will slightly increase startup times.
+   *
+   * @default "host"
+   */
+  RUNNER_DOCKER_NETWORKS: z.string().default("host"),
 
   // Dequeue settings (provider mode)
   TRIGGER_DEQUEUE_ENABLED: BoolEnv.default("true"),
@@ -43,7 +54,6 @@ const Env = z.object({
   TRIGGER_METADATA_URL: z.string().optional(),
 
   // Used by the workload manager, e.g docker/k8s
-  DOCKER_NETWORK: z.string().default("host"),
   OTEL_EXPORTER_OTLP_ENDPOINT: z.string().url(),
   ENFORCE_MACHINE_PRESETS: z.coerce.boolean().default(false),
   KUBERNETES_IMAGE_PULL_SECRETS: z.string().optional(), // csv
diff --git a/apps/supervisor/src/workloadManager/docker.ts b/apps/supervisor/src/workloadManager/docker.ts
@@ -7,11 +7,14 @@ import {
 import { env } from "../env.js";
 import { getDockerHostDomain, getRunnerId } from "../util.js";
 import Docker from "dockerode";
+import { tryCatch } from "@trigger.dev/core";
 
 export class DockerWorkloadManager implements WorkloadManager {
   private readonly logger = new SimpleStructuredLogger("docker-workload-manager");
   private readonly docker: Docker;
 
+  private readonly runnerNetworks: string[];
+
   constructor(private opts: WorkloadManagerOptions) {
     this.docker = new Docker();
 
@@ -20,6 +23,8 @@ export class DockerWorkloadManager implements WorkloadManager {
         domain: opts.workloadApiDomain,
       });
     }
+
+    this.runnerNetworks = env.RUNNER_DOCKER_NETWORKS.split(",");
   }
 
   async create(opts: WorkloadManagerCreateOptions) {
@@ -67,10 +72,16 @@ export class DockerWorkloadManager implements WorkloadManager {
     }
 
     const hostConfig: Docker.HostConfig = {
-      NetworkMode: env.DOCKER_NETWORK,
       AutoRemove: !!this.opts.dockerAutoremove,
     };
 
+    const [firstNetwork, ...remainingNetworks] = this.runnerNetworks;
+
+    // Always attach the first network at container creation time. This has the following benefits:
+    // - If there is only a single network to attach, this will prevent having to make a separate request.
+    // - If there are multiple networks to attach, this will ensure the runner won't also be connected to the bridge network
+    hostConfig.NetworkMode = firstNetwork;
+
     if (env.ENFORCE_MACHINE_PRESETS) {
       envVars.push(`TRIGGER_MACHINE_CPU=${opts.machine.cpu}`);
       envVars.push(`TRIGGER_MACHINE_MEMORY=${opts.machine.memory}`);
@@ -94,12 +105,71 @@ export class DockerWorkloadManager implements WorkloadManager {
       // Create container
       const container = await this.docker.createContainer(containerCreateOpts);
 
+      // If there are multiple networks to attach to we need to attach the remaining ones after creation
+      if (remainingNetworks.length > 0) {
+        await this.attachContainerToNetworks({
+          containerId: container.id,
+          networkNames: remainingNetworks,
+        });
+      }
+
       // Start container
       const startResult = await container.start();
 
-      this.logger.debug("create succeeded", { opts, startResult, container, containerCreateOpts });
+      this.logger.debug("create succeeded", {
+        opts,
+        startResult,
+        containerId: container.id,
+        containerCreateOpts,
+      });
     } catch (error) {
       this.logger.error("create failed:", { opts, error, containerCreateOpts });
     }
   }
+
+  private async attachContainerToNetworks({
+    containerId,
+    networkNames,
+  }: {
+    containerId: string;
+    networkNames: string[];
+  }) {
+    this.logger.debug("Attaching container to networks", { containerId, networkNames });
+
+    const [error, networkResults] = await tryCatch(
+      this.docker.listNetworks({
+        filters: {
+          // Full name matches only to prevent unexpected results
+          name: networkNames.map((name) => `^${name}$`),
+        },
+      })
+    );
+
+    if (error) {
+      this.logger.error("Failed to list networks", { networkNames });
+      return;
+    }
+
+    const results = await Promise.allSettled(
+      networkResults.map((networkInfo) => {
+        const network = this.docker.getNetwork(networkInfo.Id);
+        return network.connect({ Container: containerId });
+      })
+    );
+
+    if (results.some((r) => r.status === "rejected")) {
+      this.logger.error("Failed to attach container to some networks", {
+        containerId,
+        networkNames,
+        results,
+      });
+      return;
+    }
+
+    this.logger.debug("Attached container to networks", {
+      containerId,
+      networkNames,
+      results,
+    });
+  }
 }
