Token-protected web service that executes posted R scripts in ephemeral Docker containers.
- Web API runs in a small Python image.
- Each POST /run request runs in its own R container (sandboxed per request).

- GET /health → health probe
- GET /system → package inventory metadata
- POST /run → execute an R script

POST /run attempts to pre-pull the configured runtime image before launching the container, but it will continue with an already-cached local image if the pull fails transiently. Successful runs return only script stdout/stderr; non-fatal Docker warnings are suppressed from runtime_stderr, which is populated only when the runtime fails before the script starts.
Set RUNNER_TOKEN on the server and send:
Authorization: Bearer <RUNNER_TOKEN>

- Dockerfile → web API image (r-runner-web)
- Dockerfile.r-base → tiny R image for CI request execution checks
- Dockerfile.r-full → full R image (analytics/modeling packages) for deployment/runtime

The API uses RUNNER_SCRIPT_IMAGE to select the script runtime image.
docker build -f Dockerfile -t r-runner-web .
docker build -f Dockerfile.r-base -t r-runner-r-base .
docker run --rm -p 8000:8000 \
-e RUNNER_TOKEN=supersecret \
-e RUNNER_SCRIPT_IMAGE=r-runner-r-base \
-e PUBLIC_BASE_URL=http://localhost:8000 \
-e RUNNER_SHARED_DIR=/tmp/r-runner-shared \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp/r-runner-shared:/tmp/r-runner-shared \
r-runner-web

compose.yaml expects these values in .env:
RUNNER_TOKEN=replace-me
WEB_IMAGE=ghcr.io/your-org/r-runner-web:latest
SCRIPT_IMAGE=ghcr.io/your-org/r-runner-r-full:latest
RUNNER_DOCKER_BIN=/usr/bin/docker
SITE_DOMAIN=example.com
PUBLIC_BASE_URL=example.com
RUNNER_SHARED_DIR=/tmp/r-runner-shared

- SITE_DOMAIN is used by Caddy to select the served host (defaults to PUBLIC_BASE_URL when unset).
- PUBLIC_BASE_URL is used by FastAPI/OpenAPI server metadata (set host only, no scheme, when relying on it for SITE_DOMAIN fallback).
- RUNNER_SHARED_DIR must be mounted at the same absolute path in the web container and host so script files are visible to Docker-launched runtime containers.
- /usr/bin/docker is mounted read-only into the web container and used by RUNNER_DOCKER_BIN so /run can launch per-request runtime containers via the host Docker daemon.

- PR workflow builds r-runner-r-base + web image and validates /health plus /run.
- Deploy workflow builds/pushes r-runner-web and r-runner-r-full.
- Build caches for both R Dockerfiles are stored in GHCR and reused automatically.
- Deploy checks run with the full R image to match runtime behavior.

- RUNNER_TOKEN (required)
- RUNNER_SCRIPT_IMAGE (default r-runner-r-base:latest)
- RUNNER_DOCKER_BIN (default docker)
- PUBLIC_BASE_URL (default http://localhost:8000)
- RUNNER_SHARED_DIR (default /tmp/r-runner-shared)
- RUN_TIMEOUT_SECONDS (default 30)
- MAX_SCRIPT_BYTES (default 500000)
- MAX_ARTIFACT_COUNT (default 10)
- MAX_ARTIFACT_BYTES (default 5000000 per artifact)
- SITE_DOMAIN (used by Caddy; set in compose env)
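
A pre-deployment check for the compose .env values described above, as an added example that is not part of this project's code. The names parse_env and check_env, the 32-character minimum token length, and the rejection of the sample token values shown in this README are assumptions of the example.

```python
import posixpath

# Sample token values shown in this README; never deploy with them.
SAMPLE_TOKENS = {"replace-me", "supersecret"}
MIN_TOKEN_LEN = 32  # assumption of this example, not a project requirement
POSITIVE_INTS = ("RUN_TIMEOUT_SECONDS", "MAX_SCRIPT_BYTES",
                 "MAX_ARTIFACT_COUNT", "MAX_ARTIFACT_BYTES")
# Constructed sample .env with three deliberate mistakes.
SAMPLE_ENV = "RUNNER_TOKEN=replace-me\nPUBLIC_BASE_URL=https://example.com\nRUN_TIMEOUT_SECONDS=0\n"


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def check_env(env):
    """Return a list of problems found in a dict of runner settings."""
    problems = []
    token = env.get("RUNNER_TOKEN", "")
    if not token:
        problems.append("RUNNER_TOKEN is required")
    elif token in SAMPLE_TOKENS:
        problems.append("RUNNER_TOKEN is a sample value from the README")
    elif len(token) < MIN_TOKEN_LEN:
        problems.append(f"RUNNER_TOKEN is shorter than {MIN_TOKEN_LEN} characters")
    # Caddy falls back to PUBLIC_BASE_URL when SITE_DOMAIN is unset, so it must
    # then be a bare host: a scheme ("https://") or a path both contain "/".
    if not env.get("SITE_DOMAIN") and "/" in env.get("PUBLIC_BASE_URL", ""):
        problems.append("PUBLIC_BASE_URL must be host only when SITE_DOMAIN is unset")
    # The shared dir is mounted at the same absolute path on host and web container.
    if not posixpath.isabs(env.get("RUNNER_SHARED_DIR", "/tmp/r-runner-shared")):
        problems.append("RUNNER_SHARED_DIR must be an absolute path")
    for name in POSITIVE_INTS:
        value = env.get(name)
        ok = value is None or (value.isascii() and value.isdigit() and int(value) > 0)
        if not ok:
            problems.append(f"{name} must be a positive integer")
    return problems


if __name__ == "__main__":
    for problem in check_env(parse_env(SAMPLE_ENV)):
        print("config problem:", problem)
```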