Make sandbox traffic routable over ingress#2735

Draft
sitole wants to merge 3 commits into main from feat/use-ingress-part-of-sbx-routing

sitole commented May 19, 2026

  • Load balancer setup for sharing sbx connections between client-proxy directly and ingress
  • Expose cpu and memory envs for ingress
  • Expose env for configuring ingress traffic weight
  • Default weight is zero

INGRESS_SANDBOX_TRAFFIC_WEIGHT works as the handbrake when it's set to 0.
Configuration change is not affecting already established connections.

cursor Bot commented May 19, 2026

PR Summary

Medium Risk
Changes GCP load balancer routing for wildcard sandbox traffic to optionally split between session and ingress backends, which can affect live connection distribution and troubleshooting if misconfigured. Also introduces new ingress resource tunables, but defaults preserve current behavior when unset.

Overview
Adds configurable ingress CPU/memory settings (plumbed through AWS and GCP Terraform and Makefiles) while keeping the prior defaults when omitted. On GCP, introduces ingress_sandbox_traffic_weight to gradually shift wildcard sandbox/session traffic between the existing session backend and the ingress backend via weighted routing, enabling sandbox connections to be served through ingress without forcing an immediate cutover.

Reviewed by Cursor Bugbot for commit a33b42b.

codecov Bot commented May 19, 2026

❌ 4 Tests Failed:

Tests completed: 2652 | Failed: 4 | Passed: 2648 | Skipped: 5
View the full list of 7 ❄️ flaky test(s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestSnapshotTemplateList

Flake rate in main: 54.16% (Passed 314 times, Failed 371 times)

Stack Traces | 0s run time
=== RUN   TestSnapshotTemplateList
=== PAUSE TestSnapshotTemplateList
=== CONT  TestSnapshotTemplateList
--- FAIL: TestSnapshotTemplateList (0.00s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestSnapshotTemplateList/list_snapshots_filtered_by_sandbox_ID

Flake rate in main: 54.16% (Passed 314 times, Failed 371 times)

Stack Traces | 15.7s run time
=== RUN   TestSnapshotTemplateList/list_snapshots_filtered_by_sandbox_ID
=== PAUSE TestSnapshotTemplateList/list_snapshots_filtered_by_sandbox_ID
=== CONT  TestSnapshotTemplateList/list_snapshots_filtered_by_sandbox_ID
    snapshot_template_test.go:146: 
        	Error Trace:	.../api/sandboxes/snapshot_template_test.go:37
        	            				.../api/sandboxes/snapshot_template_test.go:146
        	Error:      	Not equal: 
        	            	expected: 201
        	            	actual  : 500
        	Test:       	TestSnapshotTemplateList/list_snapshots_filtered_by_sandbox_ID
--- FAIL: TestSnapshotTemplateList/list_snapshots_filtered_by_sandbox_ID (15.66s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestUpdateNetworkConfig

Flake rate in main: 76.47% (Passed 324 times, Failed 1053 times)

Stack Traces | 61.2s run time
=== RUN   TestUpdateNetworkConfig
=== PAUSE TestUpdateNetworkConfig
=== CONT  TestUpdateNetworkConfig
--- FAIL: TestUpdateNetworkConfig (61.20s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false

Flake rate in main: 76.99% (Passed 312 times, Failed 1044 times)

Stack Traces | 31.4s run time
=== RUN   TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false
Executing command curl in sandbox in3dgxo3amb7tg4ctehe7
    sandbox_network_update_test.go:399: Command [curl] output: event:{start:{pid:1358}}
    sandbox_network_update_test.go:399: Command [curl] output: event:{end:{exit_code:35  exited:true  status:"exit status 35"  error:"exit status 35"}}
Executing command curl in sandbox iwx96xbjd7jvat6nj0fou
    sandbox_network_update_test.go:399: Command [curl] output: event:{start:{pid:1359}}
    sandbox_network_update_test.go:399: Command [curl] output: event:{end:{exit_code:35  exited:true  status:"exit status 35"  error:"exit status 35"}}
Executing command curl in sandbox iw764txrbcxmnz0f6iied
    sandbox_network_update_test.go:28: Command [curl] output: event:{start:{pid:1360}}
    sandbox_network_update_test.go:28: Command [curl] output: event:{data:{stdout:"HTTP/2 302 \r\nx-content-type-options: nosniff\r\nlocation: https://dns.google/\r\ndate: Tue, 19 May 2026 16:36:55 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nserver: HTTP server (unknown)\r\ncontent-length: 216\r\nx-xss-protection: 0\r\nx-frame-options: SAMEORIGIN\r\nalt-svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000\r\n\r\n"}}
    sandbox_network_update_test.go:28: Command [curl] output: event:{end:{exited:true  status:"exit status 0"}}
    sandbox_network_update_test.go:28: Command [curl] completed successfully in sandbox iwx96xbjd7jvat6nj0fou
    sandbox_network_update_test.go:417: 
        	Error Trace:	.../api/sandboxes/sandbox_network_update_test.go:26
        	            				.../api/sandboxes/sandbox_network_update_test.go:417
        	Error:      	Condition never satisfied
        	Test:       	TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false
        	Messages:   	connectivity did not match expected state in time
--- FAIL: TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false (31.35s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/templates::TestTemplateBuildCOPY

Flake rate in main: 54.32% (Passed 312 times, Failed 371 times)

Stack Traces | 41.5s run time
=== RUN   TestTemplateBuildCOPY
=== PAUSE TestTemplateBuildCOPY
=== CONT  TestTemplateBuildCOPY
    build_template_test.go:134: test-ubuntu-copy: [info] Building template n55ykreeiphzqwh947qd/4c53e6f4-8a59-4bb1-8000-d9b846d8baaf
    build_template_test.go:134: test-ubuntu-copy: [info] [base] FROM ubuntu:24.04 [33c3d1f55ae33f402733ec22d91cfbce7572f860c9bb4d15b497c19d978167b5]
    build_template_test.go:134: test-ubuntu-copy: [info] Base Docker image size: 30 MB
    build_template_test.go:134: test-ubuntu-copy: [info] Creating file system and pulling Docker image
    build_template_test.go:134: test-ubuntu-copy: [info] Uncompressing layer sha256:b40150c1c2717d324cdb17278c8efdfa4dfcd2ffe083e976f0bcedf31115f081 30 MB
    build_template_test.go:134: test-ubuntu-copy: [info] Uncompressing layer sha256:1b55864450808a974b672d2c00837cd1e36cd6ac3d8040c721e7fdee52f72205 12 MB
    build_template_test.go:134: test-ubuntu-copy: [info] Uncompressing layer sha256:8c4b1b28875140ed3abacaf16ad0d696f6bef912f52d2148f261a23e3349465b 168 B
    build_template_test.go:134: test-ubuntu-copy: [info] Layers extracted
    build_template_test.go:134: test-ubuntu-copy: [info] Root filesystem structure: bin, boot, dev, etc, home, lib, lib64, media, mnt, opt, proc, root, run, sbin, srv, sys, tmp, usr, var
    build_template_test.go:134: test-ubuntu-copy: [error] Build failed: An internal error occurred. Please try again or contact support with the build ID.
    build_template_test.go:1153: Build failed: {<nil> An internal error occurred. Please try again or contact support with the build ID. <nil>}
--- FAIL: TestTemplateBuildCOPY (41.52s)
github.com/e2b-dev/infra/tests/integration/internal/tests/orchestrator::TestSandboxMemoryIntegrity

Flake rate in main: 65.70% (Passed 319 times, Failed 611 times)

Stack Traces | 84.9s run time
=== RUN   TestSandboxMemoryIntegrity
=== PAUSE TestSandboxMemoryIntegrity
=== CONT  TestSandboxMemoryIntegrity
    sandbox_memory_integrity_test.go:26: Build completed successfully
--- FAIL: TestSandboxMemoryIntegrity (84.87s)
github.com/e2b-dev/infra/tests/integration/internal/tests/orchestrator::TestSandboxMemoryIntegrity/tmpfs_hash

Flake rate in main: 66.19% (Passed 309 times, Failed 605 times)

Stack Traces | 37.5s run time
=== RUN   TestSandboxMemoryIntegrity/tmpfs_hash
=== PAUSE TestSandboxMemoryIntegrity/tmpfs_hash
=== CONT  TestSandboxMemoryIntegrity/tmpfs_hash
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{start:{pid:1272}}
Executing command bash in sandbox irwd8futhoz80fegdrv1f (user: root)
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stdout:"Total memory: 985 MB\nUsed memory before tmpfs mount: 184 MB\nFree memory before tmpfs mount: 800 MB\nMemory to use in integrity test (80% of free, min 64MB): 640 MB\n"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"640+0 records in\n640+0 records out\n671088640 bytes (671 MB, 640 MiB) copied, 3.60288 s, 186 MB/s\n"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"\tCommand being timed: \"dd if=/dev/urandom of=/mnt/testfile bs=1M count=640\"\n\tUser time (seconds): 0.00\n\tSystem time (seconds): 3.55\n\tPercent of CPU this job got: 98%\n\tElapsed (wall clock) time (h:mm:ss or m:ss): 0:03.60\n\tAverage shared text size (kbytes): 0\n\tAverage unshared data size (kbytes): 0\n\tAverage stack size (kbytes): 0\n\tAverage total size (kbytes): 0\n\tMaximum resident set size (kbytes): 2612\n\tAverage resident set size (kbytes): 0\n\tMajor (requiring I/O) page faults: 3\n\tMinor (reclaiming a frame) page faults: 339\n\tVoluntary context switches: 4\n\tInvoluntary context switches: 18\n\tSwaps: 0\n\tFile system inputs: 176\n\tFile system outputs: 0\n\tSocket messages sent: 0\n\tSocket messages received: 0"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"\n\tSignals deliv"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"ered: "}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"0\n\tP"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"age "}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"size"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:" (by"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"tes)"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:": "}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"4096\n\tE"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"xit "}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"sta"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:"tus:"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stderr:" 0\n"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{data:{stdout:"Used memory after tmpfs mount and file fill: 831 MB\n"}}
    sandbox_memory_integrity_test.go:69: Command [bash] output: event:{end:{exited:true  status:"exit status 0"}}
    sandbox_memory_integrity_test.go:69: Command [bash] completed successfully in sandbox ijdjgf2k3pw8syxzm4bql
Executing command bash in sandbox ijdjgf2k3pw8syxzm4bql (user: root)
    sandbox_memory_integrity_test.go:73: Command [bash] output: event:{start:{pid:1289}}
    sandbox_memory_integrity_test.go:73: Command [bash] output: event:{data:{stdout:"02e54ad34126f0e2ca7949e2e75cb76a57072fbda5d80127eb8eecf10dd92fb7\n"}}
    sandbox_memory_integrity_test.go:73: Command [bash] output: event:{end:{exited:true  status:"exit status 0"}}
    sandbox_memory_integrity_test.go:73: Command [bash] completed successfully in sandbox ijdjgf2k3pw8syxzm4bql
Executing command bash in sandbox ijdjgf2k3pw8syxzm4bql (user: root)
    sandbox_memory_integrity_test.go:98: Command [bash] output: event:{start:{pid:1292}}
    sandbox_memory_integrity_test.go:99: 
        	Error Trace:	.../tests/orchestrator/sandbox_memory_integrity_test.go:99
        	Error:      	Received unexpected error:
        	            	failed to execute command bash in sandbox ijdjgf2k3pw8syxzm4bql: invalid_argument: protocol error: incomplete envelope: unexpected EOF
        	Test:       	TestSandboxMemoryIntegrity/tmpfs_hash
--- FAIL: TestSandboxMemoryIntegrity/tmpfs_hash (37.45s)

gemini-code-assist Bot left a comment

Code Review

The ingress_sandbox_traffic_weight variable lacks validation to ensure it remains within the 0-100 range, which can result in negative weights and deployment failures in Google Cloud backend services if the value exceeds 100. Adding a validation block and setting nullable to false is necessary to ensure the routing logic remains correct.

Comment thread iac/provider-gcp/nomad-cluster/network/variables.tf

cursor Bot left a comment

Stale comment

Comment thread iac/provider-gcp/nomad-cluster/network/main.tf

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 744000af19

Comment on lines +315 to +316
backend_service = google_compute_backend_service.ingress.self_link
weight = var.ingress_sandbox_traffic_weight

P1: Keep sandbox throttling when routing session traffic to ingress

Routing session-paths to google_compute_backend_service.ingress sends a fraction of wildcard sandbox traffic through the ingress backend, but the sandbox rate-limit rules are only attached to the session policy (google_compute_security_policy_rule.sandbox-throttling-host/ip target google_compute_security_policy.default["session"]). Because the ingress backend uses a different policy (google_compute_security_policy.ingress), requests routed by this new weighted branch bypass those throttles, which weakens abuse protection whenever ingress_sandbox_traffic_weight > 0.

Member Author

this is relevant, blocking merge
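
Added example, not code from the pull request or from any commenter: a small pre-merge check covering the two review points above, the 0-100 range of the weight and the missing throttle rules on the ingress policy. The backend-to-policy map, the rule actions and the `default-allow` rule are constructed for illustration, and the session share is assumed to be 100 minus the ingress weight.

```python
# Added example: guard for a weighted session/ingress split of sandbox traffic.
# The data model is constructed; only the policy and rule names are taken
# from the review thread.

# Cloud Armor rule actions that apply rate limiting.
THROTTLE_ACTIONS = {"throttle", "rate_based_ban"}


def split_weights(ingress_weight):
    """Return (session_weight, ingress_weight) for a split out of 100.

    Assumption: the session backend receives 100 - ingress_weight, as the
    variable description ("the remainder goes to the session backend") implies.
    """
    if isinstance(ingress_weight, bool) or not isinstance(ingress_weight, int):
        raise ValueError("ingress weight must be a whole number")
    if not 0 <= ingress_weight <= 100:
        raise ValueError(f"ingress weight {ingress_weight} is outside 0-100")
    return 100 - ingress_weight, ingress_weight


def unthrottled_backends(ingress_weight, backend_policy, policy_rules):
    """List backends that would take sandbox traffic without a rate-limit rule.

    backend_policy: backend name -> security policy name (missing = no policy)
    policy_rules:   security policy name -> list of {"name", "action"} rules
    """
    session_w, ingress_w = split_weights(ingress_weight)
    findings = []
    for backend, weight in (("session", session_w), ("ingress", ingress_w)):
        if weight == 0:
            continue  # this backend is assigned no share of new connections
        policy = backend_policy.get(backend)
        actions = {rule["action"] for rule in policy_rules.get(policy, [])}
        if not actions & THROTTLE_ACTIONS:
            findings.append(
                {"backend": backend, "weight": weight, "policy": policy}
            )
    return findings


# Constructed model of the state described in the review comment: throttling
# rules exist only on the session policy.
BACKEND_POLICY = {"session": 'default["session"]', "ingress": "ingress"}
POLICY_RULES = {
    'default["session"]': [
        {"name": "sandbox-throttling-host", "action": "throttle"},
        {"name": "sandbox-throttling-ip", "action": "throttle"},
    ],
    # Hypothetical rule; the real contents of the ingress policy are not shown.
    "ingress": [{"name": "default-allow", "action": "allow"}],
}

if __name__ == "__main__":
    for weight in (0, 25, 100):
        print(weight, unthrottled_backends(weight, BACKEND_POLICY, POLICY_RULES))
```

With the default weight of 0 the check passes; any positive weight reports the ingress backend until its policy carries a rate-limiting rule of its own.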

tvi self-requested a review May 19, 2026 16:35
Comment on lines +16 to +17
ingress_cpu_count = var.ingress_cpu_count == null ? 1 : var.ingress_cpu_count
ingress_memory_mb = var.ingress_memory_mb == null ? 512 : var.ingress_memory_mb
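Review bot: On both lines the fallback values (`1` and `512`) sit inside a null check, so the effective defaults are not visible where the variables are declared. Set them as `default` on the variable declarations and drop the conditionals; if null has to remain a valid input, `coalesce(var.ingress_cpu_count, 1)` and `coalesce(var.ingress_memory_mb, 512)` express the same thing more directly.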
Contributor

why the extra effort around defaults? passing nulls at the root and then setting defaults in code in the module hides what those defaults are, and complicates the code. if you set the defaults at the root, we may have to do it in two places (aws and gcp) but keeping all the defaults at the root simplifies reading the code.

Member Author

good point, I will redo it that way

sitole marked this pull request as draft May 19, 2026 16:38
Comment on lines +113 to +117
variable "ingress_sandbox_traffic_weight" {
type = number
description = "Weight (out of 100) of sandbox traffic routed to the ingress backend. The remainder goes to the session backend."
default = 0
}
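Review bot: The variable block declares no `validation` and leaves `nullable` at its default, although the description defines the value as out of 100. Add a `validation` block with `condition = var.ingress_sandbox_traffic_weight >= 0 && var.ingress_sandbox_traffic_weight <= 100` plus an `error_message`, and set `nullable = false`, so an out-of-range or null value is rejected at plan time rather than passed on to the routing configuration.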
Contributor

If it's out of 100, probably makes more sense to call it a percentage instead of a weight.
