fix: increase container limits and add startup cleanup

echobt · echobt · commit 93878641b9dc · 2026-01-05T00:36:35.000Z
- Increase max_containers_per_challenge from 10 to 100
- Increase max_containers_per_owner from 50 to 200
- Add cleanup_stale_containers() on broker startup to remove
  leftover containers from previous runs (force remove)
diff --git a/crates/secure-container-runtime/src/broker.rs b/crates/secure-container-runtime/src/broker.rs
@@ -85,6 +85,11 @@ impl ContainerBroker {
         // Ensure network exists
         self.ensure_network().await?;
 
+        // Cleanup stale containers from previous runs
+        if let Err(e) = self.cleanup_stale_containers().await {
+            warn!("Failed to cleanup stale containers: {}", e);
+        }
+
         loop {
             match listener.accept().await {
                 Ok((stream, _)) => {
@@ -872,6 +877,52 @@ impl ContainerBroker {
         Ok(())
     }
 
+    /// Cleanup stale containers from previous runs
+    async fn cleanup_stale_containers(&self) -> anyhow::Result<()> {
+        use bollard::container::ListContainersOptions;
+
+        // Find all containers managed by this broker
+        let label_filter = format!("{}=true", labels::MANAGED);
+        let mut filters = HashMap::new();
+        filters.insert("label", vec![label_filter.as_str()]);
+
+        let options = ListContainersOptions {
+            all: true,
+            filters,
+            ..Default::default()
+        };
+
+        let containers = self.docker.list_containers(Some(options)).await?;
+        let count = containers.len();
+
+        if count == 0 {
+            info!("No stale containers to cleanup");
+            return Ok(());
+        }
+
+        info!("Cleaning up {} stale containers from previous run", count);
+
+        for container in containers {
+            if let Some(id) = container.id {
+                let short_id = &id[..12.min(id.len())];
+                debug!("Removing stale container: {}", short_id);
+
+                // Force remove (stop + remove)
+                let options = RemoveContainerOptions {
+                    force: true,
+                    ..Default::default()
+                };
+
+                if let Err(e) = self.docker.remove_container(&id, Some(options)).await {
+                    warn!("Failed to remove stale container {}: {}", short_id, e);
+                }
+            }
+        }
+
+        info!("Stale container cleanup complete");
+        Ok(())
+    }
+
     /// Ensure the challenge network exists
     async fn ensure_network(&self) -> anyhow::Result<()> {
         let networks = self.docker.list_networks::<String>(None).await?;
diff --git a/crates/secure-container-runtime/src/policy.rs b/crates/secure-container-runtime/src/policy.rs
@@ -62,8 +62,8 @@ impl Default for SecurityPolicy {
             max_memory_bytes: 8 * 1024 * 1024 * 1024, // 8GB
             max_cpu_cores: 4.0,
             max_pids: 512,
-            max_containers_per_challenge: 10,
-            max_containers_per_owner: 50,
+            max_containers_per_challenge: 100,
+            max_containers_per_owner: 200,
             allowed_mount_prefixes: vec!["/tmp/".to_string(), "/var/lib/platform/".to_string()],
             forbidden_mount_paths: forbidden,
             allow_privileged: false,
