Dify 调用包时出现 “operation not permitted“ 报错

在dify 中，创建 code 代码块 ，如果引入到一些包的时候，可能会遇到权限不足的问题， 报错如下。
"operation not permitted"

code 会运行在 sandbox 中，在 docker 中会有相应的权限配置 (./dify/docker/volumes/sandbox/conf/config.yaml)。 表示系统调用的权限。 我们可以将需要的权限给到 allowed_syscalls 字段。

测试环境中可以先都添加。

app:
  port: 8194
  debug: True
  key: dify-sandbox
max_workers: 4
max_requests: 50
worker_timeout: 5
python_path: /usr/local/bin/python3
enable_network: True # please make sure there is no network risk in your environment
  #allowed_syscalls: # please leave it empty if you have no idea how seccomp works
allowed_syscalls: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336]
proxy:
  socks5: ''
  http: ''
  https: ''

以下是 allowed_syscalls 编号所代表的权限。

allowed_syscalls:
  # 基础文件操作
  - 0   # read - 从文件描述符读取数据
  - 1   # write - 向文件描述符写入数据
  - 2   # open - 打开文件
  - 3   # close - 关闭文件描述符
  - 4   # stat - 获取文件状态
  - 5   # fstat - 获取文件描述符状态
  - 6   # lstat - 获取符号链接状态
  - 7   # poll - 等待文件描述符上的事件
  - 8   # lseek - 重新定位读/写文件偏移量
  - 9   # mmap - 将文件或设备映射到内存
  - 10  # mprotect - 设置内存区域的保护
  - 11  # munmap - 取消内存映射
  - 12  # brk - 改变数据段大小
  
  # 系统操作