Backends
Kubernetes vs Docker sandboxes for Harbor trials
Every trial runs in a fresh sandbox. LiveRL supports two interchangeable
backends, selected by HARBOR_ENVIRONMENT_IMPORT_PATH (and the matching backend
variables) at the top of the launch script.
Kubernetes (production)
Each trial is a pod. This is the default for large, parallel runs.
HARBOR_ENVIRONMENT_IMPORT_PATH=harbor_patch.environments.kubernetes.kubernetes:KubernetesEnvironment
K8S_KUBECONFIG=/path/to/kubeconfig.yaml
K8S_NAMESPACE=default
K8S_POD_STARTUP_TIMEOUT=1200 # seconds to wait for a pod to start
K8S_POD_ACTIVE_DEADLINE_SECONDS=6000 # hard per-pod deadline
Pods are labeled harbor-managed=true; scripts/cleanup_before_run.sh reaps only
finished pods (phase Failed / Succeeded / Unknown) by that label, never running ones.
Docker (minimal)
Each trial is a local or remote container — no cluster required.
Remote Docker (sandbox on a separate machine):
HARBOR_ENVIRONMENT_IMPORT_PATH=harbor_patch.environments.remote_docker:RemoteDockerEnvironment
DOCKER_HOST=tcp://<docker-host-ip>:2376
Local Docker uses the host's own daemon (unix:///var/run/docker.sock).
Docker daemon security
tcp://<ip>:2375 is the unencrypted Docker daemon port — anyone who can
reach it has root-equivalent access to that host. Use TLS (:2376 with
dockerd --tlsverify) for shared/production environments; :2375 is acceptable
only on isolated test networks.
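The rule above as a preflight check that a launch script could run before any trial starts. This is an added example, not LiveRL or Harbor code: check_docker_host is a hypothetical helper and the 192.0.2.0/24 allowlist is a constructed value, while DOCKER_TLS_VERIFY and DOCKER_CERT_PATH are the standard Docker client variables.

```python
import ipaddress
import os
from urllib.parse import urlparse

# Constructed value: the only range this example treats as an isolated test network.
ISOLATED_TEST_NETS = (ipaddress.ip_network("192.0.2.0/24"),)
TLS_FILES = ("ca.pem", "cert.pem", "key.pem")  # client material read from DOCKER_CERT_PATH


def _is_isolated(hostname, nets):
    """True only for literal IPs inside an allowlisted test range."""
    try:
        addr = ipaddress.ip_address(hostname or "")
    except ValueError:
        return False  # DNS names cannot be judged offline; treat as shared
    return any(addr in net for net in nets)


def check_docker_host(env, isolated_nets=ISOLATED_TEST_NETS):
    """Return a list of problems with the daemon endpoint described by env."""
    url = urlparse(env.get("DOCKER_HOST", "unix:///var/run/docker.sock"))
    if url.scheme == "unix":
        return []  # local socket: access is governed by file permissions
    if url.scheme != "tcp":
        return [f"unexpected DOCKER_HOST scheme {url.scheme!r}"]
    problems = []
    # Any non-empty DOCKER_TLS_VERIFY turns on TLS with server verification.
    if env.get("DOCKER_TLS_VERIFY"):
        cert_dir = env.get("DOCKER_CERT_PATH") or os.path.expanduser("~/.docker")
        missing = [f for f in TLS_FILES if not os.path.isfile(os.path.join(cert_dir, f))]
        if missing:
            problems.append(f"TLS requested but {cert_dir} lacks {', '.join(missing)}")
        if url.port == 2375:
            problems.append("port 2375 is the plaintext daemon port; TLS listeners use 2376")
    elif not _is_isolated(url.hostname, isolated_nets):
        problems.append(
            f"plaintext daemon at {url.netloc}: anyone who can reach it has "
            "root-equivalent access; use :2376 with DOCKER_TLS_VERIFY=1"
        )
    return problems


if __name__ == "__main__":
    for p in check_docker_host(os.environ):
        print("DOCKER_HOST check:", p)
```

Run it with the same environment the launch script exports; an empty result means the endpoint is either a local socket, a TLS endpoint with client material present, or a plaintext endpoint inside the allowlisted test range.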
The docker SDK
Docker mode needs the Python docker SDK in the venv
(uv pip install --python .venv/bin/python docker) — the docker CLI is not
enough. Watch for namespace shadowing: a docker/ directory on sys.path (e.g.
verl/docker/) can mask the real SDK. Verify with
.venv/bin/python -c "from docker import DockerClient; print('ok')".
The K8s variables are ignored in Docker mode, and vice versa.