feat(cli): add --volume flag for host directory bind mounts in Docker sandboxes#1348
feat(cli): add --volume flag for host directory bind mounts in Docker sandboxes#1348ericcurtin wants to merge 1 commit into
Conversation
ericcurtin
requested review from
a team,
derekwaynecarr,
maxamillion and
mrunalp
as code owners
|
This is for the simple coding agent use case ($PWD == /Users/ecurtin/git/OpenShell): so we don't have to upload/download code in and out of the sandbox, which is not so pragmatic, it's tempting to create "openshell run" that's shorthand for above: |
… sandboxes Add a new --volume HOST_PATH[:SANDBOX_PATH][:ro] flag to sandbox create that bind-mounts a host directory into the sandbox at create time. This is the live-edit alternative to --upload: changes made inside the sandbox are immediately visible on the host and vice versa, with no upload/download cycle required. Key design decisions: - Only supported by local Docker-backed gateways. Kubernetes and VM drivers reject a non-empty mounts list at ValidateSandboxCreate time with a clear error pointing to sandbox upload as the alternative. - Proto: adds SandboxMount / DriverSandboxMount messages (host_path, sandbox_path, read_only) and mounts fields to SandboxTemplate (field 11) and DriverSandboxTemplate (field 12). - Server: when mounts are present, automatically injects each sandbox_path into the persisted FilesystemPolicy (seeded from restrictive_default_policy so the supervisor receives a complete Landlock allowlist rather than a sparse one that locks it out of system paths). - Landlock: Docker Desktop on macOS uses a fakeowner filesystem for host bind mounts whose ReadDir enforcement is incompatible with Landlock rules (rules are applied but the kernel-side lookup fails at access time). Fix by excluding ReadDir from the Landlock restriction mask so directory listing is unrestricted while all file-level access controls remain enforced. - Validation: max 32 mounts per sandbox, path length <= 4096 bytes. Tested end-to-end: ls and cat of files in the bind-mounted repo directory work correctly inside the sandbox.
ericcurtin
force-pushed
the
sandbox-volume-mounts/ecurtin
branch
from
ce0e72f to
b359953
Compare
|
Oh GitHub, let me run CI without approval every time 😅 |
|
We've been hesitant to add this in for a few reasons
This is still an area of exploration/research, but our current thinking is to lean in on providers for getting data in and out of sandboxes. For example, if you want to work on a Git repository you could pull or push using a remote and the Github/Gitlab provider. |
It's the docker/podman local single-node use-case this is useful for. I wouldn't recommend users do this for k8s, even if it was possible.
I think the push/pull technique is fine for a "Remote Kubernetes cluster" as defined in this document: https://docs.nvidia.com/openshell/about/how-it-works For the "local machine" coding agent use case, OpenShell becomes unsuitable for that use case for many if it's a requirement to push/pull full git repos in and out of the sandbox. It's important iterations are quick for that use case. It's simply too slow for development to push/pull iteratively and continue being useful. I'm ok with this being shot down. If OpenShell is prioritising k8s, with local machines an afterthought I think it's ok to shoot this down. But for local machines, I think people will look for other sandboxing tools if they can't do this at least optionally, openshell won't be popular there if people have to push/pull whole repos to use it locally. |
|
hello, IMHO I think podman and VM drivers ( the one providing local experience) should have the support of this as for local machine experience you need access to your local directories. ( Upload is not really working as there is no sync back) would it be possible that arguments are possible or not based on what the driver authorize or not ? |
3 participants
Summary
Add a
--volume HOST_PATH[:SANDBOX_PATH][:ro]flag toopenshell sandbox createthat bind-mounts a host directory into a Docker-backed sandbox at create time. This is the live-edit alternative to--upload: changes inside the sandbox are immediately visible on the host and vice versa, with no upload/download cycle.Related Issue
N/A (new feature, discovered gap during development workflow research)
Changes
SandboxMount/DriverSandboxMountmessages (host_path,sandbox_path,read_only) andmountsfields toSandboxTemplate(field 11) andDriverSandboxTemplate(field 12)--volume HOST_PATH[:SANDBOX_PATH][:ro], repeatable; parses docker-style spec; rejects unknown options; no short flag (avoids collision with-v/--verbose)build_binds()ashost:sandbox[:ro]bind strings; validateshost_pathnon-empty; accepts multiple mountsmountsatValidateSandboxCreatetime — cloud gateway nodes don't have the local host pathsandbox_pathinto the persistedFilesystemPolicy, seeded fromrestrictive_default_policy()so the supervisor receives a complete Landlock allowlist rather than a sparse policy that locks it out of system pathsopenshell-sandbox): Docker Desktop on macOS uses a proprietaryfakeownerfilesystem for host bind mounts. Landlock rules forfakeownerdirectories are added successfully but the kernel-sideReadDirenforcement fails at access time, causinglsto returnEACCESeven with a rule present. Fix: excludeReadDirfrom the Landlock restriction mask so directory listing is unrestricted while all file-level access controls (ReadFile, WriteFile, Execute, write operations) remain fully enforcedcli-reference.mdwith--volumeflagTesting
mise run pre-commitpassesvolumesparam)lsandcatof files in a bind-mounted repo directory succeed inside the sandboxChecklist