Skip to content

feat: complete Docker and Podman runtime identity injection #2331

Description

@matthewgrossman

Problem Statement

OpenShell already accepts trusted driver-provided numeric sandbox identities in policy and the supervisor, and Kubernetes and VM use that path. Docker and Podman do not resolve or inject an identity, so they fall back to the policy’s named sandbox:sandbox account. A bring-your-own image with no baked sandbox user therefore fails on those local drivers.

This is the OpenShell runtime portion of umbrella issue #1959. It must be independently shippable before OpenShell-Community publishes images that omit the named account.

Proposed Design

Add operator-only sandbox_uid and sandbox_gid configuration to the Docker and Podman compute drivers. Each driver resolves a safe local default of 10001:10001 when unset, validates configured values against the existing policy range, and injects OPENSHELL_SANDBOX_UID and OPENSHELL_SANDBOX_GID after user-provided environment values. The supervisor remains root for setup, then launches the agent under the resolved numeric identity.

Normalize the agent child environment in the supervisor so primary commands and SSH sessions receive HOME=/sandbox plus deliberate USER and LOGNAME values after privilege drop. This avoids Docker’s supervisor HOME=/root leaking into the agent process.

Add a checked-in userless image fixture and validate it on Docker and rootless Podman. The test must prove the agent UID/GID, HOME=/sandbox, and workspace write behavior. Retain existing Kubernetes and VM tests as regression coverage.

Document the new Docker and Podman gateway configuration, operator override and rootless UID/GID mapping constraint, and update BYOC guidance to remove the named-user requirement for supported OpenShell versions.

Alternatives Considered

  • Continue requiring images to create sandbox:sandbox: rejected because it prevents arbitrary numeric runtime identities and leaves Docker/Podman inconsistent with Kubernetes and VM.
  • Let sandbox creators select the UID/GID: rejected because identity is an operator/platform concern, not an end-user sandbox API.
  • Discover arbitrary remote Docker/Podman subordinate-ID mappings: deferred. Operators can override the default; remote map discovery is separate work.
  • Migrate OpenShell-Community images in this change: deferred to a dependent issue so no-user images are not published before compatible runtime support is released.

Agent Investigation

Metadata

Metadata

Labels

area:sandboxSandbox runtime and isolation workstate:agent-readyApproved for agent implementationstate:in-progressWork is currently in progress

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions