docs: troubleshooting section for bwrap sandbox failures on restricted hosts #318
Open
AZERIA-IT wants to merge 1 commit into
…d hosts

Adds a Troubleshooting section to the README covering bubblewrap (bwrap) sandbox initialization failures on capability-restricted hosts (VPS, restricted LXC, kernels with kernel.unprivileged_userns_clone=0, runtimes dropping CAP_NET_ADMIN or CAP_SYS_ADMIN).

Documents the symptom (tasks complete with apply_patch and shell tool failures, bwrap loopback RTM_NEWADDR error in worker logs), a one-line diagnostic, and two workarounds:

- Host-side: enable unprivileged user namespaces via sysctl.
- Reduced sandboxing: set danger-full-access in ~/.codex/config.toml, with the caveat that codex-companion.mjs currently overrides this per-turn until one of the in-flight code PRs lands (openai#147, openai#226, openai#241, openai#260).

Cross-links issues openai#240 and openai#304 for context.

Docs-only change. No code, manifest, or schema files touched.

Signed-off-by: Ubuntu <ubuntu@vps-bba8e540.vps.ovh.net>
Summary
- `## Troubleshooting` section to the root `README.md` covering bubblewrap (bwrap) sandbox initialization failures on capability-restricted hosts (VPS, restricted LXC, kernels with `kernel.unprivileged_userns_clone=0`, runtimes that drop `CAP_NET_ADMIN`/`CAP_SYS_ADMIN`).
- `completed` but `apply_patch` and shell tool calls fail, with `bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted` in Codex worker logs), gives a one-line diagnostic, and two workarounds.

Why docs-only, not code
There are already four open PRs proposing different code fixes for the same underlying behavior:
- `--full-access` flag (addresses #145)
- `--sandbox` flag + `CODEX_SANDBOX` env var (addresses #167)
- `danger-full-access`

Issues #240 and #304 track the underlying problem. Adding a fifth code variant would be noise. This PR only adds user-facing documentation so people hitting the bug today can diagnose it and apply an interim workaround while maintainers decide which fix to merge.

Repro environment
- `main`, commit `807e03a`).
- `bwrap --bind / / --dev /dev --proc /proc --unshare-net true` fails on the host with the loopback `RTM_NEWADDR` error.
- `danger-full-access` config + running outside the companion), the same task completed in ~43s and wrote the expected file.

Test plan
- `kernel.unprivileged_userns_clone=1`) resolves it locally
- `danger-full-access` + running outside the companion) resolves it locally

Context
This was first reported downstream; see AZERIA-IT/claude-code-codex-task#1 for additional repro details and logs.

If this repo requires a CLA, please tag the PR and I'll sign it. Commits are DCO `Signed-off-by:` already.
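
An added example, not part of this PR or the plugin: a POSIX shell triage that runs the bwrap probe quoted under "Repro environment" and reads the sysctl the PR names, so the loopback `RTM_NEWADDR` failure can be told apart from other failures before any sandbox setting is changed. The function names, verdict strings and the extra `user.max_user_namespaces` check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PR): triage the bwrap probe quoted in the PR.
# Function names and verdict strings are this example's own.

# Print a sysctl value from procfs, or "absent" if the kernel lacks the key.
# $1 = key as a path (kernel/unprivileged_userns_clone)
# $2 = sysctl root, overridable so the logic can be exercised offline
read_sysctl() {
    f="${2:-/proc/sys}/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# "disabled" when either knob forbids unprivileged user namespaces.
# kernel.unprivileged_userns_clone is the knob named in the PR;
# user.max_user_namespaces=0 is a second kernel knob with the same effect.
userns_state() {
    clone=$(read_sysctl kernel/unprivileged_userns_clone "${1:-}")
    max=$(read_sysctl user/max_user_namespaces "${1:-}")
    if [ "$clone" = 0 ] || [ "$max" = 0 ]; then echo disabled; else echo enabled; fi
}

# Turn (probe exit status, probe stderr, userns state) into a verdict.
classify_probe() {
    if [ "$1" -eq 0 ]; then echo ok; return; fi
    if [ "$1" -eq 127 ]; then echo bwrap-missing; return; fi  # shell "not found" status
    case "$2" in
        *"loopback: Failed RTM_NEWADDR"*)
            if [ "$3" = disabled ]; then
                # The PR's host-side sysctl workaround is the relevant one.
                echo loopback-denied:userns-disabled
            else
                # Remaining cause the PR lists: runtime dropped CAP_NET_ADMIN/CAP_SYS_ADMIN.
                echo loopback-denied:capability-restricted
            fi ;;
        *) echo other-failure ;;
    esac
}

# Run the probe command from the PR and print a one-line verdict.
diagnose() {
    status=0
    err=$(bwrap --bind / / --dev /dev --proc /proc --unshare-net true 2>&1 >/dev/null) || status=$?
    echo "userns=$(userns_state) verdict=$(classify_probe "$status" "$err" "$(userns_state)")"
    [ -z "$err" ] || echo "stderr: $err"
}

if [ "${1:-}" = "--probe" ]; then diagnose; fi
```

Run it with `--probe` on the affected host; without that argument it only defines the functions.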