Problem Statement
OpenShell already accepts trusted driver-provided numeric sandbox identities in policy and the supervisor, and Kubernetes and VM use that path. Docker and Podman do not resolve or inject an identity, so they fall back to the policy’s named sandbox:sandbox account. A bring-your-own image with no baked sandbox user therefore fails on those local drivers.
This is the OpenShell runtime portion of umbrella issue #1959. It must be independently shippable before OpenShell-Community publishes images that omit the named account.
Proposed Design
Add operator-only sandbox_uid and sandbox_gid configuration to the Docker and Podman compute drivers. Each driver resolves a safe local default of 10001:10001 when unset, validates configured values against the existing policy range, and injects OPENSHELL_SANDBOX_UID and OPENSHELL_SANDBOX_GID after user-provided environment values. The supervisor remains root for setup, then launches the agent under the resolved numeric identity.
Normalize the agent child environment in the supervisor so primary commands and SSH sessions receive HOME=/sandbox plus deliberate USER and LOGNAME values after privilege drop. This avoids Docker’s supervisor HOME=/root leaking into the agent process.
Add a checked-in userless image fixture and validate it on Docker and rootless Podman. The test must prove the agent UID/GID, HOME=/sandbox, and workspace write behavior. Retain existing Kubernetes and VM tests as regression coverage.
Document the new Docker and Podman gateway configuration, operator override and rootless UID/GID mapping constraint, and update BYOC guidance to remove the named-user requirement for supported OpenShell versions.
Alternatives Considered
- Continue requiring images to create
sandbox:sandbox: rejected because it prevents arbitrary numeric runtime identities and leaves Docker/Podman inconsistent with Kubernetes and VM.
- Let sandbox creators select the UID/GID: rejected because identity is an operator/platform concern, not an end-user sandbox API.
- Discover arbitrary remote Docker/Podman subordinate-ID mappings: deferred. Operators can override the default; remote map discovery is separate work.
- Migrate OpenShell-Community images in this change: deferred to a dependent issue so no-user images are not published before compatible runtime support is released.
Agent Investigation
Problem Statement
OpenShell already accepts trusted driver-provided numeric sandbox identities in policy and the supervisor, and Kubernetes and VM use that path. Docker and Podman do not resolve or inject an identity, so they fall back to the policy’s named
sandbox:sandboxaccount. A bring-your-own image with no bakedsandboxuser therefore fails on those local drivers.This is the OpenShell runtime portion of umbrella issue #1959. It must be independently shippable before OpenShell-Community publishes images that omit the named account.
Proposed Design
Add operator-only
sandbox_uidandsandbox_gidconfiguration to the Docker and Podman compute drivers. Each driver resolves a safe local default of10001:10001when unset, validates configured values against the existing policy range, and injectsOPENSHELL_SANDBOX_UIDandOPENSHELL_SANDBOX_GIDafter user-provided environment values. The supervisor remains root for setup, then launches the agent under the resolved numeric identity.Normalize the agent child environment in the supervisor so primary commands and SSH sessions receive
HOME=/sandboxplus deliberateUSERandLOGNAMEvalues after privilege drop. This avoids Docker’s supervisorHOME=/rootleaking into the agent process.Add a checked-in userless image fixture and validate it on Docker and rootless Podman. The test must prove the agent UID/GID,
HOME=/sandbox, and workspace write behavior. Retain existing Kubernetes and VM tests as regression coverage.Document the new Docker and Podman gateway configuration, operator override and rootless UID/GID mapping constraint, and update BYOC guidance to remove the named-user requirement for supported OpenShell versions.
Alternatives Considered
sandbox:sandbox: rejected because it prevents arbitrary numeric runtime identities and leaves Docker/Podman inconsistent with Kubernetes and VM.Agent Investigation
openshell-policyand the supervisor already accept numeric identities in[1000, 2_000_000_000], honorOPENSHELL_SANDBOX_UID/OPENSHELL_SANDBOX_GID, and drop child privileges numerically.sandboxaccount.HOME=/root; SSH has separate identity environment logic. Both need one shared child-environment contract.