Vouch Request: waynesun09 #2073
waynesun09 started this conversation in Vouch Request
/vouch
@waynesun09 has been vouched by @maxamillion. You can now submit pull requests to OpenShell. Welcome aboard. Please read CONTRIBUTING.md before submitting.
Hi — I filed #2069 (supervisor v0.0.73 crashes in rootless Podman due to `cap_drop_bound()` `EPERM` with non-empty bounding set) and @johntmyers asked if I could send a PR.
I have a fix ready in PR #2072 (auto-closed by the vouch gate). The change adds a fourth match arm to `validate_capability_bounding_set_clear()` for `EPERM` + non-empty bounding set — logs a warning and continues instead of crashing. It also adds a `rootless-caps` CI job that runs the supervisor capability tests as an unprivileged user on ubuntu-24.04 to prevent regressions.
I tested the fix locally by building the supervisor binary from the fix branch, packaging it into a local supervisor OCI image, and running it through the OpenShell gateway on macOS + Podman machine. The sandbox reached Ready and the supervisor logged the expected warning instead of crashing. I also ran it through a downstream fullsend agent pipeline end-to-end — sandbox creation, bootstrap, and code injection all succeeded.
I am a software engineer at Red Hat working on AI agent infrastructure. We use OpenShell as the sandbox runtime in our agent pipelines and hit this crash across all our organizations when supervisor :latest was re-tagged to v0.0.73.