Problem Statement
The sandbox always runs sleep infinity — hardcoded in the k8s driver. There's no API field to override this.
I'm integrating Coder workspaces with OpenShell sandboxes via the Terraform provider. The e2e flow works but the Coder agent has to be manually bootstrapped after sandbox creation — there's no way to run a custom entrypoint at startup. The only workaround is openshell sandbox exec after the sandbox reaches Ready, which can't be expressed declaratively in Terraform.
I imagine this would affect any orchestrator that needs to run a process inside the sandbox at creation time.
Proposed Design
I think the minimal change would be adding a command field to SandboxSpec and threading it through to the k8s driver. When set, the driver writes it to OPENSHELL_SANDBOX_COMMAND instead of sleep infinity. When empty, behavior is unchanged.
The sandbox supervisor already reads from OPENSHELL_SANDBOX_COMMAND and supports arbitrary commands — the gap is just that the k8s driver always overwrites it.
The files I think would need changes (though I might be missing something):
- proto/openshell.proto — add repeated string command to SandboxSpec
- proto/compute_driver.proto — add the same to DriverSandboxSpec
- crates/openshell-server/src/compute/mod.rs — pass it through driver_sandbox_spec_from_public
- crates/openshell-driver-kubernetes/src/driver.rs — use spec.command in apply_required_env instead of the hardcoded value
Alternatives Considered
- Override via environment map — I tried passing OPENSHELL_SANDBOX_COMMAND through the sandbox's environment field in Terraform. Doesn't work — upsert_env in apply_required_env overwrites user-provided values.
- Post-creation exec — Using openshell sandbox exec after the sandbox reaches Ready. This works but adds latency, requires polling, and can't be automated declaratively through Terraform.
- Bake into the image — Tried building a custom image with an entrypoint. The sandbox supervisor ignores the image's ENTRYPOINT/CMD and runs OPENSHELL_SANDBOX_COMMAND directly.
Agent Investigation
- Traced OPENSHELL_SANDBOX_COMMAND from the supervisor (crates/openshell-sandbox/src/main.rs) through the k8s driver (driver.rs:1284) — confirmed the hardcoding
- The supervisor already supports arbitrary commands (CLI args → env var → /bin/bash fallback), so no supervisor changes should be needed
- The gateway maps public spec → driver spec in driver_sandbox_spec_from_public (crates/openshell-server/src/compute/mod.rs:617)
- Tested all three alternatives above against a live gateway (v0.0.28)
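The precedence described in this issue, modelled in Rust as an added example that is not OpenShell's code: the bodies of upsert_env and apply_required_env are reconstructed from the issue's description, resolved_command is a hypothetical helper, and the sample commands are constructed. Encoding the repeated command field as one POSIX-shell-quoted string is an assumption about how the supervisor parses OPENSHELL_SANDBOX_COMMAND.

```rust
use std::collections::BTreeMap;

const COMMAND_ENV: &str = "OPENSHELL_SANDBOX_COMMAND";
const DEFAULT_COMMAND: &str = "sleep infinity";

// Quote one argv element so spaces and shell metacharacters stay literal (assumed encoding).
fn sh_quote(arg: &str) -> String {
    let safe = |c: char| c.is_ascii_alphanumeric() || "_-./=:@%+,".contains(c);
    if !arg.is_empty() && arg.chars().all(safe) {
        return arg.to_string();
    }
    format!("'{}'", arg.replace('\'', r"'\''"))
}

// Insert or overwrite: the behaviour the issue reports, so a user-supplied value never survives.
fn upsert_env(env: &mut BTreeMap<String, String>, key: &str, value: String) {
    env.insert(key.to_string(), value);
}

// Model of the proposed change: spec.command wins when set, otherwise the existing default.
fn apply_required_env(env: &mut BTreeMap<String, String>, command: &[String]) -> Result<(), String> {
    if command.iter().any(|a| a.contains('\0')) {
        return Err("command argument contains NUL, which an env var cannot carry".into());
    }
    let value = if command.is_empty() {
        DEFAULT_COMMAND.to_string()
    } else {
        command.iter().map(|a| sh_quote(a)).collect::<Vec<_>>().join(" ")
    };
    upsert_env(env, COMMAND_ENV, value);
    Ok(())
}

// Hypothetical helper: final value of the env var for a given user environment map and command.
fn resolved_command(user_env: &[(&str, &str)], command: &[&str]) -> Result<String, String> {
    let mut env: BTreeMap<String, String> =
        user_env.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    let argv: Vec<String> = command.iter().map(|a| a.to_string()).collect();
    apply_required_env(&mut env, &argv)?;
    Ok(env[COMMAND_ENV].clone())
}

fn main() {
    let argv = ["/bin/sh", "-c", "coder agent & sleep infinity"];
    println!("{:?}", resolved_command(&[], &argv));
    println!("{:?}", resolved_command(&[(COMMAND_ENV, "coder agent")], &[]));
}
```

With this precedence the environment map stays unable to change the startup command, so the command field is the single place where the value can be validated and audited.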