diff --git a/Dockerfile.codex b/Dockerfile.codex index cb621ef2..32fc6a25 100644 --- a/Dockerfile.codex +++ b/Dockerfile.codex @@ -8,7 +8,7 @@ RUN touch src/main.rs && cargo build --release # --- Runtime stage --- FROM node:22-bookworm-slim -RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl procps ripgrep tini && rm -rf /var/lib/apt/lists/* +RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl procps ripgrep tini bubblewrap && rm -rf /var/lib/apt/lists/* # Pre-install codex-acp and codex CLI globally ARG CODEX_ACP_VERSION=0.14.0 diff --git a/docs/codex.md b/docs/codex.md index 50d1b693..ca6e23ee 100644 --- a/docs/codex.md +++ b/docs/codex.md 
@@ -250,6 +250,46 @@ codex exec --dangerously-bypass-approvals-and-sandbox ... Do not use this flag on an untrusted host. +### `bubblewrap is unavailable: no system bwrap was found on PATH` + +Codex's Linux sandbox modes (read-only / workspace-write) rely on `bwrap` +(bubblewrap) to create an inner sandbox. If the runtime image does not include +bubblewrap, even basic commands like `pwd` or `ls` will fail before execution +with this error. + +This commonly happens in OpenAB deployments where Codex already runs inside an +isolated container or VM — the outer runtime provides the desired isolation, so +the inner sandbox is redundant. + +**Solution — Disable Codex's inner sandbox** (recommended when the outer OpenAB +runtime already provides isolation): + +```toml +# /home/node/.codex/config.toml +[sandbox] +sandbox_mode = "danger-full-access" +approval_policy = "on-request" +``` + +Or launch with: + +```bash +codex --sandbox danger-full-access +``` + +Or via Helm: + +```bash +helm install openab openab/openab \ + --set-json 'agents.codex.extraConfig={"sandbox":{"sandbox_mode":"danger-full-access","approval_policy":"on-request"}}' +``` + +> **Important:** `danger-full-access` disables only Codex's *inner* sandbox. It +> does **not** remove the outer OpenAB container/VM isolation. The agent remains +> confined by the runtime's own security boundary. Ensure the outer runtime is a +> non-privileged container (no `--privileged` flag or excessive capabilities) for +> this security model to hold. + ### Imagegen appears to hang Check whether an image was generated even if the CLI has not returned yet:
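Review bot: in the Dockerfile.codex runtime-stage `apt-get install` line, adding `bubblewrap` only puts `bwrap` on PATH; nothing in this patch checks that it can actually set up a sandbox inside the container. The docs/codex.md hunk in the same patch still presents `danger-full-access` as the recommended fix, so the two halves of the change pull in different directions. Suggest adding a build-time or start-time smoke check (for example `bwrap --version` followed by one trivial sandboxed command) and stating in docs/codex.md that this image now ships bubblewrap, so readers can tell when the workaround is still needed.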
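Review bot: in the docs/codex.md hunk, the "Solution" paragraph recommends `danger-full-access`, but the precondition it depends on (a non-privileged outer container, no `--privileged`, no excessive capabilities) appears only in the closing "Important" blockquote, after all three copy-paste snippets. Suggest moving that precondition above the TOML block and listing "install bubblewrap in the runtime image" (as Dockerfile.codex now does) as the first option, so the inner sandbox stays on by default and disabling it is the fallback. The text directly above this section warns against using the bypass flag on an untrusted host; the new section should carry the same kind of warning for `danger-full-access`. Also, the TOML and Helm snippets place `sandbox_mode` and `approval_policy` under a `[sandbox]` table while the CLI form is `--sandbox danger-full-access`; please confirm the key placement against the Codex config reference, since a key in the wrong table may not take effect and the error would persist.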