feat(sandbox): Landlock PTY + direct TCP + DNS (+ #708 basic auth credential resolve)#2
Open
kosaku-sim wants to merge 5 commits intobase/upstream-syncedfrom
Open
feat(sandbox): Landlock PTY + direct TCP + DNS (+ #708 basic auth credential resolve)#2kosaku-sim wants to merge 5 commits intobase/upstream-syncedfrom
kosaku-sim wants to merge 5 commits intobase/upstream-syncedfrom
Conversation
The sandbox iptables rules unconditionally REJECT all UDP traffic, which blocks DNS resolution for libraries that bypass HTTP_PROXY (e.g. Node.js ws used by @slack/socket-mode). Add an ACCEPT rule for UDP port 53 to the nameserver from /etc/resolv.conf (or OPENSHELL_DNS_SERVER env override) before the blanket UDP REJECT, so sandboxed processes can resolve external hostnames without opening a broad UDP hole. Fixes: NVIDIA/NemoClaw#409 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The DNS ACCEPT iptables rule alone is insufficient because the sandbox netns routes everything via 10.200.0.1 (host veth). DNS UDP packets reach the host side but the pod network cannot route responses back to 10.200.0.2 (sandbox IP). Enable IP forwarding on the host veth and add MASQUERADE so DNS packets appear to come from the pod IP, allowing CoreDNS to respond correctly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Libraries like Node.js ws (used by @slack/socket-mode) resolve DNS then connect directly to the resolved IP on TCP 443, ignoring HTTP_PROXY. The sandbox iptables REJECT all bypass TCP, breaking these connections even after DNS resolution succeeds. Add OPENSHELL_DIRECT_TCP_HOSTS env var (comma-separated hostnames). At sandbox netns setup, resolve these hosts and install: - iptables ACCEPT for TCP 443 to resolved IPs (sandbox side) - MASQUERADE + FORWARD rules (host side) for return routing This pairs with the DNS ACCEPT rule from the previous commit to provide full direct connectivity for proxy-unaware libraries. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
DNS round-robin causes Google API IPs to change frequently, breaking per-IP iptables ACCEPT rules and causing 401/timeout errors. Replace per-IP filtering with broad TCP 443 ACCEPT when OPENSHELL_DIRECT_TCP_HOSTS is set — apps still route through HTTPS_PROXY for non-NO_PROXY hosts, so per-IP iptables filtering adds brittleness without security benefit. Also adds OPENSHELL_DIRECT_TCP_HOSTS entries to NO_PROXY env var so HTTP clients skip the proxy for those hosts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
VS Code Remote-SSH launches its server under the sandbox policy, and the server later allocates PTYs for the integrated terminal via node-pty. Landlock blocks device-file opens unless explicitly whitelisted, so PTY allocation fails with EACCES unless both the PTY multiplexer (/dev/ptmx) and the slave PTY directory (/dev/pts) are writable. Also extend unit tests: baseline_read_write_includes_core_runtime_and_pty_paths, enrich_proto_baseline_paths_adds_pty_paths_for_proxy_mode, and runtime_device_paths_are_not_prepared_for_chown. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Custom patches on top of NVIDIA upstream for simount's AutoDev sandbox deployment. Base branch
base/upstream-syncedis a snapshot ofnvidia/OpenShell:main(commit3dd6d51c) to keep the diff clean (5 commits).Commits (latest first)
feat(sandbox): add PTY devices to proxy-mode baseline read-write paths (
6be4e01b)/dev/ptmxand/dev/ptstoPROXY_BASELINE_READ_WRITEso Landlock does not block VS Code Remote-SSH'snode-ptyallocation for integrated terminals.fix: broad TCP 443 ACCEPT instead of per-IP rules for direct hosts (
4cb2f388)OPENSHELL_DIRECT_TCP_HOSTSis set. Google API DNS round-robin invalidates per-IP rules.feat: allow direct TCP 443 for
OPENSHELL_DIRECT_TCP_HOSTS(b91ae834)fix: add IP forwarding and NAT for DNS through sandbox veth (
59ecdd67)fix: allow UDP DNS to cluster nameserver in sandbox netns (
e63ada7c)Why a fork branch (not upstream PR)
Deployment status
Build `0.0.18-dev.57+g4cb2f388` is currently running in production sandbox. This branch is already rebased on top of upstream PR NVIDIA#708 (L7 credential injection for Basic auth) which resolves git-over-HTTPS 401 for private repos.
Test plan