Skip to content

Add Brev E2E test: verify sandbox container starts under OpenShell no-new-privileges #851

Open
Open
Add Brev E2E test: verify sandbox container starts under OpenShell no-new-privileges#851
Assignees
jyaunches
Labels
CI/CDUse this label to identify issues with NemoClaw CI/CD pipeline or GitHub Actions.enhancement: testingUse this label to identify requests to improve NemoClaw test coverage.status: triageFor new items that haven't been reviewed yet.
@jyaunches

Description

@jyaunches
jyaunches
opened on Mar 25, 2026

Context

PR #721 added gosu-based gateway process isolation, which broke sandbox startup on Brev (and anywhere OpenShell manages containers) because OpenShell runs containers with --security-opt=no-new-privileges, blocking gosu's setuid syscall. This was fixed in PR #846 by adding a non-root fallback path.

The existing Brev E2E infrastructure (PR #813) did not catch this because there is no explicit test that verifies the sandbox container starts successfully under OpenShell's no-new-privileges security policy.

Ref: Slack thread — Aaron called out this gap.

Problem

  • The gateway isolation E2E test (test/e2e-gateway-isolation.sh) runs in CI on ubuntu-latest, where Docker runs containers as root — it never hits the no-new-privileges codepath.
  • brev-e2e.test.js bootstraps on Brev and runs test scripts, but does not explicitly assert that the sandbox container starts successfully after a fresh docker build under real OpenShell security constraints.

Proposed Solution

Add a test case to the Brev E2E suite (test/e2e/brev-e2e.test.js or a new script callable from it) that:

  1. Builds the Docker image on the Brev instance
  2. Verifies the container starts successfully under OpenShell's no-new-privileges policy
  3. Asserts that the gateway process is running and reachable
  4. Verifies the non-root fallback message appears in logs ("Running as non-root") when privilege separation is unavailable

This is a sandbox startup smoke test — the kind of test that would have prevented the #846 regression from shipping in #721.

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

CI/CDUse this label to identify issues with NemoClaw CI/CD pipeline or GitHub Actions.enhancement: testingUse this label to identify requests to improve NemoClaw test coverage.status: triageFor new items that haven't been reviewed yet.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions