chore(sandbox): add iptables to base image for bypass diagnostics #36

Merged
johntmyers merged 1 commit into main from chore/268-add-iptables-to-base-image/jomyers
Mar 15, 2026

Conversation

@johntmyers (Collaborator)

Summary

Add iptables package to the base sandbox image. The OpenShell sandbox supervisor will use this to install LOG + REJECT rules in the network namespace for proxy bypass detection.

Related Issue

Ref: NVIDIA/OpenShell#268

Changes

  • sandboxes/base/Dockerfile: Add iptables to the core system dependencies apt-get install line

Context

When a sandbox process attempts a direct outbound connection that bypasses the HTTP CONNECT proxy (e.g., Node.js fetch() without NODE_USE_ENV_PROXY=1), the connection currently hangs silently for 30+ seconds. With iptables available, the supervisor can:

  1. REJECT bypass attempts immediately (ECONNREFUSED instead of timeout)
  2. LOG diagnostic events with destination, protocol, and process identity

The supervisor already has CAP_NET_ADMIN and runs as root — this is purely a package availability change. If iptables is not present, the feature degrades gracefully (warning logged, namespace still isolates via routing).

Same pattern as iproute2 which is already a required dependency.

Checklist

  • Follows Conventional Commits
  • No capability or security context changes required
  • Existing sandbox behavior unchanged — iptables rules are only installed by the supervisor (not yet shipped)
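The LOG + REJECT arrangement the description sketches, as an added example that is not OpenShell's supervisor code: a POSIX shell script that emits the iptables rules for a sandbox whose only sanctioned egress is HTTP CONNECT to the proxy, and applies them only when `iptables` is on the image (a warning otherwise, matching the graceful degradation described). The proxy address and port, the chain name `SANDBOX_EGRESS` and the `sandbox-bypass:` log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not OpenShell code: LOG + REJECT rules for proxy-bypass
# diagnostics inside a sandbox network namespace. Assumed (hypothetical)
# values: proxy at PROXY_ADDR:PROXY_PORT, a dedicated chain named CHAIN.
PROXY_ADDR="${PROXY_ADDR:-10.0.0.1}"
PROXY_PORT="${PROXY_PORT:-3128}"
CHAIN="${CHAIN:-SANDBOX_EGRESS}"

# Print the rule set, one iptables command per line, without running it.
# Order is the whole point: sanctioned traffic RETURNs early, so only new
# connections that skipped the proxy reach LOG and then REJECT.
bypass_rules() {
    proxy_addr=$1; proxy_port=$2; chain=$3
    cat <<EOF
iptables -N $chain 2>/dev/null || iptables -F $chain
iptables -A $chain -o lo -j RETURN
iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A $chain -p tcp -d $proxy_addr --dport $proxy_port -j RETURN
iptables -A $chain -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "sandbox-bypass: " --log-uid --log-level 4
iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset
iptables -A $chain -j REJECT --reject-with icmp-port-unreachable
iptables -C OUTPUT -j $chain 2>/dev/null || iptables -A OUTPUT -j $chain
EOF
}

# Apply the rules, degrading gracefully when the binary is absent: the
# namespace still isolates via routing, only the diagnostics are lost.
install_rules() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "warning: iptables not found; bypass diagnostics disabled" >&2
        return 0
    fi
    while IFS= read -r cmd; do
        eval "$cmd" || { echo "error: rule failed: $cmd" >&2; return 1; }
    done <<EOF
$(bypass_rules "$PROXY_ADDR" "$PROXY_PORT" "$CHAIN")
EOF
}

case "${1:-}" in
    --install) install_rules ;;                                     # needs CAP_NET_ADMIN in the netns
    *)         bypass_rules "$PROXY_ADDR" "$PROXY_PORT" "$CHAIN" ;; # dry run: show the plan
esac
```

Both reject targets produce ECONNREFUSED at the caller: a TCP RST answers the SYN directly, and ICMP port-unreachable covers UDP (so a process resolving DNS itself, rather than letting the proxy resolve the CONNECT host, is flagged too; add a RETURN rule for a resolver before the LOG line if the sandbox is meant to have one). The `limit` match keeps a looping client from flooding the kernel log, and `--log-uid` records which user the connecting process ran as. Two checks worth making before relying on the diagnostics: LOG entries from a non-initial network namespace are only emitted when `net.netfilter.nf_log_all_netns` is set to 1 (otherwise use NFLOG), and the same rules need installing with `ip6tables` or an IPv6-capable process bypasses them entirely.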

The sandbox supervisor will use iptables to install LOG + REJECT rules
in the network namespace, providing immediate ECONNREFUSED (instead of
30s timeout) and structured diagnostic events when processes attempt
direct connections that bypass the HTTP CONNECT proxy.

Ref: NVIDIA/OpenShell#268
@johntmyers johntmyers requested a review from drew March 15, 2026 19:00
@johntmyers johntmyers merged commit 6daeacd into main Mar 15, 2026
5 checks passed
@johntmyers johntmyers deleted the chore/268-add-iptables-to-base-image/jomyers branch March 15, 2026 19:16
factory-octavian pushed a commit to factory-octavian/OpenShell-Community that referenced this pull request Apr 1, 2026
Closes NVIDIA#20, NVIDIA#36, NVIDIA#46

## Summary
- Replace the external `rsync` dependency with built-in tar-over-SSH for file synchronization, using the `tar` crate to stream archives through the existing SSH proxy tunnel
- Add a new `nav sandbox sync` subcommand supporting bidirectional file transfer (`--up` to push local files, `--down` to pull sandbox files)
- Add sync workflow example in `examples/sync-files.md`

## Changes

| File | Change |
|---|---|
| `crates/navigator-cli/Cargo.toml` | Add `tar = "0.4"` dependency |
| `crates/navigator-cli/src/ssh.rs` | Remove `sandbox_rsync()`, add `sandbox_sync_up()`, `sandbox_sync_down()`, `sandbox_sync_up_files()` |
| `crates/navigator-cli/src/run.rs` | Add `sandbox_sync_command()` dispatcher, update re-exports, update `--sync` call site |
| `crates/navigator-cli/src/main.rs` | Add `Sync` variant to `SandboxCommands` with `--up`/`--down` flags |
| `architecture/sandbox-connect.md` | Rewrite File Sync section for tar-over-SSH and new command |
| `examples/sync-files.md` | New example walkthrough for sync workflows |

## New UX

```bash
# Push local files up to sandbox
nav sandbox sync my-sandbox --up ./src /sandbox/src

# Pull sandbox files down to local
nav sandbox sync my-sandbox --down /sandbox/output ./output

# Existing --sync flag on create still works (now uses tar internally)
nav sandbox create --sync -- python main.py
```

## Design

- **No new host dependencies**: `tar` crate handles archive creation/extraction in Rust; `ssh` is already required. The sandbox side uses the `tar` binary from the base image.
- **No new server-side infrastructure**: reuses the existing SSH tunnel, no new gRPC RPCs or gateway changes.
- **Bidirectional**: the same tar-pipe pattern works for both push and pull by reversing which side produces and which consumes the archive.
- **No compression** for v1 — the SSH tunnel is local-network; can add gzip via `flate2` later.

## Test Plan
- All existing tests pass (`mise run pre-commit` green: fmt, clippy, 206 Rust tests, 6 Python tests)
- Manual e2e testing required for actual sandbox sync operations
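The tar-pipe symmetry the Design section describes, as an added example that is not the navigator CLI's Rust implementation: two shell functions where push and pull differ only in which end runs `tar -c` and which runs `tar -x`. The remote transport is parameterised (`REMOTE_SHELL`, a hypothetical name) so the default `sh -c` exercises the round trip locally; `ssh my-sandbox` would take its place in real use.

```shell
#!/bin/sh
# Added example, not navigator/OpenShell code: the tar-over-SSH pipe the
# commit message describes, with the remote transport parameterised so one
# pattern serves both directions. REMOTE_SHELL is hypothetical: in real use
# something like "ssh my-sandbox"; the default "sh -c" runs the round trip
# locally so the script can be exercised without a sandbox.
REMOTE_SHELL="${REMOTE_SHELL:-sh -c}"

# --up: the local side produces the archive, the remote side consumes it.
sync_up() {
    local_dir=$1; remote_dir=$2
    tar -C "$local_dir" -cf - . \
        | $REMOTE_SHELL "mkdir -p '$remote_dir' && tar -C '$remote_dir' -xf -"
}

# --down: the remote side produces the archive, the local side consumes it.
# Same pipe, reversed roles: only which end runs -c and which runs -x changes.
sync_down() {
    remote_dir=$1; local_dir=$2
    mkdir -p "$local_dir"
    $REMOTE_SHELL "tar -C '$remote_dir' -cf - ." | tar -C "$local_dir" -xf -
}

case "${1:-}" in
    --up)   sync_up "$2" "$3" ;;
    --down) sync_down "$2" "$3" ;;
esac
```

The `--down` direction is the one to treat with care: the sandbox authors the archive, so the extractor on the host decides whether a member named with a leading `/` or a `..` component can land outside the destination. GNU tar's default (without `-P`) strips the leading slash and refuses `..` components; whatever extractor ends up on the receiving side should be confirmed to do the same. Note also that a plain POSIX pipeline reports only the last command's status, so a failure in the producing `tar` is invisible unless the shell supports `pipefail` or the sizes are checked afterwards.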

2 participants