fix(podman): deliver sandbox JWTs as secrets#2156
Merged
Merged
Conversation
Signed-off-by: Adam Miller <admiller@redhat.com>
10 tasks
TaylorMutch
approved these changes
Jul 6, 2026
Collaborator
|
/ok to test 6b45b14 |
5 tasks
jameswnl
added a commit
to jameswnl/lightspeed-cloud-agents
that referenced
this pull request
Jul 11, 2026
…tials, filesystem policy, MCP secrets (#105) * RSPEED-0000: Close OpenShell spawner production gaps (issue #104) Implement all missing features in OpenShellSpawner: - Skills image loading via Podman CLI extraction + exec_stream tar - Credential injection via OpenShell Provider API with file-based fallback - Read-only filesystem via SandboxPolicy with injection-target allowlist - MCP secret file injection with correct mount_path/key handling - TLS certs and service_account skip with info log - Provider cleanup in _do_destroy() Remove Podman 5.8.x JWT workaround (issue #82): - OpenShell v0.0.79+ delivers sandbox JWTs natively via Podman secrets when gateway_jwt is configured (PR NVIDIA/OpenShell#2156) - Removed _inject_podman_token and all helpers/constants - Removed podman_cli/podman_socket constructor params - History documented in spawner docstring E2E verified on EC2 (RHEL 9, m5.xlarge): - OpenShell gateway v0.0.80 with Podman driver - All 6 example workflows pass through OpenShell spawner - Sandbox lifecycle: create → wait_ready → exec → destroy confirmed Closes #104 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix review findings: cross-platform skills, credential validation, _podman_cli init beesarmy: - Skills image extraction now cross-platform: uses Podman Python SDK (works in any container) with CLI fallback. Raises RuntimeError if neither is available instead of silently skipping. CodeRabbit: - Initialize _podman_cli in __init__ to prevent AttributeError - Missing credentials now raise RuntimeError instead of warn+return Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jameswnl
added a commit
to jameswnl/lightspeed-cloud-agents
that referenced
this pull request
Jul 11, 2026
…is (#108) * RSPEED-0000: Close OpenShell spawner production gaps (issue #104) Implement all missing features in OpenShellSpawner: - Skills image loading via Podman CLI extraction + exec_stream tar - Credential injection via OpenShell Provider API with file-based fallback - Read-only filesystem via SandboxPolicy with injection-target allowlist - MCP secret file injection with correct mount_path/key handling - TLS certs and service_account skip with info log - Provider cleanup in _do_destroy() Remove Podman 5.8.x JWT workaround (issue #82): - OpenShell v0.0.79+ delivers sandbox JWTs natively via Podman secrets when gateway_jwt is configured (PR NVIDIA/OpenShell#2156) - Removed _inject_podman_token and all helpers/constants - Removed podman_cli/podman_socket constructor params - History documented in spawner docstring E2E verified on EC2 (RHEL 9, m5.xlarge): - OpenShell gateway v0.0.80 with Podman driver - All 6 example workflows pass through OpenShell spawner - Sandbox lifecycle: create → wait_ready → exec → destroy confirmed Closes #104 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix review findings: cross-platform skills, credential validation, _podman_cli init beesarmy: - Skills image extraction now cross-platform: uses Podman Python SDK (works in any container) with CLI fallback. Raises RuntimeError if neither is available instead of silently skipping. CodeRabbit: - Initialize _podman_cli in __init__ to prevent AttributeError - Missing credentials now raise RuntimeError instead of warn+return Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * RSPEED-0000: Skills image via Podman driver_config + fragility analysis Skills image handling per OpenShell driver: - Podman driver: native image mount via SandboxSpec.template.driver_config (no extraction, no tar streaming — Podman mounts OCI image directly) - K8s driver: tar streaming fallback with crane → Podman SDK → CLI chain - New OPENSHELL_DRIVER env var ("podman"|"kubernetes") selects the path Spike doc updates: - Fragility analysis for all 7 production features - Updated Resolved section (JWT workaround removed, production gaps closed) - Spawner comparison table with accurate skills_image status - OpenShell convention: bake skills into sandbox image for production (FROM scratch + COPY skills — per NVIDIA community sandboxes docs) Refs #106 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix credential lookup: try K8s-normalized and original env key credential_secret_name is K8s-normalized (e.g. "openai-api-key") by _to_k8s_secret_name(), but env dict has the original key ("OPENAI_API_KEY"). Try both forms before raising RuntimeError. E2E verified: all 7 workflows pass with Podman driver, 3 with K8s driver. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: trigger CI * Fix CodeRabbit findings: tar traversal, posixpath, provider cleanup - Harden crane tar extraction: reject symlinks/hardlinks, validate resolved paths stay within tmp_dir (prevents path traversal) - Use posixpath.join for MCP secret file paths instead of f-string concatenation (correct regardless of trailing slash) - Provider cleanup: only remove _provider_ids entry after successful detach, retain for retry on failure Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: trigger CI on new branch * chore: whitespace to trigger CI --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Deliver Podman sandbox JWTs through per-sandbox Podman secrets instead of host bind-mounted token files. This keeps bearer tokens out of host state files while preserving the supervisor's file-based token loading path.
Related Issue
Issue: #1909
PR: #2111
Changes
Testing
mise run pre-commitpassesAdditional validation:
cargo test -p openshell-driver-podmanChecklist