jcarr
/
gemini-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor_sandbox_command (#121)

This commit is contained in:
Olcan 2025-04-22 13:51:50 -07:00 committed by GitHub
parent 60fc979332
commit 5e34d9e276
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 90 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -76,7 +76,7 @@ Chances are you will need to manually address errors output. You can also try `n
## Sandboxing ## Sandboxing
To enable sandboxing, set `GEMINI_CODE_SANDBOX=true` in your environment or `.env` file. Once enabled, `npm run build` will build a minimal container ("sandbox") image and `npm start` will launch inside a fresh instance of that container. Requires either `docker` or `podman` to be installed on host machine. To enable sandboxing, set `GEMINI_CODE_SANDBOX=true|docker|podman|<command>` in your environment or `.env` file. Once enabled, `npm run build` will build a minimal container ("sandbox") image and `npm start` will launch inside a fresh instance of that container. Requires the specified command (or if `true` then either `docker` or `podman`) to be available on host machine.
The sandbox (container) mounts the current directory with read-write access and is started/stopped/removed automatically as you start/stop Gemini Code. You can tell you are inside the sandbox with the `cwd` being reported as `/sandbox/<project>`. Files created within the sandbox should be automatically mapped to your user/group on host machine. The sandbox (container) mounts the current directory with read-write access and is started/stopped/removed automatically as you start/stop Gemini Code. You can tell you are inside the sandbox with the `cwd` being reported as `/sandbox/<project>`. Files created within the sandbox should be automatically mapped to your user/group on host machine.
@ -86,4 +86,4 @@ You can customize the sandbox in `Dockerfile` (e.g. for pre-installed utilities)
### Attaching from VSCode ### Attaching from VSCode
You can have VSCode (or forks) attach to a running sandbox using the [Dev Containers](https://marketplace.cursorapi.com/items?itemName=ms-vscode-remote.remote-containers) extension. Simply use `Dev Containers: Attach to Running Container ...` command and select your container named `gemini-code-sandbox-#`. Once attached you can open the project folder at `/sandbox/<project>`. You may need the VSCode setting `dev.containers.dockerPath` to be `podman` if using `podman`. Without this setting you may be prompted to install Docker. You can have VSCode (or forks) attach to a running sandbox using the [Dev Containers](https://marketplace.cursorapi.com/items?itemName=ms-vscode-remote.remote-containers) extension. Simply use `Dev Containers: Attach to Running Container ...` command and select your container named `gemini-code-sandbox-#`. Once attached you can open the project folder at `/sandbox/<project>`. You may need to set the VSCode setting `dev.containers.dockerPath` (e.g. to `podman`) if you are not using Docker, and otherwise you may be prompted by the extension to install Docker if missing from your system.

5
scripts/build.sh
View File

@ -23,9 +23,8 @@ fi
# build all workspaces/packages # build all workspaces/packages
npm run build --workspaces npm run build --workspaces
# also build container image if GEMINI_CODE_SANDBOX is set (can be in .env file) # also build container image if sandboxing is enabled
# skip (-s) npm install + build since we did that above # skip (-s) npm install + build since we did that above
if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || \ if scripts/sandbox_command.sh -q; then
{ [ -f .env ] && grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; }; then
scripts/build_sandbox.sh -s scripts/build_sandbox.sh -s
fi fi

19
scripts/build_sandbox.sh
View File

@ -15,6 +15,14 @@
set -euo pipefail set -euo pipefail
if ! scripts/sandbox_command.sh -q; then
echo "ERROR: sandboxing disabled. See README.md to enable sandboxing."
exit 1
fi
CMD=$(scripts/sandbox_command.sh)
echo "using $CMD for sandboxing"
IMAGE=gemini-code-sandbox IMAGE=gemini-code-sandbox
SKIP_NPM_INSTALL_BUILD=false SKIP_NPM_INSTALL_BUILD=false
@ -30,17 +38,6 @@ while getopts "s" opt; do
done done
shift $((OPTIND - 1)) shift $((OPTIND - 1))
# use docker if installed, otherwise try to use podman instead
if command -v docker &> /dev/null; then
CMD=docker
elif command -v podman &> /dev/null; then
CMD=podman
else
echo "ERROR: missing docker or podman for sandboxing"
exit 1
fi
echo "using $CMD for sandboxing"
# npm install + npm run build unless skipping via -s option # npm install + npm run build unless skipping via -s option
if [ "$SKIP_NPM_INSTALL_BUILD" = false ]; then if [ "$SKIP_NPM_INSTALL_BUILD" = false ]; then
npm install npm install

17
scripts/sandbox.sh
View File

@ -15,6 +15,11 @@
set -euo pipefail set -euo pipefail
if ! scripts/sandbox_command.sh -q; then
echo "ERROR: sandboxing disabled. See README.md to enable sandboxing."
exit 1
fi
# parse flags # parse flags
interactive=false interactive=false
while getopts "i" opt; do while getopts "i" opt; do
@ -36,18 +41,8 @@ while getopts "i" opt; do
done done
shift $((OPTIND - 1)) shift $((OPTIND - 1))
IMAGE=gemini-code-sandbox IMAGE=gemini-code-sandbox
CMD=$(scripts/sandbox_command.sh)
# use docker if installed, otherwise try to use podman instead
if command -v docker &> /dev/null; then
CMD=docker
elif command -v podman &> /dev/null; then
CMD=podman
else
echo "ERROR: missing docker or podman for sandboxing"
exit 1
fi
# list all containers running on sandbox image # list all containers running on sandbox image
sandboxes=() sandboxes=()

63
scripts/sandbox_command.sh Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# usage: scripts/sandbox_command.sh [-q]
# -q: quiet mode (do not print command, just exit w/ code 0 or 1)
set -euo pipefail
# parse flags
QUIET=false
while getopts ":q" opt; do
case ${opt} in
q ) QUIET=true ;;
\? ) echo "Usage: $0 [-q]"
exit 1
;;
esac
done
shift $((OPTIND - 1))
# if GEMINI_CODE_SANDBOX is not set, try to source .env in case set there
if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then source .env; fi
# if GEMINI_CODE_SANDBOX is still not set, then exit immediately w/ code 1
if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then exit 1; fi
# lowercase GEMINI_CODE_SANDBOX
GEMINI_CODE_SANDBOX=$(echo "${GEMINI_CODE_SANDBOX:-}" | tr '[:upper:]' '[:lower:]')
# if GEMINI_CODE_SANDBOX is set to 1 or true, then try to use docker or podman
if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]]; then
if command -v docker &> /dev/null; then
if [ "$QUIET" = false ]; then echo "docker"; fi
exit 0
elif command -v podman &> /dev/null; then
if [ "$QUIET" = false ]; then echo "podman"; fi
exit 0
else
echo "ERROR: install docker or podman or specify command in GEMINI_CODE_SANDBOX" >&2
exit 1
fi
fi
if ! command -v "$GEMINI_CODE_SANDBOX" &> /dev/null; then
echo "ERROR: missing sandbox command '$GEMINI_CODE_SANDBOX' (from GEMINI_CODE_SANDBOX)" >&2
exit 1
fi
if [ "$QUIET" = false ]; then echo "$GEMINI_CODE_SANDBOX"; fi
exit 0

8
scripts/start.sh
View File

@ -18,13 +18,11 @@ set -euo pipefail
# check build status, write warnings to file for app to display if needed # check build status, write warnings to file for app to display if needed
node ./scripts/check-build-status.js node ./scripts/check-build-status.js
# if GEMINI_CODE_SANDBOX is set (can be in .env file), start in sandbox container # if sandboxing is enabled, start in sandbox container
if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || \ if scripts/sandbox_command.sh -q; then
{ [ -f .env ] && grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; }; then
echo "Running in sandbox container ..."
scripts/start_sandbox.sh "$@" scripts/start_sandbox.sh "$@"
else else
echo "WARNING: running outside of sandbox. Set GEMINI_CODE_SANDBOX to enable sandbox." echo "WARNING: OUTSIDE SANDBOX. See README.md to enable sandboxing."
if [ -n "${DEBUG:-}" ]; then if [ -n "${DEBUG:-}" ]; then
node --inspect-brk node_modules/@gemini-code/cli "$@" node --inspect-brk node_modules/@gemini-code/cli "$@"
else else

16
scripts/start_sandbox.sh
View File

@ -15,21 +15,17 @@
set -euo pipefail set -euo pipefail
if ! scripts/sandbox_command.sh -q; then
echo "ERROR: sandboxing disabled. See README.md to enable sandboxing."
exit 1
fi
CMD=$(scripts/sandbox_command.sh)
IMAGE=gemini-code-sandbox IMAGE=gemini-code-sandbox
WORKDIR=/sandbox/$(basename "$PWD") WORKDIR=/sandbox/$(basename "$PWD")
CLI_PATH=/usr/local/share/npm-global/lib/node_modules/\@gemini-code/cli CLI_PATH=/usr/local/share/npm-global/lib/node_modules/\@gemini-code/cli
DEBUG_PORT=9229 DEBUG_PORT=9229
# use docker if installed, otherwise try to use podman instead
if command -v docker &> /dev/null; then
CMD=docker
elif command -v podman &> /dev/null; then
CMD=podman
else
echo "ERROR: missing docker or podman for sandboxing"
exit 1
fi
# use interactive tty mode and auto-remove container on exit # use interactive tty mode and auto-remove container on exit
run_args=(-it --rm) run_args=(-it --rm)