jcarr
/
gemini-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hop into sandbox (#186)

This commit is contained in:
Olcan 2025-04-26 21:27:36 -07:00 committed by GitHub
parent 688b2d0da7
commit 7828e813a8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 150 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
packages/cli/src/gemini.ts
View File

@ -4,6 +4,9 @@
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
import os from 'os';
import path from 'path';
import fs from 'fs';
import React from 'react'; import React from 'react';
import { render } from 'ink'; import { render } from 'ink';
import { App } from './ui/App.js'; import { App } from './ui/App.js';
@ -13,20 +16,159 @@ import { GeminiClient } from '@gemini-code/server';
import { readPackageUp } from 'read-package-up'; import { readPackageUp } from 'read-package-up';
import { fileURLToPath } from 'node:url'; import { fileURLToPath } from 'node:url';
import { dirname } from 'node:path'; import { dirname } from 'node:path';
import { execSync, spawnSync } from 'child_process';
const __filename = fileURLToPath(import.meta.url); const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename); const __dirname = dirname(__filename);
// node.js equivalent of scripts/sandbox_command.sh
function sandbox_command(): string {
const sandbox = process.env.GEMINI_CODE_SANDBOX?.toLowerCase().trim() ?? '';
const opts: object = { stdio: 'ignore' };
if (['1', 'true'].includes(sandbox)) {
// look for docker or podman, in that order
if (spawnSync('command', ['-v', 'docker'], opts).status === 0) {
return 'docker'; // Set sandbox to 'docker' if found
} else if (spawnSync('command', ['-v', 'podman'], opts).status === 0) {
return 'podman'; // Set sandbox to 'podman' if found
} else {
console.error(
'ERROR: failed to determine command for sandbox; ' +
'install docker or podman or specify command in GEMINI_CODE_SANDBOX',
);
process.exit(1);
}
} else if (sandbox) {
// confirm that specfied command exists
if (spawnSync('command', ['-v', sandbox], opts).status !== 0) {
console.error(
`ERROR: missing sandbox command '${sandbox}' (from GEMINI_CODE_SANDBOX)`,
);
process.exit(1);
}
return sandbox;
} else {
return ''; // no sandbox
}
}
// node.js equivalent of scripts/start_sandbox.sh
function start_sandbox(sandbox: string) {
// determine full path for gemini-code to distinguish linked vs installed setting
const gcPath = execSync(`realpath $(which gemini-code)`).toString().trim();
// stop if image is missing
const image = 'gemini-code-sandbox';
if (!execSync(`${sandbox} images -q ${image}`).toString().trim()) {
const remedy = gcPath.includes('gemini-code/packages/')
? 'Try `scripts/build_sandbox.sh` under gemini-code repo.'
: 'Please notify gemini-code-dev@google.com.';
console.error(`ERROR: ${image} is missing. ${remedy}`);
process.exit(1);
}
// stop if debugging in sandbox using linked/installed gemini-code
// note this is because it does not work (unclear why, parent process interferes somehow)
// note `npm run debug` runs sandbox directly and avoids any interference from parent process
if (process.env.DEBUG) {
console.error(
'ERROR: cannot debug in sandbox using linked/installed gemini-code; ' +
'use `npm run debug` under gemini-code repo instead',
);
process.exit(1);
}
// if project is gemini-code, then run sandboxed CLI from ${workdir}/packages/cli
// otherwise refuse debug mode (see comments in launch.json around remoteRoot)
const project = path.basename(process.cwd());
const workdir = `/sandbox/${project}`;
let cliPath = '/usr/local/share/npm-global/lib/node_modules/@gemini-code/cli';
if (project === 'gemini-code') {
cliPath = `${workdir}/packages/cli`;
} else if (process.env.DEBUG) {
console.error('ERROR: cannot debug in sandbox outside gemini-code repo');
process.exit(1);
}
// use interactive tty mode and auto-remove container on exit
// run init binary inside container to forward signals & reap zombies
const args = ['run', '-it', '--rm', '--init', '--workdir', workdir];
// mount current directory as ${workdir} inside container
args.push('-v', `${process.cwd()}:${workdir}`);
// mount os.tmpdir() as /tmp inside container
args.push('-v', `${os.tmpdir()}:/tmp`);
// name container after image, plus numeric suffix to avoid conflicts
let index = 0;
while (
execSync(
`${sandbox} ps -a --format "{{.Names}}" | grep "${image}-${index}" || true`,
)
.toString()
.trim()
) {
index++;
}
args.push('--name', `${image}-${index}`, '--hostname', `${image}-${index}`);
// copy GEMINI_API_KEY
if (process.env.GEMINI_API_KEY) {
args.push('--env', `GEMINI_API_KEY=${process.env.GEMINI_API_KEY}`);
}
// copy GEMINI_CODE_MODEL
if (process.env.GEMINI_CODE_MODEL) {
args.push('--env', `GEMINI_CODE_MODEL=${process.env.GEMINI_CODE_MODEL}`);
}
// copy SHELL_TOOL to optionally enable shell tool
if (process.env.SHELL_TOOL) {
args.push('--env', `SHELL_TOOL=${process.env.SHELL_TOOL}`);
}
// copy TERM and COLORTERM to try to maintain terminal setup
if (process.env.TERM) {
args.push('--env', `TERM=${process.env.TERM}`);
}
if (process.env.COLORTERM) {
args.push('--env', `COLORTERM=${process.env.COLORTERM}`);
}
// set SANDBOX as container name
args.push('--env', `SANDBOX=${image}-${index}`);
// for podman, use empty --authfile to skip unnecessary auth refresh overhead
const emptyAuthFilePath = path.join(os.tmpdir(), 'empty_auth.json');
fs.writeFileSync(emptyAuthFilePath, '{}', 'utf-8');
args.push('--authfile', emptyAuthFilePath);
// enable debugging via node --inspect-brk if DEBUG is set
const nodeArgs = [];
const debugPort = process.env.DEBUG_PORT || '9229';
if (process.env.DEBUG) {
args.push('-p', `${debugPort}:${debugPort}`);
nodeArgs.push('--inspect-brk', `0.0.0.0:${debugPort}`);
}
// append remaining args (image, node, node args, cli path, cli args)
args.push(image, 'node', ...nodeArgs, cliPath, ...process.argv.slice(2));
// spawn child and let it inherit stdio
spawnSync(sandbox, args, { stdio: 'inherit' });
}
async function main() { async function main() {
const config = loadCliConfig(); const config = loadCliConfig();
let input = config.getQuestion(); let input = config.getQuestion();
const sandboxEnabled = // hop into sandbox if enabled but outside
process.env.GEMINI_CODE_SANDBOX && const sandbox = sandbox_command();
!['0', 'false'].includes(process.env.GEMINI_CODE_SANDBOX.toLowerCase()); if (sandbox && !process.env.SANDBOX) {
if (sandboxEnabled && !process.env.SANDBOX) { console.log('hopping into sandbox ...');
console.log('WARNING: sandboxing is enabled, but still OUTSIDE sandbox'); start_sandbox(sandbox);
// TODO: get inside sandbox process.exit(0);
} }
// Render UI, passing necessary config values. Check that there is no command line question. // Render UI, passing necessary config values. Check that there is no command line question.

4
scripts/build_sandbox.sh
View File

@ -24,7 +24,7 @@ CMD=$(scripts/sandbox_command.sh)
echo "using $CMD for sandboxing" echo "using $CMD for sandboxing"
IMAGE=gemini-code-sandbox IMAGE=gemini-code-sandbox
DOCKERFILE=${DOCKERFILE:-Dockerfile} DOCKERFILE=Dockerfile
SKIP_NPM_INSTALL_BUILD=false SKIP_NPM_INSTALL_BUILD=false
while getopts "sd" opt; do while getopts "sd" opt; do
@ -44,7 +44,7 @@ shift $((OPTIND - 1))
# npm install + npm run build unless skipping via -s option # npm install + npm run build unless skipping via -s option
if [ "$SKIP_NPM_INSTALL_BUILD" = false ]; then if [ "$SKIP_NPM_INSTALL_BUILD" = false ]; then
npm install npm install
npm run build npm run build --workspaces
fi fi
# if using Dockerfile-dev, then skip rebuild unless REBUILD_SANDBOX is set # if using Dockerfile-dev, then skip rebuild unless REBUILD_SANDBOX is set