[Bug]: LocalBox has been removed from 0.9.0 #3903

Open
2 tasks done
yaroslavkasatikov opened this issue Sep 16, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@yaroslavkasatikov

yaroslavkasatikov commented Sep 16, 2024

### Is there an existing issue for the same bug?

### Describe the bug

Hey team,

We built our setup based on the local sandbox in OpenShift with restricted permissions. We did it after this discussion: #2675

But we found there is no local sandbox in v. 0.9.0+ and it breaks our setup :(

Is there a replacement for it or would it be possible to revert these changes?

Many thanks!

### Current OpenHands version

0.9.0+

### Installation and Configuration

We've written our own Dockerfile based on yours:

```dockerfile
FROM ghcr.io/opendevin/opendevin:0.7
# make the application tree writable for whatever UID the container runs as
RUN chmod 777 -R /app
ENTRYPOINT []
USER root

# install basic packages
RUN apt-get update && apt-get install -y \
    curl \
    wget \
    git \
    vim \
    nano \
    unzip \
    zip \
    python3 \
    python3-pip \
    python3-venv \
    python3-dev \
    build-essential \
    openssh-server \
    sudo \
    gcc \
    jq \
    g++ \
    make \
    iproute2 \
    && rm -rf /var/lib/apt/lists/*

RUN mkdir -p -m0755 /var/run/sshd

# symlink python3 to python
RUN ln -s /usr/bin/python3 /usr/bin/python

# ==== OpenDevin Runtime Client ====
RUN mkdir -p /opendevin && mkdir -p /opendevin/logs && chmod 777 /opendevin/logs
RUN wget "https://github.com/conda-forge/miniforge/releases/latest/download/Miniforge3-$(uname)-$(uname -m).sh"
RUN bash Miniforge3-$(uname)-$(uname -m).sh -b -p /opendevin/miniforge3
RUN chmod -R g+w /opendevin/miniforge3
RUN bash -c ". /opendevin/miniforge3/etc/profile.d/conda.sh && conda config --set changeps1 False && conda config --append channels conda-forge"
RUN echo "" > /opendevin/bash.bashrc

# - agentskills dependencies
RUN /opendevin/miniforge3/bin/pip install --upgrade pip
RUN /opendevin/miniforge3/bin/pip install jupyterlab notebook jupyter_kernel_gateway flake8
RUN /opendevin/miniforge3/bin/pip install python-docx PyPDF2 python-pptx pylatexenc openai
RUN chmod 777 -R /opendevin
RUN mkdir -p /opt/workspace_base && chmod -R 777 /opt/workspace_base
# hard-code the 'local' sandbox type, delete lines 24-27 of mixin.py,
# and copy the jupyter and agent_skills plugins next to the runtime client
RUN sed "s/config.sandbox_type/\'local\'/g" -i /app/opendevin/runtime/runtime.py && sed '24,27{/.*/d}' -i /app/opendevin/runtime/plugins/mixin.py && mkdir /opendevin/plugins/ && cp -av /app/opendevin/runtime/plugins/jupyter /opendevin/plugins/ && cp -av /app/opendevin/runtime/plugins/agent_skills /opendevin/plugins/
# ENV instead of "RUN export": an export inside RUN is lost when that layer's shell exits
ENV PATH=/opendevin/miniforge3/bin:/app/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
RUN echo $PATH
RUN cd /app && playwright install
CMD ["uvicorn", "opendevin.server.listen:app", "--host", "0.0.0.0", "--port", "3000"]
```

We combined opendevin and sandbox into the same container, changed paths and permissions.

This image works without root/docker etc. so we were able to start it under the restricted-v2 OpenShift SCC.



### Model and Agent

_No response_

### Operating System

_No response_

### Reproduction Steps

_No response_

### Logs, Errors, Screenshots, and Additional Context

_No response_
yaroslavkasatikov added the bug label Sep 16, 2024
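
The Dockerfile in the post above gets past the restricted SCC by making `/app`, `/opendevin` and `/opt/workspace_base` world-writable. The same three paths can instead be opened to group 0 only, since the arbitrary UID OpenShift assigns is a member of the root group. This is an added example covering just the permission step, not the poster's or the project's code; the UID `1001` is an assumption, and it assumes nothing at runtime writes to these paths from outside group 0.

```dockerfile
# Added example: permission layout for an arbitrary-UID runtime
# without world-writable directories.
FROM ghcr.io/opendevin/opendevin:0.7
ENTRYPOINT []
USER root

# Weak setting from the original image: every UID in the container,
# in or out of group 0, can rewrite application code and plugins.
#   RUN chmod 777 -R /app
#   RUN chmod 777 -R /opendevin
#   RUN mkdir -p /opt/workspace_base && chmod -R 777 /opt/workspace_base

# Tighter setting: hand the trees to group 0, give the group exactly the
# owner's rights (g=u), and remove write access for everyone else (o-w).
RUN mkdir -p /opendevin/logs /opt/workspace_base \
    && chgrp -R 0 /app /opendevin /opt/workspace_base \
    && chmod -R g=u,o-w /app /opendevin /opt/workspace_base

# Numeric non-root user with group 0. OpenShift replaces the UID with one
# from the project's range; other runtimes use 1001 (assumed value) as is.
USER 1001:0

CMD ["uvicorn", "opendevin.server.listen:app", "--host", "0.0.0.0", "--port", "3000"]
```

Running `find /app /opendevin /opt/workspace_base -perm -o+w ! -type l` inside the built image should print nothing if no world-writable entries remain.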
@mamoodi
Collaborator

mamoodi commented Sep 16, 2024

Tagging @enyst since he was involved in the initial discussion to see if he is able to help.

@enyst
Collaborator

enyst commented Sep 16, 2024

Local box was removed a while ago when we completely rewrote our images; there is no more "SSH box" either, and we have switched to a runtime to which we connect via a REST API. I'm not sure how that can play with your restrictions. 🤔 @xingyaoww what do you think?

@xingyaoww
Contributor

Yeah.. I think it will be pretty tricky to do all these, though technically not impossible.

To execute things locally, the hard requirement is to at least have an "openhands" poetry environment setup (i.e., everything in poetry.lock) plus a few things like playwright. Then start a process locally like this so a Runtime API server is accessible by the backend.

The challenge here is it can be very challenging to maintain a consistent playwright across different local setups (e.g., macOS probably needs a different way to install the chromium required by playwright than WSL, etc.) - would love any idea/contribution here!

@aelbarkani

Well if the sandbox is remote it is ok too, for example if we start it manually somehow and pass some args like the API URL or something like that. Our restriction basically is we cannot run things as root for security reasons, so the backend shouldn't build or run a container.
Is this option easier to implement?
