v0.14.1 -> v0.14.2
Summary
Fix bwrap sandbox failure on Ubuntu 24.04+ by adding a runtime availability probe with automatic fallback to direct execution, and include script output in cron/task error logs for better diagnostics.
Changes
FIX
- Add bwrap runtime probe (`checkBwrap`) with `sync.Once` to detect namespace permission failures on Ubuntu 24.04+ where `kernel.apparmor_restrict_unprivileged_userns=1` blocks unprivileged user namespace creation
- Fallback to direct execution (bypass sandbox) when bwrap is unavailable, instead of failing with `Permission denied`
- Temporarily remove `--unshare-all` flag from bwrap arguments to avoid namespace isolation conflicts on restricted environments; enhanced isolation will be re-introduced in a future release
- Include script stdout/stderr output in error logs and return value when cron/task script execution fails; previously only `exit status N` was logged with actual error discarded
- Related issue: openai/codex#14919 — Ubuntu 24.04 AppArmor restricts unprivileged user namespaces via `/etc/apparmor.d/unprivileged_userns`, causing bwrap sandbox to fail with `Creating new namespace failed: Permission denied`
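An added Go example (not the project's code) of the probe-and-fallback pattern the first two bullets describe: probe bwrap once per process, classify the failure, and hand the caller a reason it can log whenever a script runs unsandboxed. Only the `checkBwrap` name and the `Permission denied` message come from these notes; the `Sandbox` type, `Wrap`, `realProbe` and the `--ro-bind / /` arguments are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"sync"
)

// Sandbox caches one bwrap probe per process (hypothetical type, not the project's code).
type Sandbox struct {
	probe  func() ([]byte, error) // runs a no-op under bwrap; injectable for tests
	once   sync.Once
	ok     bool
	reason string // why the sandbox is bypassed; empty when ok
}

func realProbe() ([]byte, error) {
	return exec.Command("bwrap", "--ro-bind", "/", "/", "true").CombinedOutput()
}

// checkBwrap runs the probe once and records why it failed, if it did.
func (s *Sandbox) checkBwrap() bool {
	s.once.Do(func() {
		out, err := s.probe()
		switch {
		case err == nil:
			s.ok = true
		case errors.Is(err, exec.ErrNotFound):
			s.reason = "bwrap not installed"
		case strings.Contains(string(out), "Permission denied"):
			s.reason = "user namespace creation denied (kernel.apparmor_restrict_unprivileged_userns=1?)"
		default:
			s.reason = "bwrap probe failed: " + err.Error()
		}
	})
	return s.ok
}

// Wrap returns the argv to run, whether it is sandboxed, and the bypass reason to log.
func (s *Sandbox) Wrap(argv []string) ([]string, bool, string) {
	if s.checkBwrap() {
		return append([]string{"bwrap", "--ro-bind", "/", "/"}, argv...), true, ""
	}
	return argv, false, s.reason
}

func main() { fmt.Println((&Sandbox{probe: realProbe}).Wrap([]string{"sh", "-c", "echo hello"})) }
```

Logging the returned reason on every unsandboxed run keeps the bypass visible to operators instead of silently downgrading isolation.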
Files Changed
| File | Status | Tag |
|---|---|---|
| `internal/sandbox/linux.go` | Modified | FIX |
| `internal/scheduler/scheduler.go` | Modified | FIX |
Generated by SKILL