@madarco/agentbox 0.4.1 → 0.6.0

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-dockerd-start

@@ -1,9 +1,10 @@
 #!/usr/bin/env bash
 # Start the in-box dockerd. Launched by the host via
-# `docker exec -d --user root` after the FUSE overlay is up. Idempotent — safe
-# to call again on `agentbox start`. Storage driver is fuse-overlayfs (set in
-# /etc/docker/daemon.json baked into the image) so the inner daemon doesn't
-# need the kernel `overlay` driver, which an unprivileged container can't load.
+# `docker exec -d --user root`. Idempotent — safe to call again on
+# `agentbox start`. The storage driver is selected at runtime (see
+# select_storage_driver below): the kernel-native `overlay2` when a probe
+# proves it works on the data-root filesystem, otherwise `fuse-overlayfs`.
+# The chosen driver is written to /etc/docker/daemon.json before launch.
 
 set -euo pipefail
 
@@ -33,14 +34,93 @@ rm -f /var/run/docker.pid /var/run/docker.sock
 mount -o remount,rw /sys/fs/cgroup 2>/dev/null || true
 mount -o remount,rw /proc/sys 2>/dev/null || true
 
+# --- Storage-driver selection -------------------------------------------------
+# The inner dockerd's data root (/var/lib/docker, a Docker named volume) used
+# to be pinned to fuse-overlayfs. fuse-overlayfs is broken on recent kernels
+# (e.g. Docker Desktop's 6.x linuxkit kernel): inner `docker run` fails at
+# execve() with "exec ...: invalid argument". The kernel-native overlay2
+# driver works when the data-root filesystem can carry an overlay mount, which
+# the ext4 named volume can. We pick overlay2 when a probe proves it works,
+# else fall back to fuse-overlayfs.
+#
+# dockerd refuses to switch drivers once its data root is populated, so if the
+# data root is already initialized under one driver we reuse that driver and
+# skip the probe — a box created under one driver never switches.
+DOCKER_DATA_ROOT=/var/lib/docker
+DAEMON_JSON=/etc/docker/daemon.json
+
+probe_overlay2() {
+  # The kernel overlay filesystem has to exist at all.
+  grep -qw overlay /proc/filesystems 2>/dev/null || return 1
+
+  local probe lower upper work merged ok=1
+  # The probe dir MUST live inside the data root so the test overlay is mounted
+  # on the SAME filesystem the real graph will use. A probe under /tmp would
+  # test the container's overlayfs writable layer — the wrong filesystem.
+  probe="$(mktemp -d "$DOCKER_DATA_ROOT/.overlay2-probe.XXXXXX" 2>/dev/null)" || return 1
+  lower="$probe/lower"; upper="$probe/upper"; work="$probe/work"; merged="$probe/merged"
+  mkdir -p "$lower" "$upper" "$work" "$merged" || { rm -rf "$probe"; return 1; }
+
+  # Stage a known-good executable so the merged view exposes it.
+  cp /bin/true "$lower/probe-bin" 2>/dev/null || { rm -rf "$probe"; return 1; }
+  chmod 0755 "$lower/probe-bin" 2>/dev/null || true
+
+  if mount -t overlay overlay \
+       -o "lowerdir=$lower,upperdir=$upper,workdir=$work" "$merged" 2>/dev/null; then
+    # The actual fuse-overlayfs failure mode: execve from the merged dir. A
+    # successful mount is not enough — fuse-overlayfs mounts fine and only
+    # fails here.
+    "$merged/probe-bin" >/dev/null 2>&1 || ok=0
+    umount "$merged" 2>/dev/null || umount -l "$merged" 2>/dev/null || true
+  else
+    ok=0
+  fi
+  rm -rf "$probe"
+  [ "$ok" = 1 ]
+}
+
+select_storage_driver() {
+  # 1. Reuse an already-initialized data root's driver — dockerd cannot switch
+  #    a populated data root, and this script reruns on every `agentbox start`.
+  local has_overlay2=0 has_fuse=0
+  [ -d "$DOCKER_DATA_ROOT/overlay2" ] \
+    && [ -n "$(ls -A "$DOCKER_DATA_ROOT/overlay2" 2>/dev/null)" ] && has_overlay2=1
+  [ -d "$DOCKER_DATA_ROOT/fuse-overlayfs" ] \
+    && [ -n "$(ls -A "$DOCKER_DATA_ROOT/fuse-overlayfs" 2>/dev/null)" ] && has_fuse=1
+  if [ "$has_overlay2" = 1 ]; then echo "overlay2"; return 0; fi
+  if [ "$has_fuse" = 1 ]; then echo "fuse-overlayfs"; return 0; fi
+
+  # 2. Fresh data root: probe overlay2 against the data-root filesystem.
+  if probe_overlay2; then echo "overlay2"; return 0; fi
+  echo "fuse-overlayfs"
+}
+
+# Sweep any leaked probe dir from a hard-killed previous run (cosmetic; the
+# driver subdir checks above ignore it, and dockerd ignores non-driver dirs).
+rm -rf "$DOCKER_DATA_ROOT"/.overlay2-probe.* 2>/dev/null || true
+
+STORAGE_DRIVER="$(select_storage_driver)"
+
+# Write daemon.json with the resolved driver. `iptables: true` stays for inner
+# bridge networking. Rewritten every start, but the driver is stable (step 1
+# above), so this never causes a mid-life driver switch.
+mkdir -p /etc/docker
+printf '%s\n' \
+  "{ \"storage-driver\": \"$STORAGE_DRIVER\", \"iptables\": true }" \
+  > "$DAEMON_JSON"
+# Truncate dockerd.log fresh for this start, marker line first; dockerd appends.
+echo "agentbox-dockerd-start: storage-driver=$STORAGE_DRIVER" \
+  > /var/log/agentbox/dockerd.log
+# --- end storage-driver selection --------------------------------------------
+
 # nohup + & + disown lets us survive the `docker exec -d` returning. dockerd
 # reads /etc/docker/daemon.json on its own; no flags here keeps the start path
 # debuggable from inside the container (just edit the file and restart).
-nohup dockerd >/var/log/agentbox/dockerd.log 2>&1 &
+nohup dockerd >>/var/log/agentbox/dockerd.log 2>&1 &
 
 # Wait for the socket to become accept()-able. Bound by ~30s — first start has
-# to initialize iptables chains and the fuse-overlayfs graphdriver, which is
-# noticeably slower than overlay2.
+# to initialize iptables chains and the storage graphdriver (fuse-overlayfs is
+# noticeably slower to initialize than overlay2).
 for _ in $(seq 1 300); do
   if [ -S /var/run/docker.sock ] \
      && docker -H unix:///var/run/docker.sock info >/dev/null 2>&1; then

package/runtime/docker/packages/sandbox-docker/scripts/agentbox-open

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Routes in-box URL opens to the *host's* default browser via the agentbox
+# relay. The box has no real browser of its own. This script is installed at
+# /usr/local/bin (earlier in PATH than xdg-utils' /usr/bin/xdg-open, which it
+# is also symlinked over) and is the box's $BROWSER, so `xdg-open`, Claude
+# Code's OAuth flow, `gh`, `git web--browse`, python's webbrowser, etc. all
+# land here.
+#
+# Only http(s) URLs are forwarded to the host. Anything else (a file path,
+# another scheme) falls through to the real xdg-open, which resolves it
+# locally inside the box.
+
+set -uo pipefail
+
+target="${1:-}"
+
+case "$target" in
+  http://* | https://*)
+    exec agentbox-ctl open "$target"
+    ;;
+  *)
+    if [[ -x /usr/bin/xdg-open ]]; then
+      exec /usr/bin/xdg-open "$@"
+    fi
+    echo "agentbox-open: not an http(s) URL: $target" >&2
+    exit 1
+    ;;
+esac

package/runtime/docker/packages/sandbox-docker/scripts/custom-system-CLAUDE.md

@@ -1,21 +1,27 @@
 # AgentBox sandbox
 
 You are running inside an AgentBox sandbox: a Linux Docker container with
-docker-in-docker (run `docker` directly, no sudo). The host filesystem is
-mounted read-only at /host-src; /workspace is a FUSE overlay where your
-writes go to a per-box volume.
+docker-in-docker (run `docker` directly, no sudo). 
+Your user is `vscode` and you can use passwordless **sudo** to run commands as root.
+`/workspace` is your own per-box git worktree on branch `agentbox/<box-name>`:
+writes there stay in the container's writable layer and don't touch the host's working
+tree.
 
-This container has no SSH credentials and no host gitconfig identity.
-For git operations that need the user (push, pull from private remotes),
-use `agentbox-ctl git pull|push -- <args>` — it RPCs to the host, which
-runs git with the real SSH agent and gitconfig. Local commits work as
-normal because the main `.git/` is bind-mounted at the same absolute
-path as on the host.
+You can save the current filesystem state to be reused by future boxes by 
+running `agentbox-ctl checkpoint --set-default`. This doesn't need to be confirmed by the user.
 
-Your `~/.claude` and `/workspace` env files live only in this box. If
-you install a skill/plugin (or otherwise change `~/.claude`), tell the
-user to run `agentbox pull claude` on the host to copy it back. If you
-create or change `.env`/`.envrc`/secrets files, tell them to run
-`agentbox pull env`. Both are additive and never overwrite host files.
+The main `.git/` is bind-mounted at the same absolute path as on
+the host, so local commits show up in the host's `git log` immediately.
+No SSH creds, no host gitconfig identity. For ops that need the user
+(push, fetch from private remotes), use `agentbox-ctl git push|fetch|pull
+-- <args>` — it RPCs to the host, which runs git with the real SSH agent.
 
-Box identity is in /etc/agentbox/box.env and the AGENTBOX_* env vars.
+For ad-hoc file transfers between this box and the host, use
+`agentbox-ctl cp toHost <boxPath> <hostPath>` and
+`agentbox-ctl cp fromHost <hostPath> <boxPath>` or `agentbox-ctl download claude` / `download env` /
+`download config`. They RPC to the host and
+ask the user for confirmation on the wrapper that runs `agentbox claude`;
+deny returns exit 10 (`denied by user`). 
+Don't put any timeout on the command, it will run forever and the user will be notified through multiple channels.
+
+Box identity: /etc/agentbox/box.env and the AGENTBOX_* env vars.