blob: b6a52c145a4f55708812903a14237ab13dde1b91 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
#!/bin/bash
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -euo pipefail
if ! scripts/sandbox_command.sh -q; then
echo "ERROR: sandboxing disabled. See docs to enable sandboxing."
exit 1
fi
# parse flags
interactive=false
while getopts "i" opt; do
case "$opt" in
\?)
echo "usage: sandbox.sh [-i] [sandbox-name-or-index = AUTO] [command... = bash -l]"
echo " -i: enable interactive mode for custom command (enabled by default for login shell)"
echo " (WARNING: interactive mode causes stderr to be redirected to stdout)"
exit 1
;;
i)
interactive=true
if [ ! -t 0 ]; then
echo "ERROR: interactive mode (-i) requested without a terminal attached"
exit 1
fi
;;
esac
done
shift $((OPTIND - 1))
IMAGE=gemini-cli-sandbox
CMD=$(scripts/sandbox_command.sh)
# list all containers running on sandbox image
sandboxes=()
while IFS= read -r line; do
sandboxes+=("$line")
done < <($CMD ps --filter "ancestor=$IMAGE" --format "{{.Names}}")
# take first argument as sandbox name if it starts with image name or is an integer
# otherwise require a unique sandbox to be running and take its name
if [[ "${1:-}" =~ ^$IMAGE(-[0-9]+)?$ ]]; then
SANDBOX=$1
shift
elif [[ "${1:-}" =~ ^[0-9]+$ ]]; then
SANDBOX=$IMAGE-$1
shift
else
# exit if no sandbox is running
if [ ${#sandboxes[@]} -eq 0 ]; then
echo "No sandboxes found. Are you running gemini-cli with sandboxing enabled?"
exit 1
fi
# exit if multiple sandboxes are running
if [ ${#sandboxes[@]} -gt 1 ]; then
echo "Multiple sandboxes found:"
for sandbox in "${sandboxes[@]}"; do
echo " $sandbox"
done
echo "Sandbox name or index (0,1,...) must be specified as first argument"
exit 1
fi
SANDBOX=${sandboxes[0]}
fi
# check that sandbox exists
if ! [[ " ${sandboxes[*]} " == *" $SANDBOX "* ]]; then
echo "unknown sandbox $SANDBOX"
echo "known sandboxes:"
for sandbox in "${sandboxes[@]}"; do
echo " $sandbox"
done
exit 1
fi
# determine command and args for exec
if [ $# -gt 0 ]; then
cmd=(bash -l -c "$(printf '%q ' "$@")") # fixes quoting, e.g. bash -c 'echo $SANDBOX'
exec_args=()
if [ "$interactive" = true ]; then
exec_args=(-it)
fi
else
cmd=(bash -l)
exec_args=(-it)
fi
# run command in sandbox
exec_args+=("$SANDBOX" "${cmd[@]}")
$CMD exec "${exec_args[@]}"
|
