Default policy reference

The default policy is applied when you create an OpenShell sandbox without --policy. It is baked into the community base image (ghcr.io/nvidia/openshell-community/sandboxes/base) and defined in the community repo’s dev-sandbox-policy.yaml.

Agent compatibility

The default policy is authored for Claude Code. Other agents require additional policy configuration.

| Agent | Coverage | Action required |
| --- | --- | --- |
| Claude Code | Full | None. Works out of the box. |
| OpenCode | Partial | Add opencode.ai endpoint and OpenCode binary paths. |
| Codex | None | Provide a complete custom policy with OpenAI endpoints and Codex binary paths. |

If you run a non-Claude agent without a custom policy, the agent’s API calls are denied by the network proxy. You must provide a policy that declares the agent’s endpoints and binaries.

Default filesystem access

The default policy grants the following filesystem access inside the sandbox:

| Path | Access | Purpose |
| --- | --- | --- |
| /usr | Read-only | System binaries and libraries |
| /lib | Read-only | Shared libraries |
| /lib64 | Read-only | 64-bit shared libraries |
| /proc | Read-only | Process information filesystem |
| /dev/urandom | Read-only | Entropy source |
| /etc | Read-only | System configuration |
| /sandbox | Read-write | Agent working directory |
| /tmp | Read-write | Temporary files |
| /dev/null | Read-write | Null device |

The include_workdir: true flag is set by default, so the agent’s current working directory is always included in read-write access.
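
The following added example, which is not part of OpenShell or its documentation, checks whether the paths an agent needs are already covered by the default grants in the table above, so you know what a custom policy must add. It assumes a directory grant covers its whole subtree, that unlisted paths are denied, and that symlinks are not resolved; `effective_access` and `audit` are hypothetical helper names.

```python
import posixpath

# Default filesystem grants, copied from the table on this page.
DEFAULT_GRANTS = {
    "/usr": "ro", "/lib": "ro", "/lib64": "ro", "/proc": "ro",
    "/dev/urandom": "ro", "/etc": "ro",
    "/sandbox": "rw", "/tmp": "rw", "/dev/null": "rw",
}


def effective_access(path, workdir="/sandbox", grants=DEFAULT_GRANTS):
    """Return "rw", "ro" or None for an absolute or workdir-relative path.

    Assumptions (not stated by the page): a grant on a directory covers
    its subtree, overlapping grants combine to the most permissive one,
    and a path with no covering grant is denied.
    """
    # Relative paths resolve against the working directory; "." and ".."
    # are collapsed lexically so "/tmp/../etc" is judged as "/etc".
    norm = posixpath.normpath(posixpath.join(workdir, path))
    rules = dict(grants)
    rules[posixpath.normpath(workdir)] = "rw"  # include_workdir: true
    best = None
    for root, mode in rules.items():
        # Match on a path-component boundary: "/lib" covers "/lib/x"
        # but must not cover "/library".
        if norm == root or norm.startswith(root.rstrip("/") + "/"):
            if mode == "rw":
                return "rw"
            best = "ro"
    return best


def audit(required, workdir="/sandbox"):
    """Map each path in [(path, needed_mode)] to True if already covered."""
    covered = {}
    for path, needed in required:
        got = effective_access(path, workdir)
        covered[path] = got == "rw" or (got == "ro" and needed == "ro")
    return covered


if __name__ == "__main__":
    # Constructed sample requirements for a hypothetical agent.
    needs = [("/usr/bin/git", "ro"), ("/etc/hosts", "rw"), ("/opt/agent/bin", "ro")]
    for p, ok in audit(needs).items():
        print(("covered " if ok else "MISSING ") + p)
```

Paths reported as missing are the ones a custom policy would have to declare.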

Default network access

The default policy’s network rules are defined in dev-sandbox-policy.yaml in the community repository. The policy covers the endpoints and binaries required by Claude Code, including the Anthropic API and common development tooling.
The full dev-sandbox-policy.yaml source is maintained in the openshell-community repository. Refer to that repository for the current list of permitted hosts, ports, and binaries.

Viewing the active policy

To inspect the policy currently applied to a sandbox:
openshell policy get <sandbox-name>
This returns the full policy YAML, including both the default blocks and any custom extensions you have applied.

Extending the default policy

Use openshell policy set to apply a policy file to a running sandbox. Because network_policies is a dynamic section, changes take effect immediately without restarting the sandbox.
openshell policy set <sandbox-name> --policy ./my-policy.yaml
Your policy file is merged with the default policy blocks. You do not need to redeclare the default filesystem or process settings unless you want to override them.
Start from the community dev-sandbox-policy.yaml and add your agent’s endpoints and binary paths. This preserves the default Claude Code coverage while adding support for your agent.

Policy schema

Complete field reference for all policy YAML fields.

Support matrix

Supported platforms, prerequisites, and kernel requirements.
