feat(sandbox): add vi, jq, and dos2unix to base images #3091

Merged: cv merged 4 commits into main from feat/sandbox-essential-tools on May 7, 2026
Conversation

jason-ma-nv (Contributor) commented May 6, 2026

Summary

Adds three essential Linux tools — vi (vim-tiny), jq, and dos2unix — to both the OpenClaw and Hermes sandbox base images. These tools are commonly expected in any interactive shell environment and are frequently needed for ad-hoc editing and data wrangling inside a running sandbox.

Related Issue

Fixes #2999

Changes

  • Dockerfile.base: add dos2unix=7.4.3-1, jq=1.6-2.1+deb12u1, vim-tiny=2:9.0.1378-2+deb12u2 (Debian bookworm, exact versions)
  • agents/hermes/Dockerfile.base: same three packages added after socat

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: jason-ma-nv jama@nvidia.com

Summary by CodeRabbit

  • Chores
    • Updated Docker base images with additional system utilities to support development and operational workflows.

Fixes #2999

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
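As an added example (not part of PR #3091 and not the repository's own tooling), the following POSIX shell check confirms that a built sandbox image actually carries the exact Debian versions pinned above. Pinning `package=version` in the Dockerfile only helps if a rebuild against a moved mirror, or a pin that is later dropped, is caught rather than silently shipping a different package. In practice the installed-package list would come from `dpkg-query -W -f '${Package}=${Version}\n'` run inside the built image; here both inputs are constructed samples so the script runs offline, and the `socat` version in them is made up for illustration.

```shell
#!/bin/sh
# Added example (not from PR #3091): verify that an image carries exactly the
# Debian package versions pinned in its Dockerfile.

# Pins as listed in the PR for Debian bookworm.
PINS="dos2unix=7.4.3-1
jq=1.6-2.1+deb12u1
vim-tiny=2:9.0.1378-2+deb12u2"

# check_pins PINS INSTALLED
#   PINS      newline-separated name=version entries
#   INSTALLED output of: dpkg-query -W -f '${Package}=${Version}\n'
#             (run inside the built image, e.g. via `docker run --rm IMAGE ...`)
# Prints one line per package that is missing or at a different version.
# Returns 0 when every pin is satisfied, 1 otherwise.
check_pins() {
  _pins=$1
  _installed=$2
  _rc=0
  for _pin in $_pins; do
    _name=${_pin%%=*}
    _want=${_pin#*=}
    # Exact match on the package-name field; Debian versions may contain ':'
    # and '+', so everything after the first '=' is taken as the version.
    _have=$(printf '%s\n' "$_installed" |
      awk -F= -v n="$_name" '$1 == n { sub(/^[^=]*=/, ""); print; exit }')
    if [ -z "$_have" ]; then
      printf 'MISSING  %s (want %s)\n' "$_name" "$_want"
      _rc=1
    elif [ "$_have" != "$_want" ]; then
      printf 'DRIFT    %s: have %s, want %s\n' "$_name" "$_have" "$_want"
      _rc=1
    fi
  done
  return $_rc
}

# Constructed sample of dpkg-query output (not captured from a real image):
# every pinned package is present at the pinned version.
INSTALLED_OK="dos2unix=7.4.3-1
jq=1.6-2.1+deb12u1
socat=1.7.4.4-2
vim-tiny=2:9.0.1378-2+deb12u2"

# Constructed sample where jq resolved to a newer build and vim-tiny was not
# installed at all: the two failure modes a dropped or stale pin produces.
INSTALLED_DRIFT="dos2unix=7.4.3-1
jq=1.7.1-1
socat=1.7.4.4-2"

# Stand-alone run: report both samples without aborting the script.
if check_pins "$PINS" "$INSTALLED_OK"; then
  echo "sample 1: all pins satisfied"
fi
if ! check_pins "$PINS" "$INSTALLED_DRIFT"; then
  echo "sample 2: pin mismatch detected"
fi
```

Wired into CI after the image build, a non-zero exit from `check_pins` fails the job, which is the point: the pin list in the Dockerfile and the package set in the shipped image stay provably identical.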
@jason-ma-nv jason-ma-nv self-assigned this May 6, 2026
copy-pr-bot (Bot) commented May 6, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai (Bot, Contributor) commented May 6, 2026

📝 Walkthrough

Three essential Linux utilities—dos2unix, jq, and vim-tiny—are pinned to specific Debian versions and added to the apt-get install block in two base Dockerfiles, addressing missing sandbox tools.

Changes

Base Image Utilities

Layer | File(s) | Summary
Dependency Addition | Dockerfile.base, agents/hermes/Dockerfile.base | Three pinned Debian packages (dos2unix=7.4.3-1, jq=1.6-2.1+deb12u1, vim-tiny=2:9.0.1378-2+deb12u2) are appended to the apt-get install lists in both base image Dockerfiles.

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A toolkit arrives in the sandbox so bare,
With jq to parse, vi to edit with care,
And dos2unix to fix those line-ending woes—
Now the Nemoclaw box has the tools that it knows! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and accurately describes the main change: adding three utilities (vi, jq, dos2unix) to sandbox base images.
Linked Issues check | ✅ Passed | All three required tools from issue #2999 are successfully added: vim-tiny (vi), jq, and dos2unix with exact pinned versions to both Dockerfile.base files.
Out of Scope Changes check | ✅ Passed | All changes are within scope—only the three requested packages are added to the base images with no unrelated modifications.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai (Bot, Contributor) left a review comment

🧹 Nitpick comments (2)
Dockerfile.base (1)

55-71: Run container-level E2E jobs for this base-image layer change.

Since this modifies sandbox base image contents, please run the recommended selective jobs before merge:
cloud-e2e,sandbox-survival-e2e,hermes-e2e,rebuild-openclaw-e2e.

As per coding guidelines, "Dockerfile.base: This file affects the sandbox container image. Layer ordering, permissions, and baked config changes are only testable with a real container build."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.base` around lines 55 - 71, This change modifies the sandbox base
image RUN apt-get layer (the RUN apt-get update && apt-get install -y ... block
in Dockerfile.base) so before merging, trigger the prescribed container-level
E2E jobs — run cloud-e2e, sandbox-survival-e2e, hermes-e2e, and
rebuild-openclaw-e2e — to validate layer ordering, permissions, and baked config
in a real container build; if any test fails, iterate on the package list or
layer ordering in the RUN apt-get block and re-run the same E2E jobs until all
pass.
agents/hermes/Dockerfile.base (1)

32-49: Run Hermes-focused E2E workflows for this base-image update.

For confidence on onboarding/probe/routing paths, run:
hermes-e2e,hermes-discord-e2e,rebuild-hermes-e2e,rebuild-hermes-stale-base-e2e.

As per coding guidelines, "agents/hermes/**: This directory contains the Hermes agent. Changes affect multi-agent onboarding, health probes, and inference routing."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/hermes/Dockerfile.base` around lines 32 - 49, Run Hermes-focused
end-to-end tests to validate the base-image package changes in
agents/hermes/Dockerfile.base: execute the hermes-e2e, hermes-discord-e2e,
rebuild-hermes-e2e, and rebuild-hermes-stale-base-e2e workflows against the
updated RUN apt-get ... block to confirm onboarding, probe, and routing paths
still work for the Hermes agent after the package/version updates.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 22aca7fc-412e-4921-a327-6780b1700596

📥 Commits

Reviewing files that changed from the base of the PR and between 3800964 and e979efe.

📒 Files selected for processing (2)
  • Dockerfile.base
  • agents/hermes/Dockerfile.base

@cv cv merged commit 2c3a392 into main May 7, 2026
8 checks passed
jyaunches pushed a commit that referenced this pull request May 8, 2026
## Summary
- Bump the docs release metadata to `0.0.37`.
- Document release-prep updates for messaging policy presets, sandbox
runtime utilities, and the GPU CDI troubleshooting path.
- Refresh generated `nemoclaw-user-*` skills from the updated docs.

## Source summary
- #3159 -> `docs/reference/troubleshooting.md`: Documents the GPU CDI
preflight warning and remediation for `nvidia.com/gpu=all` gateway start
failures.
- #2415 -> `docs/reference/network-policies.md`,
`docs/manage-sandboxes/messaging-channels.md`,
`docs/network-policy/customize-network-policy.md`: Clarifies that
Telegram, Discord, and Slack egress comes from opt-in messaging presets,
not the baseline policy.
- #3091 -> `docs/deployment/sandbox-hardening.md`,
`docs/network-policy/customize-network-policy.md`: Documents the
retained sandbox utilities `vi`, `jq`, and `dos2unix` while keeping
host-side policy files as the durable source of truth.

## Test plan
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix
nemoclaw-user`
- `make docs`
- `npm run build:cli`
- `npm run typecheck:cli`
- Commit and pre-push hooks: markdownlint, docs-to-skills verification,
gitleaks, commitlint, CLI typecheck

## Skipped
- #3193 and #3191 matched `docs/.docs-skip` entries for experimental
shields/config paths.
- #3200 and #3183 were test-only fixes.
- #3189 and #3163 were internal documentation/refactor changes with no
public docs impact.

Made with [Cursor](https://cursor.com)

## Summary by CodeRabbit

* **Documentation**
  * Clarified which utilities remain in the sandbox runtime for lightweight inspection and cleanup
  * Noted that messaging endpoints (Discord, Slack, Telegram) are not in the baseline policy and that channel presets are applied during onboarding
  * Added GPU passthrough troubleshooting for gateway startup
  * Updated release/version bump and release-prep workflow guidance, including Discord preset description updates

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
wscurran added labels "area: packaging" (Packages, images, registries, installers, or distribution), "area: sandbox" (OpenShell sandbox lifecycle, runtime, config, or recovery), "feature" (PR adds or expands user-visible functionality), "platform: container" (Affects Docker, containerd, Podman, or images) and removed labels "area: packaging" (Packages, images, registries, installers, or distribution), "Docker" on Jun 3, 2026

Labels

area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery feature PR adds or expands user-visible functionality platform: container Affects Docker, containerd, Podman, or images

Development

Successfully merging this pull request may close these issues.

Nemoclaw sandbox - essential linux tools are missing

3 participants