This page lists the platform, software, runtime, and kernel requirements for running OpenShell.
OpenShell publishes multi-architecture container images for linux/amd64 and linux/arm64. The CLI is supported on the following host platforms:
| Platform | Architecture | Status |
|---|---|---|
| Linux (Debian/Ubuntu) | x86_64 (amd64) | Supported |
| Linux (Debian/Ubuntu) | aarch64 (arm64) | Supported |
| macOS (Docker Desktop) | Apple Silicon (arm64) | Supported |
| Windows (WSL 2 + Docker Desktop) | x86_64 | Experimental |
The following software must be installed on the host before using the OpenShell CLI:
| Component | Minimum Version | Notes |
|---|---|---|
| Docker Desktop or Docker Engine | 28.04 | Must be running before any openshell command. |
Sandbox container images are maintained in the openshell-community repository. Refer to that repository for the current list of installed components and their versions.
OpenShell publishes two container images. Both are published for linux/amd64 and linux/arm64.
| Image | Reference | Pulled When |
|---|---|---|
| Cluster | ghcr.io/nvidia/openshell/cluster:latest |
openshell gateway start |
| Gateway | ghcr.io/nvidia/openshell/gateway:latest |
Cluster startup (via Helm chart) |
The cluster image bundles the Helm charts, Kubernetes manifests, and the openshell-sandbox supervisor binary required to bootstrap the control plane. The supervisor binary is side-loaded into sandbox pods at runtime through a read-only host volume mount. The gateway image is pulled at cluster startup and runs the API server.
Sandbox images are maintained separately in the openshell-community repository.
To override the default image references, set the following environment variables:
| Variable | Purpose |
|---|---|
OPENSHELL_CLUSTER_IMAGE |
Override the cluster image reference. |
OPENSHELL_COMMUNITY_REGISTRY |
Override the registry for community sandbox images. |
OpenShell enforces sandbox isolation through two Linux kernel security modules:
| Module | Requirement | Details |
|---|---|---|
| Landlock LSM | Recommended | Enforces filesystem access restrictions at the kernel level. The best_effort compatibility mode uses the highest Landlock ABI the host kernel supports. The hard_requirement mode fails sandbox creation if the required ABI is unavailable. |
| seccomp | Required | Filters dangerous system calls. Available on all modern Linux kernels (3.17+). |
On macOS, these kernel modules run inside the Docker Desktop Linux VM, not on the host kernel.
For the full list of supported agents and their default policy coverage, refer to the {doc}../about/supported-agents page.