Purpose
Run the host-side API server experiment to validate that agents inside an OpenShell sandbox can call API servers running on the host through the L7 proxy.
Requirements
| Requirement | Link |
|---|---|
| Go 1.23+ | https://go.dev/dl/ |
| Python 3.11+ | https://www.python.org/downloads/ |
| OpenShell CLI v0.0.43+ | https://github.com/NVIDIA/OpenShell |
| openshell-gateway v0.0.43+ | https://github.com/NVIDIA/OpenShell/releases |
| Podman (rootless) | https://podman.io/docs/installation |
| curl | (pre-installed on most systems) |
| git | https://git-scm.com/downloads |
OpenShell setup
This experiment uses the standalone openshell-gateway binary with the Podman driver — not the older K3s-in-Docker approach (openshell gateway start, removed in v0.0.37).
Install Podman and start the socket:

```bash
systemctl --user start podman.socket
```

Download the `openshell-gateway` binary from the OpenShell releases page and place it in your `$PATH`.

Pull the required images:

```bash
podman pull ghcr.io/nvidia/openshell/supervisor:latest
podman pull ghcr.io/nvidia/openshell-community/sandboxes/base:latest
```

Start the gateway:

```bash
OPENSHELL_SSH_HANDSHAKE_SECRET="$(python3 -c 'import secrets; print(secrets.token_hex(16))')" \
OPENSHELL_SUPERVISOR_IMAGE="ghcr.io/nvidia/openshell/supervisor:latest" \
OPENSHELL_SANDBOX_IMAGE="ghcr.io/nvidia/openshell-community/sandboxes/base:latest" \
OPENSHELL_SANDBOX_IMAGE_PULL_POLICY="missing" \
openshell-gateway \
  --bind-address 0.0.0.0 \
  --port 18080 \
  --health-port 18081 \
  --drivers podman \
  --disable-tls \
  --db-url "sqlite:/tmp/openshell-gateway.db?mode=rwc" \
  --log-level info &
```

Register the gateway with the CLI:

```bash
CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/openshell"
mkdir -p "${CONFIG_DIR}/gateways/podman-local"
cat > "${CONFIG_DIR}/gateways/podman-local/metadata.json" <<'EOF'
{
  "name": "podman-local",
  "gateway_endpoint": "http://127.0.0.1:18080",
  "is_remote": false,
  "gateway_port": 18080,
  "auth_mode": "plaintext"
}
EOF
printf 'podman-local' > "${CONFIG_DIR}/active_gateway"
```

Verify the gateway is healthy:

```bash
curl -sf http://127.0.0.1:18081/healthz
```
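A preflight check for the gateway registration above, as an added example that is not part of OpenShell or of this experiment's scripts. It reads `active_gateway` and the matching `metadata.json` and reports inconsistencies; the rules it applies (a cleartext endpoint must be a loopback address, `gateway_port` must match the endpoint's port) are this example's own assumptions, not validation that OpenShell performs.

```python
import ipaddress
import json
import os
import pathlib
from urllib.parse import urlsplit


def config_dir() -> pathlib.Path:
    # Same resolution as the shell snippet: ${XDG_CONFIG_HOME:-$HOME/.config}/openshell
    base = os.environ.get("XDG_CONFIG_HOME") or os.path.expanduser("~/.config")
    return pathlib.Path(base) / "openshell"


def is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as non-local


def check_gateway(cfg: pathlib.Path) -> list[str]:
    """Return a list of findings; an empty list means the registration is consistent."""
    active_file = cfg / "active_gateway"
    if not active_file.is_file():
        return ["no active_gateway file"]
    active = active_file.read_text().strip()
    meta_path = cfg / "gateways" / active / "metadata.json"
    if not meta_path.is_file():
        return [f"active gateway {active!r} has no metadata.json"]
    meta = json.loads(meta_path.read_text())
    url = urlsplit(meta.get("gateway_endpoint", ""))
    findings = []
    if meta.get("name") != active:
        findings.append("metadata name does not match active_gateway")
    if url.port != meta.get("gateway_port"):
        findings.append("gateway_port does not match the port in gateway_endpoint")
    # Assumption of this example: cleartext is acceptable only towards the local host.
    cleartext = url.scheme == "http" or meta.get("auth_mode") == "plaintext"
    if cleartext and not is_loopback(url.hostname or ""):
        findings.append("cleartext gateway endpoint is not a loopback address")
    if cleartext and meta.get("is_remote"):
        findings.append("is_remote is true but the connection is cleartext")
    return findings


if __name__ == "__main__":
    problems = check_gateway(config_dir())
    for problem in problems:
        print("FAIL:", problem)
    raise SystemExit(1 if problems else 0)
```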
Environment variables
| Variable | Description |
|---|---|
| `FULLSEND_GCP_PROJECT_ID` | GCP project with Vertex AI API enabled |
| `CLOUD_ML_REGION` | Vertex AI region (default: `global`) |
| `GOOGLE_APPLICATION_CREDENTIALS` | Path to a service account key JSON with `roles/aiplatform.user` in the project |
Create a service account and key if you don't have one:
```bash
gcloud iam service-accounts create fullsend-runner \
  --display-name="Fullsend Runner" \
  --project=<your-gcp-project>
gcloud projects add-iam-policy-binding <your-gcp-project> \
  --member="serviceAccount:fullsend-runner@<your-gcp-project>.iam.gserviceaccount.com" \
  --role="roles/aiplatform.user" \
  --condition=None
gcloud iam service-accounts keys create /tmp/sa-key.json \
  --iam-account=fullsend-runner@<your-gcp-project>.iam.gserviceaccount.com
export GOOGLE_APPLICATION_CREDENTIALS=/tmp/sa-key.json
export FULLSEND_GCP_PROJECT_ID=<your-gcp-project>
```

The fullsend run CLI must also be installed and in your $PATH.
Steps
Automated (fullsend run)
Navigate to the experiment directory:

```bash
cd experiments/host-side-api-server
```

Run the setup script to build Go binaries and verify prerequisites:

```bash
./setup.sh
```

Run a harness:

```bash
./run.sh baked-instructions-full
```

Available harnesses (3 discovery methods × 2 policies):

- `baked-instructions-full` / `baked-instructions-restricted`
- `openapi-discovery-full` / `openapi-discovery-restricted`
- `tooluse-discovery-full` / `tooluse-discovery-restricted`

Results are saved to `results/`.
Expected Output
- Both API servers start and pass health checks
- Sandbox is created with L7 policy applied
- From inside the sandbox, `curl` to API server endpoints succeeds for allowed endpoints and returns 403 for restricted ones
- Container build via host API completes successfully
- Repo provisioning clones, scans, and reports results
