SANDBOX_SET_UID_GID option for systems where this is necessary (should be only rootful docker on linux w/o userns-remap configured) (#210)

* SANDBOX_SET_UID_GID option for systems where this is necessary (should be only rootful docker on linux w/o userns-remap configured)

* Merge remote-tracking branch 'origin/main' into sandbox_uid_gid

scripts/sandbox_command.sh

@@ -22,15 +22,15 @@ set -euo pipefail
 QUIET=false
 while getopts ":q" opt; do
     case ${opt} in
-        q ) QUIET=true ;;
-        \? ) echo "Usage: $0 [-q]"
-            exit 1
-            ;;
+    q) QUIET=true ;;
+    \?)
+        echo "Usage: $0 [-q]"
+        exit 1
+        ;;
     esac
 done
 shift $((OPTIND - 1))
 
-
 # if GEMINI_CODE_SANDBOX is not set, try to source .env in case set there
 # allow .env to be in any ancestor directory (same as findEnvFile in config.ts)
 if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then
@@ -57,10 +57,10 @@ fi
 
 # if GEMINI_CODE_SANDBOX is set to 1 or true, then try to use docker or podman
 if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]]; then
-    if command -v docker &> /dev/null; then
+    if command -v docker &>/dev/null; then
         if [ "$QUIET" = false ]; then echo "docker"; fi
         exit 0
-    elif command -v podman &> /dev/null; then
+    elif command -v podman &>/dev/null; then
         if [ "$QUIET" = false ]; then echo "podman"; fi
         exit 0
     else
@@ -69,7 +69,7 @@ if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]]; then
     fi
 fi
 
-if ! command -v "$GEMINI_CODE_SANDBOX" &> /dev/null; then
+if ! command -v "$GEMINI_CODE_SANDBOX" &>/dev/null; then
     echo "ERROR: missing sandbox command '$GEMINI_CODE_SANDBOX' (from GEMINI_CODE_SANDBOX)" >&2
     exit 1
 fi

scripts/start.sh

@@ -30,4 +30,4 @@ else
     else
         CLI_VERSION='development' DEV=true node ./packages/cli "$@"
     fi
-fi
+fi

scripts/start_sandbox.sh

@@ -44,10 +44,10 @@ fi
 run_args=(-it --rm --init --workdir "$WORKDIR")
 
 # mount current directory as $WORKDIR inside container
-run_args+=(-v "$PWD:$WORKDIR")
+run_args+=(--volume "$PWD:$WORKDIR")
 
 # mount $TMPDIR as /tmp inside container
-run_args+=(-v "${TMPDIR:-/tmp/}:/tmp")
+run_args+=(--volume "${TMPDIR:-/tmp/}:/tmp")
 
 # if .env exists, source it before checking/parsing environment variables below
 # allow .env to be in any ancestor directory (same as findEnvFile in config.ts)
@@ -81,7 +81,7 @@ if [ -n "${SANDBOX_MOUNTS:-}" ]; then
                 exit 1
             fi
             echo "SANDBOX_MOUNTS: $from -> $to ($opts)"
-            run_args+=(-v "$mount")
+            run_args+=(--volume "$mount")
         fi
     done
 fi
@@ -130,7 +130,7 @@ run_args+=(--env "SANDBOX=$IMAGE-$INDEX")
 node_args=()
 if [ -n "${DEBUG:-}" ]; then
     node_args+=(--inspect-brk="0.0.0.0:$DEBUG_PORT")
-    run_args+=(-p "$DEBUG_PORT:$DEBUG_PORT")
+    run_args+=(--publish "$DEBUG_PORT:$DEBUG_PORT")
 fi
 node_args+=("$CLI_PATH" "$@")
 
@@ -142,13 +142,20 @@ if [ -n "${SANDBOX_PORTS:-}" ]; then
     for port in $ports; do
         if [ -n "$port" ]; then
             echo "SANDBOX_PORTS: $port"
-            run_args+=(-p "$port:$port")
+            run_args+=(--publish "$port:$port")
             bash_cmd+="socat TCP4-LISTEN:$port,bind=\$(hostname -i),fork,reuseaddr TCP4:127.0.0.1:$port 2> /dev/null& "
         fi
     done
 fi
 bash_cmd+="node $(printf '%q ' "${node_args[@]}")" # printf fixes quoting within args
 
+# specify --user as "$(id -u):$(id -g)" if SANDBOX_SET_UID_GID is 1|true
+# only necessary if user mapping is not handled by sandboxing setup on host
+# (e.g. rootful docker on linux w/o userns-remap configured)
+if [[ "${SANDBOX_SET_UID_GID:-}" =~ ^(1|true)$ ]]; then
+    run_args+=(--user "$(id -u):$(id -g)")
+fi
+
 # run gemini-code in sandbox container
 if [[ "$CMD" == "podman" ]]; then
     # use empty --authfile to skip unnecessary auth refresh overhead