Fix remote sandbox permissions (#11582)

2026-01-09 14:57:59 -05:00 · 2025-10-30 16:13:02 -06:00
parent ec670cd130
commit 7272eae758
4 changed files with 23 additions and 13 deletions
--- a/openhands/app_server/app_conversation/git_app_conversation_service.py
+++ b/openhands/app_server/app_conversation/git_app_conversation_service.py
@@ -56,6 +56,14 @@ class GitAppConversationService(AppConversationService, ABC):
    ):
        request = task.request

+        # Create the projects directory if it does not exist yet
+        parent = Path(workspace.working_dir).parent
+        result = await workspace.execute_command(
+            f'mkdir {workspace.working_dir}', parent
+        )
+        if result.exit_code:
+            _logger.warning(f'mkdir failed: {result.stderr}')
+
        if not request.selected_repository:
            if self.init_git_in_empty_workspace:
                _logger.debug('Initializing a new git repository in the workspace.')
@@ -81,7 +89,8 @@ class GitAppConversationService(AppConversationService, ABC):
        # Clone the repo - this is the slow part!
        clone_command = f'git clone {remote_repo_url} {dir_name}'
        result = await workspace.execute_command(clone_command, workspace.working_dir)
-        print(result)
+        if result.exit_code:
+            _logger.warning(f'Git clone failed: {result.stderr}')

        # Checkout the appropriate branch
        if request.selected_branch:
--- a/openhands/app_server/app_conversation/live_status_app_conversation_service.py
+++ b/openhands/app_server/app_conversation/live_status_app_conversation_service.py
@@ -9,7 +9,7 @@ from uuid import UUID, uuid4

 import httpx
 from fastapi import Request
-from pydantic import Field, SecretStr, TypeAdapter
+from pydantic import Field, TypeAdapter

 from openhands.agent_server.models import (
    ConversationInfo,
@@ -443,7 +443,7 @@ class LiveStatusAppConversationService(GitAppConversationService):
                    expires_in=self.access_token_hard_timeout,
                )
                secrets[GIT_TOKEN] = LookupSecret(
-                    url=self.web_url + '/ap/v1/webhooks/secrets',
+                    url=self.web_url + '/api/v1/webhooks/secrets',
                    headers={'X-Access-Token': access_token},
                )
            else:
@@ -452,7 +452,7 @@ class LiveStatusAppConversationService(GitAppConversationService):
                # on the type, this may eventually expire.
                static_token = await self.user_context.get_latest_token(git_provider)
                if static_token:
-                    secrets[GIT_TOKEN] = StaticSecret(value=SecretStr(static_token))
+                    secrets[GIT_TOKEN] = StaticSecret(value=static_token)

        workspace = LocalWorkspace(working_dir=working_dir)

--- a/openhands/app_server/sandbox/remote_sandbox_service.py
+++ b/openhands/app_server/sandbox/remote_sandbox_service.py
@@ -124,7 +124,9 @@ class RemoteSandboxService(SandboxService):
            try:
                runtime = await self._get_runtime(stored.id)
            except Exception:
-                _logger.exception('Error getting runtime: {stored.id}', stack_info=True)
+                _logger.exception(
+                    f'Error getting runtime: {stored.id}', stack_info=True
+                )

        if runtime:
            # Translate status
@@ -150,7 +152,7 @@ class RemoteSandboxService(SandboxService):
                    exposed_urls.append(ExposedUrl(name=AGENT_SERVER, url=url))
                    vscode_url = (
                        _build_service_url(url, 'vscode')
-                        + f'/?tkn={session_api_key}&folder={runtime["working_dir"]}'
+                        + f'/?tkn={session_api_key}&folder=%2Fworkspace%2Fproject'
                    )
                    exposed_urls.append(ExposedUrl(name=VSCODE, url=vscode_url))
                    exposed_urls.append(
@@ -308,14 +310,13 @@ class RemoteSandboxService(SandboxService):
            start_request: dict[str, Any] = {
                'image': sandbox_spec.id,  # Use sandbox_spec.id as the container image
                'command': sandbox_spec.command,
-                #'command': ['python', '-c', 'import time; time.sleep(300)'],
-                'working_dir': sandbox_spec.working_dir,
+                'working_dir': '/workspace',
                'environment': environment,
                'session_id': sandbox_id,  # Use sandbox_id as session_id
                'resource_factor': self.resource_factor,
-                'run_as_user': 1000,
-                'run_as_group': 1000,
-                'fs_group': 1000,
+                'run_as_user': 10001,
+                'run_as_group': 10001,
+                'fs_group': 10001,
            }

            # Add runtime class if specified
@@ -530,7 +531,7 @@ async def refresh_conversation(
        # TODO: It would be nice to have an updated_at__gte filter parameter in the
        # agent server so that we don't pull the full event list each time
        event_url = (
-            f'{url}/ap/conversations/{app_conversation_info.id.hex}/events/search'
+            f'{url}/api/conversations/{app_conversation_info.id.hex}/events/search'
        )
        page_id = None
        while True:
--- a/openhands/app_server/sandbox/remote_sandbox_spec_service.py
+++ b/openhands/app_server/sandbox/remote_sandbox_spec_service.py
@@ -30,7 +30,7 @@ def get_default_sandbox_specs():
                'OH_BASH_EVENTS_DIR': '/workspace/bash_events',
                'OH_VSCODE_PORT': '60001',
            },
-            working_dir='/workspace/projects',
+            working_dir='/workspace/project',
        )
    ]