feat(drivers): support docker and podman config mounts by drew · Pull Request #1785 · NVIDIA/OpenShell

drew · 2026-06-05T20:56:32Z

Summary

Adds driver-config mount support for local Docker and Podman sandboxes. Docker accepts existing named volumes and tmpfs mounts; Podman accepts existing named volumes, tmpfs mounts, and image mounts. Host bind mounts remain out of the driver-config schema, and NFS is supported through pre-created runtime-managed named volumes.

Related Issue

N/A. Follow-up to #1744.

Changes

Parse and validate per-sandbox mount config for Docker and Podman from --driver-config-json.
Validate Docker and Podman named volumes exist before sandbox creation.
Add Podman image mount support and image pull handling; keep Docker image mounts unsupported.
Document per-driver mount behavior in reference and sandbox management docs.

Testing

mise run pre-commit passes
Unit tests added/updated
E2E tests added/updated (if applicable)

Checklist

Follows Conventional Commits
Commits are signed off (DCO)
Architecture docs updated (if applicable)

github-actions · 2026-06-05T20:56:59Z

🌿 Preview your docs: https://nvidia-preview-pr-1785.docs.buildwithfern.com/openshell

copy-pr-bot · 2026-06-05T21:49:00Z

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

drew · 2026-06-08T04:16:19Z

/ok to test 113bbea

github-actions · 2026-06-09T05:37:42Z

Label test:e2e applied, but pull-request/1785 is at 113bbea while the PR head is 08b333d. A maintainer needs to comment /ok to test 08b333dd4c8ff2018646bb57aabe7f8abe5890c7 to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

drew · 2026-06-09T06:02:35Z

/ok to test f37da23

benoitf · 2026-06-10T12:49:09Z

hello, FYI I tried in on macOS with a podman machine and I was able to mount my local folder into a work subfolder or /sandbox 👍

drew · 2026-06-10T16:05:03Z

Pushed fixes in b00108b.

Addressed the open mount feedback:

moved shared protobuf Struct conversion and mount path validation into openshell-core
reserved /etc/openshell-tls and shared the reserved target logic across Docker and Podman
kept /sandbox exact-only reserved so /sandbox/work remains a supported target
changed user bind/volume mounts to default read-only unless read_only: false is explicit
gated Docker local-driver bind-backed named volumes behind enable_bind_mounts, using the existing inspect_volume preflight
simplified the Docker HostConfig mounts assignment
updated driver docs, gateway config docs, and architecture notes for the new defaults and host-path behavior

drew · 2026-06-10T16:49:39Z

/ok to test b00108b

Signed-off-by: Drew Newberry <anewberry@nvidia.com>

drew requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners June 5, 2026 20:56

drew marked this pull request as draft June 5, 2026 21:48

elezar reviewed Jun 6, 2026

View reviewed changes

Comment thread crates/openshell-driver-docker/src/lib.rs

elezar reviewed Jun 8, 2026

View reviewed changes

Comment thread docs/reference/sandbox-compute-drivers.mdx

elezar reviewed Jun 8, 2026

View reviewed changes

Comment thread crates/openshell-driver-podman/src/container.rs

drew added the test:e2e Requires end-to-end coverage label Jun 9, 2026

drew marked this pull request as ready for review June 10, 2026 00:35