Releases: NVIDIA/OpenShell

OpenShell v0.0.39

12 May 15:22
df5a8b9

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.39 sh

What's Changed

  • feat(gpu): honor device IDs in Docker and Podman by @elezar in #1253
  • feat(k8s): support ImageVolumeSource for supervisor sideload by @mrunalp in #1300
  • ci(kubernetes): add kube gateway e2e tests and gated CI workflow by @TaylorMutch in #1251
  • fix(driver-kubernetes): propagate log_level as OPENSHELL_LOG_LEVEL env var by @mesutoezdil in #1310
  • docs(helm): document supervisor.sideloadMethod and sandboxNamespace default by @mesutoezdil in #1309
  • fix(vm): use bash 3.2-safe empty array expansion in supervisor build by @benoitf in #1311
  • fix(vm): correct /sandbox ownership when rootfs is built by non-root host by @benoitf in #1176
  • docs(rfc): add gateway configuration file RFC by @TaylorMutch in #951
  • feat(relay): route forwarding through ForwardTcp by @pimlock in #1029
  • fix(sandbox): rewrite messaging credential placeholders by @ericksoa in #1286
  • fix(providers): read opencode config file during credential discovery by @ericcurtin in #1290

Full Changelog: v0.0.38...v0.0.39

OpenShell Development Build

18 Mar 21:11
df5a8b9

Pre-release

This build is automatically published on every commit to main that passes CI.

NOTE: This is a development build, not a tagged release, and may be unstable.

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=dev sh

OpenShell v0.0.38

11 May 15:32
dfd4768

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.38 sh

What's Changed

  • fix(install): register local gateway before probing listener by @drew in #1280
  • fix(helm): derive sandboxNamespace from Release.Namespace instead of hardcoding by @sauagarwa in #1282
  • chore(installer): promote package install script by @drew in #1261
  • feat: agent-driven policy management MVP by @zredlined in #1151
  • docs: document OPENSHELL_SSH_HANDSHAKE_SECRET in Getting Started by @russellb in #1287
  • fix(gateway): update Podman supervisor build task name by @russellb in #1288
  • fix(installer): guard incompatible v0.0.37 upgrades by @drew in #1294
  • fix(docker): add SELinux labeling to bind mounts by @derekwaynecarr in #1291
  • docs(readme): add roadmap and RFC issue guidance by @drew in #1284
  • docs(rfc): move policy management RFC to 0002 by @drew in #1283
  • feat(driver-kubernetes): disable service account token auto-mounting by @derekwaynecarr in #1298
  • fix(docker): route VM-Docker runtimes through host-gateway by @laitingsheng in #1301
  • (feat) early snap support by @zyga in #1238

Full Changelog: v0.0.37...v0.0.38

OpenShell v0.0.37

08 May 22:42
b8e8743

v0.0.37 is a breaking release with major updates to the gateway, entity model, and sandbox scheduling.

Gateway persistence now uses a shared entity schema with Kubernetes-style metadata and labels, and policy revisions plus draft policy recommendations now live in that object model instead of dedicated policy tables. This also changes public protobuf shapes for core resources like sandboxes, providers, and SSH sessions, so existing clients and gateways will need to be recreated.

On the runtime side, RFC-0001 is now substantially implemented with pluggable compute drivers for Docker, Podman, Kubernetes, and experimental MicroVM-backed sandboxes.

This release also introduces an experimental Helm chart for Kubernetes and OpenShift deployments.

Also new in this release: initial provider profiles and sandbox-provider attach lifecycle, OIDC/RBAC gateway auth, GraphQL L7 policy inspection, Kubernetes user namespace support, and expanded Debian/RPM/Homebrew packaging.

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.37 sh

Upgrading from v0.0.36 or earlier

v0.0.37 is not compatible with existing gateway state from earlier releases. openshell start|stop|destroy commands have been removed. Starting in v0.0.37, the gateway service is managed as a proper system service set up by the system's package manager.

Before upgrading, back up anything you need from existing sandboxes. Then clean up the old runtime before installing v0.0.37:

openshell sandbox delete --all

openshell gateway destroy

openshell gateway destroy must be run before upgrading, while you still have the v0.0.36 or earlier CLI installed. In v0.0.37, gateway lifecycle is no longer managed by the openshell gateway start|stop|destroy commands. Once you have destroyed the gateway, you can delete the openshell binary on your path.

After cleanup, reinstall OpenShell using the current installation instructions:

https://docs.nvidia.com/openshell/latest/about/installation

After reinstalling, recreate your sandboxes and re-register or reconfigure any providers, policies, and gateway settings you still need.

What's Changed

  • fix(driver-vm): preflight supervisor cross-compile toolchain in start.sh by @pimlock in #931
  • fix(ci): E2E gate must verify work actually ran, not just top-level success by @pimlock in #926
  • fix(ci): bump ci-image tooling versions to clear vendored CVEs by @johntmyers in #929
  • fix(ci): bump helm to 4.1.4 for plugin CVE fixes by @johntmyers in #928
  • fix(skills): remove --assignee @me from gh pr/issue create commands by @sjenning in #937
  • chore(mise): replace deprecated ubi: prefix by github: prefix by @benoitf in #923
  • fix(ci): rename mise --no-prepare to --no-deps by @pimlock in #942
  • feat(server): add Prometheus metrics infrastructure and gRPC/HTTP request metrics by @sjenning in #920
  • fix(ci): post E2E Gate check to the PR when workflow_run fires by @pimlock in #938
  • chore(helm): remove unused ClusterRole and ClusterRoleBinding by @TaylorMutch in #943
  • feat(ci): add shadow-shared-cpu-spike workflow for OS-49 Phase 2 by @jtoelke2 in #934
  • chore(ci): add ARC baseline collector for OS-49 runner migration by @jtoelke2 in #927
  • fix(ci): expose GHA sccache env in shadow-shared-cpu-spike by @jtoelke2 in #950
  • feat(ci): add driver input to setup-buildx action by @jtoelke2 in #941
  • fix(cli): preserve source directory on sandbox upload by @mjamiv in #952
  • fix(sandbox): route console logs to stderr by @johntmyers in #949
  • fix(e2e): add /dev/urandom to provider test sandbox policy by @derekwaynecarr in #948
  • test(e2e): fix rust upload path assertions by @drew in #960
  • test(e2e): fix gitignore upload assertion path by @johntmyers in #962
  • fix(ci): partition GHA sccache cache per arch in shadow spike by @jtoelke2 in #961
  • Openshell driver podman by @maxamillion in #904
  • feat(ci): add Markdown and Mermaid linting by @pimlock in #933
  • feat(docker): add BINARY_SOURCE selector for prebuilt Rust binaries by @jtoelke2 in #945
  • test(e2e): fix filtered upload path assertion by @drew in #963
  • feat(ci): add shadow-docker-build workflow for OS-49 Phase 3 by @jtoelke2 in #964
  • fix(ci): use nv-gha-runners buildkit mirror to avoid Docker Hub rate limit by @jtoelke2 in #966
  • fix(docs): scope fenced code language linting by @pimlock in #965
  • fix(ci): make buildkitd-config opt-in for setup-buildx by @jtoelke2 in #970
  • fix(ci): ignore local artifacts in license checks by @johntmyers in #974
  • fix(scripts): handle docker cleanup when no containers are running by @derekwaynecarr in #977
  • feat(server): add object meta convention to top-level objects by @derekwaynecarr in #919
  • fix(ci): patch CI container vulnerability toolchain by @johntmyers in #959
  • docs(rfc): add core architecture RFC by @drew in #836
  • fix(e2e): use high UID range to avoid host user conflicts by @derekwaynecarr in #978
  • ci(e2e): add label dispatcher and contributor CI docs by @pimlock in #975
  • ci(e2e): replace label dispatcher with comment-only helper by @pimlock in #990
  • fix(deps): add missing cargo-zigbuild dependency for macOS cross-compilation by @benoitf in #986
  • docs: weekly documentation refresh by @miyoungc in #993
  • fix(sandbox): deny ambiguous socket ownership by @johntmyers in #958
  • chore(ci): relax agent diagnostic gate by @johntmyers in #1001
  • chore(mise): add lockfile with multi-platform support and version pin by @pimlock in #946
  • fix(podman): use podman machine socket path on macOS by @benoitf in #999
  • feat(server): add bundled docker compute driver by @drew in #888
  • fix(ci): grant actions:read and contents:read to E2E label helper by @pimlock in #995
  • chore(tools): sync mise version to v2026.4.25 by @TaylorMutch in #1013
  • feat(ci): add shadow-rust-native-build workflow for OS-49 Phase 4 (PR 4a) by @jtoelke2 in #973
  • refactor(server): unify policy persistence in objects table by @johntmyers in #972
  • fix(cli): preserve directory basename for filtered uploads by @johntmyers in #1028
  • fix(net): catch IPv4-mapped blocked ranges in is_always_blocked_net by @mesutoezdil in #1032
  • feat(openshell-vm): add tty support for exec by @benoitf in #939
  • Adding qemu vm driver support with GPU pass-through by @vince-brisebois in #992
  • ci(rust): enforce -D warnings on clippy by @drew in #1008
  • fix(sandbox): log L7 parse denials by @johntmyers in #1072
  • fix(sandbox): preserve encoded slash policy from proto by @pimlock in #1073
  • ci(docker): use prebuilt Rust binaries by default by @jtoelke2 in #1027
  • ci(rust): keep sccache stats non-blocking by @jtoelke2 in #1074
  • docs(examples): add multi-agent notepad demo by @zredlined in #991
  • ci: add OS-49 phase 5 shadow workflows by @jtoelke2 in #1075
  • feat(auth): add OIDC/Keycloak authentication with RBAC and scope-based permissions by @mrunalp in #935
  • chore(ci): update checkout action to v6 by @drew in #1086
  • fix(docker): set apparmor=unconfined on sandbox containers by @elezar in #1078
  • feat(docker): enable CDI GPU sandboxes by @elezar in #1036
  • feat(server): add auto-detection of compute driver at startup by @sjenning in #1088
  • test(e2e): skip docker gpu test in rust suite by @pimlock in #110...

OpenShell VM Runtime

06 May 05:44
35815fc

Pre-release

Build of the OpenShell VM runtime artifacts used by openshell-driver-vm.

NOTE: This is a development build.

Kernel Runtime Artifacts

Pre-built kernel runtime (libkrunfw + libkrun + gvproxy) for embedding into
the openshell-driver-vm binary. These are rebuilt on demand when the kernel
config or pinned dependency versions change.

Platform        Artifact
Linux ARM64     vm-runtime-linux-aarch64.tar.zst
Linux x86_64    vm-runtime-linux-x86_64.tar.zst
macOS ARM64     vm-runtime-darwin-aarch64.tar.zst

Verify

gh release download vm-runtime -R NVIDIA/OpenShell -p vm-runtime-linux-x86_64.tar.zst
gh attestation verify vm-runtime-linux-x86_64.tar.zst -R NVIDIA/OpenShell

OpenShell v0.0.36

23 Apr 15:18
4483c86

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/refs/tags/v0.0.36/install.sh | OPENSHELL_VERSION=v0.0.36 sh

What's Changed

  • feat(server): allow disabling health check listener by @TaylorMutch in #915
  • add configurable timeout for image transfer to gateway containerd by @tmckayus in #914
  • fix(sandbox): preserve explicit read-only baseline paths by @johntmyers in #910
  • fix(sandbox): resolve sandbox host aliases in SSRF checks by @johntmyers in #912
  • fix(sandbox): inject GIT_SSL_CAINFO so git clone trusts the sandbox CA by @laitingsheng in #918
  • ci(e2e): enable E2E to run on external forks through the copy-pr-bot flow by @pimlock in #922
  • feat(server,driver-vm,e2e): gateway-owned readiness + VM compute driver e2e by @drew in #901

Full Changelog: v0.0.35...v0.0.36

OpenShell v0.0.35

22 Apr 15:04
42c3cf6

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.35 sh

What's Changed

  • feat(server,sandbox): supervisor-initiated SSH connect and exec over gRPC-multiplexed relay by @pimlock in #867
  • feat(server): add request-level logging via TraceLayer by @sjenning in #895
  • feat(server): serve health endpoints on separate unauthenticated port by @sjenning in #903
  • fix(k8s-driver): use dedicated kube client without read_timeout for watches by @sjenning in #907

Full Changelog: v0.0.34...v0.0.35

OpenShell v0.0.34

21 Apr 15:00
c960d48

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.34 sh

What's Changed

  • feat(policy): add incremental sandbox policy updates by @johntmyers in #860
  • fix(cli,tui): escape and validate SSH session response fields by @johntmyers in #876
  • fix(sandbox): apply supervisor seccomp prelude by @johntmyers in #891
  • feat(install-vm): install gateway + vm driver, add --driver-dir resolution by @drew in #887
  • fix(cli): sandbox get returns currently active runtime policy by @TaylorMutch in #880
  • fix(sandbox): canonicalize HTTP request-targets before L7 policy evaluation by @johntmyers in #878

Full Changelog: v0.0.33...v0.0.34

OpenShell v0.0.33

20 Apr 15:14
e39bb38

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.33 sh

What's Changed

  • fix(sandbox): harden seccomp, inference routing, and process limits by @johntmyers in #869
  • feat(vm): add standalone libkrun compute driver by @drew in #858
  • docs: fix TOC structure by @miyoungc in #797
  • docs: refresh user-facing docs for recent sandbox and inference changes by @miyoungc in #868
  • docs(contributing): add bash shell setup example for mise by @mrunalp in #877
  • fix(sandbox): strip " (deleted)" suffix from unlinked /proc/<pid>/exe paths by @mjamiv in #844
  • test(sandbox): fix flaky arm64 procfs binary_path tests by @pimlock in #881

Full Changelog: v0.0.32...v0.0.33

OpenShell v0.0.32

17 Apr 14:52
3bc8e44

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.32 sh

What's Changed

  • feat(sandbox): load system CA certificates for upstream TLS connections by @matz3 in #862
  • feat(release): publish standalone openshell-gateway binaries by @drew in #853
  • docs(rfc): adopt per-RFC folder structure by @drew in #870

Full Changelog: v0.0.31...v0.0.32