# codex-container-sandbox

Use this when you want:

- Full egress/network for `codex` (web search, fetching, etc.)
- Tight filesystem boundaries via container bind mounts (repo root + explicit allowlist)

This repo contains a wrapper script intended to be installed as `codex-container-sandbox`.
## Workflow

- Build the image

  From the repo root (this repository):

  ```bash
  podman build -t localhost/codex-container-sandbox:latest -f Containerfile .
  ```

- Install the wrapper

  ```bash
  install -m 0755 codex-container-sandbox ~/.local/bin/codex-container-sandbox
  ```

- (Optional) Configure extra mounts

  Create `~/.config/codex-container-sandbox/config.sh`:

  ```bash
  CODEX_CONTAINER_SANDBOX_IMAGE="localhost/codex-container-sandbox:latest"

  # Extra read-only mounts (mapped under /home/codex/... if under $HOME)
  CODEX_CONTAINER_SANDBOX_RO_MOUNTS=(
    "$HOME/.local/bin"
  )

  # Extra read-write mounts
  CODEX_CONTAINER_SANDBOX_RW_MOUNTS=(
    "$HOME/.cache/uv"
    "$HOME/tmp"
  )
  ```

- Login once inside the container

  ```bash
  codex-container-sandbox --shell codex login
  ```

- Run the self-test (recommended)

  ```bash
  ./selftest.sh
  ```

  If this repo is vendored as a git submodule at `./codex-container-sandbox/` (for example in a dotfiles repo), either:

  - `cd codex-container-sandbox && ./selftest.sh`, or
  - run `./codex-container-sandbox/selftest.sh` from the parent repo root.

- Run Codex

  ```bash
  codex-container-sandbox exec "Summarize this repo"
  ```
## Safety notes

- This wrapper runs Codex in full-yolo mode (`--dangerously-bypass-approvals-and-sandbox`) with full networking. Anything mounted into the container can be exfiltrated.
- Keep mounts minimal; do not mount secrets, password stores, SSH keys, or large chunks of `$HOME` unless you intend to expose them.
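As an added example (not code from this repository), the shell function below turns one entry from `CODEX_CONTAINER_SANDBOX_RO_MOUNTS` or `CODEX_CONTAINER_SANDBOX_RW_MOUNTS` into a podman `-v` argument, applying the `$HOME` to `/home/codex/...` remapping described in the configuration step and refusing the kinds of paths the safety notes warn against. The function name `mount_arg`, its argument order and the denylist of secret stores are assumptions for illustration, not part of the wrapper.

```bash
# mount_arg HOST_PATH MODE [HOST_HOME]
#   MODE is "ro" or "rw". Prints "-v host:container:mode" on stdout.
#   Returns 1 (with a reason on stderr) when the path is refused.
mount_arg() {
  host_path=$1
  mode=$2
  host_home=${3:-$HOME}

  case "$mode" in
    ro|rw) ;;
    *) echo "mount_arg: mode must be ro or rw, got '$mode'" >&2; return 1 ;;
  esac

  # Only absolute paths: a relative source would make podman create a named volume.
  case "$host_path" in
    /*) ;;
    *) echo "mount_arg: refusing '$1' (not an absolute path)" >&2; return 1 ;;
  esac

  # Drop a trailing slash so "$HOME/" and "$HOME" compare equal.
  host_path=${host_path%/}
  host_home=${host_home%/}

  # Refuse to expose the whole home directory or the filesystem root.
  if [ -z "$host_path" ] || [ "$host_path" = "$host_home" ]; then
    echo "mount_arg: refusing '$1' (exposes everything under it)" >&2
    return 1
  fi

  # Refuse well-known secret stores. This denylist is a constructed example;
  # extend it for whatever your own $HOME holds.
  for secret in .ssh .gnupg .password-store .aws .config/gcloud; do
    case "$host_path" in
      "$host_home/$secret"|"$host_home/$secret"/*)
        echo "mount_arg: refusing '$1' (secret store)" >&2
        return 1 ;;
    esac
  done

  # Paths under the host $HOME are remapped under the container user's home.
  case "$host_path" in
    "$host_home"/*) container_path="/home/codex${host_path#"$host_home"}" ;;
    *)              container_path=$host_path ;;
  esac

  printf -- '-v %s:%s:%s\n' "$host_path" "$container_path" "$mode"
}
```

Running it over each configured array before the `podman run` turns a silent misconfiguration (an SSH directory slipped into an allowlist) into a refused start.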