Support matrix

This page lists the platform, software, runtime, and kernel requirements for running OpenShell.

Supported platforms

OpenShell publishes multi-architecture container images for `linux/amd64` and `linux/arm64`. The CLI is supported on the following host platforms:

| Platform | Architecture | Status |
| --- | --- | --- |
| Linux (Debian/Ubuntu) | x86_64 (amd64) | Supported |
| Linux (Debian/Ubuntu) | aarch64 (arm64) | Supported |
| macOS (Docker Desktop) | Apple Silicon (arm64) | Supported |
| Windows (WSL 2 + Docker Desktop) | x86_64 | Experimental |

On macOS, kernel security modules (Landlock, seccomp) run inside the Docker Desktop Linux VM, not on the host kernel.

Software prerequisites

The following software must be installed and running on the host before using the OpenShell CLI:

| Component | Minimum version | Notes |
| --- | --- | --- |
| Docker Desktop or Docker Engine | 28.04 | Must be running before any `openshell` command. |

Container images

OpenShell publishes two container images. Both are published for `linux/amd64` and `linux/arm64`.

| Image | Reference | Pulled when |
| --- | --- | --- |
| Cluster | `ghcr.io/nvidia/openshell/cluster:latest` | `openshell gateway start` |
| Gateway | `ghcr.io/nvidia/openshell/gateway:latest` | Cluster startup (via Helm chart) |

The cluster image bundles the Helm charts, Kubernetes manifests, and the `openshell-sandbox` supervisor binary required to bootstrap the control plane. The supervisor binary is side-loaded into sandbox pods at runtime through a read-only host volume mount. The gateway image is pulled at cluster startup and runs the API server.

Sandbox images are maintained separately in the openshell-community repository. Refer to that repository for the current list of installed components and their versions.

Image overrides

To override the default image references, set the following environment variables before running `openshell` commands:

| Variable | Purpose |
| --- | --- |
| `OPENSHELL_CLUSTER_IMAGE` | Override the cluster image reference. |
| `OPENSHELL_COMMUNITY_REGISTRY` | Override the registry for community sandbox images. |

```bash
export OPENSHELL_CLUSTER_IMAGE=registry.example.com/openshell/cluster:dev
openshell gateway start
```

Kernel requirements

OpenShell enforces sandbox isolation through two Linux kernel security modules:

| Module | Requirement | Details |
| --- | --- | --- |
| Landlock LSM | Recommended | Enforces filesystem access restrictions at the kernel level. `best_effort` compatibility uses the highest supported ABI; `hard_requirement` fails if the required ABI is unavailable. |
| seccomp | Required | Filters dangerous system calls. Available on all modern Linux kernels (3.17+). |

Use `landlock.compatibility: best_effort` (the default) to maximize portability across kernel versions while still taking advantage of Landlock when it is available.
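
A host preflight for the two kernel modules above, as an added example that is not part of OpenShell or its documentation. The function names and verdict strings are hypothetical, and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not OpenShell code. Function names and verdict strings
# are hypothetical.

# True if a comma-separated LSM list (the format of
# /sys/kernel/security/lsm) contains landlock.
has_landlock() {
    case ",$1," in
        *,landlock,*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if /proc/<pid>/status text has a "Seccomp:" field; the kernel
# emits it only when built with seccomp support.
has_seccomp() {
    printf '%s\n' "$1" | grep -q '^Seccomp:'
}

# True if kernel release $1 (e.g. 5.15.0-91-generic) is >= $2.$3.
kernel_at_least() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Prints one verdict: ok | no-landlock | no-seccomp.
# Exits non-zero only when the Required module (seccomp) is missing.
# no-landlock: hard_requirement fails per the table above; best_effort
# is documented as using Landlock only when it is available.
preflight() {
    lsm_list=$1; proc_status=$2; release=$3
    if ! kernel_at_least "$release" 3 17 || ! has_seccomp "$proc_status"; then
        echo "no-seccomp"; return 2
    fi
    if ! has_landlock "$lsm_list"; then
        echo "no-landlock"; return 0
    fi
    echo "ok"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LSM_NEW="lockdown,capability,landlock,yama,apparmor"
SAMPLE_LSM_OLD="capability,yama,apparmor"
SAMPLE_STATUS=$(printf 'Name:\tsh\nSeccomp:\t0\n')

preflight "$SAMPLE_LSM_NEW" "$SAMPLE_STATUS" "6.8.0-31-generic"  # ok
preflight "$SAMPLE_LSM_OLD" "$SAMPLE_STATUS" "5.4.0-150-generic" # no-landlock
```

On a Linux host, pass `"$(cat /sys/kernel/security/lsm)"`, `"$(cat /proc/self/status)"` and `"$(uname -r)"` instead of the samples. The LSM list shows only whether Landlock is active, not its ABI version, which is queried through the `landlock_create_ruleset` syscall.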

Sandbox runtime versions

Sandbox container images are maintained in the openshell-community repository. Refer to that repository for the current list of installed components and their versions.

Default policy

The built-in policy applied when no custom policy is provided.

Policy schema

Complete field reference for the sandbox policy YAML.