codex-container-sandbox

Use this when you want:

• Full egress/network for codex (web search, fetching, etc.)
• Tight filesystem boundaries via container bind mounts (repo root + explicit allowlist)

This repo contains a wrapper script intended to be installed as codex-container-sandbox.

Workflow

1. Build the image

   From the repo root (this repository):

   bashCopy

   podman build -t localhost/codex-container-sandbox:latest -f Containerfile .
   

2. Install the wrapper

   bashCopy

   install -m 0755 codex-container-sandbox ~/.local/bin/codex-container-sandbox
   

3. (Optional) Configure extra mounts

   Create ~/.config/codex-container-sandbox/config.sh:

   bashCopy

   CODEX_CONTAINER_SANDBOX_IMAGE="localhost/codex-container-sandbox:latest"
   
   # Extra read-only mounts (mapped under /home/codex/... if under $HOME)
   CODEX_CONTAINER_SANDBOX_RO_MOUNTS=(
     "$HOME/.local/bin"
   )
   
   # Extra read-write mounts
   CODEX_CONTAINER_SANDBOX_RW_MOUNTS=(
     "$HOME/.cache/uv"
     "$HOME/tmp"
   )
   

4. Login once inside the container

   bashCopy

   codex-container-sandbox --shell
   codex login
   

5. Run the self-test (recommended)

   bashCopy

   ./selftest.sh
   

   If this repo is vendored as a git submodule at ./codex-container-sandbox/ (for example in a dotfiles repo), either:

   • cd codex-container-sandbox && ./selftest.sh, or
   • run ./codex-container-sandbox/selftest.sh from the parent repo root.

6. Run Codex

   bashCopy

   codex-container-sandbox exec "Summarize this repo"
   

Safety notes

• This wrapper runs Codex in full-yolo mode (--dangerously-bypass-approvals-and-sandbox) with full networking. Anything mounted into the container can be exfiltrated.
• Keep mounts minimal; do not mount secrets, password stores, SSH keys, or large chunks of $HOME unless you intend to expose them.