Replies: 1 comment
-
|
Thanks for the detailed write-up—it makes the issues much easier to understand. For (1), I think your analysis makes sense. If the router intentionally removes the Otherwise, the request ends up in an inconsistent state:
Using For (2), I don't think you're missing anything obvious either. On SELinux-enabled Podman systems, bind mounts typically need to be relabeled ( It would be helpful if the maintainers could clarify:
Both issues sound like provider/container compatibility concerns rather than problems with your configuration, so I'd be interested to hear whether they're already on the roadmap or considered enhancement requests. If this answer helped or pointed you in the right direction, I'd appreciate it if you could mark it as the accepted answer so it's easier for others with the same issue to find. Also, if you found my contribution useful, I'd appreciate it if you could check out my GitHub profile, follow me, and star any repositories you find interesting. GitHub: https://github.com/Advait251206 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
I'm trying to run Claude Code inside an OpenShell sandbox on Fedora (Podman driver, SELinux enforcing, v0.0.71) with a Vertex AI provider and I've hit two issues. Wondering if I'm missing something in my setup or if these are known gaps.
Setup:
1)
context_management: Extra inputs are not permittedClaude Code sends a
context_managementfield in the request body (part of thecontext-management-2025-06-27beta). The router strips theanthropic-betaheader for Vertex rawPredict routes (makes sense — Vertex rejects it), but the corresponding body field isn't stripped. Vertex then rejects the unknown field with 400.I'm working around it with
CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1, which works but disables all experimental features. Would it make sense for the router to strip beta-only body fields (likecontext_management) alongside stripping theanthropic-betaheader?2) User bind mounts don't get SELinux relabeling
On Fedora with SELinux enforcing, the bind-mounted
/sandbox/reposis inaccessible to the sandbox user — SELinux blocks it because the source files haveuser_home_tcontext. I noticed that internal TLS bind mounts get thez(shared relabel) option when SELinux is detected, but user-configured bind mounts via--driver-config-jsondon't. Is there a way to pass mount options I'm missing, or would adding automaticzrelabeling for user bind mounts on SELinux systems be a reasonable enhancement?Thanks for any pointers.
Beta Was this translation helpful? Give feedback.
All reactions