Expose sandbox host-path mounts in KOTS (ADDITIONAL_HOST_PATHS)

[ak684]

What

Adds an Additional Host Path Mounts option to the sandbox configuration so admins can mount node host paths into every sandbox — the OSS SANDBOX_VOLUMES equivalent for OHE.

• replicated/config.yaml: new sandbox_additional_host_paths config option (textarea, blank by default).
• replicated/openhands.yaml: passes it to the runtime-api chart as ADDITIONAL_HOST_PATHS.

No chart-template change needed — charts/runtime-api/templates/_env.yaml already ranges .Values.env.

Why

An enterprise customer migrating from OSS Docker OpenHands shares 100GB+ build artifacts into sandboxes via an NFS export mounted on the host, and prefers hostPath over PVC. This surfaces that capability in the admin console.

How it works

The admin enters host_path:container_path[:mode] entries (comma- or newline-separated; mode ro/rw, default rw), e.g. /mnt/nfs-artifacts:/nfs:ro. The host path must already exist on the node — for NFS, pre-mount the export there (on every node for multi-node clusters). Blank = disabled (no-op).

Companion PR

Requires the runtime-api change that reads the env var and builds the hostPath volumes: OpenHands/runtime-api#593.

Testing

• config.yaml + openhands.yaml parse cleanly; the new option renders as type: textarea.
• helm template charts/runtime-api confirms ADDITIONAL_HOST_PATHS reaches both the runtime-api deployment and the warm-runtime pods.

✅ Proven live on a real OHE embedded-cluster install (R03)

With this env wiring delivering the value, a real sandbox pod mounted a node host path and read a host-written sentinel file through a read-only /nfs mount (write correctly denied). See OpenHands/runtime-api#593 for the full end-to-end trace. Internal report: ~/replicated-tests/sandbox-hostpath-volumes/2026-06-14/REPORT.md.

[all-hands-bot]

✅ Review complete.

This review was performed through OpenHands Cloud Automation. You can log in and view the conversation here.

[all-hands-bot]

Code Review: PR #715

Taste Rating

🟢 Good taste - Elegant, simple solution that follows existing patterns

---

This PR adds KOTS configuration to expose sandbox host-path mounts, mirroring the existing SANDBOX_VOLUMES functionality from the OpenHands CLI. The implementation follows the established pattern in this repository:

1. Config option in replicated/config.yaml: A textarea-type KOTS config option with clear help text describing the format
2. Environment variable mapping in replicated/openhands.yaml: Passes the value as ADDITIONAL_HOST_PATHS to the server container

What works well:

• Follows the existing KOTS config → env var pattern used throughout the repo
• Help text is clear and documents the expected format (host_path:container_path[:mode])
• References the equivalent OSS feature (SANDBOX_VOLUMES) for users familiar with that
• Defaults to empty string, so existing deployments are unaffected
• The consumer side (OpenHands agent server) already parses SANDBOX_VOLUMES with comma-separated entries - the naming ADDITIONAL_HOST_PATHS is appropriately consistent

No Critical Issues

The implementation is straightforward and follows existing conventions. The security consideration (allowing arbitrary host path mounts) is inherent to the feature and documented in the help text.

---

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟢 LOW
  This is an additive feature that follows existing patterns. It adds a new optional configuration that defaults to empty (disabled), so existing deployments are unaffected. The downstream consumption (SANDBOX_VOLUMES parsing) already exists in the OpenHands agent server.

VERDICT:
✅ Worth merging: Clean implementation of a well-scoped feature

KEY INSIGHT:
This PR correctly exposes an existing capability (host-path mounts) in the KOTS deployment model by following the established pattern of KOTS config options mapped to environment variables consumed by the agent server.

---

This review was generated by an AI agent (OpenHands) on behalf of the user through OpenHands Automation. View conversation