fix(sandbox): codex 沙盒下保留整个 ~/.codex 为真实路径,修复 SQLite 锁超时起不来#356
Merged
Conversation
codex 启动时在 ~/.codex 下打开 SQLite 状态/日志库(state_*.sqlite、 logs_*.sqlite)。开启文件沙盒后 home 是 overlayfs 合并挂载,而 overlay (内核与 fuse-overlayfs 均是)不支持 SQLite 需要的 POSIX fcntl 字节范围锁, 连接池拿不到锁、阻塞约 57 秒后 codex 退出 code 1("pool timed out"), daemon 侧表现为约 1 分钟后 pane 消失、consecutive restart x2、疑似卡输入框。 修复:把 codex / codex-app 适配器的 authPaths 从 ['~/.codex/auth.json'] 扩到整个 ['~/.codex'],让整目录以真实可写方式 bind 进沙盒(绕开 overlay 锁问题),登录态与会话历史也照旧持久——与 auth.json 同理。代价:codex 自身 state/会话记录落真实盘、不随沙盒隔离;项目代码写入隔离(/land 审阅) 不受影响。所有 codex + sandbox 组合通用,非单个 bot。 验证:以 live/本 build 的 prepareSandbox 生成真实 bwrap 参数、node-pty 起 真 codex TUI 复现——旧值 ~57s 必崩,新值稳跑 90s+ 无 SQLite 报错。更新 适配器 authPaths 单测断言并记录 why。
deepcoldy
added a commit
that referenced
this pull request
Jul 4, 2026
This was referenced Jul 4, 2026
deepcoldy
added a commit
that referenced
this pull request
Jul 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
背景 / 现象
开了
sandbox: true的 codex bot 无法启动:spawn 后约 1 分钟 codex 进程退出 code 1,daemon 侧表现为 pane 消失、consecutive restart x2 — 2nd failed resume attempt、疑似卡在输入框。实际是 codex 自身启动报错:根因
codex 在
~/.codex下打开 SQLite 状态/日志库(state_*.sqlite/logs_*.sqlite)。文件沙盒把 home 以 overlayfs 合并挂载(lower=真实 home,写入隔离到 upper)。overlayfs(内核与 fuse-overlayfs 均是)不支持 SQLite 需要的 POSIX fcntl 字节范围锁,codex 连接池拿不到锁、阻塞约 57s 后超时退出 code 1。改动
把
codex与codex-app适配器的authPaths从['~/.codex/auth.json']扩到整个['~/.codex']。authReal 是真实可写--bind,整目录绕开 overlay 后 SQLite 锁正常工作;登录态/会话历史也照旧持久(与 auth.json 同理)。代价:codex 自身的 state / 会话记录落到真实
~/.codex、不随沙盒隔离(与 auth 一样)。项目代码的写入隔离(/land审阅)不受影响。验证
node-pty拉起真 codex TUI 复现:旧值['~/.codex/auth.json']→ ~57s 必现pool timed out崩溃;新值['~/.codex']→ 稳跑 90s+ 无 SQLite 报错,bwrap 参数含--bind /root/.codex /root/.codex。authPaths单测断言(含 why 注释):pnpm vitest run test/cli-adapters.test.ts test/relay-adapter.test.ts256 通过。pnpm build绿。影响范围
仅改 codex/codex-app 适配器的 sandbox 真实路径集合。未开沙盒、非 codex bot 均不受影响。