# Troubleshooting

English | [中文](TROUBLESHOOTING_zh.md)

## `exec /opt/opensandbox/bootstrap.sh: operation not permitted`

If sandbox logs show:

```text
exec /opt/opensandbox/bootstrap.sh: operation not permitted
```

check the following first:

1. Verify the script exists and is executable inside the sandbox container:
   ```bash
   docker exec -it <sandbox-container> ls -l /opt/opensandbox/bootstrap.sh
   ```
2. Verify runtime security/mount constraints are not blocking execution (for example strict
   confinement or `noexec` mount behavior in host/container runtime setup).
3. If you are running Docker from Snap-based environments (for example Ubuntu Core), prefer
   Docker CE package deployments for production OpenSandbox workloads, because strict runtime
   confinement may block this bootstrap execution path in some setups.
4. Re-run with the latest server and execd images to ensure you include the latest runtime fixes.

If this still reproduces, collect:
- `docker info`
- `docker logs opensandbox-server`
- `docker logs <sandbox-container>`
- your `config.toml` (mask secrets)

## Sandbox health check timed out (e.g. on Alibaba Cloud ECS)

If the client reports:

```text
opensandbox.exceptions.sandbox.SandboxReadyTimeoutException: Sandbox health check timed out after 30.0s (2 attempts). Health check returned false continuously
```

when the server runs on a cloud VM (e.g. [Alibaba Cloud ECS](https://github.com/alibaba/OpenSandbox/issues/297)), the client is likely trying to reach the sandbox at an address it cannot access. The server may be returning a bind address such as `127.0.0.1` or an internal LAN IP in the endpoint URL, so the health check from the client side fails.

**Solution:** Set the bound public IP so that the server returns a reachable address in the sandbox endpoint API. In your config (e.g. `~/.sandbox.toml`), under `[server]`, set `eip` to the VM’s public IP (or the hostname that clients use to reach the server):

```toml
[server]
host = "0.0.0.0"
port = 8080
eip = "47.x.x.x"   # Your ECS public IP, or the hostname clients use to reach this server
```

After restarting the server, the get-endpoint API will use `eip` as the host part of the returned URL, so the client can reach the sandbox for the health check. This applies to the Docker runtime; the server skips resolving `host` when `eip` is set.