Sysbox runtime for Replicated EC installs #610

Draft
jlav wants to merge 1 commit into main from jl/sysbox
jlav commented May 6, 2026

OpenHands uses Sysbox as a runtime class to improve isolation between sandboxes and enable Docker-in-Docker support without having to resort to privileged containers.

Sysbox requires either CRI-O or containerd 2 as the container runtime. The embedded cluster (k0s) is packaged with containerd 1.7, so Sysbox is not supported. We're expecting the next version of k0s to ship with containerd 2, but until then, we've provided a script which installs containerd 2, replaces k0s' usage of containerd 1.7, and configures Sysbox.

Usage Instructions

  1. OpenHands Support must assign you to the dedicated sysbox release channel before you begin the installation process.
  2. Install OpenHands via the Quick Start Guide.
    • You must start from a clean installation. If you have already installed OpenHands, you can start the installation over on your existing VM by executing sudo ./openhands reset. This command will delete your existing installation and all of its data.
    • If resetting an existing cluster, make sure you re-download the latest release via the customer portal.
  3. Wait for the embedded cluster to start completely. A healthy cluster will have both green "Ready" and "Currently Deployed Version" symbols.
  4. Copy the sysbox-containerd2-setup.sh script from this PR onto the VM and execute it as root: sudo bash sysbox-containerd2-setup.sh
  5. Wait for the script to complete. While the script executes, your embedded cluster will restart. OpenHands and the admin console will be unavailable during this time. It may take 5-10 minutes for your cluster to start again, at which point it will show as "Ready" in the admin console.
  6. Log in to OpenHands and start a new conversation. You will be able to ask your agent to interact with Docker. For example, when prompted with "Start a basic hello world server in Docker and curl it", the agent starts the Docker daemon, builds a simple hello world Docker image, and runs it.

This feature is experimental and not intended for production. It will not be possible to migrate from installations using this release channel back to the Stable release channel.

jlav force-pushed the jl/sysbox branch 3 times, most recently from c2b72cc to 661be9c May 6, 2026 12:31
- New scripts/sysbox-containerd2-setup.sh: installs containerd v2.x +
  sysbox-runc on a k0s embedded-cluster host and redirects kubelet to it.
  Verified end-to-end on Ubuntu 24.04.4 / kernel 6.17.0-1012-aws.
- replicated/openhands.yaml: set RUNTIME_CLASS=sysbox-runc on the
  runtime-api env so sandbox pods land on the sysbox-runc RuntimeClass
  the script creates.
- Bump runtime-api image to sha-ab08469 and chart to 0.3.2.
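
A check an operator could run once the cluster is back up, added here as an example and not part of this PR or of OpenHands: it audits the JSON from kubectl get pods -o json for pods that did not land on the sysbox-runc RuntimeClass or that still request privileged mode. The sample pod list and pod names are constructed, and the host-namespace check goes beyond what the PR describes.

```python
import json

# Constructed sample of `kubectl get pods -n <namespace> -o json` output.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "sandbox-a"},
   "spec": {"runtimeClassName": "sysbox-runc",
            "containers": [{"name": "runtime", "securityContext": {"privileged": false}}]}},
  {"metadata": {"name": "sandbox-b"},
   "spec": {"containers": [{"name": "runtime"}]}},
  {"metadata": {"name": "sandbox-c"},
   "spec": {"runtimeClassName": "sysbox-runc", "hostPID": true,
            "containers": [{"name": "runtime"}],
            "initContainers": [{"name": "setup", "securityContext": {"privileged": true}}]}}
]}
""")

EXPECTED_RUNTIME_CLASS = "sysbox-runc"  # value the PR sets in RUNTIME_CLASS
HOST_NAMESPACE_FIELDS = ("hostPID", "hostNetwork", "hostIPC")  # added check (assumption)


def audit_pod(pod, expected=EXPECTED_RUNTIME_CLASS):
    """Return a list of isolation findings for one pod object."""
    spec = pod.get("spec", {})
    findings = []
    actual = spec.get("runtimeClassName")
    if actual != expected:
        findings.append(f"runtimeClassName is {actual!r}, expected {expected!r}")
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field):
            findings.append(f"{field} is enabled")
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append(f"{kind}/{c.get('name')} is privileged")
    return findings


def audit_pod_list(pod_list):
    """Map pod name -> findings, listing only pods with at least one finding."""
    report = {}
    for pod in pod_list.get("items", []):
        findings = audit_pod(pod)
        if findings:
            report[pod["metadata"]["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_pod_list(SAMPLE_POD_LIST).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

To use it against a live cluster, replace SAMPLE_POD_LIST with the parsed output of the pod listing for the namespace where sandbox pods run.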