feat: allow host.docker.internal for local inference#549

Closed
EdwallScaffold wants to merge 1 commit into NVIDIA:main from EdwallScaffold:feat/allow-host-docker-internal-local-inference

Conversation

@EdwallScaffold

Summary

This PR fixes the issue where host.docker.internal was being blocked by the sandbox proxy, preventing local inference scenarios (vLLM, Ollama) from working within OpenShell sandboxes.

Problem

When users configured local inference endpoints using host.docker.internal:8000, the sandbox proxy would reject the connection. This broke legitimate use cases like running vLLM or Ollama on the host machine.

Solution

Added a special case in resolve_and_reject_internal() to allow host.docker.internal to resolve to private IP addresses, while still blocking loopback and link-local addresses for security.

Changes

  • Modified resolve_and_reject_internal() function
  • Added special handling for host.docker.internal
  • Still blocks loopback (127.x.x.x) and link-local (169.254.x.x)
  • Added 3 unit tests
  • Improved error messages with helpful hints

Testing

  • All existing tests pass (74 tests in proxy module)
  • New tests verify Docker bridge IP ranges
  • End-to-end test with vLLM on host: SUCCESS

Security

This change maintains security boundaries:

  • Loopback addresses (127.0.0.0/8) are still blocked
  • Link-local addresses (169.254.0.0/16) are still blocked
  • Only host.docker.internal gets special treatment

Related Issues

Fixes: #263
Related: NVIDIA/NemoClaw#314
Related: NVIDIA/NemoClaw#385
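An added example, not OpenShell's code and not the diff in this PR, that sketches the policy the description outlines: a resolver-backed egress check that refuses loopback and link-local answers for every name, refuses private answers for ordinary names, and exempts only host.docker.internal so a Docker bridge address such as 172.17.0.1 can be reached. The function and variable names, the constructed DNS table and the allowed_ips hint text are assumptions of this example, not project identifiers.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple, Union

# Hypothetical names, not OpenShell's own code: the one hostname the policy
# treats specially, and an injectable resolver so the check runs offline.
DOCKER_HOST_ALIAS = "host.docker.internal"
Resolver = Callable[[str], Iterable[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolver(host: str) -> List[str]:
    """Resolve through the OS and return every answer (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def classify(ip: IPAddress) -> str:
    """Bucket an address the way the egress policy reasons about it.

    Order matters: 127.0.0.0/8 and 169.254.0.0/16 also count as 'private' to
    the ipaddress module, so loopback and link-local are tested first.
    """
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def resolve_and_reject_internal(host: str, resolver: Resolver = system_resolver) -> List[str]:
    """Return the addresses `host` may be dialled, or raise PermissionError.

    Every resolved answer is inspected, not just the first. Loopback and
    link-local answers are always refused. Private answers are refused for
    ordinary hostnames but accepted for the Docker host alias, which normally
    resolves to a bridge address such as 172.17.0.1.
    """
    allow_private = host.lower().rstrip(".") == DOCKER_HOST_ALIAS
    accepted: List[str] = []
    for raw in resolver(host):
        ip = ipaddress.ip_address(raw)
        kind = classify(ip)
        if kind in ("loopback", "link-local"):
            raise PermissionError(f"{host} resolves to {kind} address {ip}; egress denied")
        if kind == "private" and not allow_private:
            raise PermissionError(
                f"{host} resolves to private address {ip}; egress denied "
                f"(hint: list it in allowed_ips, or reach the Docker host via {DOCKER_HOST_ALIAS})"
            )
        accepted.append(str(ip))
    if not accepted:
        raise PermissionError(f"{host} did not resolve to any address")
    return accepted


def policy_decision(host: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Wrapper returning ('allow', 'ip,ip') or ('deny', reason) for logging."""
    try:
        return "allow", ",".join(resolve_and_reject_internal(host, resolver))
    except PermissionError as exc:
        return "deny", str(exc)


# Constructed DNS answers for an offline demonstration (not real hosts).
FAKE_DNS = {
    "host.docker.internal": ["172.17.0.1"],   # Docker bridge gateway: allowed
    "vllm.internal.example": ["172.17.0.1"],  # same answer, no alias: denied
    "metadata.example": ["169.254.169.254"],  # link-local: always denied
    "loop.example": ["127.0.0.1"],            # loopback: always denied
    "api.example": ["93.184.216.34"],         # public: allowed
}

# A second constructed answer set in which the alias itself points at
# loopback; the special case must still refuse it.
FAKE_DNS_ALIAS_LOOPBACK = {"host.docker.internal": ["127.0.0.1"]}


def make_resolver(table: dict) -> Resolver:
    """Build a resolver that answers from a constructed table."""
    return lambda host: table.get(host.lower(), [])


if __name__ == "__main__":
    lookup = make_resolver(FAKE_DNS)
    for name in FAKE_DNS:
        print(f"{name:24} -> {policy_decision(name, lookup)}")
    print("alias->loopback          ->",
          policy_decision("host.docker.internal", make_resolver(FAKE_DNS_ALIAS_LOOPBACK)))
```

Running the file prints one allow/deny verdict per constructed name. Two design points carry over to any real proxy: every answer in the DNS response is checked, so a name that returns one public and one private address is still refused; and the verdict should be enforced on the address the proxy actually dials, because a second resolution at connect time can differ from the one that was vetted.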

Add special case in resolve_and_reject_internal() to allow
host.docker.internal to resolve to private IPs (Docker bridge),
enabling local vLLM/Ollama inference from within sandboxes.

Security: Still blocks loopback and link-local addresses.

Fixes: NVIDIA#263
Related: NVIDIA/NemoClaw#314, NVIDIA/NemoClaw#385

Tests: Add unit tests for host.docker.internal behavior.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
@EdwallScaffold EdwallScaffold requested a review from a team as a code owner March 23, 2026 18:20
@github-actions

Thank you for your interest in contributing to OpenShell, @EdwallScaffold.

This project uses a vouch system for first-time contributors. Before submitting a pull request, you need to be vouched by a maintainer.

To get vouched:

  1. Open a Vouch Request discussion.
  2. Describe what you want to change and why.
  3. Write in your own words — do not have an AI generate the request.
  4. A maintainer will comment /vouch if approved.
  5. Once vouched, open a new PR (preferred) or reopen this one after a few minutes.

See CONTRIBUTING.md for details.

@github-actions github-actions bot closed this Mar 23, 2026
@github-actions

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

I have read the DCO document and I hereby sign the DCO.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.


Development

Successfully merging this pull request may close these issues.

feat: allow sandbox policy to egress to host.docker.internal without requiring explicit allowed_ips
