Skip to content

Feature request: sandbox update --image (in-place image swap preserving PVC) #758

Open
Enhancement
Open
Feature request: sandbox update --image (in-place image swap preserving PVC)#758
Enhancement
Assignees
drew
@novarii

Description

@novarii
novarii
opened on Apr 5, 2026

Problem

sandbox delete + sandbox create is currently the only way to update a sandbox's image. For stateful workloads this causes:

  1. PVC orphaning — the old persistent volume survives but is not reattached to the new sandbox. The new sandbox gets a fresh PVC.
  2. State loss — any runtime state on the persistent volume (auth sessions, conversation history, scheduled jobs) is effectively lost.
  3. No rollback — once deleted, the old sandbox and its state binding are gone.

This makes OpenShell unsafe for stateful long-running services that need frequent image updates (e.g., config changes, hotfixes) without downtime or state loss.

Use case

We run a WhatsApp-connected daemon inside an OpenShell sandbox. The daemon stores Baileys auth state and conversation sessions on /sandbox/state (persistent volume). During early deployment we need to iterate on config and code multiple times per day. Each sandbox delete + sandbox create cycle:

  • Destroys the WhatsApp session (requires QR code rescan with the client)
  • Loses in-flight conversation state
  • Accumulates orphaned PVCs

Proposed solution

A sandbox update command (or similar) that swaps the container image while preserving the existing PVC binding:

openshell sandbox update <name> --image <new-image> [--policy <policy.yaml>]

Expected behavior:

  • Stop the running container
  • Replace the image reference
  • Restart with the same PVC attached at the same mount point
  • Optionally update the policy file
  • Optionally support --rollback to revert to the previous image

This is analogous to how Kubernetes handles StatefulSet image updates — the pod is replaced but the PVC persists and rebinds.

Alternatives considered

  • Patch files in-place inside the sandbox — works for writable paths but Landlock (correctly) makes /app and /etc read-only, so code and baked config can't be updated without an image swap.
  • Use dev policy with relaxed Landlock — defeats the security model.
  • kubectl patch the underlying workload directly — bypasses OpenShell's state tracking and policy enforcement, fragile.

Environment

  • OpenShell with Landlock filesystem enforcement
  • Persistent volumes mounted at /sandbox/
  • Stateful daemon workloads (WhatsApp, session persistence)

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Enhancement

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions