docs: document required sbx default network policy #6
Open
jasonkneen wants to merge 1 commit into
`sbx create` fails until a default network policy is configured
("default network policy has not been configured"), but the README and
install.sh only mentioned `sbx login`. Fractal swallows sbx's stderr, so
this surfaced as a silent sandbox-startup failure.
- README: add `sbx policy set-default balanced` to the sbx prerequisite,
explain the failure mode, and note the first-run image pull can take
several minutes (with a pre-pull workaround).
- install.sh: include the policy step in the sbx prerequisite hints.
Claude-Session: https://claude.ai/code/session_01CeJ5biNVPBwmnpFMv9Zjaf
Pull request overview
Updates Fractal’s onboarding docs to prevent a first-run “silent” sandbox startup failure by documenting that sbx requires a default network policy before it can create sandboxes.
Changes:
- Add `sbx policy set-default balanced` to the README’s `sbx` prerequisites and describe the associated failure mode.
- Note that the first sandbox image pull can take several minutes and provide an optional pre-pull (“warm”) command.
- Update `install.sh` prerequisite hints to include the default network policy step.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Documents the required sbx default network policy and first-run image pull behavior to avoid confusing startup failures. |
| install.sh | Extends prerequisite guidance to include setting the sbx default network policy alongside sbx login. |
Problem
Installing via the curl one-liner works, but the first run fails to start the sandbox with no useful error — it appears to hang or fail silently.
Root cause: `sbx` refuses to create any sandbox until a default network policy is configured:
The README and `install.sh` only tell users to run `sbx login` — never `sbx policy set-default`. Because Fractal's sbx backend captures `sbx create` with `capture_output=True` and discards stderr, the real error never reaches the user; it surfaces as a silent sandbox-startup failure.
Reproduced and confirmed: after `sbx policy set-default balanced`, `sbx create` succeeds and `fractal` runs end-to-end.
Changes
- `sbx policy set-default balanced` to the sbx prerequisite, explain the failure mode, and note the first-run sandbox image pull can take several minutes (with a pre-pull workaround).
- `check_prereqs` sbx hints.
Docs only — no behavior change.
Follow-up (not in this PR)
The sbx backend (`predict_rlm/backends/sbx/backend.py`) raises `Failed to create sbx sandbox: <CalledProcessError>` but discards the captured `stderr`. Surfacing `exc.stderr` would turn this from a silent failure into an obvious one. That lives in the vendored `predict-rlm` dependency, so it belongs upstream.
https://claude.ai/code/session_01CeJ5biNVPBwmnpFMv9Zjaf
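
The follow-up described above, as an added example that is not part of this PR or of predict-rlm: the same failing call wrapped once so the captured stderr is lost and once so it reaches the error message. `SandboxStartError`, the function names and the stand-in command are assumptions; the stand-in is a constructed child process that emits the error text quoted on this page in place of a real `sbx create`.

```python
import os
import subprocess
import sys

# Constructed stand-in for `sbx create`: exits 1 and writes the error quoted
# on this page to stderr. The text is passed through the environment so it is
# absent from the command line, which str(CalledProcessError) does include.
SBX_ERROR = "default network policy has not been configured"
FAKE_SBX_CREATE = [
    sys.executable, "-c",
    "import os, sys; sys.stderr.write(os.environ['FAKE_SBX_ERR'] + '\\n'); sys.exit(1)",
]


class SandboxStartError(RuntimeError):
    """Hypothetical exception type; not the predict-rlm class."""


def _run(cmd):
    env = dict(os.environ, FAKE_SBX_ERR=SBX_ERROR)
    return subprocess.run(cmd, capture_output=True, text=True, check=True, env=env)


def create_discarding_stderr(cmd=FAKE_SBX_CREATE):
    """Pattern described in the PR: captured stderr never reaches the message."""
    try:
        return _run(cmd).stdout
    except subprocess.CalledProcessError as exc:
        raise SandboxStartError(f"Failed to create sbx sandbox: {exc}") from exc


def create_surfacing_stderr(cmd=FAKE_SBX_CREATE):
    """Same call, but the tool's own stderr is appended to the error."""
    try:
        return _run(cmd).stdout
    except subprocess.CalledProcessError as exc:
        detail = (exc.stderr or "").strip() or "<no stderr output>"
        raise SandboxStartError(
            f"Failed to create sbx sandbox (exit {exc.returncode}): {detail}"
        ) from exc


def error_text(fn):
    """Return the message fn() raises, or None if it succeeds."""
    try:
        fn()
    except SandboxStartError as err:
        return str(err)
    return None
```
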