claude-sandbox (main)

Published 2026-06-10 20:22:51 +00:00 by pkoptilin

Pull the image from the command line:

docker pull gitea.rashpile.net/pkoptilin/claude-sandbox:main

Digest

sha256:0da7894017a4e153af1cd198f0eeb659b5cf6a45c4d2f1e0ef8045dd97cf30f8

For more information on the Container registry, see the documentation.

Digest	OS / Arch	Size
05606eaa16	linux/arm64	668 MiB

Image Layers ( linux/arm64)

# debian.sh --arch 'arm64' out/ 'bookworm' '@1779062400'

RUN /bin/sh -c groupadd --gid 1000 node && useradd --uid 1000 --gid node --shell /bin/bash --create-home node # buildkit

ENV NODE_VERSION=22.22.3

RUN /bin/sh -c ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" && case "${dpkgArch##*-}" in amd64) ARCH='x64' OPENSSL_ARCH='linux-x86_64';; ppc64el) ARCH='ppc64le' OPENSSL_ARCH='linux-ppc64le';; s390x) ARCH='s390x' OPENSSL_ARCH='linux*-s390x';; arm64) ARCH='arm64' OPENSSL_ARCH='linux-aarch64';; armhf) ARCH='armv7l' OPENSSL_ARCH='linux-armv4';; *) echo "unsupported architecture"; exit 1 ;; esac && set -ex && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends && rm -rf /var/lib/apt/lists/* && export GNUPGHOME="$(mktemp -d)" && for key in 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 CC68F5A3106FF448322E48ED27F5E38D5B0A215F 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C 108F52B48DB57BB0CC439B2997B01419BD92F80A A363A499291CBBC940DD62E41F10027AF002F8B0 ; do { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; done && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc && gpgconf --kill all && rm -rf "$GNUPGHOME" && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; && apt-mark auto '.*' > /dev/null && find /usr/local -type f -executable -exec ldd '{}' ';' | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && ln -s /usr/local/bin/node /usr/local/bin/nodejs && node --version && npm --version && rm -rf /tmp/* # buildkit

ENV YARN_VERSION=1.22.22

RUN /bin/sh -c set -ex && savedAptMark="$(apt-mark showmanual)" && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr --no-install-recommends && rm -rf /var/lib/apt/lists/* && export GNUPGHOME="$(mktemp -d)" && for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; done && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" && gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && gpgconf --kill all && rm -rf "$GNUPGHOME" && mkdir -p /opt && tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ && ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn && ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg && rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && apt-mark auto '.*' > /dev/null && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; } && find /usr/local -type f -executable -exec ldd '{}' ';' | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && yarn --version && rm -rf /tmp/* # buildkit

COPY docker-entrypoint.sh /usr/local/bin/ # buildkit

ENTRYPOINT ["docker-entrypoint.sh"]

CMD ["node"]

LABEL stage=claude-sandbox-build

SHELL [/bin/bash -eo pipefail -c]

ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 GOROOT=/usr/local/go GOPATH=/home/claude/go PATH=/usr/local/go/bin:/home/claude/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

RUN /bin/bash -eo pipefail -c apt-get update && apt-get install -y --no-install-recommends ca-certificates curl wget gnupg git openssh-client bubblewrap iptables ipset dnsutils jq ripgrep fd-find less vim-tiny make build-essential procps gosu tmux fish zsh bash-completion python3 python3-pip python3-venv pipx && ln -s /usr/bin/fdfind /usr/local/bin/fd && rm -rf /var/lib/apt/lists/* # buildkit

ARG UV_VERSION=0.5.18

RUN |1 UV_VERSION=0.5.18 /bin/bash -eo pipefail -c ARCH="$(dpkg --print-architecture)" && case "$ARCH" in amd64) UV_ARCH=x86_64-unknown-linux-gnu ;; arm64) UV_ARCH=aarch64-unknown-linux-gnu ;; *) echo "unsupported arch: $ARCH" >&2; exit 1 ;; esac && wget -qO- "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-${UV_ARCH}.tar.gz" | tar -xz -C /tmp && install -m 0755 "/tmp/uv-${UV_ARCH}/uv" /usr/local/bin/uv && install -m 0755 "/tmp/uv-${UV_ARCH}/uvx" /usr/local/bin/uvx && rm -rf "/tmp/uv-${UV_ARCH}" && uv --version # buildkit

ARG GO_VERSION=1.23.4

RUN |2 UV_VERSION=0.5.18 GO_VERSION=1.23.4 /bin/bash -eo pipefail -c ARCH="$(dpkg --print-architecture)" && wget -qO- "https://go.dev/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz" | tar -C /usr/local -xz && go version # buildkit

RUN |2 UV_VERSION=0.5.18 GO_VERSION=1.23.4 /bin/bash -eo pipefail -c printf '%s\n' 'export GOROOT=/usr/local/go' 'export GOPATH=$HOME/go' 'export PATH=/usr/local/go/bin:$HOME/go/bin:$HOME/.local/bin:$PATH' > /etc/profile.d/10-paths.sh && chmod 0644 /etc/profile.d/10-paths.sh # buildkit

RUN |2 UV_VERSION=0.5.18 GO_VERSION=1.23.4 /bin/bash -eo pipefail -c git config --system pull.ff only # buildkit

RUN |2 UV_VERSION=0.5.18 GO_VERSION=1.23.4 /bin/bash -eo pipefail -c install -m 0755 -d /etc/apt/keyrings && wget -nv -O- https://cli.github.com/packages/githubcli-archive-keyring.gpg | gpg --dearmor -o /etc/apt/keyrings/githubcli-archive-keyring.gpg && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list && apt-get update && apt-get install -y --no-install-recommends gh && rm -rf /var/lib/apt/lists/* # buildkit

ARG CLI_CACHEBUST=1

RUN |3 UV_VERSION=0.5.18 GO_VERSION=1.23.4 CLI_CACHEBUST=1 /bin/bash -eo pipefail -c npm install -g @anthropic-ai/claude-code @openai/codex && command -v claude && command -v codex && claude --version | awk '{print $1}' > /etc/claude-sandbox.claude-version && echo "cli-cachebust=${CLI_CACHEBUST} claude-version=$(cat /etc/claude-sandbox.claude-version)" # buildkit

COPY /srv/ralphex /usr/local/bin/ralphex # buildkit

RUN |3 UV_VERSION=0.5.18 GO_VERSION=1.23.4 CLI_CACHEBUST=1 /bin/bash -eo pipefail -c chmod +x /usr/local/bin/ralphex && /usr/local/bin/ralphex --version # buildkit

COPY /out/revdiff /usr/local/bin/revdiff # buildkit

RUN |3 UV_VERSION=0.5.18 GO_VERSION=1.23.4 CLI_CACHEBUST=1 /bin/bash -eo pipefail -c chmod +x /usr/local/bin/revdiff && /usr/local/bin/revdiff --version # buildkit

RUN |3 UV_VERSION=0.5.18 GO_VERSION=1.23.4 CLI_CACHEBUST=1 /bin/bash -eo pipefail -c userdel --remove node 2>/dev/null || true && groupdel node 2>/dev/null || true && groupadd --gid 1000 claude && useradd --uid 1000 --gid 1000 --create-home --shell /bin/bash claude && mkdir -p /home/claude/.claude /home/claude/.codex /home/claude/.npm /home/claude/.cache/pip /home/claude/go/pkg/mod && chown -R claude:claude /home/claude # buildkit

COPY tmux.conf /etc/tmux.conf # buildkit

ENV USE_BUILTIN_RIPGREP=0 RALPHEX_DOCKER=1 CLAUDE_CONFIG_DIR=/home/claude/.claude

COPY firewall-allowlist.txt /etc/firewall-allowlist.txt # buildkit

COPY init-firewall.sh /usr/local/bin/init-firewall.sh # buildkit

RUN |3 UV_VERSION=0.5.18 GO_VERSION=1.23.4 CLI_CACHEBUST=1 /bin/bash -eo pipefail -c chmod +x /usr/local/bin/init-firewall.sh # buildkit

COPY launch.sh /usr/local/bin/launch.sh # buildkit

RUN |3 UV_VERSION=0.5.18 GO_VERSION=1.23.4 CLI_CACHEBUST=1 /bin/bash -eo pipefail -c chmod +x /usr/local/bin/launch.sh # buildkit

COPY entrypoint.sh /usr/local/bin/entrypoint.sh # buildkit

RUN |3 UV_VERSION=0.5.18 GO_VERSION=1.23.4 CLI_CACHEBUST=1 /bin/bash -eo pipefail -c chmod +x /usr/local/bin/entrypoint.sh # buildkit

WORKDIR /workspace

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

CMD []

Key	Value
org.opencontainers.image.created	2026-06-10T20:15:53.781Z
org.opencontainers.image.description
org.opencontainers.image.licenses
org.opencontainers.image.revision	cfe11341ce8adea76296a97af6814b4ea395767d
org.opencontainers.image.source	https://gitea.rashpile.net/pkoptilin/Claude-sandbox
org.opencontainers.image.title	Claude-sandbox
org.opencontainers.image.url	https://gitea.rashpile.net/pkoptilin/Claude-sandbox
org.opencontainers.image.version	main
stage	claude-sandbox-build