Releases: NVIDIA/OpenShell
OpenShell Development Build
This build is automatically published on every commit to main that passes CI.
NOTE: This is a development build, not a tagged release, and may be unstable.
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=dev sh
OpenShell v0.0.37
v0.0.37 is a breaking release that moves OpenShell onto the new entity/object model and RFC-0001 compute-driver architecture. Gateway persistence now uses a shared entity schema with Kubernetes-style metadata and labels, and policy revisions plus draft policy recommendations now live in that object model instead of dedicated policy tables. This also changes public protobuf shapes for core resources like sandboxes, providers, and SSH sessions, so existing clients and gateway databases may need regeneration, migration, or recreation.
This release introduces the experimental Helm chart for Kubernetes and OpenShift deployments, including chart packaging, PKI bootstrap, Gateway API support, and Kubernetes setup docs. On the runtime side, RFC-0001 is now substantially implemented with pluggable compute drivers for Docker, Podman, Kubernetes, and experimental MicroVM-backed sandboxes, plus related packaging, installer, and CI support.
Also new in this release: initial provider profiles and sandbox-provider attach lifecycle, OIDC/RBAC gateway auth, GraphQL L7 policy inspection, Kubernetes user namespace support, and expanded Debian/RPM/Homebrew packaging.
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.37 sh
Upgrading from v0.0.36 or earlier
v0.0.37 is not compatible with existing gateway state from earlier releases. openshell start|stop|destroy commands have been removed. Before upgrading, back up anything you need from existing sandboxes, including files, generated artifacts, and any local configuration that was only stored inside the sandbox.
Then clean up the old runtime before installing v0.0.37:
openshell sandbox delete --all
openshell gateway destroy
openshell gateway destroy must be run before upgrading, while you still have the v0.0.36 or earlier CLI installed. In v0.0.37, gateway lifecycle is no longer managed by the openshell gateway start|stop|destroy commands.
After cleanup, reinstall OpenShell using the current installation instructions:
https://docs.nvidia.com/openshell/latest/about/installation
After reinstalling, recreate your sandboxes and re-register or reconfigure any providers, policies, and gateway settings you still need.
What's Changed
- fix(driver-vm): preflight supervisor cross-compile toolchain in start.sh by @pimlock in #931
- fix(ci): E2E gate must verify work actually ran, not just top-level success by @pimlock in #926
- fix(ci): bump ci-image tooling versions to clear vendored CVEs by @johntmyers in #929
- fix(ci): bump helm to 4.1.4 for plugin CVE fixes by @johntmyers in #928
- fix(skills): remove --assignee @me from gh pr/issue create commands by @sjenning in #937
- chore(mise): replace deprecated ubi: prefix by github: prefix by @benoitf in #923
- fix(ci): rename mise --no-prepare to --no-deps by @pimlock in #942
- feat(server): add Prometheus metrics infrastructure and gRPC/HTTP request metrics by @sjenning in #920
- fix(ci): post E2E Gate check to the PR when workflow_run fires by @pimlock in #938
- chore(helm): remove unused ClusterRole and ClusterRoleBinding by @TaylorMutch in #943
- feat(ci): add shadow-shared-cpu-spike workflow for OS-49 Phase 2 by @jtoelke2 in #934
- chore(ci): add ARC baseline collector for OS-49 runner migration by @jtoelke2 in #927
- fix(ci): expose GHA sccache env in shadow-shared-cpu-spike by @jtoelke2 in #950
- feat(ci): add driver input to setup-buildx action by @jtoelke2 in #941
- fix(cli): preserve source directory on sandbox upload by @mjamiv in #952
- fix(sandbox): route console logs to stderr by @johntmyers in #949
- fix(e2e): add /dev/urandom to provider test sandbox policy by @derekwaynecarr in #948
- test(e2e): fix rust upload path assertions by @drew in #960
- test(e2e): fix gitignore upload assertion path by @johntmyers in #962
- fix(ci): partition GHA sccache cache per arch in shadow spike by @jtoelke2 in #961
- Openshell driver podman by @maxamillion in #904
- feat(ci): add Markdown and Mermaid linting by @pimlock in #933
- feat(docker): add BINARY_SOURCE selector for prebuilt Rust binaries by @jtoelke2 in #945
- test(e2e): fix filtered upload path assertion by @drew in #963
- feat(ci): add shadow-docker-build workflow for OS-49 Phase 3 by @jtoelke2 in #964
- fix(ci): use nv-gha-runners buildkit mirror to avoid Docker Hub rate limit by @jtoelke2 in #966
- fix(docs): scope fenced code language linting by @pimlock in #965
- fix(ci): make buildkitd-config opt-in for setup-buildx by @jtoelke2 in #970
- fix(ci): ignore local artifacts in license checks by @johntmyers in #974
- fix(scripts): handle docker cleanup when no containers are running by @derekwaynecarr in #977
- feat(server): add object meta convention to top-level objects by @derekwaynecarr in #919
- fix(ci): patch CI container vulnerability toolchain by @johntmyers in #959
- docs(rfc): add core architecture RFC by @drew in #836
- fix(e2e): use high UID range to avoid host user conflicts by @derekwaynecarr in #978
- ci(e2e): add label dispatcher and contributor CI docs by @pimlock in #975
- ci(e2e): replace label dispatcher with comment-only helper by @pimlock in #990
- fix(deps): add missing cargo-zigbuild dependency for macOS cross-compilation by @benoitf in #986
- docs: weekly documentation refresh by @miyoungc in #993
- fix(sandbox): deny ambiguous socket ownership by @johntmyers in #958
- chore(ci): relax agent diagnostic gate by @johntmyers in #1001
- chore(mise): add lockfile with multi-platform support and version pin by @pimlock in #946
- fix(podman): use podman machine socket path on macOS by @benoitf in #999
- feat(server): add bundled docker compute driver by @drew in #888
- fix(ci): grant actions:read and contents:read to E2E label helper by @pimlock in #995
- chore(tools): sync mise version to v2026.4.25 by @TaylorMutch in #1013
- feat(ci): add shadow-rust-native-build workflow for OS-49 Phase 4 (PR 4a) by @jtoelke2 in #973
- refactor(server): unify policy persistence in objects table by @johntmyers in #972
- fix(cli): preserve directory basename for filtered uploads by @johntmyers in #1028
- fix(net): catch IPv4-mapped blocked ranges in is_always_blocked_net by @mesutoezdil in #1032
- feat(openshell-vm): add tty support for exec by @benoitf in #939
- Adding qemu vm driver support with GPU pass-through by @vince-brisebois in #992
- ci(rust): enforce -D warnings on clippy by @drew in #1008
- fix(sandbox): log L7 parse denials by @johntmyers in #1072
- fix(sandbox): preserve encoded slash policy from proto by @pimlock in #1073
- ci(docker): use prebuilt Rust binaries by default by @jtoelke2 in #1027
- ci(rust): keep sccache stats non-blocking by @jtoelke2 in #1074
- docs(examples): add multi-agent notepad demo by @zredlined in #991
- ci: add OS-49 phase 5 shadow workflows by @jtoelke2 in #1075
- feat(auth): add OIDC/Keycloak authentication with RBAC and scope-based permissions by @mrunalp in #935
- chore(ci): update checkout action to v6 by @drew in #1086
- fix(docker): set apparmor=unconfined on sandbox containers by @elezar in #1078
- feat(docker): enable CDI GPU sandboxes by @elezar in #1036
- feat(server): add auto-detection of compute driver at startup by @sjenning in #1088
- test(e2e): skip docker gpu test in rust suite by @pimlock in #1...
OpenShell VM Runtime
Build of the OpenShell VM runtime artifacts used by openshell-driver-vm.
NOTE: This is a development build.
Kernel Runtime Artifacts
Pre-built kernel runtime (libkrunfw + libkrun + gvproxy) for embedding into
the openshell-driver-vm binary. These are rebuilt on demand when the kernel
config or pinned dependency versions change.
| Platform | Artifact |
|---|---|
| Linux ARM64 | vm-runtime-linux-aarch64.tar.zst |
| Linux x86_64 | vm-runtime-linux-x86_64.tar.zst |
| macOS ARM64 | vm-runtime-darwin-aarch64.tar.zst |
Verify
gh release download vm-runtime -R NVIDIA/OpenShell -p vm-runtime-linux-x86_64.tar.zst
gh attestation verify vm-runtime-linux-x86_64.tar.zst -R NVIDIA/OpenShell
OpenShell v0.0.36
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/refs/tags/v0.0.36/install.sh | OPENSHELL_VERSION=v0.0.36 sh
What's Changed
- feat(server): allow disabling health check listener by @TaylorMutch in #915
- add configurable timeout for image transfer to gateway containerd by @tmckayus in #914
- fix(sandbox): preserve explicit read-only baseline paths by @johntmyers in #910
- fix(sandbox): resolve sandbox host aliases in SSRF checks by @johntmyers in #912
- fix(sandbox): inject GIT_SSL_CAINFO so git clone trusts the sandbox CA by @laitingsheng in #918
- ci(e2e): enable E2E to run on external forks through the copy-pr-bot flow by @pimlock in #922
- feat(server,driver-vm,e2e): gateway-owned readiness + VM compute driver e2e by @drew in #901
New Contributors
- @tmckayus made their first contribution in #914
- @laitingsheng made their first contribution in #918
Full Changelog: v0.0.35...v0.0.36
OpenShell v0.0.35
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.35 sh
What's Changed
- feat(server,sandbox): supervisor-initiated SSH connect and exec over gRPC-multiplexed relay by @pimlock in #867
- feat(server): add request-level logging via TraceLayer by @sjenning in #895
- feat(server): serve health endpoints on separate unauthenticated port by @sjenning in #903
- fix(k8s-driver): use dedicated kube client without read_timeout for watches by @sjenning in #907
New Contributors
Full Changelog: v0.0.34...v0.0.35
OpenShell v0.0.34
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.34 sh
What's Changed
- feat(policy): add incremental sandbox policy updates by @johntmyers in #860
- fix(cli,tui): escape and validate SSH session response fields by @johntmyers in #876
- fix(sandbox): apply supervisor seccomp prelude by @johntmyers in #891
- feat(install-vm): install gateway + vm driver, add --driver-dir resolution by @drew in #887
- fix(cli): sandbox get returns currently active runtime policy by @TaylorMutch in #880
- fix(sandbox): canonicalize HTTP request-targets before L7 policy evaluation by @johntmyers in #878
New Contributors
- @TaylorMutch made their first contribution in #880
Full Changelog: v0.0.33...v0.0.34
OpenShell v0.0.33
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.33 sh
What's Changed
- fix(sandbox): harden seccomp, inference routing, and process limits by @johntmyers in #869
- feat(vm): add standalone libkrun compute driver by @drew in #858
- docs: fix TOC structure by @miyoungc in #797
- docs: refresh user-facing docs for recent sandbox and inference changes by @miyoungc in #868
- docs(contributing): add bash shell setup example for mise by @mrunalp in #877
- fix(sandbox): strip " (deleted)" suffix from unlinked /proc//exe paths by @mjamiv in #844
- test(sandbox): fix flaky arm64 procfs binary_path tests by @pimlock in #881
New Contributors
Full Changelog: v0.0.32...v0.0.33
OpenShell v0.0.32
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.32 sh
What's Changed
- feat(sandbox): load system CA certificates for upstream TLS connections by @matz3 in #862
- feat(release): publish standalone openshell-gateway binaries by @drew in #853
- docs(rfc): adopt per-RFC folder structure by @drew in #870
New Contributors
Full Changelog: v0.0.31...v0.0.32
OpenShell v0.0.31
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.31 sh
What's Changed
- fix(core): exclude vm-dev tag from git describe version glob by @mjamiv in #843
- fix(inference): allowlist routed request headers by @johntmyers in #826
Full Changelog: v0.0.30...v0.0.31
OpenShell v0.0.30
Quick install
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.30 sh
What's Changed
- refactor(server): extract kubernetes compute driver by @drew in #817
- fix(inference): prevent silent truncation of large streaming responses by @johntmyers in #834
- refactor(server): use ComputeDriver RPC surface in-process by @drew in #839
- fix(sandbox): preserve ownership for existing read_write paths by @johntmyers in #827
- feat(policy): add deny rules to network policy schema by @johntmyers in #822
- fix(sandbox): disable child core dumps by @johntmyers in #821
- fix(sandbox): escape control characters in format_sse_error by @mjamiv in #842
New Contributors
Full Changelog: v0.0.29...v0.0.30