About NVIDIA OpenShell

Installation

View as Markdown

Install OpenShell

Install OpenShell with a single command:

$curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh

The script detects your operating system and installs the OpenShell CLI and gateway with your native package manager. It then starts the local gateway server so you can begin creating sandboxes.

You can also download release artifacts directly from the OpenShell GitHub Releases page.

Use openshell status to confirm the CLI can reach the gateway.

Supported Compute Drivers

OpenShell supports several local compute drivers. The installer chooses a default driver for your platform, and the gateway reads the driver choice from its startup configuration. Sandbox commands use the same CLI workflow after the gateway is running.

Compute DriverHow It Is ConfiguredSystem Requirements
PodmanThe gateway is configured to create rootless Podman containers through the Podman API socket.Linux with Podman 5.x, cgroups v2, rootless networking, and an active Podman user socket.
DockerThe gateway is configured to create containers through Docker Desktop or Docker Engine.Docker Desktop or Docker Engine 28.04 or later on the gateway host.
MicroVMThe gateway is configured to create VM-backed sandboxes.Host virtualization support. MicroVM uses Hypervisor.framework on macOS, KVM on Linux, and QEMU for GPU-backed sandboxes on Linux.

For detailed driver behavior, refer to Sandbox Compute Drivers. For gateway and sandbox operations, refer to Gateways and Sandboxes.

macOS

On macOS, the install script uses Homebrew. The Homebrew package installs the openshell CLI, the gateway binary, and a Homebrew-managed gateway service.

The Homebrew service listens on https://127.0.0.1:17670 and generates a local mTLS bundle on install. The CLI reads the client bundle from ~/.config/openshell/gateways/openshell/mtls/.

The installer starts the service for you. Use Homebrew service commands when you need to inspect, restart, or stop the gateway service:

$brew services list
$brew services restart openshell

Linux

On Fedora and RHEL, the install script uses RPM packages. The RPM installs the openshell CLI, the openshell-gateway daemon, and a systemd user service.

On Debian and Ubuntu, the install script uses a Debian package. The Debian package installs the openshell CLI, the openshell-gateway daemon, VM sandbox support, and a systemd user service.

The Debian user service listens on https://127.0.0.1:17670 and generates a local mTLS bundle before the gateway starts. The CLI reads the client bundle from ~/.config/openshell/gateways/openshell/mtls/.

The installer starts the service for you. Use systemd user commands when you need to inspect, restart, or stop the gateway service:

$systemctl --user status openshell-gateway
$systemctl --user restart openshell-gateway
$journalctl --user -u openshell-gateway -f

To keep the user service running after logout, enable linger:

$sudo loginctl enable-linger $USER

Kubernetes

Kubernetes deployments use the OpenShell Helm chart. For step-by-step installation, refer to Kubernetes Setup. For chart values and packaging details, refer to the Helm chart README.

Next Steps

  • To create your first sandbox, refer to the Quickstart.
  • To register, select, and inspect gateways, refer to Gateways.
  • To supply API keys or tokens, refer to Manage Providers.
  • To control what the agent can access, refer to Policies.