***

title: Manage Sandboxes
sidebar-title: Sandboxes
description: Set up gateways, create sandboxes, and manage the full sandbox lifecycle.
keywords: Generative AI, Cybersecurity, Gateway, Sandboxing, AI Agents, Sandbox Management, CLI
position: 2
---------------------

For clean Markdown of any page, append .md to the page URL. For a complete documentation index, see https://docs.nvidia.com/openshell/latest/sandboxes/llms.txt. For full documentation content, see https://docs.nvidia.com/openshell/latest/sandboxes/llms-full.txt.

This page covers creating sandboxes and managing them. For background on what sandboxes are and how isolation works, refer to [About Sandboxes](/sandboxes/about).

<Info>
  Docker must be running before you create a gateway or sandbox. If it is not, the CLI
  returns a connection-refused error (`os error 61`) without explaining
  the cause. Start Docker and try again.
</Info>

## Create a Sandbox

Create a sandbox with a single command. For example, to create a sandbox with Claude, run:

```shell
openshell sandbox create -- claude
```

Every sandbox requires a gateway. If you run `openshell sandbox create` without a gateway, the CLI auto-bootstraps a local gateway.

### Remote Gateways

If you plan to run sandboxes on a remote host or a cloud-hosted gateway, set up the gateway first. Refer to [Manage Gateways](/sandboxes/manage-gateways) for deployment options and multi-gateway management.

### GPU Resources

To request GPU resources, add `--gpu`:

```shell
openshell sandbox create --gpu -- claude
```

### Custom Containers

Use `--from` to create a sandbox from a pre-built community package, a local directory, or a container image:

```shell
openshell sandbox create --from openclaw
openshell sandbox create --from ./my-sandbox-dir
openshell sandbox create --from my-registry.example.com/my-image:latest
```

The CLI resolves community names against the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) catalog, pulls the bundled Dockerfile and policy, builds the image locally, and creates the sandbox. For the full catalog and how to contribute your own, refer to [Community Sandboxes](/sandboxes/community-sandboxes).

## Connect to a Sandbox

Open an SSH session into a running sandbox:

```shell
openshell sandbox connect my-sandbox
```

Launch VS Code or Cursor directly into the sandbox workspace:

```shell
openshell sandbox create --editor vscode --name my-sandbox
openshell sandbox connect my-sandbox --editor cursor
```

When `--editor` is used, OpenShell keeps the sandbox alive and installs an
OpenShell-managed SSH include file instead of cluttering your main
`~/.ssh/config` with generated host blocks.

## Monitor and Debug

List all sandboxes:

```shell
openshell sandbox list
```

Get detailed information about a specific sandbox:

```shell
openshell sandbox get my-sandbox
```

Stream sandbox logs to monitor agent activity and diagnose policy decisions:

```shell
openshell logs my-sandbox
```

| Flag       | Purpose                      | Example                            |
| ---------- | ---------------------------- | ---------------------------------- |
| `--tail`   | Stream logs in real time     | `openshell logs my-sandbox --tail` |
| `--source` | Filter by log source         | `--source sandbox`                 |
| `--level`  | Filter by severity           | `--level warn`                     |
| `--since`  | Show logs from a time window | `--since 5m`                       |

OpenShell Terminal combines sandbox status and live logs in a single real-time dashboard:

```shell
openshell term
```

Use the terminal to spot blocked connections marked `action=deny` and inference-related proxy activity. If a connection is blocked unexpectedly, add the host to your network policy. Refer to [Policies](/sandboxes/policies) for the workflow.

## Port Forwarding

Forward a local port to a running sandbox to access services inside it, such as a web server or database:

```shell
openshell forward start 8000 my-sandbox
openshell forward start 8000 my-sandbox -d    # run in background
```

List and stop active forwards:

```shell
openshell forward list
openshell forward stop 8000 my-sandbox
```

<Tip>
  You can also forward a port at creation time with `--forward`:

  ```shell
  openshell sandbox create --forward 8000 -- claude
  ```
</Tip>

## SSH Config

Generate an SSH config entry for a sandbox so tools like VS Code Remote-SSH can connect directly:

```shell
openshell sandbox ssh-config my-sandbox
```

Append the output to `~/.ssh/config` or use `--editor` on `sandbox create`/`sandbox connect` for automatic setup.

## Transfer Files

Upload files from your host into the sandbox:

```shell
openshell sandbox upload my-sandbox ./src /sandbox/src
```

Download files from the sandbox to your host:

```shell
openshell sandbox download my-sandbox /sandbox/output ./local
```

<Note>
  You can also upload files at creation time with the `--upload` flag on
  `openshell sandbox create`.
</Note>

## Delete Sandboxes

Deleting a sandbox stops all processes, releases resources, and purges injected credentials.

```shell
openshell sandbox delete my-sandbox
```

## Next Steps

* To follow a complete end-to-end example, refer to the [Github Sandbox](/tutorials/github-sandbox) tutorial.
* To supply API keys or tokens, refer to [Manage Providers](/sandboxes/manage-providers).
* To control what the agent can access, refer to [Policies](/sandboxes/policies).
* To use a pre-built environment, refer to the [Community Sandboxes](/sandboxes/community-sandboxes) catalog.