Codex CLI: bubblewrap (bwrap) sandbox fails on Synology NAS — apply_patch broken

[tchirou]

Image Variant

Full (latest / dev)

Image Tag / Version

Latest

Host OS

Linux

What happened?

Environment

• Host: Synology NAS (DSM 7.x)
• HolyClaude: latest
• Platform: linux/amd64
• Deployment: Docker Compose behind Traefik + Authentik

Problem

When using the Codex CLI inside HolyClaude on a Synology NAS, the apply_patch
tool fails with the following error:

bwrap: Creating new namespace failed: Operation not permitted

This is caused by Synology's kernel restricting user namespaces, which bubblewrap
requires to create its sandbox. As a result, Codex CLI cannot write files through
its normal sandboxed mechanism and falls back to asking the user to explicitly
authorize "patch via shell" for every file edit.

What did you expect?

No fail

Steps to reproduce

1. Deploy HolyClaude on a Synology NAS using the provided docker-compose
2. Start a Codex CLI session
3. Ask Codex to edit any file
4. Observe: Failed to apply patch / bwrap: Creating new namespace failed

Expected behavior

Codex CLI should be able to edit files without requiring explicit shell fallback
authorization on every patch.

Suggested fix

Install bubblewrap in the image with the setuid bit set, which allows it to
work without user namespace support:

RUN apt-get install -y bubblewrap && chmod u+s /usr/bin/bwrap


### Docker Compose / Run command

```yaml

Logs / Error output

[CoderLuii]

thanks for the detailed report. this is a clear issue with bubblewrap needing user namespaces that synology kernels restrict.

the fix is straightforward, adding bubblewrap to the image and setting the setuid bit so it works without user namespace support:

RUN apt-get install -y bubblewrap && chmod u+s /usr/bin/bwrap

this will land in the next release. on standard linux hosts bwrap still uses namespaces normally so no behavior change there, the setuid bit only kicks in on restricted kernels like synology.

appreciate you including the suggested fix, saved me the research time.

[tchirou]

You are welcome, this is Claude who did the heavy lifting of writing the issue 😂
Awesome project !
Do you have a buymeacoffee or what ?
I am currently on the phone messing with Claude code and codex, no more need of a laptop !

[CoderLuii]

haha claude writes better bug reports than most humans honestly. appreciate the kind words!

yeah i do have a buy me a coffee: https://buymeacoffee.com/CoderLuii

glad its working well for you on mobile, thats exactly the use case i built it for. no laptop needed, just a browser and a server doing the work.

[tchirou]

I have found your buymeacoffee on your site.
Also you should update it as codex works with a chatgpt plus subscription
Finally, as I don’t know what I am talking about as a non coder, there are a bunch of tools to be allowed in the permissions settings of Claude but there are not in the codex permissions. Is it a limitation or could they be implemented ? It asked me 9 times to proceed with node, it was cumbersome to select yes each time on the phone
Many thanks

[CoderLuii]

haha claude writing its own bug reports, love it. glad its working well on your phone too, thats exactly the use case i had in mind. no laptop, just a browser and your server doing the work.

just got your 5 euros, seriously appreciate it. youre the first supporter ever. actually just finished setting up the membership tiers on buymeacoffee because of you lol.

the bubblewrap fix is done and tested locally. waiting for the build to finish and ill tag v1.1.6. ill reply here once its live so you can pull the latest.

[tchirou]

You are welcome !
Not having to copy paste code from Claude and chatgpt apps in a ssh window is a life changer !

After the previous release, I had to login again in the shells of Claude and codex. Is it expected after a rebuild ?
Claude pro account was still login though

I don’t know if you saw my previous comment about the fact that chatgpt plus sub includes codex now. And about the « allow tools » in codex ?

Thanks a lot !

[CoderLuii]

v1.1.6 is out with the bubblewrap fix. pull the latest image.

on your three points:

1. chatgpt plus/pro working with codex, yep already updated the docs in this release. you were right.

2. the approval prompts (node asked 9 times), thats because codex defaults to "untrusted" mode where every command needs manual approval. fixing this in the next release by pre-configuring codex with approval_policy = "on-request" so the model decides when to ask instead of prompting every time. still sandboxed, just less annoying. if you want to fix it now: create ~/.codex/config.toml with approval_policy = "on-request" and sandbox_mode = "workspace-write".

3. re-login after rebuild, thats expected right now. claude pro auth survives because ~/.claude/ is bind-mounted. codex stores auth in ~/.codex/ which isnt mounted so it gets wiped. fixing this in the next release too by symlinking ~/.codex into the persistent volume so your codex login survives rebuilds.

thanks for the feedback, these are real usability improvements.

[tchirou]

I will pull tomorrow as it took a loooong time with latest earlier Thanks a lot ! Le sam. 28 mars 2026 à 23:47, CoderLuii ***@***.***> a écrit :

…

*CoderLuii* left a comment (CoderLuii/HolyClaude#16) <#16 (comment)> v1.1.6 <https://github.com/CoderLuii/HolyClaude/releases/tag/v1.1.6> is out with the bubblewrap fix. pull the latest image. on your three points: 1. chatgpt plus/pro working with codex, yep already updated the docs in this release. you were right. 2. the approval prompts (node asked 9 times), thats because codex defaults to "untrusted" mode where every command needs manual approval. fixing this in the next release by pre-configuring codex with approval_policy = "on-request" so the model decides when to ask instead of prompting every time. still sandboxed, just less annoying. if you want to fix it now: create ~/.codex/config.toml with approval_policy = "on-request" and sandbox_mode = "workspace-write". 3. re-login after rebuild, thats expected right now. claude pro auth survives because ~/.claude/ is bind-mounted. codex stores auth in ~/.codex/ which isnt mounted so it gets wiped. fixing this in the next release too by symlinking ~/.codex into the persistent volume so your codex login survives rebuilds. thanks for the feedback, these are real usability improvements. — Reply to this email directly, view it on GitHub <#16?email_source=notifications&email_token=ABTPZ3B6PDBOCI2DTJCSRJT4TBI6RA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJUHA4TKMRYHAZKM4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#issuecomment-4148952882>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTPZ3HAIO6JLYLQW6WQJX34TBI6RAVCNFSM6AAAAACXDQOIYGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCNBYHE2TEOBYGI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[tchirou]

On the point 3 : is it possible to do the same for Claude shell ? Thanks ! Le sam. 28 mars 2026 à 23:47, CoderLuii ***@***.***> a écrit :

…

*CoderLuii* left a comment (CoderLuii/HolyClaude#16) <#16 (comment)> v1.1.6 <https://github.com/CoderLuii/HolyClaude/releases/tag/v1.1.6> is out with the bubblewrap fix. pull the latest image. on your three points: 1. chatgpt plus/pro working with codex, yep already updated the docs in this release. you were right. 2. the approval prompts (node asked 9 times), thats because codex defaults to "untrusted" mode where every command needs manual approval. fixing this in the next release by pre-configuring codex with approval_policy = "on-request" so the model decides when to ask instead of prompting every time. still sandboxed, just less annoying. if you want to fix it now: create ~/.codex/config.toml with approval_policy = "on-request" and sandbox_mode = "workspace-write". 3. re-login after rebuild, thats expected right now. claude pro auth survives because ~/.claude/ is bind-mounted. codex stores auth in ~/.codex/ which isnt mounted so it gets wiped. fixing this in the next release too by symlinking ~/.codex into the persistent volume so your codex login survives rebuilds. thanks for the feedback, these are real usability improvements. — Reply to this email directly, view it on GitHub <#16?email_source=notifications&email_token=ABTPZ3B6PDBOCI2DTJCSRJT4TBI6RA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJUHA4TKMRYHAZKM4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#issuecomment-4148952882>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTPZ3HAIO6JLYLQW6WQJX34TBI6RAVCNFSM6AAAAACXDQOIYGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCNBYHE2TEOBYGI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[CoderLuii]

depends on which login you mean:

• claude code CLI auth (your anthropic credentials) already persists across rebuilds. its stored in ~/.claude/ which is bind-mounted. if you ran claude in the terminal and authenticated, that should survive.

• the cloudcli web UI account (the one you create in the browser to access the web interface) does get wiped on rebuild. thats intentional because it uses SQLite which breaks on network mounts. takes about 10 seconds to recreate. its a known tradeoff documented in the readme.

• codex CLI auth (codex login --device-auth) currently gets wiped. fixing that in the next release by persisting ~/.codex/ into the bind mount.

which one are you hitting?

[tchirou]

After pulling the latest a few hours ago, I had to login again on the Claude cli shell window using the link and the paste method. Chat has survived though. Le dim. 29 mars 2026 à 00:10, CoderLuii ***@***.***> a écrit :

…

*CoderLuii* left a comment (CoderLuii/HolyClaude#16) <#16 (comment)> depends on which login you mean: - claude code CLI auth (your anthropic credentials) already persists across rebuilds. its stored in ~/.claude/ which is bind-mounted. if you ran claude in the terminal and authenticated, that should survive. - the cloudcli web UI account (the one you create in the browser to access the web interface) does get wiped on rebuild. thats intentional because it uses SQLite which breaks on network mounts. takes about 10 seconds to recreate. its a known tradeoff documented in the readme. - codex CLI auth (codex login --device-auth) currently gets wiped. fixing that in the next release by persisting ~/.codex/ into the bind mount. which one are you hitting? — Reply to this email directly, view it on GitHub <#16?email_source=notifications&email_token=ABTPZ3AGFCL3E5CQBUJFDZT4TBLVVA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJUHA4TQNRTGYYKM4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#issuecomment-4148986360>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTPZ3ABQPFLPRIVF4DLNL34TBLVVAVCNFSM6AAAAACXDQOIYGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCNBYHE4DMMZWGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[CoderLuii]

thats expected when pulling a new image. the claude code CLI binary gets updated with each new image, and sometimes a CLI update invalidates your existing oauth session. your credentials are still in the bind mount, claude just needs to refresh the token which triggers the re-auth prompt.

the cloudcli web UI chat surviving is because thats a separate auth stored in the browser session.

this should only happen when you pull a new image version, not on regular restarts. if it happens on every restart without pulling, let me know.

[tchirou]

I just added the notify in docker compose and up -d and it lost Claude shell Le dim. 29 mars 2026 à 00:31, CoderLuii ***@***.***> a écrit :

…

*CoderLuii* left a comment (CoderLuii/HolyClaude#16) <#16 (comment)> thats expected when pulling a new image. the claude code CLI binary gets updated with each new image, and sometimes a CLI update invalidates your existing oauth session. your credentials are still in the bind mount, claude just needs to refresh the token which triggers the re-auth prompt. the cloudcli web UI chat surviving is because thats a separate auth stored in the browser session. this should only happen when you pull a new image version, not on regular restarts. if it happens on every restart without pulling, let me know. — Reply to this email directly, view it on GitHub <#16?email_source=notifications&email_token=ABTPZ3FAQMDZ6Q6TYB52VKT4TBOEDA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJUHEYDEMJZG43KM4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#issuecomment-4149021976>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTPZ3DVIQ3FOK4HXTLF5AL4TBOEDAVCNFSM6AAAAACXDQOIYGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCNBZGAZDCOJXGY> . You are receiving this because you authored the thread.Message ID: ***@***.***>