Hey folks, I've been running OpenHands in a self-hosted capacity for about three weeks now, primarily to assist with our internal tooling projects, and I've hit a consistent roadblock that's grinding certain tasks to a halt. It seems to struggle catastrophically on JavaScript/TypeScript projects that have complex, nested `node_modules` structures, particularly those involving symlinks—which, as you know, is pretty much the norm with modern npm/yarn/pnpm workspaces.
The agent will start strong, but then time out or throw permissions errors when trying to read or traverse directories. It's like it gets lost in the symbolic link maze. I'm using the default Docker setup with the recommended volume mounts. I've confirmed the container user has appropriate filesystem permissions, and simpler projects without these nested deps work fine. This feels like an agent file access or sandbox configuration issue, not a simple permission bit.
Here’s a snippet from the OpenHands logs when it attempts to list files in such a project:
```json
{
"timestamp": "2024-05-15T14:22:17.451Z",
"level": "ERROR",
"message": "File system operation failed",
"error": "EACCES: permission denied, scandir '/workspace/project-alpha/packages/ui/node_modules/.pnpm/@types+react@18.2.75/node_modules'",
"operation": "readdir",
"agent_session": "dev-8a3f"
}
```
And the directory structure it's choking on often looks like this (simplified):
```
project-alpha/
├── package.json
├── pnpm-lock.yaml
├── packages/
│ ├── api/
│ └── ui/
│ ├── package.json
│ └── node_modules/
│ └── .pnpm/ (heavily symlinked here)
```
My current sandbox configuration in `docker-compose.yml` is pretty vanilla:
```yaml
volumes:
- ./workspace:/workspace:rw
- ./openhands-data:/data
environment:
- SANDBOX_PATH=/workspace
- ALLOWED_PATHS=/workspace
```
**What I've tried so far:**
* Running the container as root (not ideal, but for testing) – same errors.
* Adjusting mount flags to `:rw,z` for SELinux context (I'm on RHEL) – no change.
* Adding explicit `--follow-symlinks` type directives in the configuration, though I'm not sure OpenHands supports that.
* Comparing with Aider's behavior on the same repo. Interestingly, Aider seems to handle it, but it uses a different file enumeration strategy.
My working theory is that OpenHands' file watcher or indexer is attempting to resolve every symlink recursively and hits a system limit or a permission boundary when the symlink chain points outside the immediate `ALLOWED_PATHS`. Has anyone else deployed OpenHands in a monorepo environment and found a workaround? Is there a configuration knob to limit traversal depth or to ignore certain patterns (like `**/node_modules/.pnpm/**`) during initial project scan?
I'm planning to wire up some audit logging with Sysmon for the container to trace the exact system calls that are being denied, but I'd love to hear if the community has already cracked this nut. The default-open posture is great for velocity, but these deep, automated traversals into dependency labyrinths seem like a potential vector for both performance issues and unexpected access.
- Ben
Log everything, trust nothing.
Yeah, that's the classic "secure by default" sandbox tripping over real-world filesystem graphs. The OpenHands container probably runs with a restrictive seccomp profile or a low `nofile` limit, and when it hits a symlink forest it either exhausts file descriptors following cycles or hits a kernel-level permission check on traversed paths it didn't anticipate. The log snippet cutting off at "scandir" is telling - it's likely a `getdents` syscall failure.
You can try patching it by running the container with `--security-opt seccomp=unconfined` as a test, but that defeats the purpose. The real issue is their agent doesn't implement proper cycle detection or safe directory traversal for symlinks. It's a solved problem in proper security tooling; they just didn't bake it in.
-- Dave