Skip to content

ENH enable sandbox env overrides in generate #1107

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gwarmstrong merged 4 commits into from
Dec 12, 2025
Merged

ENH enable sandbox env overrides in generate #1107

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7eeab8d
expose sandbox env override to generate
gwarmstrong Dec 12, 2025
b71682c
remove stem requiremetns from arm
gwarmstrong Dec 12, 2025
5b02320
MAINT remove stem requirements from arm for the moment...
gwarmstrong Dec 12, 2025
fdba8c2
Revert docker build command
gwarmstrong Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion dockerfiles/Dockerfile.sandbox
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ ENV PIP_DISABLE_PIP_VERSION_CHECK=1 \


# Install uv (adds to ~/.local/bin), then install deps
RUN if [ "$GITHUB_CI" != "1" ]; then \
RUN if [ "$GITHUB_CI" != "1" ] && [ "$TARGETARCH" != "arm64" ]; then \
curl -LsSf https://astral.sh/uv/install.sh | sh && \
uv pip install --upgrade pip && \
uv pip install -r /app/stem_requirements.txt --no-cache-dir --extra-index-url https://download.pytorch.org/whl/cpu; \
Expand Down
15 changes: 15 additions & 0 deletions nemo_skills/pipeline/generate.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ def _create_commandgroup_from_config(
task_name: str,
log_dir: str,
sbatch_kwargs: Optional[Dict] = None,
sandbox_env_overrides: Optional[List[str]] = None,
) -> CommandGroup:
"""Create a CommandGroup from server_config.

Expand Down Expand Up @@ -122,6 +123,14 @@ def _create_commandgroup_from_config(
cmd, metadata = sandbox_command(cluster_config=cluster_config, port=sandbox_port)
metadata["log_prefix"] = "sandbox"

# Apply user-specified environment overrides for the sandbox
if sandbox_env_overrides:
sandbox_env = metadata.get("environment", {})
for override in sandbox_env_overrides:
key, value = override.split("=", 1)
sandbox_env[key] = value
metadata["environment"] = sandbox_env
Comment on lines +126 to +132
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Add error handling for malformed environment overrides.

Line 130 will raise ValueError if an override string doesn't contain "=". This would crash the pipeline with an unclear error message.

Apply this diff to add validation:

 # Apply user-specified environment overrides for the sandbox
 if sandbox_env_overrides:
     sandbox_env = metadata.get("environment", {})
     for override in sandbox_env_overrides:
+        if "=" not in override:
+            raise ValueError(
+                f"Invalid sandbox environment override format: '{override}'. "
+                f"Expected KEY=VALUE format (e.g., NEMO_SKILLS_SANDBOX_BLOCK_NETWORK=1)"
+            )
         key, value = override.split("=", 1)
         sandbox_env[key] = value
     metadata["environment"] = sandbox_env
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Apply user-specified environment overrides for the sandbox
if sandbox_env_overrides:
sandbox_env = metadata.get("environment", {})
for override in sandbox_env_overrides:
key, value = override.split("=", 1)
sandbox_env[key] = value
metadata["environment"] = sandbox_env
# Apply user-specified environment overrides for the sandbox
if sandbox_env_overrides:
sandbox_env = metadata.get("environment", {})
for override in sandbox_env_overrides:
if "=" not in override:
raise ValueError(
f"Invalid sandbox environment override format: '{override}'. "
f"Expected KEY=VALUE format (e.g., NEMO_SKILLS_SANDBOX_BLOCK_NETWORK=1)"
)
key, value = override.split("=", 1)
sandbox_env[key] = value
metadata["environment"] = sandbox_env
🤖 Prompt for AI Agents 
In nemo_skills/pipeline/generate.py around lines 126 to 132, the loop that
parses sandbox_env_overrides uses override.split("=", 1) which will raise a
ValueError for strings without "="; update the code to validate each override
before splitting (e.g., check if "=" in override), and handle malformed entries
by either raising a clear ValueError with the offending string or
skipping/logging them—implement input validation, provide a descriptive error
message mentioning the bad override and that expected format is KEY=VALUE, and
ensure metadata["environment"] is only updated for valid pairs.


sandbox_cmd = Command(
command=cmd,
container=cluster_config["containers"]["sandbox"],
Expand Down Expand Up @@ -242,6 +251,11 @@ def generate(
False, help="If True, will re-run jobs even if a corresponding '.done' file already exists"
),
with_sandbox: bool = typer.Option(False, help="If True, will start a sandbox container alongside this job"),
sandbox_env_overrides: List[str] = typer.Option(
None,
help="Extra environment variables for the sandbox container in KEY=VALUE format. "
"E.g., --sandbox-env-overrides NEMO_SKILLS_SANDBOX_BLOCK_NETWORK=1 to enable network blocking.",
),
keep_mounts_for_sandbox: bool = typer.Option(
False,
help="If True, will keep the mounts for the sandbox container. Note that, it is risky given that sandbox executes LLM commands and could potentially lead to data loss. So, we advise not to use this unless absolutely necessary.",
Expand Down Expand Up @@ -455,6 +469,7 @@ def generate(
task_name=task_name,
log_dir=log_dir,
sbatch_kwargs=sbatch_kwargs,
sandbox_env_overrides=sandbox_env_overrides,
)

# Use unique internal job name for dependency tracking, but same task_name
Expand Down