
Opencode isolation and burner workflow 260216

From Game in the Brain Wiki
Revision as of 15:55, 23 February 2026 by Justinaquino (talk | contribs) (Update to match Claude Code isolation workflow: add opencode_isolation.sh, naming convention, daily workflow procedures, isolation table)

OpenCode Isolation and Burner Workflow

This workflow uses Distrobox containers to run OpenCode in isolated environments. Key concepts:

  • Each project runs in its own persistent container
  • Save points capture container state as images
  • A "golden image" serves as a template for new containers
  • Containers are deleted on your schedule

Protection mechanism: Malicious prompt injection damage remains confined to the container, not affecting the host system.

Hardware Reality

You need at least a 32k context window for a usable agent.

VRAM  | GPU example | Context window
8GB   | RX 7600     | 8k–16k (unstable at 32k)
16GB  | RX 9070 XT  | Tight; requires custom config
20GB  | RX 7900 XT  | Sweet spot; 64k–80k
32GB+ |             | 128k+

Workstation unified memory (Ryzen AI Max+, Mac Studio) supports large models but at slower inference speeds.

Recommended models: Qwen2.5-Coder-7B through Qwen2.5-Coder-14B; alternative: DeepSeek V3 API (~₱7.80/million tokens).

Core Naming Convention

Type              | Format                         | Example
Working container | PREFIX-YYMMDD                  | oc-260216
Saved image       | localhost/PREFIX-YYMMDD:latest | localhost/oc-260216:latest
Golden image      | localhost/PREFIX-base:latest   | localhost/oc-base:latest
Burner home       | ~/sandbox-homes/PREFIX-YYMMDD  | ~/sandbox-homes/oc-260216

One-Time Setup: Golden Image Creation

Step 1: Install Distrobox (on host)

sudo apt install distrobox    # Debian/Ubuntu
sudo dnf install distrobox    # Fedora
yay -S distrobox              # Arch

Step 2: Create and enter base container

mkdir -p ~/sandbox-homes/oc-base
distrobox create --name oc-base --image ubuntu:24.04 --home ~/sandbox-homes/oc-base
distrobox enter oc-base

Step 3: Install dependencies (inside container)

curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash -
sudo apt install -y nodejs git python3
npm install -g opencode-ai
opencode  # Complete authentication / API key setup

Step 4: Add launcher script (inside container)

Create ~/project/opencode_isolation.sh:

#!/bin/bash
# Launcher for OpenCode inside Distrobox container

WORK_DIR="$(cd "$(dirname "$0")" && pwd)"
# WORK_DIR="/home/USER/your-project-directory"   # uncomment for hardcoded path

cd "$WORK_DIR"

echo "Starting OpenCode..."
echo "  Working directory: $WORK_DIR"
echo ""

exec opencode "$@"

Make executable: chmod +x ~/project/opencode_isolation.sh

Step 5: Commit golden image (on host)

exit  # Leave container
distrobox stop oc-base
podman container commit oc-base localhost/oc-base:latest
podman image ls  # Verify

GitHub Burner Identity

Create a separate GitHub account exclusively for agent work. Generate Personal Access Tokens (90-day expiration) scoped to repo and workflow permissions rather than sharing primary credentials.

Daily Workflow Procedures

Starting a New Container

[HOST]      mkdir -p ~/sandbox-homes/oc-260216
[HOST]      distrobox create --name oc-260216 --image localhost/oc-base:latest --home ~/sandbox-homes/oc-260216
[HOST]      distrobox enter oc-260216
[DISTROBOX] cd ~/project && ./opencode_isolation.sh

Continuing an Existing Container

[HOST]      distrobox enter oc-260216
[DISTROBOX] cd ~/project && ./opencode_isolation.sh

Saving a Checkpoint

[HOST] distrobox stop oc-260216
[HOST] podman container commit oc-260216 localhost/oc-260216:latest
[HOST] distrobox enter oc-260216  # Resume work

Branching from a Save Point

mkdir -p ~/sandbox-homes/oc-260217
distrobox create --name oc-260217 --image localhost/oc-260216:latest --home ~/sandbox-homes/oc-260217
distrobox enter oc-260217

Restoring from a Checkpoint

[HOST] distrobox rm oc-260217 && rm -rf ~/sandbox-homes/oc-260217
[HOST] mkdir -p ~/sandbox-homes/oc-260217
[HOST] distrobox create --name oc-260217 --image localhost/oc-260216:latest --home ~/sandbox-homes/oc-260217

Promoting a Container to Golden Image

[HOST] distrobox stop oc-260216
[HOST] podman container commit oc-260216 localhost/oc-base:latest

Cleanup Commands

podman image ls              # List all images
podman image rm localhost/oc-260216:latest
podman ps -a                 # List containers
distrobox rm oc-260216 && rm -rf ~/sandbox-homes/oc-260216
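The daily procedures above, wrapped in a small helper script that enforces the PREFIX-YYMMDD naming convention before it creates, commits or removes anything. This is an added example, not the wiki's own tooling: it assumes the Distrobox and Podman commands used on this page, and OC_PREFIX, OC_HOMES and OC_DRY_RUN are variables invented for it.

```shell
#!/bin/sh
# oc-sandbox.sh: helpers for the daily Distrobox workflow above, enforcing the
# PREFIX-YYMMDD naming convention. Set OC_DRY_RUN=1 to print the commands
# instead of running them (e.g. to review them, or on a host without podman).
# Usage: . ./oc-sandbox.sh; oc_new "$(oc_name)"; oc_checkpoint oc-260216
PREFIX="${OC_PREFIX:-oc}"                    # container/image prefix (assumed var)
HOMES="${OC_HOMES:-$HOME/sandbox-homes}"     # parent of all burner homes

run() {  # execute, or echo when dry-running
  if [ "${OC_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# oc_name [YYMMDD]: working container name, e.g. oc-260216 (default: today)
oc_name() { printf '%s-%s\n' "$PREFIX" "${1:-$(date +%y%m%d)}"; }

# oc_valid NAME: refuse anything that is not PREFIX-YYMMDD, so a typo can
# never create, commit or rm -rf the wrong container or home directory
oc_valid() {
  case "$1" in
    "$PREFIX"-[0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) echo "bad container name: '$1' (expected $PREFIX-YYMMDD)" >&2; return 1 ;;
  esac
}

# oc_new NAME [IMAGE]: burner home plus container from the golden image.
# mkdir and distrobox create stay separate commands (see Troubleshooting).
oc_new() {
  oc_valid "$1" || return 1
  run mkdir -p "$HOMES/$1"
  run distrobox create --name "$1" --image "${2:-localhost/$PREFIX-base:latest}" --home "$HOMES/$1"
}

# oc_checkpoint NAME: stop the container and save it as localhost/NAME:latest
oc_checkpoint() {
  oc_valid "$1" || return 1
  run distrobox stop "$1"
  run podman container commit "$1" "localhost/$1:latest"
}

# oc_branch SRC DEST: new container started from SRC's saved checkpoint image
oc_branch() { oc_valid "$1" && oc_new "$2" "localhost/$1:latest"; }

# oc_destroy NAME: drop the container and its burner home (the image is kept)
oc_destroy() {
  oc_valid "$1" || return 1
  run distrobox rm "$1"
  run rm -rf "$HOMES/$1"
}
```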

Parallel Sessions

Clone the golden image into multiple independent containers simultaneously:

distrobox create --name oc-A --image localhost/oc-base:latest --home ~/sandbox-homes/oc-A
distrobox create --name oc-B --image localhost/oc-base:latest --home ~/sandbox-homes/oc-B
distrobox create --name oc-C --image localhost/oc-base:latest --home ~/sandbox-homes/oc-C

Isolation Coverage

Surface         | Isolated?  | Notes
Host home       | ✅ Yes     | Burner home via --home
Host filesystem | ⚠️ Partial | Read-write by default; add --additional-flags for read-only mounts
System packages | ✅ Yes     | Overlay filesystem isolation
Network         | ❌ No      | Shares host network (API access required)
Kernel          | ❌ No      | Rootless containers share kernel
Display         | ❌ No      | GUI renders on host

Troubleshooting

  • Mount failures: Use --home custom directory; avoid nested Firejail
  • cgroup warnings: Expected in rootless containers; operation succeeds despite messages
  • Command separation required: Run mkdir and distrobox create as separate commands; combining them can fail silently
  • $HOME path issue: Inside --home containers, $HOME resolves to the burner directory; use absolute paths in scripts
  • Firejail incompatibility: Fails with --home due to whitelist mode blocking Node.js dependencies; use Distrobox isolation alone

Prerequisites

  • Linux host (Fedora, Ubuntu, Arch, etc.)
  • Distrobox installed
  • Podman installed
  • OpenCode account / API key configured