no output using `fence -m copilot` on ubuntu 24.04

[jima80525]

Hi -
I'm excited about this tool, but having some start up issues.
I managed to install it, then did the apt install of socat. (bwrap was already present).
I then needed to add an apparmor config file:

abi <abi/4.0>,
include <tunables/global>
profile bwrap /usr/bin/bwrap flags=(unconfined) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap>
}

Once this was done, fence works with ls (fence -m ls, fence -- ls, and fence ls all work).
However, using this with the copilot cli (any of the above options) flashes the terminal and returns in about a second.

I've checked and the /tmp/fence directory exists, as does a /tmp/fence-seccomp directory with several .bpf files. These to be a binary format.

Info:

 ➜ copilot --version
GitHub Copilot CLI 1.0.15.
➜ fence --version
fence - lightweight, container-free sandbox for running untrusted commands
  Version: 0.1.40
  Built:   2026-03-31T21:31:24Z
  Commit:  d5bce6adfaa35f96d401f290f59cfe24de617031

thanks for any help you can provide! This looks like a really interesting and useful project!

[jy-tan]

Thanks for the issue @jima80525. What Fence config are you using (if any)?

You can do fence config show to display the config trace and the actual config being used.

[jy-tan]

I just added support for Copilot in the code template (f624e5f) for its required network requests and filesystem writes. Would you check if this works?

# build from source
git clone https://github.com/Use-Tusk/fence
cd fence
go build -o fence ./cmd/fence

# test with the code template
./fence -t code -- copilot

If anything is still being blocked, add the -m flag for Fence and let me know what you see.

[jima80525]

Hmm. Still no joy:

fence on  main via 🐹 v1.25.8 ➜ ./fence -t code -- copilot
fence on  main via 🐹 v1.25.8 took 2s ❯ ./fence -t code -m copilot
fence on  main via 🐹 v1.25.8 ➜ ./fence --version
fence - lightweight, container-free sandbox for running untrusted commands
  Version: dev
  Built:   unknown
  Commit:  unknown

fence on  main via 🐹 v1.25.8 ❯ 

No output for either invocation.

THANK YOU for looking at this and spending time here! I appreciate it.

[jima80525]

Thanks for the issue @jima80525. What Fence config are you using (if any)?

You can do fence config show to display the config trace and the actual config being used.

Sorry - I missed this one this morning. My current config file is:

➜ ./fence config show
Active config chain:
user config: /home/jima/.config/fence/fence.json

{}

[jy-tan]

@jima80525 I managed to reproduce this, just pushed another fix and verified that I see the Copilot TUI on my Fedora machine.

Can you pull main, build, and try it again?

[jima80525]

Victory!!!!
Thank you so much! I apologize for the gap in seeing your last message. I definitely appreciate you fixing this!

BTW - You do mention needing socat and bwrap in the install section, but both times I tried to build/use this (and maybe when I first installed it? I think so, but won't swear to it), I had to do some digging to find the config file changes needed for apparmor to allow bwrap to run here. Is there a good place to insert this into the docs?
I'm happy to take a shot at writing something up, but a pointer to where you want it will probably save us both some time.

Thanks again for the work on this bug!

[jy-tan]

Awesome!

I think the troubleshooting docs would be a good place for this, and PRs welcome!

[jima80525]

Awesome!

I think the troubleshooting docs would be a good place for this, and PRs welcome!

It's actually already covered there. I'm just not smart enough to look there. :) Thanks again for all the help!

[jy-tan]

I didn't remember it was there either, heh 😅