Hacker News

orbisvicis
Contained Codex Networking

This is a bit odd, because it was going to start off as an Ask, and now it's a hybrid Show/Ask.

The ask being, how in the world do I make use of Codex's proxy networking? I wanted Codex to have access to local services (not MCP servers) running outside its bubblewrap. The default config.toml file ships with this:

  [permissions.network]
  # enabled = true
  # proxy_url = "http://127.0.0.1:43128"
  # admin_url = "http://127.0.0.1:43129"
  # enable_socks5 = false
  # socks_url = "http://127.0.0.1:43130"
  # enable_socks5_udp = false
  # allow_upstream_proxy = false
  # dangerously_allow_non_loopback_proxy = false
  # dangerously_allow_non_loopback_admin = false
  # dangerously_allow_all_unix_sockets = false
  # mode = "limited"                           # limited | full
  # allowed_domains = ["api.openai.com"]
  # denied_domains = ["example.com"]
  # allow_unix_sockets = ["/var/run/docker.sock"]
  # allow_local_binding = false

I couldn't get it to work, so I downloaded Codex's source code and pointed Codex at it, but after a few hours it hadn't fared any better. I was thinking about asking here because nowhere else is 1000% all-in on AI, but for such a simple question I decided to concurrently try building my own network container... Which was a pain in the butt. First I proxied local traffic, forgetting that codex needs openai.com/chatgpt.com to work. Then I ran into systemd-resolved binding :53 SO_BINDTODEVICE, likely a symptom of I-think-I-know-best-itis, so I couldn't redirect DNS. There were lots of other paper-cuts, but a week later I consider this a really interesting deep-dive into Linux networking.

Anyway what I have here [1] is somewhat of a one-off, but also a really useful guide to building a network namespace container. Hopefully it'll be a useful roadmap for others.

1. https://gist.github.com/orbisvicis/347fb8439b658fd6161486f3de1e1ea0
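A small lint for the `[permissions.network]` table quoted in the post, as an added example that is not part of the post or of Codex's code base. The key names are taken from the default config.toml excerpt above; the meaning attached to each key (loopback-only proxy endpoints unless a `dangerously_*` flag is set, `mode = "limited"` restricting egress to `allowed_domains`) is an assumption drawn from the key names, not from Codex documentation. The two configs it checks are constructed: the shipped defaults with an allow-list for the endpoints the post says Codex needs, and a "just make it work" edit that exposes the proxy off-loopback and grants the sandbox the Docker socket.

```python
"""Lint a Codex config.toml [permissions.network] table for settings that
weaken the sandbox boundary.

Added example, not Codex's own tooling. Key semantics are assumed from the
key names in the default config.toml excerpt.
"""
try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # pip install tomli on older interpreters
from urllib.parse import urlparse

# Flags whose name announces a widened sandbox boundary (assumed semantics).
DANGEROUS_FLAGS = (
    "dangerously_allow_non_loopback_proxy",
    "dangerously_allow_non_loopback_admin",
    "dangerously_allow_all_unix_sockets",
)

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def _host_is_loopback(url):
    # urlparse().hostname lowercases and strips IPv6 brackets for us.
    return urlparse(url).hostname in LOOPBACK_HOSTS


def lint_network(cfg):
    """Return a list of (severity, message) findings for a parsed config."""
    net = cfg.get("permissions", {}).get("network", {})
    findings = []
    if not net.get("enabled", False):
        findings.append(("info", "network proxying disabled; sandbox has no egress path"))
        return findings

    for key in DANGEROUS_FLAGS:
        if net.get(key):
            findings.append(("high", f"{key} = true widens the sandbox boundary"))

    # Proxy, admin and SOCKS endpoints should only ever be reachable on loopback.
    for key in ("proxy_url", "admin_url", "socks_url"):
        url = net.get(key)
        if url and not _host_is_loopback(url):
            findings.append(("high", f"{key} points at non-loopback endpoint {url}"))

    mode = net.get("mode", "limited")
    if mode == "full":
        findings.append(("medium", 'mode = "full": egress is not restricted to allowed_domains'))
    elif mode == "limited":
        allowed = net.get("allowed_domains", [])
        if not allowed:
            findings.append(("medium", "mode is limited but allowed_domains is empty"))
        overlap = set(allowed) & set(net.get("denied_domains", []))
        if overlap:
            findings.append(("medium", f"domains both allowed and denied: {sorted(overlap)}"))
    else:
        findings.append(("high", f"unknown mode {mode!r}"))

    if net.get("enable_socks5_udp") and not net.get("enable_socks5"):
        findings.append(("low", "enable_socks5_udp set without enable_socks5"))

    for sock in net.get("allow_unix_sockets", []):
        if sock == "/var/run/docker.sock":
            findings.append(("high", "docker.sock access is equivalent to root on the host"))
    return findings


def lint_toml(text):
    """Parse a config.toml string and lint its network table."""
    return lint_network(tomllib.loads(text))


# Constructed sample: loopback-only endpoints, limited mode, explicit allow-list.
SAFE_CONFIG = """
[permissions.network]
enabled = true
proxy_url = "http://127.0.0.1:43128"
admin_url = "http://127.0.0.1:43129"
mode = "limited"
allowed_domains = ["api.openai.com", "chatgpt.com"]
"""

# Constructed sample: proxy bound off-loopback, full egress, Docker socket handed in.
RISKY_CONFIG = """
[permissions.network]
enabled = true
proxy_url = "http://0.0.0.0:43128"
dangerously_allow_non_loopback_proxy = true
mode = "full"
allow_unix_sockets = ["/var/run/docker.sock"]
"""

if __name__ == "__main__":
    for name, text in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(name)
        for severity, message in lint_toml(text):
            print(f"  [{severity}] {message}")
```

Run it against a real config by replacing the constructed strings with `open("config.toml").read()`; the point is that every `dangerously_*` flag and every non-loopback URL surfaces as a finding before the sandbox is started, rather than being discovered by the container having more reach than intended.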

