opencode-cloud
A production-ready toolkit for deploying and managing opencode as a persistent cloud service, sandboxed inside a Docker container for isolation and security.
Quick install (cargo)
Features
- Sandboxed execution - opencode runs inside a Docker container, isolated from your host system
- Persistent environment - Your projects, settings, and shell history persist across restarts
- Cross-platform CLI (
opencode-cloud/occ) - Works on Linux and macOS - Service lifecycle commands - start, stop, restart, status, logs
- Platform service integration - systemd (Linux) / launchd (macOS) for auto-start on boot
- Remote host management - Manage opencode containers on remote servers via SSH
- Web-based admin - Cockpit integration for container administration
How it works
opencode-cloud runs opencode inside a Docker container, providing:
- Isolation - opencode and its AI-generated code run in a sandbox, separate from your host system
- Reproducibility - The container includes a full development environment (languages, tools, runtimes)
- Persistence - Docker volumes preserve your work across container restarts and updates
- Security - Network exposure is opt-in; by default, the service only binds to localhost
The CLI manages the container lifecycle, so you don't need to interact with Docker directly.
Docker Images
The sandbox container image is named opencode-cloud-sandbox (not opencode-cloud) to clearly distinguish it from the CLI tool. The CLI (opencode-cloud / occ) deploys and manages this sandbox container.
The image is published to both registries:
| Registry | Image |
|---|---|
| GitHub Container Registry | ghcr.io/prizz/opencode-cloud-sandbox |
| Docker Hub | prizz/opencode-cloud-sandbox |
Pull commands:
Docker Hub:
GitHub Container Registry:
For most users: Just use the CLI - it handles image pulling/building automatically:
Requirements
- Rust 1.85+ - Install via rustup:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh - Docker - For running the opencode container
Installation
Via cargo (recommended)
From source (install locally)
From source (development run)
Usage
# Show version
# Start the service (builds Docker container on first run, ~10-15 min)
# Start on a custom port
# Start and open browser
# Check service status
# View logs
# Follow logs in real-time
# Stop the service
# Restart the service
# Install as a system service (starts on login/boot)
# Uninstall the system service
# View configuration
Authentication
opencode-cloud uses PAM (Pluggable Authentication Modules) for authentication. Users created via occ user add can authenticate to both:
- opencode web UI - Access the coding interface
- Cockpit - System administration interface
Creating Users
Create a user with a password:
Generate a random password:
Managing Users
- List users:
occ user list - Change password:
occ user passwd <username> - Remove user:
occ user remove <username> - Enable/disable account:
occ user enable <username>/occ user disable <username>
Legacy Authentication Fields
The auth_username and auth_password config fields are deprecated and ignored. They are kept in the config schema for backward compatibility with existing deployments, but new users should be created via occ user add instead.
To migrate from legacy fields:
- Create a PAM user:
occ user add <username> - The legacy fields will be automatically cleared on next config save
Rebuilding the Docker Image
When developing locally or after updating opencode-cloud, you may need to rebuild the Docker image to pick up changes in the embedded Dockerfile:
# Rebuild using Docker cache (fast - only rebuilds changed layers)
# Rebuild from scratch without cache (slow - for troubleshooting)
--cached-rebuild (recommended for most cases):
- Uses Docker layer cache for fast rebuilds
- Only rebuilds layers that changed (e.g., if only the CMD changed, it's nearly instant)
- Stops and removes any existing container before rebuilding
--full-rebuild (for troubleshooting):
- Ignores Docker cache and rebuilds everything from scratch
- Takes 10-15 minutes but guarantees a completely fresh image
- Use when cached rebuild doesn't fix issues
When to rebuild:
- After pulling updates to opencode-cloud → use
--cached-rebuild - When modifying the Dockerfile during development → use
--cached-rebuild - When the container fails to start due to image issues → try
--cached-rebuildfirst, then--full-rebuild - When you want a completely fresh environment → use
--full-rebuild
Configuration
Configuration is stored at:
- Linux/macOS:
~/.config/opencode-cloud/config.json
Data (PID files, etc.) is stored at:
- Linux/macOS:
~/.local/share/opencode-cloud/
Development
# Install dependencies
# Configure git hooks (once after cloning)
# Build everything
# Compile and run occ (arguments automatically get passed to the binary)
# Run tests
# Format and lint
Note: The git hooks automatically sync
README.mdto npm package directories on commit.
Architecture
This is a monorepo with:
packages/core- Rust core librarypackages/cli-rust- Rust CLI binary (recommended)packages/cli-node- Node.js CLI (deprecated, directs users to cargo install)
Cargo.toml Sync Requirement
The packages/core/Cargo.toml file must use explicit values rather than workspace = true references.
When updating package metadata (version, edition, rust-version, etc.), keep both files in sync:
Cargo.toml(workspace root)packages/core/Cargo.toml
Use scripts/set-all-versions.sh <version> to update versions across all files automatically.
License
MIT