
Linux Setup

Install and configure YeePilot on Linux with full namespace sandbox isolation

Last updated: February 27, 2026

Overview

Linux is YeePilot's primary platform and supports the full feature set, including kernel namespace sandboxing for command isolation. This guide covers installation, credential storage, sandbox configuration, and distribution-specific notes.


Supported Distributions

YeePilot runs on most modern Linux distributions:

Distribution     Minimum Version
Ubuntu           20.04 LTS (Focal)
Debian           11 (Bullseye)
CentOS / RHEL    8
Fedora           36
Arch Linux       Rolling release
Alpine Linux     3.16+

Both amd64 (x86_64) and arm64 (aarch64) architectures are supported with native binaries.


Installation

The install script detects your architecture and installs the latest release:

bash
curl -fsSL https://yee.to/install.sh | bash

This will:

  1. Detect your OS and architecture (amd64 or arm64).
  2. Download the latest YeePilot binary.
  3. Verify the download checksum.
  4. Install the binary to /usr/local/bin/yeepilot.
  5. Set the correct file permissions.

After installation, verify it works:

bash
yeepilot version

Manual Installation

If you prefer to install manually:

  1. Download the correct archive from the releases page:

    • yeepilot-linux-amd64.tar.gz for x86_64 systems
    • yeepilot-linux-arm64.tar.gz for ARM64 systems
  2. Extract and install:

bash
tar xzf yeepilot-linux-amd64.tar.gz
sudo mv yeepilot /usr/local/bin/
sudo chmod +x /usr/local/bin/yeepilot
  3. Verify the installation:
bash
yeepilot version
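
The manual steps above skip the checksum verification that the install script performs. The script below is an added example, not part of YeePilot or its installer: it picks the archive name for the current architecture and installs the binary only if the archive's SHA-256 matches a digest you supply. Where the project publishes its digests is not stated on this page, so the expected value is passed in as an argument, and the archive is assumed to hold a top-level `yeepilot` member, as the `mv` step above implies.

```shell
#!/bin/sh
# Added example (not YeePilot code): verify a manually downloaded archive
# before installing it. Function names are hypothetical.

# Map `uname -m` output to the archive names listed in this guide.
archive_for_arch() {
    case "$1" in
        x86_64|amd64)  echo "yeepilot-linux-amd64.tar.gz" ;;
        aarch64|arm64) echo "yeepilot-linux-arm64.tar.gz" ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# verify_sha256 FILE EXPECTED_HEX -> 0 only if the digest matches exactly.
verify_sha256() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not a 64-character hex string.
    case $expected in ''|*[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;; esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
)

# install_verified ARCHIVE EXPECTED_HEX [DEST_DIR]
# Extracts into a scratch directory and installs only after the check passes.
install_verified() (
    archive=$1 expected=$2 dest=${3:-/usr/local/bin}
    verify_sha256 "$archive" "$expected" ||
        { echo "checksum verification failed: $archive" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    # Assumption: the archive holds a top-level member named "yeepilot".
    tar -xzf "$archive" -C "$tmp" yeepilot &&
        install -m 0755 "$tmp/yeepilot" "$dest/yeepilot"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
)

# Usage, after sourcing this file in a root shell (the default
# destination /usr/local/bin is root-owned):
#   archive=$(archive_for_arch "$(uname -m)")
#   install_verified "$archive" "<sha256 from the release page>"
```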

Initial Setup

Run the interactive setup to configure your AI provider and preferences:

bash
yeepilot setup

This creates your configuration file at ~/.yeepilot/config.yaml and prompts you to configure your AI provider and API key.


Credential Storage

YeePilot stores API keys and authentication tokens in your system's secret service for security.

Most desktop Linux distributions include GNOME Keyring. YeePilot uses the secret-tool command to interact with it.

Install secret-tool if missing:

bash
# Ubuntu / Debian
sudo apt install libsecret-tools
 
# Fedora / CentOS
sudo dnf install libsecret
 
# Arch Linux
sudo pacman -S libsecret

Verify it is working:

bash
secret-tool --version

Headless Servers

On headless servers without a desktop environment or keyring daemon, YeePilot automatically falls back to an encrypted JSON file at ~/.yeepilot/credentials.json. This file is created with restricted permissions (0600).

If you want to use GNOME Keyring on a headless server, you can start the keyring daemon manually:

bash
eval $(dbus-launch --sh-syntax)
eval $(gnome-keyring-daemon --start --components=secrets)

Sandbox Features

Linux provides the most comprehensive sandbox environment through kernel namespaces. When sandbox namespaces are enabled, every command YeePilot executes runs in an isolated environment.

Namespace Isolation

YeePilot uses four Linux namespace types:

Namespace    Purpose
User         Runs commands as an unprivileged user inside the sandbox
PID          Isolates process visibility -- commands cannot see other processes
Mount        Restricts filesystem access to allowed paths only
Network      Optionally isolates network access completely

Enabling Namespaces

Namespaces are enabled by default on Linux. Verify your configuration:

yaml
# ~/.yeepilot/config.yaml
sandbox:
  enabled: true
  use_namespaces: true

Kernel Requirements

User namespaces must be enabled in your kernel. Most modern distributions enable them by default. Check with:

bash
cat /proc/sys/kernel/unprivileged_userns_clone

If the output is 0, enable it:

bash
# Temporary (until reboot)
sudo sysctl kernel.unprivileged_userns_clone=1
 
# Permanent
echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/99-yeepilot.conf
sudo sysctl --system

Note: Some hardened kernels (e.g., certain CentOS/RHEL configurations) disable user namespaces by default. If you cannot enable them, set sandbox.use_namespaces: false to fall back to process-level resource limits.
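
The check above reads a single sysctl, kernel.unprivileged_userns_clone, which is not present on every kernel. The preflight script below is an added example, not part of YeePilot, for deciding whether to keep sandbox.use_namespaces: true. It goes beyond this page by also reading user.max_user_namespaces and Ubuntu's kernel.apparmor_restrict_unprivileged_userns, and its ROOT argument is a hypothetical parameter for pointing the check at a constructed /proc tree.

```shell
#!/bin/sh
# Added example (not YeePilot code): report which kernel setting, if any,
# blocks unprivileged user namespaces. Function names are hypothetical.

# Print a sysctl file's value, or nothing if this kernel lacks the knob.
knob() { [ -r "$1" ] && cat "$1" 2>/dev/null; }

# userns_status [ROOT]
# Returns 0 = no sysctl blocks userns, 1 = blocked, 2 = AppArmor-restricted.
userns_status() (
    sys=${1:-}/proc/sys
    # Distribution patch (Debian/Ubuntu and some others); absent elsewhere.
    if [ "$(knob "$sys/kernel/unprivileged_userns_clone")" = 0 ]; then
        echo "blocked: kernel.unprivileged_userns_clone=0"; return 1
    fi
    # Upstream per-user limit; 0 disables user namespaces entirely.
    if [ "$(knob "$sys/user/max_user_namespaces")" = 0 ]; then
        echo "blocked: user.max_user_namespaces=0"; return 1
    fi
    # Recent Ubuntu: userns creation needs an AppArmor profile allowing it.
    if [ "$(knob "$sys/kernel/apparmor_restrict_unprivileged_userns")" = 1 ]; then
        echo "restricted: kernel.apparmor_restrict_unprivileged_userns=1"; return 2
    fi
    echo "ok: no sysctl blocks unprivileged user namespaces"
)

# Live probe: create a user namespace as the current user (util-linux
# unshare). Sysctls can look fine while seccomp or a container runtime
# still denies the call, so this is the authoritative check.
userns_probe() {
    command -v unshare >/dev/null 2>&1 ||
        { echo "unknown: unshare not installed"; return 3; }
    if unshare --user --map-root-user true 2>/dev/null; then
        echo "ok: user namespace created"
    else
        echo "failed: user namespace creation denied"; return 1
    fi
}

# Usage on the running system:
#   userns_status && userns_probe
```

If either function reports a block that you cannot lift, that is the case where the note above applies and sandbox.use_namespaces: false is the fallback.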


Audit Logging

YeePilot's audit log provides a tamper-evident record of all commands executed. Each log entry is signed with HMAC-SHA256 and linked in a hash chain, making it possible to detect any modifications to the log history.

The audit log is stored at ~/.yeepilot/audit.log by default. To change the location:

yaml
security:
  audit_log_path: "/var/log/yeepilot/audit.log"

Make sure the directory exists and the user has write permissions:

bash
sudo mkdir -p /var/log/yeepilot
sudo chown $(whoami) /var/log/yeepilot

Distribution-Specific Notes

Ubuntu / Debian

bash
# Install dependencies
sudo apt update
sudo apt install libsecret-tools curl
 
# Install YeePilot
curl -fsSL https://yee.to/install.sh | bash

Fedora / CentOS / RHEL

bash
# Install dependencies
sudo dnf install libsecret curl
 
# Install YeePilot
curl -fsSL https://yee.to/install.sh | bash

On CentOS 8 or RHEL 8, you may need to enable user namespaces:

bash
sudo sysctl kernel.unprivileged_userns_clone=1

Arch Linux

bash
# Install dependencies
sudo pacman -S libsecret curl
 
# Install YeePilot
curl -fsSL https://yee.to/install.sh | bash

Alpine Linux

Alpine uses musl libc. YeePilot provides statically linked binaries that work on Alpine without additional dependencies.

bash
# Install curl if needed
apk add curl
 
# Install YeePilot
curl -fsSL https://yee.to/install.sh | bash

Note: GNOME Keyring is not typically available on Alpine. YeePilot will use the JSON file fallback for credential storage.


Updating

Update to the latest version:

bash
yeepilot update

Or reinstall via the install script:

bash
curl -fsSL https://yee.to/install.sh | bash

Uninstalling

Remove YeePilot and all its data:

bash
yeepilot uninstall --all

Or remove only the binary while keeping your configuration:

bash
yeepilot uninstall --binary-only

For a manual removal:

bash
sudo rm /usr/local/bin/yeepilot
rm -rf ~/.yeepilot