test(macos-container): add launch integration smoke
This commit is contained in:
@@ -9,10 +9,10 @@
|
||||
|
||||
Add an experimental `macos-container` backend that integrates Apple's
|
||||
`container` CLI as a host runtime on macOS. The first shipped slice
|
||||
registers the backend, implements the reusable host primitives
|
||||
registers the backend and implements reusable host primitives
|
||||
(`build`, `exec`, `cp`, image inspection, cleanup, active
|
||||
enumeration), and blocks full launch behind an explicit network
|
||||
enforcement guard. This creates a real integration point without
|
||||
enumeration). Follow-up slices make launch runnable with the proven
|
||||
two-network sidecar topology and add real-runtime coverage, without
|
||||
weakening bot-bottle's sidecar egress model.
|
||||
|
||||
## Problem
|
||||
@@ -49,10 +49,15 @@ path around the egress sidecar.
|
||||
- The backend has tested wrappers for Apple Container image build,
|
||||
image inspection, container `exec`, container `cp`, cleanup, and
|
||||
active-agent enumeration.
|
||||
- Full launch fails loudly with an operator-facing message until the
|
||||
sidecar network enforcement design is implemented.
|
||||
- The PRD records the remaining launch work so the next PR can make the
|
||||
backend runnable without revisiting registration or wrapper plumbing.
|
||||
- Full launch uses a host-only internal network for the agent and a
|
||||
separate NAT egress network for the sidecar bundle.
|
||||
- The agent container does not attach to the egress network. It reaches
|
||||
allowed outbound hosts through HTTP(S)_PROXY pointing at the
|
||||
sidecar's internal-network IP.
|
||||
- `bottle.git` / git-gate bottles fail loudly on this backend until a
|
||||
safe Apple Container key-delivery path exists.
|
||||
- Real-runtime integration coverage is present and guarded by macOS and
|
||||
Apple Container availability.
|
||||
|
||||
## Non-goals
|
||||
|
||||
@@ -101,25 +106,38 @@ The bottle handle mirrors `DockerBottle`: it builds a host argv for
|
||||
foreground agent execution, pipes shell snippets through stdin for
|
||||
`Bottle.exec`, and exposes `cp_in` for provisioning.
|
||||
|
||||
### Launch guard
|
||||
### Launch topology
|
||||
|
||||
`launch()` is intentionally not enabled in the first slice. It exits
|
||||
with a fatal message explaining that sidecar network enforcement still
|
||||
needs implementation.
|
||||
`launch()` uses Apple Container's two-network topology:
|
||||
|
||||
This is deliberate. A runnable backend that places the agent on a
|
||||
normal outbound network while relying on environment variables for
|
||||
proxying would violate bot-bottle's egress model. The runnable version
|
||||
must prove one of these shapes:
|
||||
- create a host-only internal network for the bottle;
|
||||
- create a normal NAT egress network for the sidecar bundle;
|
||||
- start the sidecar bundle attached to the egress network first and the
|
||||
internal network second;
|
||||
- discover the sidecar's internal-network IPv4 address from
|
||||
`container inspect`;
|
||||
- start the agent attached only to the internal network, with
|
||||
HTTP_PROXY / HTTPS_PROXY / lowercase proxy vars pointing at the
|
||||
sidecar IP and egress port.
|
||||
|
||||
- Apple Container supports the equivalent of Docker's two-network
|
||||
sidecar topology: agent on an internal-only network, sidecar on both
|
||||
internal and egress networks.
|
||||
- The sidecar bundle runs as a separate VM/container with published
|
||||
loopback ports, and the agent runtime can be constrained to only
|
||||
reach that per-bottle loopback alias.
|
||||
- Apple Container init/network hooks can enforce the egress sidecar as
|
||||
the only outbound path before the agent process starts.
|
||||
This keeps the agent off the outbound network while preserving the
|
||||
proxy-env contract that existing agent tooling already honors. The
|
||||
integration smoke also removes the proxy env in-guest and confirms
|
||||
direct egress fails.
|
||||
|
||||
### Deferred git-gate support
|
||||
|
||||
Apple Container currently rejects single-file bind mounts, and
|
||||
`container cp` into a stopped container is not available. Starting the
|
||||
container earlier would allow `container cp` into a running container,
|
||||
but it would also mean delivering SSH private key material into a live
|
||||
sidecar before the git-gate daemon is ready to own it. Mounting broad
|
||||
host SSH directories is not acceptable.
|
||||
|
||||
For this PRD, `bottle.git` / git-gate support is explicitly deferred on
|
||||
the `macos-container` backend. Bottles with git-gate upstreams fail
|
||||
loudly and should use `docker` or `smolmachines` until a narrower key
|
||||
delivery design lands.
|
||||
|
||||
## Implementation chunks
|
||||
|
||||
@@ -147,8 +165,12 @@ must prove one of these shapes:
|
||||
- Unit tests cover `MacosContainerBottle` command construction and
|
||||
stdin-based shell execution.
|
||||
- Unit tests cover cleanup and active enumeration parsing.
|
||||
- Future integration tests must run on a host with Apple Container
|
||||
installed and should verify egress cannot bypass the sidecar.
|
||||
- Unit tests cover launch argv/env construction, sidecar mount
|
||||
staging, sidecar IP parsing, and git-gate rejection.
|
||||
- Integration tests run on macOS hosts with Apple Container installed
|
||||
and verify that egress cannot bypass the sidecar. They also preflight
|
||||
Apple Container BuildKit DNS because image builds must resolve
|
||||
package mirrors before a launch smoke can be meaningful.
|
||||
|
||||
## References
|
||||
|
||||
|
||||
Reference in New Issue
Block a user