docs(prd): note gate image must be self-sufficient at boot on 0007
test / unit (pull_request) Successful in 12s
test / integration (pull_request) Successful in 13s

The gate's agent-facing leg sits on the `--internal` network, so
the forwarder image cannot rely on apk/apt at startup. Surfaced
by the DNS spike — a placeholder using `apk add socat` died
silently and gave a false-negative DNS-on-internal result.
2026-05-12 15:50:34 -04:00
parent cb0f0f133d
commit b2927b1483
+6 -3
@@ -97,9 +97,12 @@ Mirror the pipelock layout:
egress network, `docker start`. `stop` is idempotent `docker rm
-f`. Container name: `claude-bottle-ssh-gate-<slug>`.
Forwarder image: `alpine/socat`, pinned by digest. One socat
process per ssh entry, multiplexed inside the same gate container
via an entrypoint script that backgrounds N socat invocations:
Forwarder image: `alpine/socat`, pinned by digest. Must be
self-sufficient at boot (no apk/apt pulls on first run) because
the gate's agent-facing leg sits on the `--internal` network and
has no internet at startup. One socat process per ssh entry,
multiplexed inside the same gate container via an entrypoint
script that backgrounds N socat invocations:
```
socat TCP-LISTEN:<port_i>,reuseaddr,fork TCP:<Hostname_i>:<Port_i>
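Review bot: The added sentence in the "Forwarder image" paragraph records the constraint (no apk/apt pulls on first run) but not the failure mode the commit message cites, where the placeholder died silently and gave a false-negative result. Because the entrypoint script backgrounds N socat invocations, a forwarder that fails to start can go unnoticed in the same way; consider adding a requirement that the entrypoint exits non-zero, or that the gate is reported unhealthy, when any socat process fails to start. The wording "has no internet at startup" is also ambiguous next to the preceding context line that mentions the egress network before `docker start`: state whether the restriction applies only to the `--internal` leg or to the whole container until a later step.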