From b2927b1483050b394644e211e7f79528e08e958e Mon Sep 17 00:00:00 2001 From: didericis Date: Tue, 12 May 2026 15:50:34 -0400 Subject: [PATCH] docs(prd): note gate image must be self-sufficient at boot on 0007 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The gate's agent-facing leg sits on the `--internal` network, so the forwarder image cannot rely on apk/apt at startup. Surfaced by the DNS spike — a placeholder using `apk add socat` died silently and gave a false-negative DNS-on-internal result. --- docs/prds/0007-ssh-egress-gate.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/prds/0007-ssh-egress-gate.md b/docs/prds/0007-ssh-egress-gate.md index f2f816a..78101ae 100644 --- a/docs/prds/0007-ssh-egress-gate.md +++ b/docs/prds/0007-ssh-egress-gate.md @@ -97,9 +97,12 @@ Mirror the pipelock layout: egress network, `docker start`. `stop` is idempotent `docker rm -f`. Container name: `claude-bottle-ssh-gate-`. -Forwarder image: `alpine/socat`, pinned by digest. One socat -process per ssh entry, multiplexed inside the same gate container -via an entrypoint script that backgrounds N socat invocations: +Forwarder image: `alpine/socat`, pinned by digest. Must be +self-sufficient at boot (no apk/apt pulls on first run) because +the gate's agent-facing leg sits on the `--internal` network and +has no internet at startup. One socat process per ssh entry, +multiplexed inside the same gate container via an entrypoint +script that backgrounds N socat invocations: ``` socat TCP-LISTEN:,reuseaddr,fork TCP::
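Review bot: The new paragraph states the requirement (no apk/apt pulls on first run) but not how it is enforced or checked, even though the commit message says the failure mode that motivated it was a placeholder that died silently and produced a false-negative DNS-on-internal result. Consider adding a sentence after "has no internet at startup." saying that the entrypoint script must fail loudly if `socat` is missing from the pinned `alpine/socat` image (for example, `set -e` plus `command -v socat` before backgrounding the N invocations), and that `start` should surface that failure rather than report the gate as up; otherwise the doc records the constraint without giving the reader a way to catch a regression. Also note that "pinned by digest" and "self-sufficient at boot" are two separate guarantees: the digest pin fixes which image runs, it does not by itself assert that the image contains everything the entrypoint needs.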