docs(prd): resolve gate-DNS open question on 0007
test / unit (pull_request) Successful in 12s
test / integration (pull_request) Successful in 14s

Spike: container on a `--internal` user-defined network resolves
another container's name via the embedded resolver at 127.0.0.11
and reaches it over TCP, while egress to the public internet
remains blocked. The PRD's design assumption holds — no design
change needed.
2026-05-12 15:48:55 -04:00
parent 02a0fe679d
commit cb0f0f133d
+6 -2
@@ -170,10 +170,14 @@ dataclass (`SSHGatePlan`) under `claude_bottle/ssh_gate.py`.
- Connection-level audit log: socat's `-v` mode logs every
connect/close. Worth piping into the bottle's stderr stream, or
is that noise? Default off, reconsider if debugging gets hard.
- Docker DNS for the `<gate-container>` hostname inside the
- ~~Docker DNS for the `<gate-container>` hostname inside the
agent: works via Docker's embedded resolver on user-defined
networks. Verify on the `--internal` network specifically before
implementation.
implementation.~~ **Resolved.** Spike confirmed: a container on
a `--internal` user-defined network resolves another
container's name via the embedded resolver at 127.0.0.11 and
reaches it over TCP, while egress to the public internet
remains blocked. The PRD's design assumption holds.
## References
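Review bot: The **Resolved.** text added to the Docker DNS bullet records the spike's conclusion but not how it was obtained. There is no command sequence, Docker version, or pointer to the spike, so the statement that egress to the public internet "remains blocked" on the `--internal` network cannot be re-checked later. Since the PRD's design assumption rests on that result, consider adding a short reproduction (or a link to one) and covering both halves, name resolution via 127.0.0.11 and blocked public egress, in the integration suite so a regression is caught. It may also read better to move the struck-through item out of the open-questions list into a resolved section rather than keeping old and new text inline.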