docs(prd): resolve gate-DNS open question on 0007
Spike: container on a `--internal` user-defined network resolves another container's name via the embedded resolver at 127.0.0.11 and reaches it over TCP, while egress to the public internet remains blocked. The PRD's design assumption holds — no design change needed.
@@ -170,10 +170,14 @@ dataclass (`SSHGatePlan`) under `claude_bottle/ssh_gate.py`.
|
|||||||
- Connection-level audit log: socat's `-v` mode logs every
|
- Connection-level audit log: socat's `-v` mode logs every
|
||||||
connect/close. Worth piping into the bottle's stderr stream, or
|
connect/close. Worth piping into the bottle's stderr stream, or
|
||||||
is that noise? Default off, reconsider if debugging gets hard.
|
is that noise? Default off, reconsider if debugging gets hard.
|
||||||
- Docker DNS for the `<gate-container>` hostname inside the
|
- ~~Docker DNS for the `<gate-container>` hostname inside the
|
||||||
agent: works via Docker's embedded resolver on user-defined
|
agent: works via Docker's embedded resolver on user-defined
|
||||||
networks. Verify on the `--internal` network specifically before
|
networks. Verify on the `--internal` network specifically before
|
||||||
implementation.
|
implementation.~~ **Resolved.** Spike confirmed: a container on
|
||||||
|
a `--internal` user-defined network resolves another
|
||||||
|
container's name via the embedded resolver at 127.0.0.11 and
|
||||||
|
reaches it over TCP, while egress to the public internet
|
||||||
|
remains blocked. The PRD's design assumption holds.
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|||||||
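Review bot: In the struck-through `<gate-container>` DNS item, the "Resolved" text records the spike's outcome but not how it was obtained, so nobody can repeat the check if the Docker version or network setup changes. Suggest adding one line with the commands used or a link to the spike notes, plus the Docker version it ran on. The same text says egress to the public internet "remains blocked" but does not say whether the resolver at 127.0.0.11 was also queried for an external name; please state whether external DNS lookups were tested alongside TCP, since the item is specifically about DNS on the `--internal` network. Style point: the item is closed inline with strikethrough but stays in the open-questions list, so consider moving it to a resolved section once the wording is final.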