feat(bottle): opt-in gVisor runtime per bottle · e3f5a5907a - bot-bottle

feat(bottle): opt-in gVisor runtime per bottle

test / run tests/run_tests.py (push) Successful in 19s

Details

Bottles can now set "runtime": "runsc" to launch the agent container
under gVisor instead of runc, adding a userspace syscall barrier
between the agent and the host kernel. Default is runc (Docker
default). Pipelock stays on the default runtime per the research doc's
minimum-diff prescription.

The launcher verifies runsc is registered with the daemon before
launch, surfaces the runtime in the preflight plan, and dies with an
install pointer (and a macOS-not-supported note) when runsc is
requested but unavailable.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

This commit is contained in:

didericis

2026-05-10 00:48:11 -04:00

parent 3eff1e0b6e

commit e3f5a5907a

7 changed files with 122 additions and 5 deletions

									
										claude-bottle.example.json
									
		+1
		
												View File
												
				@@ -13,6 +13,7 @@

				    },

				    "gitea-dev": {

				      "runtime": "runsc",

				      "env": {

				        "GITEA_TOKEN":     "?paste your Gitea API token",

				        "GITHUB_TOKEN":    "${GH_PAT}",

feat(bottle): opt-in gVisor runtime per bottle test / run tests/run_tests.py (push) Successful in 19s Details

feat(bottle): opt-in gVisor runtime per bottle

test / run tests/run_tests.py (push) Successful in 19s

Details