feat(bottle): opt-in gVisor runtime per bottle
test / run tests/run_tests.py (push) Successful in 19s
Bottles can now set "runtime": "runsc" to launch the agent container under gVisor instead of runc, adding a userspace syscall barrier between the agent and the host kernel. Default is runc (Docker default). Pipelock stays on the default runtime per the research doc's minimum-diff prescription. The launcher verifies runsc is registered with the daemon before launch, surfaces the runtime in the preflight plan, and dies with an install pointer (and a macOS-not-supported note) when runsc is requested but unavailable.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -19,6 +19,22 @@ def require_docker() -> None:
die("docker not found")
def require_runsc() -> None:
"""Fail with an install pointer if the `runsc` (gVisor) runtime is
not registered with the local Docker daemon. Called when a bottle
sets `runtime: "runsc"`."""
result = subprocess.run(
["docker", "info", "--format", "{{json .Runtimes}}"],
capture_output=True,
text=True,
)
if result.returncode != 0 or "runsc" not in result.stdout:
info("This bottle requested runtime 'runsc' but the gVisor runtime is not registered with Docker.")
info("Install gVisor and register it with the daemon: https://gvisor.dev/docs/user_guide/install/")
info("On macOS, gVisor is not available natively; remove 'runtime' from the bottle or run on Linux.")
die("runsc runtime not available")
def image_exists(ref: str) -> bool:
return _silent_run(["docker", "image", "inspect", ref]) == 0
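Review bot: the availability test `if result.returncode != 0 or "runsc" not in result.stdout:` is a substring match on the `{{json .Runtimes}}` output, so any runtime entry whose name or binary path merely contains `runsc` passes it, and a failing `docker info` (daemon not running, socket permission denied) is reported as "runsc runtime not available" with its stderr thrown away. Parse the output instead, e.g. `runtimes = json.loads(result.stdout)` followed by `if "runsc" not in runtimes:`, and handle a non-zero return code as a separate branch that includes `result.stderr` in the message so the operator sees the real cause. Because the property that matters is that the agent container is actually running under gVisor, it would also be worth confirming the runtime after launch (for example via `docker inspect --format '{{.HostConfig.Runtime}}'`) rather than relying only on this preflight check.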