Compare commits
139 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 73ee081c65 | |||
| 95981ea9d3 | |||
| bab44dbe97 | |||
| 0a1f949937 | |||
| 64ca39ddd4 | |||
| 3c426f45f5 | |||
| 1d3e9e859c | |||
| 56d879f0b3 | |||
| 09393b354b | |||
| 77948ef56c | |||
| c10d1cb6e0 | |||
| 96b84eb84d | |||
| 910267b8a8 | |||
| 03eacd9f57 | |||
| c839cee319 | |||
| ea75fab3b4 | |||
| 13a8bdd7ca | |||
| 3318bdce28 | |||
| b2f61053ad | |||
| 485d101430 | |||
| e97366dad5 | |||
| 8e7f5c9572 | |||
| 69db629e16 | |||
| 96f75599a1 | |||
| 3062fc9230 | |||
| 404369a3e0 | |||
| 327e756eef | |||
| 444924d95d | |||
| 118d81533b | |||
| 353b1ad984 | |||
| 40ad2364ab | |||
| 9e5d00c6fa | |||
| 0c158c5718 | |||
| fe25ad7623 | |||
| 6570e9f044 | |||
| 39c823d3c0 | |||
| 8a44537f7e | |||
| 72ee1f77da | |||
| 00418a2834 | |||
| 2cbb178f88 | |||
| ed9a19bb38 | |||
| c5ae93c8ba | |||
| 186b905dff | |||
| 3519b924cb | |||
| c77f578fb4 | |||
| bc52c3525c | |||
| b70f3228ca | |||
| f7b3d6aaca | |||
| b05f245299 | |||
| 8d4e7f2582 | |||
| a0e17d56de | |||
| 934c1617b9 | |||
| bd964c0278 | |||
| 93756f2a8b | |||
| d9843fa41e | |||
| ae6c8b13d9 | |||
| 13a8d66c9b | |||
| c46d392b44 | |||
| 2a473eb404 | |||
| 4d89ffce8b | |||
| 822cff48ad | |||
| ce440fabc4 | |||
| 2b970d1170 | |||
| 1bfc6c5d16 | |||
| ed9adfb678 | |||
| b2f498cac5 | |||
| 46be9039b7 | |||
| caf1da580a | |||
| c44a1ffdc1 | |||
| 568cf4f35a | |||
| 8941b92e37 | |||
| cb5d22b25f | |||
| 049103ac99 | |||
| f71558aff6 | |||
| a80356af75 | |||
| 3d7c508dc4 | |||
| f42a0dc7fe | |||
| 480269b116 | |||
| 949b001464 | |||
| 656966c2c4 | |||
| 15f0e0b507 | |||
| dd2e83b8a9 | |||
| ce3fad9320 | |||
| c07ebca867 | |||
| c276f7b0b1 | |||
| 814c7338a1 | |||
| fa7c6ab9d8 | |||
| e27bd66080 | |||
| d496e30681 | |||
| 61740cdb6a | |||
| f9662c88a5 | |||
| e89dffa899 | |||
| 21d03b7cc9 | |||
| eb804f8674 | |||
| b765f87fb5 | |||
| 1084d8b79d | |||
| 36e62cd7e8 | |||
| 70e58f1333 | |||
| 3703b6f59f | |||
| afd943c4f9 | |||
| 8f31741c9f | |||
| 5bfe45bc1d | |||
| 7aca7d5289 | |||
| f6d4eb9e3c | |||
| c5b9f05467 | |||
| 09a2329f31 | |||
| 03c89dae81 | |||
| dd7232f368 | |||
| 76fdefded3 | |||
| 1085a2280d | |||
| c97f4ecb8d | |||
| 142974a4b8 | |||
| 041d9bbbf5 | |||
| 9fb83ef1b0 | |||
| e7e8c7fdb4 | |||
| ed8fbfdfa8 | |||
| 5fcca2060f | |||
| a4d82e5ff2 | |||
| e8e4f6f7c7 | |||
| 5f0fc0d540 | |||
| 244ad6a914 | |||
| 29904609da | |||
| 3067b067d2 | |||
| 212551df9a | |||
| f1b8bbdfa1 | |||
| 08918f9a8a | |||
| 9af02831ea | |||
| 5970b785aa | |||
| 2f5cf81cf5 | |||
| 4a1e667306 | |||
| b93fe58523 | |||
| 94eca35b4f | |||
| f787764364 | |||
| a256e5762a | |||
| b7f5f6439e | |||
| 09755c3e24 | |||
| 121dc84b9f | |||
| 2a67a85835 | |||
| 0bb47bd754 |
+10
-11
@@ -71,11 +71,15 @@ jobs:
|
|||||||
- name: Run integration tests
|
- name: Run integration tests
|
||||||
run: python3 -m unittest discover -t . -s tests/integration -v
|
run: python3 -m unittest discover -t . -s tests/integration -v
|
||||||
|
|
||||||
# Combined unit+integration coverage + the diff-coverage gate.
|
# Combined unit+integration coverage report (informational). See
|
||||||
# See docs/decisions/0004-coverage-policy.md. The hard gate is diff
|
# docs/decisions/0004-coverage-policy.md.
|
||||||
# coverage (new/changed lines >= 90%); the combined + critical reports
|
#
|
||||||
# are informational and degrade gracefully when the runner has no
|
# The hard diff-coverage gate (changed lines >= 90%) is DEFERRED: the
|
||||||
# Docker (integration tests skip, those modules just read lower).
|
# Firecracker backend's VM/SSH orchestration is covered by the integration
|
||||||
|
# suite, which needs /dev/kvm + the provisioned TAP/nft pool — a
|
||||||
|
# container-based runner skips it and those lines read uncovered, so the
|
||||||
|
# gate can't pass here. Re-enabling it on a self-hosted KVM runner is
|
||||||
|
# tracked separately (see PRD 0069 / #348 and the ci-runner branch).
|
||||||
coverage:
|
coverage:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
@@ -92,10 +96,5 @@ jobs:
|
|||||||
- name: Install dev requirements
|
- name: Install dev requirements
|
||||||
run: python3 -m pip install -r requirements-dev.txt
|
run: python3 -m pip install -r requirements-dev.txt
|
||||||
|
|
||||||
- name: Combined coverage (unit + integration)
|
- name: Combined coverage report (unit + integration)
|
||||||
run: PYTHON=python3 bash scripts/coverage.sh critical
|
run: PYTHON=python3 bash scripts/coverage.sh critical
|
||||||
|
|
||||||
- name: Diff-coverage gate (changed lines >= 90%)
|
|
||||||
run: |
|
|
||||||
git fetch --no-tags origin main:refs/remotes/origin/main
|
|
||||||
python3 scripts/diff_coverage.py --base origin/main --min 90
|
|
||||||
|
|||||||
@@ -6,8 +6,6 @@ on:
|
|||||||
- main
|
- main
|
||||||
paths:
|
paths:
|
||||||
- '**.py'
|
- '**.py'
|
||||||
- '.pylintrc'
|
|
||||||
- 'pyrightconfig.json'
|
|
||||||
- '.coveragerc'
|
- '.coveragerc'
|
||||||
# The core-coverage badge reads this list; refresh when it changes.
|
# The core-coverage badge reads this list; refresh when it changes.
|
||||||
- 'scripts/critical-modules.txt'
|
- 'scripts/critical-modules.txt'
|
||||||
@@ -32,22 +30,6 @@ jobs:
|
|||||||
python -m pip install --upgrade pip
|
python -m pip install --upgrade pip
|
||||||
pip install -r requirements-dev.txt
|
pip install -r requirements-dev.txt
|
||||||
|
|
||||||
- name: Run pylint and extract score
|
|
||||||
id: pylint
|
|
||||||
run: |
|
|
||||||
PYLINT_OUTPUT=$(python -m pylint bot_bottle/ 2>&1) || true
|
|
||||||
SCORE=$(echo "$PYLINT_OUTPUT" | grep -oP '(?<=rated at )\d+\.\d+/10' | head -1)
|
|
||||||
echo "score=$SCORE" >> $GITHUB_OUTPUT
|
|
||||||
echo "Pylint score: $SCORE"
|
|
||||||
|
|
||||||
- name: Run pyright and check errors
|
|
||||||
id: pyright
|
|
||||||
run: |
|
|
||||||
PYRIGHT_OUTPUT=$(python -m pyright 2>&1) || true
|
|
||||||
ERRORS=$(echo "$PYRIGHT_OUTPUT" | grep -oP '\d+(?= error)' | head -1)
|
|
||||||
echo "errors=$ERRORS" >> $GITHUB_OUTPUT
|
|
||||||
echo "Pyright errors: $ERRORS"
|
|
||||||
|
|
||||||
- name: Run coverage and extract percentage
|
- name: Run coverage and extract percentage
|
||||||
id: coverage
|
id: coverage
|
||||||
run: |
|
run: |
|
||||||
@@ -69,19 +51,9 @@ jobs:
|
|||||||
|
|
||||||
- name: Update badges in README
|
- name: Update badges in README
|
||||||
run: |
|
run: |
|
||||||
PYLINT_SCORE="${{ steps.pylint.outputs.score }}"
|
|
||||||
PYRIGHT_ERRORS="${{ steps.pyright.outputs.errors }}"
|
|
||||||
COVERAGE_PERCENT="${{ steps.coverage.outputs.percent }}"
|
COVERAGE_PERCENT="${{ steps.coverage.outputs.percent }}"
|
||||||
CORE_COVERAGE_PERCENT="${{ steps.core_coverage.outputs.percent }}"
|
CORE_COVERAGE_PERCENT="${{ steps.core_coverage.outputs.percent }}"
|
||||||
|
|
||||||
PYLINT_SCORE_ENCODED=$(echo "$PYLINT_SCORE" | sed 's|/|%2F|g')
|
|
||||||
|
|
||||||
if [ -n "$PYLINT_SCORE_ENCODED" ]; then
|
|
||||||
sed -i "s|/badge/pylint-[^)]*|/badge/pylint-${PYLINT_SCORE_ENCODED}-brightgreen|" README.md
|
|
||||||
fi
|
|
||||||
if [ -n "$PYRIGHT_ERRORS" ]; then
|
|
||||||
sed -i "s|/badge/pyright-[^)]*|/badge/pyright-${PYRIGHT_ERRORS}%20errors-brightgreen|" README.md
|
|
||||||
fi
|
|
||||||
if [ -n "$COVERAGE_PERCENT" ]; then
|
if [ -n "$COVERAGE_PERCENT" ]; then
|
||||||
sed -i "s|/badge/coverage-[^)]*|/badge/coverage-${COVERAGE_PERCENT}%25-brightgreen|" README.md
|
sed -i "s|/badge/coverage-[^)]*|/badge/coverage-${COVERAGE_PERCENT}%25-brightgreen|" README.md
|
||||||
fi
|
fi
|
||||||
@@ -90,7 +62,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Updated badges:"
|
echo "Updated badges:"
|
||||||
grep -E "pylint|pyright|coverage" README.md | head -4
|
grep -E "coverage" README.md | head -2
|
||||||
|
|
||||||
- name: Commit and push badge updates
|
- name: Commit and push badge updates
|
||||||
run: |
|
run: |
|
||||||
@@ -103,7 +75,7 @@ jobs:
|
|||||||
else
|
else
|
||||||
echo "Badge changes detected, committing..."
|
echo "Badge changes detected, committing..."
|
||||||
git add README.md
|
git add README.md
|
||||||
MSG="chore: update quality badges"$'\n\n'"- Pylint: ${{ steps.pylint.outputs.score }}"$'\n'"- Pyright: ${{ steps.pyright.outputs.errors }} errors"$'\n'"- Coverage: ${{ steps.coverage.outputs.percent }}%"$'\n'"- Core coverage: ${{ steps.core_coverage.outputs.percent }}%"$'\n\n'"[skip ci]"
|
MSG="chore: update quality badges"$'\n\n'"- Coverage: ${{ steps.coverage.outputs.percent }}%"$'\n'"- Core coverage: ${{ steps.core_coverage.outputs.percent }}%"$'\n\n'"[skip ci]"
|
||||||
git commit -m "$MSG"
|
git commit -m "$MSG"
|
||||||
git push
|
git push
|
||||||
fi
|
fi
|
||||||
|
|||||||
@@ -8,12 +8,12 @@ broad permissions inside a sandbox, so a misbehaving agent cannot reach the
|
|||||||
host. A Python CLI (entry point `cli.py`, package `bot_bottle/`) orchestrates
|
host. A Python CLI (entry point `cli.py`, package `bot_bottle/`) orchestrates
|
||||||
the runtime lifecycle and the copying of skills and env vars into it.
|
the runtime lifecycle and the copying of skills and env vars into it.
|
||||||
The default backend on compatible macOS hosts is macos-container:
|
The default backend on compatible macOS hosts is macos-container:
|
||||||
agents and sidecar bundles run through Apple's `container` CLI without
|
agents and gateways run through Apple's `container` CLI without
|
||||||
requiring Docker. The smolmachines backend remains available with
|
requiring Docker. On KVM-capable Linux hosts the default is firecracker:
|
||||||
`BOT_BOTTLE_BACKEND=smolmachines` or `--backend=smolmachines`; agents
|
agents run in a Firecracker microVM reached over SSH on a point-to-point
|
||||||
run in a libkrun micro-VM, while the sidecar bundle still uses Docker.
|
TAP, while the gateway still uses Docker. The legacy Docker
|
||||||
The legacy Docker backend remains available with `BOT_BOTTLE_BACKEND=docker`
|
backend remains available with `BOT_BOTTLE_BACKEND=docker` or
|
||||||
or `--backend=docker`.
|
`--backend=docker`.
|
||||||
|
|
||||||
## Goals
|
## Goals
|
||||||
|
|
||||||
@@ -59,7 +59,7 @@ or `--backend=docker`.
|
|||||||
in a PRD, research note, or decision record.
|
in a PRD, research note, or decision record.
|
||||||
- Low dependencies by default. The project is Python, stdlib-first (no
|
- Low dependencies by default. The project is Python, stdlib-first (no
|
||||||
runtime pip dependencies in the package itself; the only language
|
runtime pip dependencies in the package itself; the only language
|
||||||
runtime is the Python 3.13 used by the CLI + sidecars). Ask before
|
runtime is the Python 3.13 used by the CLI + companion containers). Ask before
|
||||||
adding new tools, runtimes, or package managers.
|
adding new tools, runtimes, or package managers.
|
||||||
- Commit messages follow [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/):
|
- Commit messages follow [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/):
|
||||||
`<type>[(scope)][!]: <description>`, where `<type>` is one of `feat`, `fix`,
|
`<type>[(scope)][!]: <description>`, where `<type>` is one of `feat`, `fix`,
|
||||||
|
|||||||
@@ -1,8 +1,15 @@
|
|||||||
# Per-bottle sidecar bundle image (PRD 0024).
|
# Gateway data-plane image (PRD 0024 bundle shape; PRD 0070 gateway).
|
||||||
#
|
#
|
||||||
# Collapses the prior per-sidecar images (egress, git-gate,
|
# The egress / git-gate / supervise *data plane* — one image, run by
|
||||||
|
# the consolidated per-host gateway (PRD 0070). It is NOT the
|
||||||
|
# orchestrator control plane: that is the separate, lean
|
||||||
|
# `bot-bottle-orchestrator` image (Dockerfile.orchestrator, #384), which
|
||||||
|
# ships only python + the stdlib-only `bot_bottle` package and none of
|
||||||
|
# this image's mitmproxy / git / gitleaks payload.
|
||||||
|
#
|
||||||
|
# Collapses the prior per-daemon images (egress, git-gate,
|
||||||
# supervise) into one. A small stdlib-Python init supervisor at
|
# supervise) into one. A small stdlib-Python init supervisor at
|
||||||
# /app/sidecar_init.py spawns all daemons, forwards SIGTERM, and
|
# /app/gateway_init.py spawns all daemons, forwards SIGTERM, and
|
||||||
# propagates per-daemon stdout/stderr to the container log with a
|
# propagates per-daemon stdout/stderr to the container log with a
|
||||||
# `[name]` prefix. See PRD 0024 for the rationale.
|
# `[name]` prefix. See PRD 0024 for the rationale.
|
||||||
#
|
#
|
||||||
@@ -12,19 +19,19 @@
|
|||||||
# /app/egress_addon.py + siblings mitmproxy addon (egress)
|
# /app/egress_addon.py + siblings mitmproxy addon (egress)
|
||||||
# /app/egress-entrypoint.sh mitmdump launcher
|
# /app/egress-entrypoint.sh mitmdump launcher
|
||||||
# /app/supervise_server.py + .py supervise MCP server
|
# /app/supervise_server.py + .py supervise MCP server
|
||||||
# /app/sidecar_init.py PID 1 supervisor
|
# /app/gateway_init.py PID 1 supervisor
|
||||||
# /etc/egress/routes.yaml bind-mounted at run time
|
# /etc/egress/routes.yaml bind-mounted at run time
|
||||||
# /etc/git-gate/pre-receive docker-cp'd at start time
|
# /etc/git-gate/pre-receive docker-cp'd at start time
|
||||||
# /git-gate-entrypoint.sh docker-cp'd at start time
|
# /git-gate-entrypoint.sh docker-cp'd at start time
|
||||||
# /git-gate/creds/* docker-cp'd at start time
|
# /git-gate/creds/* docker-cp'd at start time
|
||||||
# /git/* bare repos, populated at runtime
|
# /git/* bare repos, populated at runtime
|
||||||
# /run/supervise/queue/ bind-mounted at run time
|
# /run/supervise/bot-bottle.db bind-mounted at run time
|
||||||
# /home/mitmproxy/.mitmproxy/ mitmproxy CA dir
|
# /home/mitmproxy/.mitmproxy/ mitmproxy CA dir
|
||||||
#
|
#
|
||||||
# Exposed ports inside the container:
|
# Exposed ports inside the container:
|
||||||
# 9099 egress (mitmproxy, agent-facing HTTPS proxy)
|
# 9099 egress (mitmproxy, agent-facing HTTPS proxy)
|
||||||
# 9418 git-gate (git-daemon)
|
# 9418 git-gate (git-daemon)
|
||||||
# 9420 git-gate smart HTTP (smolmachines agent-facing transport)
|
# 9420 git-gate smart HTTP (VM-backend agent-facing transport)
|
||||||
# 9100 supervise (MCP HTTP)
|
# 9100 supervise (MCP HTTP)
|
||||||
|
|
||||||
# Stage 1: gitleaks binary. The upstream gitleaks image is alpine
|
# Stage 1: gitleaks binary. The upstream gitleaks image is alpine
|
||||||
@@ -64,11 +71,19 @@ COPY --from=gitleaks-src /usr/bin/gitleaks /usr/bin/gitleaks
|
|||||||
COPY bot_bottle/egress_addon_core.py /app/egress_addon_core.py
|
COPY bot_bottle/egress_addon_core.py /app/egress_addon_core.py
|
||||||
COPY bot_bottle/egress_dlp_config.py /app/egress_dlp_config.py
|
COPY bot_bottle/egress_dlp_config.py /app/egress_dlp_config.py
|
||||||
COPY bot_bottle/egress_addon.py /app/egress_addon.py
|
COPY bot_bottle/egress_addon.py /app/egress_addon.py
|
||||||
|
COPY bot_bottle/policy_resolver.py /app/policy_resolver.py
|
||||||
COPY bot_bottle/dlp_detectors.py /app/dlp_detectors.py
|
COPY bot_bottle/dlp_detectors.py /app/dlp_detectors.py
|
||||||
COPY bot_bottle/yaml_subset.py /app/yaml_subset.py
|
COPY bot_bottle/yaml_subset.py /app/yaml_subset.py
|
||||||
|
COPY bot_bottle/paths.py /app/paths.py
|
||||||
|
COPY bot_bottle/migrations.py /app/migrations.py
|
||||||
|
COPY bot_bottle/db_store.py /app/db_store.py
|
||||||
|
COPY bot_bottle/supervise_types.py /app/supervise_types.py
|
||||||
|
COPY bot_bottle/queue_store.py /app/queue_store.py
|
||||||
|
COPY bot_bottle/audit_store.py /app/audit_store.py
|
||||||
|
COPY bot_bottle/store_manager.py /app/store_manager.py
|
||||||
COPY bot_bottle/supervise.py /app/supervise.py
|
COPY bot_bottle/supervise.py /app/supervise.py
|
||||||
COPY bot_bottle/supervise_server.py /app/supervise_server.py
|
COPY bot_bottle/supervise_server.py /app/supervise_server.py
|
||||||
COPY bot_bottle/sidecar_init.py /app/sidecar_init.py
|
COPY bot_bottle/gateway_init.py /app/gateway_init.py
|
||||||
COPY bot_bottle/git_http_backend.py /app/git_http_backend.py
|
COPY bot_bottle/git_http_backend.py /app/git_http_backend.py
|
||||||
COPY bot_bottle/egress_entrypoint.sh /app/egress-entrypoint.sh
|
COPY bot_bottle/egress_entrypoint.sh /app/egress-entrypoint.sh
|
||||||
RUN chmod +x /app/egress-entrypoint.sh
|
RUN chmod +x /app/egress-entrypoint.sh
|
||||||
@@ -81,7 +96,7 @@ RUN mkdir -p \
|
|||||||
/etc/git-gate \
|
/etc/git-gate \
|
||||||
/git-gate/creds \
|
/git-gate/creds \
|
||||||
/git \
|
/git \
|
||||||
/run/supervise/queue \
|
/run/supervise \
|
||||||
/home/mitmproxy/.mitmproxy
|
/home/mitmproxy/.mitmproxy
|
||||||
|
|
||||||
# Documentation only — the compose renderer publishes whichever
|
# Documentation only — the compose renderer publishes whichever
|
||||||
@@ -94,4 +109,4 @@ WORKDIR /app
|
|||||||
|
|
||||||
# PID 1 is the supervisor. It owns signal handling and exit-code
|
# PID 1 is the supervisor. It owns signal handling and exit-code
|
||||||
# propagation; no `exec` chain in the entrypoint itself.
|
# propagation; no `exec` chain in the entrypoint itself.
|
||||||
ENTRYPOINT ["python3", "/app/sidecar_init.py"]
|
ENTRYPOINT ["python3", "/app/gateway_init.py"]
|
||||||
@@ -0,0 +1,54 @@
|
|||||||
|
# Orchestrator control-plane image (PRD 0070, #384) + in-VM agent-image
|
||||||
|
# builder (PRD 0069 Stage 3).
|
||||||
|
#
|
||||||
|
# The per-host orchestrator runs `python3 -m bot_bottle.orchestrator`.
|
||||||
|
# The `bot_bottle` package is **stdlib-only** by design, so the control
|
||||||
|
# plane itself needs nothing but a Python runtime — none of the
|
||||||
|
# gateway's mitmproxy / git / gitleaks payload (that is the separate
|
||||||
|
# `bot-bottle-gateway` image, Dockerfile.gateway). Splitting them keeps
|
||||||
|
# the secret-dense control plane (it concentrates every bottle's egress
|
||||||
|
# tokens — see PRD 0070's "secret concentration") on a minimal
|
||||||
|
# dependency surface.
|
||||||
|
#
|
||||||
|
# The repo is bind-mounted read-only into the container at run time (see
|
||||||
|
# `orchestrator/lifecycle.py`), so the source is NOT copied in here: the
|
||||||
|
# image is just the runtime. `ensure_running` recreates the container
|
||||||
|
# only when the bind-mounted source hash changes (#381), which is why
|
||||||
|
# the code stays a mount rather than a baked layer.
|
||||||
|
|
||||||
|
FROM python:3.12-slim
|
||||||
|
|
||||||
|
# --- in-VM agent-image builder (PRD 0069 Stage 3) -------------------
|
||||||
|
# The Firecracker backend removes the host Docker daemon by building
|
||||||
|
# users' agent Dockerfiles *inside the orchestrator VM* with buildah
|
||||||
|
# (rootless, daemonless) instead of on the host. The host then needs no
|
||||||
|
# Docker daemon and no root-equivalent `docker` group; an untrusted
|
||||||
|
# Dockerfile builds inside the confined orchestrator VM, never on the
|
||||||
|
# host — strictly more isolated than host `docker build`.
|
||||||
|
#
|
||||||
|
# `git` lets buildah resolve git-context builds and lets the backend
|
||||||
|
# clone/pull; `ca-certificates` is needed for `FROM` pulls over TLS.
|
||||||
|
# buildah's runtime helpers (stripped by --no-install-recommends, so
|
||||||
|
# listed explicitly): `crun` is the OCI runtime that executes build
|
||||||
|
# steps; `netavark` + `aardvark-dns` are the network backend buildah
|
||||||
|
# uses to give `FROM` pulls and `RUN` steps network access.
|
||||||
|
RUN apt-get update \
|
||||||
|
&& apt-get install -y --no-install-recommends \
|
||||||
|
buildah crun netavark aardvark-dns git ca-certificates \
|
||||||
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
# vfs storage + chroot isolation: buildah then needs neither
|
||||||
|
# fuse-overlayfs / an overlay kernel module nor configured subuid maps
|
||||||
|
# (newuidmap/newgidmap), so it works unconditionally as root in a
|
||||||
|
# minimal microVM rootfs. vfs copies layers rather than stacking them —
|
||||||
|
# slower and heavier than overlay; a build-cache optimization (overlay
|
||||||
|
# where available, a persistent cache disk) is tracked for later.
|
||||||
|
ENV STORAGE_DRIVER=vfs \
|
||||||
|
BUILDAH_ISOLATION=chroot
|
||||||
|
|
||||||
|
# No third-party *Python* deps — the control plane stays stdlib only.
|
||||||
|
WORKDIR /app
|
||||||
|
|
||||||
|
# Documentation only; lifecycle.py overrides the entrypoint to
|
||||||
|
# `python3 -m bot_bottle.orchestrator` with the runtime flags.
|
||||||
|
ENTRYPOINT ["python3", "-m", "bot_bottle.orchestrator"]
|
||||||
@@ -5,10 +5,8 @@
|
|||||||
# bot-bottle
|
# bot-bottle
|
||||||
|
|
||||||
[](https://gitea.dideric.is/didericis/bot-bottle/actions?workflow=test.yml)
|
[](https://gitea.dideric.is/didericis/bot-bottle/actions?workflow=test.yml)
|
||||||
[](https://github.com/PyCQA/pylint)
|
[](https://coverage.readthedocs.io/)
|
||||||
[](https://github.com/microsoft/pyright)
|
[](https://gitea.dideric.is/didericis/bot-bottle/src/branch/main/docs/decisions/0004-coverage-policy.md)
|
||||||
[](https://coverage.readthedocs.io/)
|
|
||||||
[](https://gitea.dideric.is/didericis/bot-bottle/src/branch/main/docs/decisions/0004-coverage-policy.md)
|
|
||||||
|
|
||||||
**Problem:** Developer wants to run a coding agent without supervision, but they don't want a prompt injected or misbehaving agent wrecking their environment or exfiltrating sensitive data.
|
**Problem:** Developer wants to run a coding agent without supervision, but they don't want a prompt injected or misbehaving agent wrecking their environment or exfiltrating sensitive data.
|
||||||
|
|
||||||
@@ -18,7 +16,7 @@
|
|||||||
|
|
||||||
- **Per-bottle egress allowlist** — TLS-bumped HTTP/HTTPS chokepoint with a per-manifest host allowlist; per-route path/method/header `matches` filtering; outbound DLP scanning for known tokens and secrets, inbound DLP scanning for prompt-injection attempts; DoH and arbitrary hosts blocked by default.
|
- **Per-bottle egress allowlist** — TLS-bumped HTTP/HTTPS chokepoint with a per-manifest host allowlist; per-route path/method/header `matches` filtering; outbound DLP scanning for known tokens and secrets, inbound DLP scanning for prompt-injection attempts; DoH and arbitrary hosts blocked by default.
|
||||||
- **Per-route token-match policy** — each egress route picks what happens when the outbound DLP catches a token via `dlp.outbound_on_match`: `supervise` (default) holds the request and surfaces it in `./cli.py supervise` for approval (an approved value is remembered for the life of the proxy); `redact` scrubs the value and forwards; `block` is a hard `403`. Cuts false-positive friction without weakening default-deny.
|
- **Per-route token-match policy** — each egress route picks what happens when the outbound DLP catches a token via `dlp.outbound_on_match`: `supervise` (default) holds the request and surfaces it in `./cli.py supervise` for approval (an approved value is remembered for the life of the proxy); `redact` scrubs the value and forwards; `block` is a hard `403`. Cuts false-positive friction without weakening default-deny.
|
||||||
- **Tokens the agent never sees** — host secrets live in a sidecar; the agent dials `http://sidecar:9099/<path>` and the proxy strips inbound `Authorization` and injects the real token before forwarding. `printenv` in the agent shows proxy URLs only.
|
- **Tokens the agent never sees** — host secrets live in a gateway; the agent dials `http://gateway:9099/<path>` and the proxy strips inbound `Authorization` and injects the real token before forwarding. `printenv` in the agent shows proxy URLs only.
|
||||||
- **Gitleaks-scanned push (git-gate)** — `bottle.git` remotes route through a per-bottle `git daemon` that gitleaks-scans incoming refs pre-receive and forwards clean refs upstream over SSH. The agent never holds the upstream credential.
|
- **Gitleaks-scanned push (git-gate)** — `bottle.git` remotes route through a per-bottle `git daemon` that gitleaks-scans incoming refs pre-receive and forwards clean refs upstream over SSH. The agent never holds the upstream credential.
|
||||||
- **Manifest-scoped skills + secrets** — each bottle declares its skills, env, git identity, remotes, and egress routes; unknown keys die at load.
|
- **Manifest-scoped skills + secrets** — each bottle declares its skills, env, git identity, remotes, and egress routes; unknown keys die at load.
|
||||||
- **Trust boundary at `$HOME`** — bottles (credentials, egress, remotes) live only under `~/.bot-bottle/bottles/`. Repos may ship agents but not bottles, so a cloned repo can't redirect an env var to an attacker host.
|
- **Trust boundary at `$HOME`** — bottles (credentials, egress, remotes) live only under `~/.bot-bottle/bottles/`. Repos may ship agents but not bottles, so a cloned repo can't redirect an env var to an attacker host.
|
||||||
@@ -26,17 +24,17 @@
|
|||||||
- **Parallel, isolated bottles** — each bottle runs in its own backend-owned isolation boundary; bottles don't share state or talk to each other.
|
- **Parallel, isolated bottles** — each bottle runs in its own backend-owned isolation boundary; bottles don't share state or talk to each other.
|
||||||
- **Provider templates (Claude, Codex)** — `Dockerfile.claude` / `Dockerfile.codex`, or a bottle-supplied Dockerfile. Claude auth via long-lived OAuth token; Codex via opt-in host device-auth forwarding.
|
- **Provider templates (Claude, Codex)** — `Dockerfile.claude` / `Dockerfile.codex`, or a bottle-supplied Dockerfile. Claude auth via long-lived OAuth token; Codex via opt-in host device-auth forwarding.
|
||||||
- **gVisor auto-detect** — on Linux hosts where `runsc` is registered with Docker, every bottle launches under it for a userspace syscall barrier; no manifest config required.
|
- **gVisor auto-detect** — on Linux hosts where `runsc` is registered with Docker, every bottle launches under it for a userspace syscall barrier; no manifest config required.
|
||||||
- **Apple Container backend (macOS default when available)** — runs the agent and sidecar bundle with Apple's `container` CLI, using a host-only agent network plus a separate sidecar egress network.
|
- **Apple Container backend (macOS default when available)** — runs the agent and gateway with Apple's `container` CLI, using a host-only agent network plus a separate gateway egress network.
|
||||||
- **Smolmachines backend** — runs the agent in a libkrun micro-VM while the sidecar bundle stays in Docker. TSI and smolmachines DNS filtering close the raw DNS exfiltration gap that exists in the legacy Docker backend.
|
- **Firecracker backend (Linux default when available)** — runs the agent in a KVM Firecracker microVM reached over SSH on a point-to-point TAP, with the gateway in Docker. A dedicated, fail-closed `nftables` table isolates the guest, closing the raw DNS/IP exfiltration gap that exists in the legacy Docker backend. Requires KVM (`/dev/kvm`) and a one-time privileged network-pool setup.
|
||||||
- **Legacy Docker backend** — still available for examples, CI, and hosts without Apple Container via `BOT_BOTTLE_BACKEND=docker` or `--backend=docker`.
|
- **Legacy Docker backend** — still available for examples, CI, and hosts without Apple Container or KVM via `BOT_BOTTLE_BACKEND=docker` or `--backend=docker`.
|
||||||
|
|
||||||
## Architecture
|
## Architecture
|
||||||
|
|
||||||
On the default macOS Apple Container backend, a bottle is an agent container on a host-only internal network plus a sidecar bundle attached to both that internal network and a NAT egress network. The agent gets HTTP(S)_PROXY and CA bundle env vars pointing at the sidecar's internal-network IP, so HTTP/HTTPS traffic flows through the sidecar instead of direct egress. `bottle.git` / git-gate is intentionally deferred on this backend until a safe Apple Container key-delivery path exists.
|
On the default macOS Apple Container backend, a bottle is an agent container on a host-only internal network plus a gateway attached to both that internal network and a NAT egress network. The agent gets HTTP(S)_PROXY and CA bundle env vars pointing at the gateway's internal-network IP, so HTTP/HTTPS traffic flows through the gateway instead of direct egress. `bottle.git` / git-gate is intentionally deferred on this backend until a safe Apple Container key-delivery path exists.
|
||||||
|
|
||||||
On the smolmachines backend, a bottle is an agent micro-VM plus a Docker sidecar bundle for egress, git-gate, and supervise. The VM reaches the sidecars through a per-bottle loopback alias allowed by TSI; smolmachines handles DNS filtering below the guest OS.
|
On the Firecracker backend, a bottle is an agent microVM plus a Docker gateway for egress, git-gate, and supervise. The VM reaches the gateway over a per-bottle point-to-point TAP link; a dedicated fail-closed `nftables` table (`inet bot_bottle_fc`) confines the guest to that link, so nothing leaves the box except through the gateway. The TAP pool and nft table are provisioned once (root); per-launch needs no privilege.
|
||||||
|
|
||||||
On the legacy Docker backend, the same logical bottle is two containers per agent: an `agent` container and a `sidecars` container. They share a per-agent Docker `--internal` network; the agent has no default route off-box.
|
On the legacy Docker backend, the same logical bottle is two containers per agent: an `agent` container and a `companion containers` container. They share a per-agent Docker `--internal` network; the agent has no default route off-box.
|
||||||
|
|
||||||
The Docker topology looks like this:
|
The Docker topology looks like this:
|
||||||
|
|
||||||
@@ -69,13 +67,28 @@ The Docker topology looks like this:
|
|||||||
└─────────────────────────────────────────────────────────────────────┘
|
└─────────────────────────────────────────────────────────────────────┘
|
||||||
```
|
```
|
||||||
|
|
||||||
When the agent exits, `cli.py` tears down every sidecar and both networks; nothing about a bottle persists between runs.
|
When the agent exits, `cli.py` tears down every gateway and both networks; nothing about a bottle persists between runs.
|
||||||
|
|
||||||
## Quickstart
|
## Quickstart
|
||||||
|
|
||||||
On compatible macOS hosts, the default backend requires Apple's `container` CLI and does not require Docker. The smolmachines backend requires Docker on the host for the sidecar bundle plus smolvm. The legacy Docker backend requires Docker. Claude bottles also need a long-lived Claude Code OAuth token (`claude setup-token`) exported as `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN`.
|
On compatible macOS hosts, the default backend requires Apple's `container` CLI and does not require Docker. The Firecracker backend (Linux) requires Docker on the host for the gateway plus the `firecracker` binary and KVM. The legacy Docker backend requires Docker. Claude bottles also need a long-lived Claude Code OAuth token (`claude setup-token`) exported as `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN`.
|
||||||
|
|
||||||
Use `BOT_BOTTLE_BACKEND=docker ./cli.py start <agent>` on hosts where Apple Container is not installed and Docker is the desired backend.
|
Use `BOT_BOTTLE_BACKEND=docker ./cli.py start <agent>` on hosts where neither Apple Container nor KVM is available and Docker is the desired backend.
|
||||||
|
|
||||||
|
### Firecracker on Linux
|
||||||
|
|
||||||
|
On Linux, a KVM-capable host defaults to the Firecracker backend. It needs:
|
||||||
|
|
||||||
|
- **`/dev/kvm`** present and accessible. Load `kvm-intel` or `kvm-amd` (and enable virtualization in BIOS/firmware). The invoking user must be in the `kvm` group: `sudo usermod -aG kvm "$USER"` then re-login. bot-bottle preflights this and reports exactly what's missing.
|
||||||
|
- **`firecracker`** on `PATH`: grab a release from <https://github.com/firecracker-microvm/firecracker/releases>. Start flows print this pointer when the binary is missing.
|
||||||
|
- **Docker** for the gateway and image build.
|
||||||
|
- **A one-time privileged network setup** — the per-bottle TAP pool plus the fail-closed `nftables` isolation table. Run `./cli.py backend setup --backend=firecracker` for the host-appropriate config (a NixOS module, a `sudo` script elsewhere); `./cli.py backend status --backend=firecracker` reports what's present, including whether the pool range collides with an existing route. The pool defaults to `10.243.0.0/16` (an obscure RFC-1918 block that dodges docker/libvirt/LAN and, deliberately, Tailscale's `100.64.0.0/10` CGNAT range); override with `BOT_BOTTLE_FC_IP_BASE` if it clashes on your host.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
BOT_BOTTLE_BACKEND=firecracker ./cli.py start <agent>
|
||||||
|
```
|
||||||
|
|
||||||
|
> **NixOS:** enable `virtualisation.docker`, ensure the KVM module is loaded (`boot.kernelModules = [ "kvm-intel" ];` or `kvm-amd`), and add your user to the `kvm` and `docker` groups. For the network pool, consume the flake module — `imports = [ inputs.bot-bottle.nixosModules.firecracker-netpool ]; services.bot-bottle-firecracker = { enable = true; owner = "you"; };` — then `nixos-rebuild switch` (imperative nft/TAP rules don't survive a rebuild; channel users can `imports = [ <bot-bottle>/nix/firecracker-netpool.nix ]`). `firecracker` isn't in nixpkgs by default as a user binary — install the release binary (pin the version) and put it on `PATH`.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
./cli.py start <agent> # builds the image on first run, drops you into claude
|
./cli.py start <agent> # builds the image on first run, drops you into claude
|
||||||
|
|||||||
@@ -61,6 +61,13 @@ class AgentProviderRuntime:
|
|||||||
prompt_mode: PromptMode
|
prompt_mode: PromptMode
|
||||||
bypass_args: tuple[str, ...]
|
bypass_args: tuple[str, ...]
|
||||||
resume_args: tuple[str, ...]
|
resume_args: tuple[str, ...]
|
||||||
|
# argv run inside a throwaway container of a freshly built agent
|
||||||
|
# image, right after `build_image()`, to catch a build that
|
||||||
|
# exited 0 but produced a broken CLI (e.g. an npm
|
||||||
|
# optionalDependencies fetch for a platform-native binary that
|
||||||
|
# silently no-ops on a transient failure). Empty tuple skips the
|
||||||
|
# check — not every provider has opted in yet.
|
||||||
|
smoke_test: tuple[str, ...] = ()
|
||||||
|
|
||||||
|
|
||||||
@dataclass(frozen=True)
|
@dataclass(frozen=True)
|
||||||
@@ -204,11 +211,20 @@ class AgentProvider(ABC):
|
|||||||
bottle: "Bottle",
|
bottle: "Bottle",
|
||||||
supervise_url: str,
|
supervise_url: str,
|
||||||
) -> None:
|
) -> None:
|
||||||
"""Register the per-bottle supervise sidecar as an MCP server
|
"""Register the per-bottle supervise daemon as an MCP server
|
||||||
in the provider's in-guest config. Called by the backend after
|
in the provider's in-guest config. Called by the backend after
|
||||||
the supervise sidecar is reachable. No-op when
|
the supervise daemon is reachable. No-op when
|
||||||
`plan.supervise_plan is None`."""
|
`plan.supervise_plan is None`."""
|
||||||
|
|
||||||
|
@abstractmethod
|
||||||
|
def headless_prompt(self, prompt: str) -> list[str]:
|
||||||
|
"""Return the agent CLI args that deliver `prompt` as the
|
||||||
|
initial task in a non-interactive (headless) session.
|
||||||
|
|
||||||
|
Called only when ``--prompt`` is passed to
|
||||||
|
``./cli.py start --headless``; the returned args are appended
|
||||||
|
after the provider's ``bypass_args`` and ``startup_args``."""
|
||||||
|
|
||||||
def provision_ca(self, bottle: "Bottle", plan: "BottlePlan") -> None:
|
def provision_ca(self, bottle: "Bottle", plan: "BottlePlan") -> None:
|
||||||
"""Install the egress MITM CA into the agent's trust store.
|
"""Install the egress MITM CA into the agent's trust store.
|
||||||
|
|
||||||
@@ -218,6 +234,10 @@ class AgentProvider(ABC):
|
|||||||
from .backend.util import AGENT_CA_PATH, log_ca_fingerprint, select_ca_cert
|
from .backend.util import AGENT_CA_PATH, log_ca_fingerprint, select_ca_cert
|
||||||
from .log import die
|
from .log import die
|
||||||
cert_host_path, label = select_ca_cert(plan.egress_plan)
|
cert_host_path, label = select_ca_cert(plan.egress_plan)
|
||||||
|
# Ensure the target directory exists. A backend's rootfs build
|
||||||
|
# may not preserve the empty /usr/local/share/ca-certificates/
|
||||||
|
# directory; mkdir -p is idempotent and safe for all backends.
|
||||||
|
bottle.exec("mkdir -p /usr/local/share/ca-certificates", user="root")
|
||||||
bottle.cp_in(str(cert_host_path), AGENT_CA_PATH)
|
bottle.cp_in(str(cert_host_path), AGENT_CA_PATH)
|
||||||
r = bottle.exec(
|
r = bottle.exec(
|
||||||
f"chmod 644 {AGENT_CA_PATH} && update-ca-certificates",
|
f"chmod 644 {AGENT_CA_PATH} && update-ca-certificates",
|
||||||
|
|||||||
@@ -0,0 +1,93 @@
|
|||||||
|
"""SQLite-backed audit store for supervise (PRD 0013)."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import sqlite3
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
try:
|
||||||
|
from .supervise_types import AuditEntry
|
||||||
|
from .paths import host_db_path
|
||||||
|
from .db_store import DbStore
|
||||||
|
from .migrations import TableMigrations
|
||||||
|
except ImportError:
|
||||||
|
from supervise_types import AuditEntry # type: ignore[import-not-found] # pylint: disable=import-error,no-name-in-module
|
||||||
|
from paths import host_db_path # type: ignore[import-not-found] # pylint: disable=import-error,no-name-in-module
|
||||||
|
from db_store import DbStore # type: ignore[import-not-found] # pylint: disable=import-error,no-name-in-module
|
||||||
|
from migrations import TableMigrations # type: ignore[import-not-found] # pylint: disable=import-error,no-name-in-module
|
||||||
|
|
||||||
|
|
||||||
|
class AuditStore(DbStore):
|
||||||
|
"""SQLite-backed persistent store for supervise audit entries."""
|
||||||
|
|
||||||
|
def __init__(self, db_path: Path | None = None) -> None:
|
||||||
|
# One entry per schema version: migrations[0] brings a fresh DB to
|
||||||
|
# version 1, [1] to version 2, etc. Add new entries at the end; never
|
||||||
|
# edit existing ones.
|
||||||
|
migrations = TableMigrations("audit_store", [
|
||||||
|
# v1 — initial schema
|
||||||
|
"""
|
||||||
|
CREATE TABLE IF NOT EXISTS supervise_audit_entries (
|
||||||
|
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||||
|
timestamp TEXT NOT NULL,
|
||||||
|
bottle_slug TEXT NOT NULL,
|
||||||
|
component TEXT NOT NULL,
|
||||||
|
operator_action TEXT NOT NULL,
|
||||||
|
operator_notes TEXT NOT NULL,
|
||||||
|
justification TEXT NOT NULL,
|
||||||
|
diff TEXT NOT NULL
|
||||||
|
)
|
||||||
|
""",
|
||||||
|
])
|
||||||
|
super().__init__(db_path or host_db_path(), migrations)
|
||||||
|
|
||||||
|
def write_audit_entry(self, entry: AuditEntry) -> Path:
|
||||||
|
with self._connect() as conn:
|
||||||
|
conn.execute(
|
||||||
|
"""
|
||||||
|
INSERT INTO supervise_audit_entries (
|
||||||
|
timestamp, bottle_slug, component, operator_action,
|
||||||
|
operator_notes, justification, diff
|
||||||
|
) VALUES (?, ?, ?, ?, ?, ?, ?)
|
||||||
|
""",
|
||||||
|
(
|
||||||
|
entry.timestamp,
|
||||||
|
entry.bottle_slug,
|
||||||
|
entry.component,
|
||||||
|
entry.operator_action,
|
||||||
|
entry.operator_notes,
|
||||||
|
entry.justification,
|
||||||
|
entry.diff,
|
||||||
|
),
|
||||||
|
)
|
||||||
|
self._chmod()
|
||||||
|
return self.db_path
|
||||||
|
|
||||||
|
def read_audit_entries(self, component: str, slug: str) -> list[AuditEntry]:
|
||||||
|
if not self.db_path.is_file():
|
||||||
|
return []
|
||||||
|
with self._connect() as conn:
|
||||||
|
rows = conn.execute(
|
||||||
|
"""
|
||||||
|
SELECT * FROM supervise_audit_entries
|
||||||
|
WHERE component = ? AND bottle_slug = ?
|
||||||
|
ORDER BY id
|
||||||
|
""",
|
||||||
|
(component, slug),
|
||||||
|
).fetchall()
|
||||||
|
return [self._row_to_entry(row) for row in rows]
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def _row_to_entry(row: sqlite3.Row) -> AuditEntry:
|
||||||
|
return AuditEntry(
|
||||||
|
timestamp=row["timestamp"],
|
||||||
|
bottle_slug=row["bottle_slug"],
|
||||||
|
component=row["component"],
|
||||||
|
operator_action=row["operator_action"],
|
||||||
|
operator_notes=row["operator_notes"],
|
||||||
|
justification=row["justification"],
|
||||||
|
diff=row["diff"],
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = ["AuditStore"]
|
||||||
@@ -26,8 +26,9 @@ backend exposes five methods:
|
|||||||
|
|
||||||
Selection is driven by `--backend` on `start` or BOT_BOTTLE_BACKEND
|
Selection is driven by `--backend` on `start` or BOT_BOTTLE_BACKEND
|
||||||
(env var). When neither is set, compatible macOS hosts default to
|
(env var). When neither is set, compatible macOS hosts default to
|
||||||
`macos-container`; other hosts default to `smolmachines`. Per PRD 0003
|
`macos-container`; Linux hosts with KVM default to `firecracker`;
|
||||||
the manifest does not carry a backend field; the host picks.
|
otherwise `docker`. Per PRD 0003 the manifest does not carry a
|
||||||
|
backend field; the host picks.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
@@ -75,6 +76,9 @@ class BottleSpec:
|
|||||||
# Ordered bottle names selected at launch (issue #269). When non-empty
|
# Ordered bottle names selected at launch (issue #269). When non-empty
|
||||||
# they are merged in order and replace the agent's `bottle:` field.
|
# they are merged in order and replace the agent's `bottle:` field.
|
||||||
bottle_names: tuple[str, ...] = ()
|
bottle_names: tuple[str, ...] = ()
|
||||||
|
# True when launched via --headless (no TTY, no interactive prompts).
|
||||||
|
# The git-gate host-key preflight uses this to error rather than prompt.
|
||||||
|
headless: bool = False
|
||||||
|
|
||||||
|
|
||||||
@dataclass(frozen=True)
|
@dataclass(frozen=True)
|
||||||
@@ -94,14 +98,14 @@ class BottlePlan(ABC):
|
|||||||
@property
|
@property
|
||||||
def git_gate_insteadof_host(self) -> str:
|
def git_gate_insteadof_host(self) -> str:
|
||||||
"""Host (and optional port) used in git-gate insteadOf URLs.
|
"""Host (and optional port) used in git-gate insteadOf URLs.
|
||||||
Docker uses the compose-network DNS alias; smolmachines
|
Docker uses the compose-network DNS alias; VM backends may
|
||||||
overrides with a loopback IP:port since TSI has no DNS."""
|
override with an IP:port when the guest has no DNS."""
|
||||||
return "git-gate"
|
return "git-gate"
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def git_gate_insteadof_scheme(self) -> str:
|
def git_gate_insteadof_scheme(self) -> str:
|
||||||
"""URL scheme for git-gate insteadOf rewrites. 'git' for
|
"""URL scheme for git-gate insteadOf rewrites. 'git' for
|
||||||
Docker (git daemon); 'http' for smolmachines (HTTP proxy
|
Docker (git daemon); VM backends may override (e.g. 'http'
|
||||||
over a published host port)."""
|
over a published host port)."""
|
||||||
return "git"
|
return "git"
|
||||||
egress_plan: EgressPlan
|
egress_plan: EgressPlan
|
||||||
@@ -179,8 +183,8 @@ class BottleCleanupPlan(ABC):
|
|||||||
class ExecResult:
|
class ExecResult:
|
||||||
"""Captured result of `Bottle.exec`. Backend-neutral: the Docker
|
"""Captured result of `Bottle.exec`. Backend-neutral: the Docker
|
||||||
impl populates it from a `subprocess.CompletedProcess`, but a
|
impl populates it from a `subprocess.CompletedProcess`, but a
|
||||||
future fly/smolmachines backend could populate it from any source
|
VM backend could populate it from any source that produces a
|
||||||
that produces a returncode + captured streams."""
|
returncode + captured streams."""
|
||||||
|
|
||||||
returncode: int
|
returncode: int
|
||||||
stdout: str
|
stdout: str
|
||||||
@@ -195,10 +199,10 @@ class ActiveAgent:
|
|||||||
bottle is the container, the agent is what runs in it.)
|
bottle is the container, the agent is what runs in it.)
|
||||||
|
|
||||||
Fields are deliberately backend-neutral. `services` is the set
|
Fields are deliberately backend-neutral. `services` is the set
|
||||||
of sidecar daemons currently up for this bottle (`egress`,
|
of gateway daemons currently up for this bottle (`egress`,
|
||||||
`git-gate`, `supervise`); the dashboard uses it to
|
`git-gate`, `supervise`); the dashboard uses it to
|
||||||
gate edit verbs. `backend_name` is the matching key in
|
gate edit verbs. `backend_name` is the matching key in
|
||||||
`_BACKENDS` (`docker` / `smolmachines` / `macos-container`) — used by the active-
|
`_BACKENDS` (`docker` / `firecracker` / `macos-container`) — used by the active-
|
||||||
list rendering to disambiguate and by the dashboard's
|
list rendering to disambiguate and by the dashboard's
|
||||||
re-attach path."""
|
re-attach path."""
|
||||||
|
|
||||||
@@ -247,7 +251,7 @@ class Bottle(ABC):
|
|||||||
`user` (default `node`, matching the agent image's USER
|
`user` (default `node`, matching the agent image's USER
|
||||||
directive) and return the captured stdout/stderr/returncode.
|
directive) and return the captured stdout/stderr/returncode.
|
||||||
The bottle's environment (including HTTPS_PROXY pointing at
|
The bottle's environment (including HTTPS_PROXY pointing at
|
||||||
the egress sidecar) is inherited by the child. Non-zero
|
the egress daemon) is inherited by the child. Non-zero
|
||||||
exit does not raise — callers inspect `returncode`
|
exit does not raise — callers inspect `returncode`
|
||||||
themselves.
|
themselves.
|
||||||
|
|
||||||
@@ -300,6 +304,13 @@ class BottleBackend(ABC, Generic[PlanT, CleanupT]):
|
|||||||
|
|
||||||
self._preflight()
|
self._preflight()
|
||||||
|
|
||||||
|
from ..git_gate_host_key import preflight_host_keys
|
||||||
|
manifest = preflight_host_keys(
|
||||||
|
manifest,
|
||||||
|
headless=spec.headless,
|
||||||
|
home_md=spec.manifest.home_md,
|
||||||
|
)
|
||||||
|
|
||||||
manifest_bottle = manifest.bottle
|
manifest_bottle = manifest.bottle
|
||||||
manifest_agent_provider = manifest_bottle.agent_provider
|
manifest_agent_provider = manifest_bottle.agent_provider
|
||||||
agent_provider = get_provider(manifest_agent_provider.template)
|
agent_provider = get_provider(manifest_agent_provider.template)
|
||||||
@@ -443,7 +454,7 @@ class BottleBackend(ABC, Generic[PlanT, CleanupT]):
|
|||||||
declarative provision-plan apply, supervise MCP registration)
|
declarative provision-plan apply, supervise MCP registration)
|
||||||
live on the `AgentProvider` plugin. The backend only owns the
|
live on the `AgentProvider` plugin. The backend only owns the
|
||||||
steps that are about backend infrastructure (CA, workspace,
|
steps that are about backend infrastructure (CA, workspace,
|
||||||
git) and surfaces the supervise sidecar URL its launch step
|
git) and surfaces the supervise daemon URL its launch step
|
||||||
knows about via `supervise_mcp_url`.
|
knows about via `supervise_mcp_url`.
|
||||||
|
|
||||||
PRD 0017: cred-proxy's agent-side dotfile rewrites (~/.npmrc,
|
PRD 0017: cred-proxy's agent-side dotfile rewrites (~/.npmrc,
|
||||||
@@ -491,12 +502,12 @@ class BottleBackend(ABC, Generic[PlanT, CleanupT]):
|
|||||||
|
|
||||||
def supervise_mcp_url(self, plan: PlanT) -> str:
|
def supervise_mcp_url(self, plan: PlanT) -> str:
|
||||||
"""Return the agent-side URL of the per-bottle supervise
|
"""Return the agent-side URL of the per-bottle supervise
|
||||||
sidecar, or "" when this bottle has no sidecar. The provider
|
gateway, or "" when this bottle has no gateway. The provider
|
||||||
plugin's `provision_supervise_mcp` uses it to register the
|
plugin's `provision_supervise_mcp` uses it to register the
|
||||||
MCP entry inside the guest.
|
MCP entry inside the guest.
|
||||||
|
|
||||||
Default returns "" so backends without supervise support
|
Default returns "" so backends without supervise support
|
||||||
don't have to implement it. Docker and smolmachines override."""
|
don't have to implement it. Docker and firecracker override."""
|
||||||
del plan
|
del plan
|
||||||
return ""
|
return ""
|
||||||
|
|
||||||
@@ -513,27 +524,60 @@ class BottleBackend(ABC, Generic[PlanT, CleanupT]):
|
|||||||
def enumerate_active(self) -> Sequence[ActiveAgent]:
|
def enumerate_active(self) -> Sequence[ActiveAgent]:
|
||||||
"""Return every currently-running agent on this backend.
|
"""Return every currently-running agent on this backend.
|
||||||
Empty when none. Backend-specific: docker queries `docker
|
Empty when none. Backend-specific: docker queries `docker
|
||||||
compose ls`; smolmachines queries `smolvm machine ls --json`
|
compose ls`; firecracker cross-references its running gateway
|
||||||
+ cross-references its bundle container."""
|
containers against per-bottle metadata."""
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
@abstractmethod
|
@abstractmethod
|
||||||
def is_available(cls) -> bool:
|
def is_available(cls) -> bool:
|
||||||
"""Whether this backend's runtime prerequisites are satisfied
|
"""Whether this backend's runtime prerequisites are satisfied
|
||||||
on the current host. Docker → `docker` on PATH; smolmachines
|
on the current host. Docker → `docker` on PATH; firecracker →
|
||||||
→ `smolvm` on PATH. Used by the cross-backend
|
Linux + KVM. Used by the cross-backend
|
||||||
`enumerate_active_agents` / `cmd_cleanup` to skip backends
|
`enumerate_active_agents` / `cmd_cleanup` to skip backends
|
||||||
the operator hasn't installed, so a docker-only host
|
the operator hasn't installed, so a docker-only host
|
||||||
doesn't fail when `cli.py list active` walks past
|
doesn't fail when `cli.py list active` walks past
|
||||||
smolmachines."""
|
firecracker."""
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
@abstractmethod
|
||||||
|
def setup(cls) -> int:
|
||||||
|
"""Emit this backend's one-time host setup — privileged network
|
||||||
|
pool, daemon bring-up, install pointers, etc. — as
|
||||||
|
host-appropriate config or commands. Prints to stdout/stderr and
|
||||||
|
returns a shell exit code (0 = nothing to report / success). A
|
||||||
|
backend that needs no host setup prints a short note and returns
|
||||||
|
0. Invoked generically by `./cli.py backend setup [--backend=…]`
|
||||||
|
so operators can provision any backend without a
|
||||||
|
backend-specific command. Classmethod (like `is_available`) —
|
||||||
|
it's a host query, not per-bottle state."""
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
@abstractmethod
|
||||||
|
def status(cls) -> int:
|
||||||
|
"""Report whether this backend's prerequisites are satisfied on
|
||||||
|
the host — binaries, daemon reachability, network pool, range
|
||||||
|
conflicts, etc. Prints a human-readable summary; returns 0 when
|
||||||
|
the backend is ready to launch and non-zero when something is
|
||||||
|
missing. Invoked by `./cli.py backend status [--backend=…]`."""
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
@abstractmethod
|
||||||
|
def teardown(cls) -> int:
|
||||||
|
"""Undo `setup()` — the inverse operation, surfaced as
|
||||||
|
`./cli.py backend teardown [--backend=…]` (uninstall). Symmetric
|
||||||
|
with setup: where setup is advisory (prints the privileged
|
||||||
|
commands / declarative config to apply), teardown prints the
|
||||||
|
commands / config change to remove the host prerequisites. A
|
||||||
|
backend with no host setup prints a short note and returns 0.
|
||||||
|
Not called by the launch path or the test suite."""
|
||||||
|
|
||||||
|
|
||||||
# Import concrete backend classes AFTER the base types are defined, so
|
# Import concrete backend classes AFTER the base types are defined, so
|
||||||
# each backend module can pull BottleSpec / BottlePlan / BottleBackend
|
# each backend module can pull BottleSpec / BottlePlan / BottleBackend
|
||||||
# via `from . import ...` without hitting a partially-initialized module.
|
# via `from . import ...` without hitting a partially-initialized module.
|
||||||
from .docker import DockerBottleBackend # noqa: E402 # pylint: disable=wrong-import-position
|
from .docker import DockerBottleBackend # noqa: E402 # pylint: disable=wrong-import-position
|
||||||
|
from .firecracker import FirecrackerBottleBackend # noqa: E402 # pylint: disable=wrong-import-position
|
||||||
from .macos_container import MacosContainerBottleBackend # noqa: E402 # pylint: disable=wrong-import-position
|
from .macos_container import MacosContainerBottleBackend # noqa: E402 # pylint: disable=wrong-import-position
|
||||||
from .smolmachines import SmolmachinesBottleBackend # noqa: E402 # pylint: disable=wrong-import-position
|
|
||||||
|
|
||||||
# Freezer is imported after the backend classes for the same reason:
|
# Freezer is imported after the backend classes for the same reason:
|
||||||
# Freezer.commit_slug constructs ActiveAgent, which must be fully
|
# Freezer.commit_slug constructs ActiveAgent, which must be fully
|
||||||
@@ -547,8 +591,8 @@ from .freeze import CommitCancelled, Freezer, get_freezer # noqa: E402 # pylin
|
|||||||
# unparameterized methods (prepare → plan → launch(plan), cleanup, etc.).
|
# unparameterized methods (prepare → plan → launch(plan), cleanup, etc.).
|
||||||
_BACKENDS: dict[str, BottleBackend[Any, Any]] = {
|
_BACKENDS: dict[str, BottleBackend[Any, Any]] = {
|
||||||
"docker": DockerBottleBackend(),
|
"docker": DockerBottleBackend(),
|
||||||
|
"firecracker": FirecrackerBottleBackend(),
|
||||||
"macos-container": MacosContainerBottleBackend(),
|
"macos-container": MacosContainerBottleBackend(),
|
||||||
"smolmachines": SmolmachinesBottleBackend(),
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -561,7 +605,8 @@ def get_bottle_backend(
|
|||||||
1. explicit arg (CLI `--backend=<name>` passes through here)
|
1. explicit arg (CLI `--backend=<name>` passes through here)
|
||||||
2. BOT_BOTTLE_BACKEND env var
|
2. BOT_BOTTLE_BACKEND env var
|
||||||
3. `macos-container` on compatible macOS hosts
|
3. `macos-container` on compatible macOS hosts
|
||||||
4. default `smolmachines`
|
4. `firecracker` on KVM-capable Linux hosts
|
||||||
|
5. default `docker`
|
||||||
|
|
||||||
Dies with a pointer at the known backends if the chosen name
|
Dies with a pointer at the known backends if the chosen name
|
||||||
isn't implemented."""
|
isn't implemented."""
|
||||||
@@ -575,7 +620,13 @@ def get_bottle_backend(
|
|||||||
def _default_backend_name() -> str:
|
def _default_backend_name() -> str:
|
||||||
if has_backend("macos-container"):
|
if has_backend("macos-container"):
|
||||||
return "macos-container"
|
return "macos-container"
|
||||||
return "smolmachines"
|
# A KVM-capable Linux host defaults to firecracker even when the
|
||||||
|
# `firecracker` binary isn't installed yet: selecting it here routes
|
||||||
|
# start through firecracker's preflight, which prints an install
|
||||||
|
# pointer, instead of silently falling back to docker.
|
||||||
|
if FirecrackerBottleBackend.is_host_capable():
|
||||||
|
return "firecracker"
|
||||||
|
return "docker"
|
||||||
|
|
||||||
|
|
||||||
def known_backend_names() -> tuple[str, ...]:
|
def known_backend_names() -> tuple[str, ...]:
|
||||||
@@ -589,7 +640,7 @@ def has_backend(name: str) -> bool:
|
|||||||
"""Whether the named backend's runtime prerequisites are
|
"""Whether the named backend's runtime prerequisites are
|
||||||
available on the current host. Cross-backend callers (list,
|
available on the current host. Cross-backend callers (list,
|
||||||
cleanup) skip unavailable backends so a docker-only host
|
cleanup) skip unavailable backends so a docker-only host
|
||||||
doesn't fail when the smolmachines backend isn't installed,
|
doesn't fail when the firecracker backend isn't usable,
|
||||||
and vice versa.
|
and vice versa.
|
||||||
|
|
||||||
Returns False for unknown names so callers can pass
|
Returns False for unknown names so callers can pass
|
||||||
|
|||||||
@@ -54,6 +54,21 @@ class DockerBottleBackend(BottleBackend["DockerBottlePlan", "DockerBottleCleanup
|
|||||||
launch."""
|
launch."""
|
||||||
return shutil.which("docker") is not None
|
return shutil.which("docker") is not None
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def setup(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.setup()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def status(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.status()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def teardown(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.teardown()
|
||||||
|
|
||||||
def _preflight(self) -> None:
|
def _preflight(self) -> None:
|
||||||
_resolve_plan.preflight()
|
_resolve_plan.preflight()
|
||||||
|
|
||||||
@@ -91,11 +106,16 @@ class DockerBottleBackend(BottleBackend["DockerBottlePlan", "DockerBottleCleanup
|
|||||||
yield bottle
|
yield bottle
|
||||||
|
|
||||||
def supervise_mcp_url(self, plan: DockerBottlePlan) -> str:
|
def supervise_mcp_url(self, plan: DockerBottlePlan) -> str:
|
||||||
"""Docker bottles reach the supervise sidecar via the
|
"""Docker bottles reach the supervise daemon via the
|
||||||
compose-network alias `supervise:9100`. No per-bottle URL
|
compose-network alias `supervise:9100`. No per-bottle URL
|
||||||
plumbing needed; the alias resolves inside the bridge."""
|
plumbing needed; the alias resolves inside the bridge."""
|
||||||
if plan.supervise_plan is None:
|
if plan.supervise_plan is None:
|
||||||
return ""
|
return ""
|
||||||
|
# Consolidated: the supervise daemon lives on the shared gateway, so
|
||||||
|
# the agent registers the gateway address (NO_PROXY bypasses egress),
|
||||||
|
# not the per-bottle `supervise` alias.
|
||||||
|
if plan.agent_supervise_url:
|
||||||
|
return plan.agent_supervise_url
|
||||||
return f"http://{SUPERVISE_HOSTNAME}:{SUPERVISE_PORT}/"
|
return f"http://{SUPERVISE_HOSTNAME}:{SUPERVISE_PORT}/"
|
||||||
|
|
||||||
def prepare_cleanup(self) -> DockerBottleCleanupPlan:
|
def prepare_cleanup(self) -> DockerBottleCleanupPlan:
|
||||||
|
|||||||
@@ -28,11 +28,30 @@ class DockerBottlePlan(BottlePlan):
|
|||||||
# accidental log of the plan dataclass.
|
# accidental log of the plan dataclass.
|
||||||
forwarded_env: dict[str, str] = field(repr=False)
|
forwarded_env: dict[str, str] = field(repr=False)
|
||||||
use_runsc: bool
|
use_runsc: bool
|
||||||
|
# Consolidated mode (PRD 0070): the agent reaches git-gate over HTTP at the
|
||||||
|
# shared gateway's address (`http://<gateway_ip>:9420`), set at launch.
|
||||||
|
# Empty → single-tenant defaults (the `git-gate` alias over git://).
|
||||||
|
agent_git_gate_url: str = ""
|
||||||
|
# Likewise the supervise MCP endpoint at the gateway (`http://<gw>:9100/`);
|
||||||
|
# empty → the single-tenant `supervise` alias.
|
||||||
|
agent_supervise_url: str = ""
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def container_name(self) -> str:
|
def container_name(self) -> str:
|
||||||
return self.agent_provision.instance_name
|
return self.agent_provision.instance_name
|
||||||
|
|
||||||
|
@property
|
||||||
|
def git_gate_insteadof_host(self) -> str:
|
||||||
|
if self.agent_git_gate_url.startswith("http://"):
|
||||||
|
return self.agent_git_gate_url.removeprefix("http://").rstrip("/")
|
||||||
|
return super().git_gate_insteadof_host
|
||||||
|
|
||||||
|
@property
|
||||||
|
def git_gate_insteadof_scheme(self) -> str:
|
||||||
|
if self.agent_git_gate_url.startswith("http://"):
|
||||||
|
return "http"
|
||||||
|
return super().git_gate_insteadof_scheme
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def image(self) -> str:
|
def image(self) -> str:
|
||||||
return self.agent_provision.image
|
return self.agent_provision.image
|
||||||
|
|||||||
@@ -18,8 +18,7 @@ scan, just as a fallback bucket alongside the project list.
|
|||||||
|
|
||||||
`cleanup` removes everything in the plan.
|
`cleanup` removes everything in the plan.
|
||||||
|
|
||||||
Active-agent enumeration lives in `backend/docker/enumerate.py`
|
Active-agent enumeration lives in `backend/docker/enumerate.py`.
|
||||||
(mirror of `backend/smolmachines/enumerate.py`).
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
@@ -27,7 +26,7 @@ from __future__ import annotations
|
|||||||
import shutil
|
import shutil
|
||||||
import subprocess
|
import subprocess
|
||||||
|
|
||||||
from ... import supervise as _supervise
|
from ...paths import bot_bottle_root
|
||||||
from ...log import info, warn
|
from ...log import info, warn
|
||||||
from . import util as docker_mod
|
from . import util as docker_mod
|
||||||
from .bottle_cleanup_plan import DockerBottleCleanupPlan
|
from .bottle_cleanup_plan import DockerBottleCleanupPlan
|
||||||
@@ -93,9 +92,9 @@ def _list_orphan_state_dirs(
|
|||||||
|
|
||||||
`protected_identities` is the set of slugs that are live in
|
`protected_identities` is the set of slugs that are live in
|
||||||
ANY backend — used so this docker-side check doesn't reap a
|
ANY backend — used so this docker-side check doesn't reap a
|
||||||
running smolmachines bottle's state dir (the layout is shared
|
running non-docker bottle's state dir (the layout is shared
|
||||||
across both backends)."""
|
across backends)."""
|
||||||
state_root = _supervise.bot_bottle_root() / "state"
|
state_root = bot_bottle_root() / "state"
|
||||||
if not state_root.is_dir():
|
if not state_root.is_dir():
|
||||||
return []
|
return []
|
||||||
orphans: list[str] = []
|
orphans: list[str] = []
|
||||||
@@ -119,7 +118,7 @@ def prepare_cleanup() -> DockerBottleCleanupPlan:
|
|||||||
|
|
||||||
Pulls the union of live identities across backends via
|
Pulls the union of live identities across backends via
|
||||||
`enumerate_active_agents()` so the orphan-state-dir bucket
|
`enumerate_active_agents()` so the orphan-state-dir bucket
|
||||||
doesn't include slugs whose smolmachines VM is still up."""
|
doesn't include slugs whose non-docker bottle is still up."""
|
||||||
docker_mod.require_docker()
|
docker_mod.require_docker()
|
||||||
projects = list_compose_projects()
|
projects = list_compose_projects()
|
||||||
project_set = set(projects)
|
project_set = set(projects)
|
||||||
|
|||||||
@@ -1,20 +1,10 @@
|
|||||||
"""Compose-spec rendering for a Docker bottle (PRD 0018, chunk 1).
|
"""Docker compose lifecycle helpers (PRD 0018).
|
||||||
|
|
||||||
`bottle_plan_to_compose(plan)` returns a Compose v2 spec dict
|
Serialize a compose spec to disk, drive `docker compose up/down`,
|
||||||
describing the per-bottle container topology — one project per
|
dump the merged log on teardown, and enumerate `bot-bottle-*`
|
||||||
bottle instance, services for the agent + every applicable sidecar,
|
projects. The spec itself is built by `consolidated_compose.py`
|
||||||
two networks, no named volumes.
|
(the consolidated per-host gateway topology); this module owns the
|
||||||
|
I/O side that persists and runs it.
|
||||||
Pure function. No I/O, no subprocess. Expects every launch-time
|
|
||||||
field (network names, CA host paths, etc.) on the plan's inner
|
|
||||||
plans to be populated; chunks 2+3 own that ordering.
|
|
||||||
|
|
||||||
Conditional services follow the plan content:
|
|
||||||
|
|
||||||
- agent + sidecars bundle: always.
|
|
||||||
- git-gate: iff plan.git_gate_plan.upstreams.
|
|
||||||
- egress: iff plan.egress_plan.routes.
|
|
||||||
- supervise: iff plan.supervise_plan is not None.
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
@@ -25,234 +15,7 @@ import sys
|
|||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from typing import Any
|
from typing import Any
|
||||||
|
|
||||||
from ...egress import (
|
|
||||||
EGRESS_HOSTNAME,
|
|
||||||
EGRESS_ROUTES_IN_CONTAINER,
|
|
||||||
egress_agent_env_entries,
|
|
||||||
egress_sidecar_env_entries,
|
|
||||||
)
|
|
||||||
from ...git_gate import GIT_GATE_HOSTNAME
|
|
||||||
from ...log import die, warn
|
from ...log import die, warn
|
||||||
from ...supervise import (
|
|
||||||
QUEUE_DIR_IN_CONTAINER,
|
|
||||||
SUPERVISE_HOSTNAME,
|
|
||||||
SUPERVISE_PORT,
|
|
||||||
)
|
|
||||||
from ...util import expand_tilde
|
|
||||||
from ..util import AGENT_CA_BUNDLE, AGENT_CA_PATH
|
|
||||||
from .bottle_plan import DockerBottlePlan
|
|
||||||
from .egress import (
|
|
||||||
EGRESS_CA_IN_CONTAINER,
|
|
||||||
EGRESS_PORT,
|
|
||||||
)
|
|
||||||
from .git_gate import (
|
|
||||||
GIT_GATE_ACCESS_HOOK_IN_CONTAINER,
|
|
||||||
GIT_GATE_CREDS_DIR_IN_CONTAINER,
|
|
||||||
GIT_GATE_ENTRYPOINT_IN_CONTAINER,
|
|
||||||
GIT_GATE_HOOK_IN_CONTAINER,
|
|
||||||
)
|
|
||||||
from . import network as network_mod
|
|
||||||
from .sidecar_bundle import (
|
|
||||||
SIDECAR_BUNDLE_DOCKERFILE,
|
|
||||||
SIDECAR_BUNDLE_IMAGE,
|
|
||||||
sidecar_bundle_container_name,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
# Repo root, used as the build context for the bundle Dockerfile.
|
|
||||||
_REPO_DIR = str(Path(__file__).resolve().parent.parent.parent.parent)
|
|
||||||
|
|
||||||
|
|
||||||
def bottle_plan_to_compose(plan: DockerBottlePlan) -> dict[str, Any]:
|
|
||||||
"""Render a Compose v2 spec dict from a fully-resolved
|
|
||||||
DockerBottlePlan.
|
|
||||||
|
|
||||||
The plan must have its inner plans (`git_gate_plan`,
|
|
||||||
`egress_plan`, `supervise_plan`) populated with launch-time
|
|
||||||
fields — network names, CA host paths. The renderer doesn't
|
|
||||||
validate; callers feed it a fully-resolved plan or get an
|
|
||||||
incomplete compose spec back.
|
|
||||||
"""
|
|
||||||
project = f"bot-bottle-{plan.slug}"
|
|
||||||
services: dict[str, Any] = {
|
|
||||||
"sidecars": _sidecar_bundle_service(plan),
|
|
||||||
"agent": _agent_service(plan),
|
|
||||||
}
|
|
||||||
return {
|
|
||||||
"name": project,
|
|
||||||
"services": services,
|
|
||||||
"networks": _networks(plan),
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def _networks(plan: DockerBottlePlan) -> dict[str, Any]:
|
|
||||||
"""Compose-managed networks with explicit `name:` matching the
|
|
||||||
existing slug-suffixed convention. Compose creates them on `up`
|
|
||||||
and destroys them on `down`. The internal one is `--internal`
|
|
||||||
(no default gateway); the egress one is a normal user-defined
|
|
||||||
bridge."""
|
|
||||||
return {
|
|
||||||
"internal": {
|
|
||||||
"name": network_mod.network_name_for_slug(plan.slug),
|
|
||||||
"internal": True,
|
|
||||||
},
|
|
||||||
"egress": {
|
|
||||||
"name": network_mod.network_egress_name_for_slug(plan.slug),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def _bind(host: str | Path, target: str, *, read_only: bool = True) -> dict[str, Any]:
|
|
||||||
"""One bind-mount entry in the long-form `volumes:` shape.
|
|
||||||
Long form is preferred over `host:target:ro` strings because
|
|
||||||
it's easier to inspect in tests and survives whitespace in
|
|
||||||
host paths."""
|
|
||||||
return {
|
|
||||||
"type": "bind",
|
|
||||||
"source": str(host),
|
|
||||||
"target": target,
|
|
||||||
"read_only": read_only,
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def _sidecar_bundle_service(plan: DockerBottlePlan) -> dict[str, Any]:
|
|
||||||
"""The `sidecars` service: one container per bottle, bundle
|
|
||||||
image, all daemons under a Python init supervisor.
|
|
||||||
|
|
||||||
Daemon subset narrows via `BOT_BOTTLE_SIDECAR_DAEMONS` env.
|
|
||||||
egress is always present; git-gate / supervise are conditional.
|
|
||||||
"""
|
|
||||||
daemons: list[str] = ["egress"]
|
|
||||||
if plan.git_gate_plan.upstreams:
|
|
||||||
daemons.append("git-gate")
|
|
||||||
if plan.supervise_plan is not None:
|
|
||||||
daemons.append("supervise")
|
|
||||||
|
|
||||||
env: list[str] = [f"BOT_BOTTLE_SIDECAR_DAEMONS={','.join(daemons)}"]
|
|
||||||
volumes: list[dict[str, Any]] = []
|
|
||||||
|
|
||||||
# --- egress -------------------------------------------------------
|
|
||||||
ep = plan.egress_plan
|
|
||||||
volumes.append(_bind(ep.mitmproxy_ca_host_path, EGRESS_CA_IN_CONTAINER))
|
|
||||||
if ep.routes:
|
|
||||||
volumes.append(_bind(ep.routes_path.parent, str(Path(EGRESS_ROUTES_IN_CONTAINER).parent)))
|
|
||||||
env.extend(egress_sidecar_env_entries(ep))
|
|
||||||
|
|
||||||
# --- git-gate -----------------------------------------------------
|
|
||||||
gp = plan.git_gate_plan
|
|
||||||
if gp.upstreams:
|
|
||||||
volumes += [
|
|
||||||
_bind(gp.entrypoint_script, GIT_GATE_ENTRYPOINT_IN_CONTAINER),
|
|
||||||
_bind(gp.hook_script, GIT_GATE_HOOK_IN_CONTAINER),
|
|
||||||
_bind(gp.access_hook_script, GIT_GATE_ACCESS_HOOK_IN_CONTAINER),
|
|
||||||
]
|
|
||||||
for u in gp.upstreams:
|
|
||||||
keypath = expand_tilde(u.identity_file)
|
|
||||||
volumes.append(_bind(
|
|
||||||
keypath,
|
|
||||||
f"{GIT_GATE_CREDS_DIR_IN_CONTAINER}/{u.name}-key",
|
|
||||||
))
|
|
||||||
if u.known_hosts_file:
|
|
||||||
volumes.append(_bind(
|
|
||||||
u.known_hosts_file,
|
|
||||||
f"{GIT_GATE_CREDS_DIR_IN_CONTAINER}/{u.name}-known_hosts",
|
|
||||||
))
|
|
||||||
|
|
||||||
# --- supervise ----------------------------------------------------
|
|
||||||
sp = plan.supervise_plan
|
|
||||||
if sp is not None:
|
|
||||||
env += [
|
|
||||||
f"SUPERVISE_BOTTLE_SLUG={plan.slug}",
|
|
||||||
f"SUPERVISE_QUEUE_DIR={QUEUE_DIR_IN_CONTAINER}",
|
|
||||||
f"SUPERVISE_PORT={SUPERVISE_PORT}",
|
|
||||||
]
|
|
||||||
volumes.append({
|
|
||||||
"type": "bind",
|
|
||||||
"source": str(sp.queue_dir),
|
|
||||||
"target": QUEUE_DIR_IN_CONTAINER,
|
|
||||||
"read_only": False,
|
|
||||||
})
|
|
||||||
|
|
||||||
internal_aliases = [EGRESS_HOSTNAME]
|
|
||||||
if gp.upstreams:
|
|
||||||
internal_aliases.append(GIT_GATE_HOSTNAME)
|
|
||||||
if sp is not None:
|
|
||||||
internal_aliases.append(SUPERVISE_HOSTNAME)
|
|
||||||
|
|
||||||
service: dict[str, Any] = {
|
|
||||||
"image": SIDECAR_BUNDLE_IMAGE,
|
|
||||||
"build": {
|
|
||||||
"context": _REPO_DIR,
|
|
||||||
"dockerfile": SIDECAR_BUNDLE_DOCKERFILE,
|
|
||||||
},
|
|
||||||
"container_name": sidecar_bundle_container_name(plan.slug),
|
|
||||||
"networks": {
|
|
||||||
"internal": {"aliases": internal_aliases},
|
|
||||||
"egress": None,
|
|
||||||
},
|
|
||||||
"environment": env,
|
|
||||||
"volumes": volumes,
|
|
||||||
}
|
|
||||||
return service
|
|
||||||
|
|
||||||
|
|
||||||
def _agent_service(plan: DockerBottlePlan) -> dict[str, Any]:
|
|
||||||
"""Agent container. Runs `sleep infinity`; claude is `docker
|
|
||||||
exec -it`'d into it later. HTTP_PROXY/HTTPS_PROXY point at the
|
|
||||||
egress sidecar."""
|
|
||||||
proxy_url = _agent_proxy_url(plan)
|
|
||||||
no_proxy = _agent_no_proxy(plan)
|
|
||||||
env: list[str] = [
|
|
||||||
f"HTTPS_PROXY={proxy_url}",
|
|
||||||
f"HTTP_PROXY={proxy_url}",
|
|
||||||
f"https_proxy={proxy_url}",
|
|
||||||
f"http_proxy={proxy_url}",
|
|
||||||
f"NO_PROXY={no_proxy}",
|
|
||||||
f"no_proxy={no_proxy}",
|
|
||||||
f"NODE_EXTRA_CA_CERTS={AGENT_CA_PATH}",
|
|
||||||
f"SSL_CERT_FILE={AGENT_CA_BUNDLE}",
|
|
||||||
f"REQUESTS_CA_BUNDLE={AGENT_CA_BUNDLE}",
|
|
||||||
]
|
|
||||||
for name, value in sorted(plan.agent_provision.guest_env.items()):
|
|
||||||
env.append(f"{name}={value}")
|
|
||||||
# Forwarded vars (OAuth token, manifest host-interpolations):
|
|
||||||
# bare name → inherits from compose-up process env, value
|
|
||||||
# never lands on argv or in the compose file.
|
|
||||||
for name in sorted(plan.forwarded_env.keys()):
|
|
||||||
env.append(name)
|
|
||||||
env.extend(egress_agent_env_entries(plan.egress_plan))
|
|
||||||
|
|
||||||
service: dict[str, Any] = {
|
|
||||||
"image": plan.image,
|
|
||||||
"container_name": plan.container_name,
|
|
||||||
"command": ["sleep", "infinity"],
|
|
||||||
"networks": {"internal": None},
|
|
||||||
"environment": env,
|
|
||||||
}
|
|
||||||
if plan.use_runsc:
|
|
||||||
service["runtime"] = "runsc"
|
|
||||||
|
|
||||||
# The init supervisor inside the bundle owns intra-bundle
|
|
||||||
# daemon ordering, so the agent only waits for the bundle
|
|
||||||
# container itself.
|
|
||||||
service["depends_on"] = ["sidecars"]
|
|
||||||
|
|
||||||
return service
|
|
||||||
|
|
||||||
|
|
||||||
def _agent_proxy_url(plan: DockerBottlePlan) -> str:
|
|
||||||
"""Agent's HTTP_PROXY — always points at egress."""
|
|
||||||
return f"http://{EGRESS_HOSTNAME}:{EGRESS_PORT}"
|
|
||||||
|
|
||||||
|
|
||||||
def _agent_no_proxy(plan: DockerBottlePlan) -> str:
|
|
||||||
"""NO_PROXY for the agent: loopback always; supervise hostname
|
|
||||||
when the supervise sidecar is up (MCP long-poll must bypass
|
|
||||||
the egress proxy)."""
|
|
||||||
hosts = ["localhost", "127.0.0.1"]
|
|
||||||
if plan.supervise_plan is not None:
|
|
||||||
hosts.append(SUPERVISE_HOSTNAME)
|
|
||||||
return ",".join(hosts)
|
|
||||||
|
|
||||||
|
|
||||||
# --- Lifecycle helpers (PRD 0018 chunk 3) ----------------------------------
|
# --- Lifecycle helpers (PRD 0018 chunk 3) ----------------------------------
|
||||||
@@ -443,7 +206,6 @@ __all__ = [
|
|||||||
"COMPOSE_FILE_NAME",
|
"COMPOSE_FILE_NAME",
|
||||||
"COMPOSE_LOG_NAME",
|
"COMPOSE_LOG_NAME",
|
||||||
"COMPOSE_PROJECT_PREFIX",
|
"COMPOSE_PROJECT_PREFIX",
|
||||||
"bottle_plan_to_compose",
|
|
||||||
"compose_down",
|
"compose_down",
|
||||||
"compose_dump_logs",
|
"compose_dump_logs",
|
||||||
"compose_file_path",
|
"compose_file_path",
|
||||||
|
|||||||
@@ -0,0 +1,78 @@
|
|||||||
|
"""Agent-only compose for the consolidated docker backend (PRD 0070).
|
||||||
|
|
||||||
|
The per-bottle model rendered a compose project with the agent *and* a
|
||||||
|
gateway on two per-bottle networks. In the consolidated model the
|
||||||
|
per-bottle companion containers are gone — one shared gateway serves every bottle — so this renders
|
||||||
|
just the agent, attached to the **external shared gateway network** with the
|
||||||
|
pinned source IP the orchestrator allocated, and pointed at the gateway's
|
||||||
|
address for egress (and, around the proxy, for git-http / supervise).
|
||||||
|
|
||||||
|
Pure: it takes the launch-time `LaunchContext` values (gateway address,
|
||||||
|
source IP, network) and the prepared plan, and returns a compose dict — no
|
||||||
|
docker, so it's testable in isolation.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from typing import Any
|
||||||
|
|
||||||
|
from ...egress import egress_agent_env_entries
|
||||||
|
from ..util import AGENT_CA_BUNDLE, AGENT_CA_PATH
|
||||||
|
from .bottle_plan import DockerBottlePlan
|
||||||
|
from .egress import EGRESS_PORT
|
||||||
|
|
||||||
|
|
||||||
|
def consolidated_agent_compose(
|
||||||
|
plan: DockerBottlePlan,
|
||||||
|
*,
|
||||||
|
gateway_ip: str,
|
||||||
|
source_ip: str,
|
||||||
|
network: str,
|
||||||
|
) -> dict[str, Any]:
|
||||||
|
"""A compose spec with only the agent service, on the external gateway
|
||||||
|
network at `source_ip`, proxying egress through `gateway_ip`."""
|
||||||
|
proxy_url = f"http://{gateway_ip}:{EGRESS_PORT}"
|
||||||
|
# git-http + supervise live on the gateway too and must NOT go through the
|
||||||
|
# egress proxy — the agent reaches them directly by the gateway address.
|
||||||
|
no_proxy = f"localhost,127.0.0.1,{gateway_ip}"
|
||||||
|
env: list[str] = [
|
||||||
|
f"HTTPS_PROXY={proxy_url}",
|
||||||
|
f"HTTP_PROXY={proxy_url}",
|
||||||
|
f"https_proxy={proxy_url}",
|
||||||
|
f"http_proxy={proxy_url}",
|
||||||
|
f"NO_PROXY={no_proxy}",
|
||||||
|
f"no_proxy={no_proxy}",
|
||||||
|
f"NODE_EXTRA_CA_CERTS={AGENT_CA_PATH}",
|
||||||
|
f"SSL_CERT_FILE={AGENT_CA_BUNDLE}",
|
||||||
|
f"REQUESTS_CA_BUNDLE={AGENT_CA_BUNDLE}",
|
||||||
|
]
|
||||||
|
for name, value in sorted(plan.agent_provision.guest_env.items()):
|
||||||
|
env.append(f"{name}={value}")
|
||||||
|
# Forwarded vars: bare name → inherits from the compose-up process env so
|
||||||
|
# the secret value never lands on argv or in the compose file.
|
||||||
|
for name in sorted(plan.forwarded_env.keys()):
|
||||||
|
env.append(name)
|
||||||
|
env.extend(egress_agent_env_entries(plan.egress_plan))
|
||||||
|
|
||||||
|
service: dict[str, Any] = {
|
||||||
|
"image": plan.image,
|
||||||
|
"container_name": plan.container_name,
|
||||||
|
"command": ["sleep", "infinity"],
|
||||||
|
# Pinned address on the shared gateway network — the orchestrator
|
||||||
|
# registered this IP, and the gateway attributes the bottle by it.
|
||||||
|
"networks": {network: {"ipv4_address": source_ip}},
|
||||||
|
"environment": env,
|
||||||
|
}
|
||||||
|
if plan.use_runsc:
|
||||||
|
service["runtime"] = "runsc"
|
||||||
|
|
||||||
|
return {
|
||||||
|
"name": f"bot-bottle-{plan.slug}",
|
||||||
|
"services": {"agent": service},
|
||||||
|
# The gateway network is created + owned by the orchestrator; compose
|
||||||
|
# attaches to it (external) and must not create or destroy it.
|
||||||
|
"networks": {network: {"external": True}},
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = ["consolidated_agent_compose"]
|
||||||
@@ -0,0 +1,153 @@
|
|||||||
|
"""Consolidated bottle launch sequence for the docker backend (PRD 0070).
|
||||||
|
|
||||||
|
Composes the orchestrator primitives into the register/teardown sequence that
|
||||||
|
replaces the per-bottle gateway:
|
||||||
|
|
||||||
|
1. ensure the orchestrator control plane + shared gateway are up;
|
||||||
|
2. allocate the bottle a pinned source IP on the gateway network (the
|
||||||
|
attribution key), skipping the gateway's own address + live bottles;
|
||||||
|
3. register it (egress policy blob + slug metadata) → bottle id + identity
|
||||||
|
token;
|
||||||
|
4. provision its git-gate repos/creds into the running gateway.
|
||||||
|
|
||||||
|
It returns a `LaunchContext` with everything the agent container needs to
|
||||||
|
attach — network, pinned IP, the gateway's address (its proxy target), the
|
||||||
|
orchestrator URL, and the identity token. The agent `docker run` itself is
|
||||||
|
the backend's job (it owns provider provisioning); this owns the
|
||||||
|
orchestrator-facing wiring so that sequence stays testable in isolation.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from dataclasses import dataclass
|
||||||
|
|
||||||
|
from ...docker_cmd import run_docker
|
||||||
|
from ...egress import EgressPlan
|
||||||
|
from ...git_gate import GitGatePlan
|
||||||
|
from ...orchestrator.client import OrchestratorClient
|
||||||
|
from ...orchestrator.gateway import GATEWAY_NAME, GATEWAY_NETWORK
|
||||||
|
from ...orchestrator.lifecycle import OrchestratorService
|
||||||
|
from ...orchestrator.registration import registration_inputs
|
||||||
|
from .gateway_net import next_free_ip
|
||||||
|
from .gateway_provision import deprovision_git_gate, provision_git_gate
|
||||||
|
|
||||||
|
|
||||||
|
class ConsolidatedLaunchError(RuntimeError):
|
||||||
|
"""The consolidated register/provision sequence could not complete."""
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class LaunchContext:
|
||||||
|
"""What the agent container needs to join the shared gateway."""
|
||||||
|
|
||||||
|
bottle_id: str
|
||||||
|
identity_token: str
|
||||||
|
source_ip: str # the agent's pinned address (attribution key)
|
||||||
|
network: str # the shared gateway network to attach to
|
||||||
|
gateway_ip: str # the gateway's address — the agent's proxy target
|
||||||
|
orchestrator_url: str
|
||||||
|
|
||||||
|
|
||||||
|
def _network_cidr(network: str) -> str:
|
||||||
|
"""The gateway network's IPv4 subnet, or raise."""
|
||||||
|
proc = run_docker([
|
||||||
|
"docker", "network", "inspect",
|
||||||
|
"--format", "{{range .IPAM.Config}}{{.Subnet}}{{end}}", network,
|
||||||
|
])
|
||||||
|
cidr = proc.stdout.strip()
|
||||||
|
if proc.returncode != 0 or not cidr:
|
||||||
|
raise ConsolidatedLaunchError(
|
||||||
|
f"gateway network {network} has no subnet: {proc.stderr.strip()}"
|
||||||
|
)
|
||||||
|
return cidr
|
||||||
|
|
||||||
|
|
||||||
|
def _container_ip(name: str, network: str) -> str:
|
||||||
|
"""A container's IPv4 address on `network`, or raise."""
|
||||||
|
proc = run_docker([
|
||||||
|
"docker", "inspect", "--format",
|
||||||
|
f'{{{{(index .NetworkSettings.Networks "{network}").IPAddress}}}}', name,
|
||||||
|
])
|
||||||
|
ip = proc.stdout.strip()
|
||||||
|
if proc.returncode != 0 or not ip:
|
||||||
|
raise ConsolidatedLaunchError(
|
||||||
|
f"gateway {name} has no address on {network}: {proc.stderr.strip()}"
|
||||||
|
)
|
||||||
|
return ip
|
||||||
|
|
||||||
|
|
||||||
|
def _network_container_ips(network: str) -> list[str]:
|
||||||
|
"""Every address currently assigned on the gateway network — the ground
|
||||||
|
truth for "in use": the gateway + orchestrator infrastructure containers
|
||||||
|
and every live agent. Read from the network so a new bottle can't collide
|
||||||
|
with anything actually attached (a registry-only view would miss the
|
||||||
|
orchestrator/gateway containers)."""
|
||||||
|
proc = run_docker([
|
||||||
|
"docker", "network", "inspect", "--format",
|
||||||
|
"{{range .Containers}}{{.IPv4Address}} {{end}}", network,
|
||||||
|
])
|
||||||
|
ips: list[str] = []
|
||||||
|
for entry in proc.stdout.split():
|
||||||
|
# entries look like "172.20.0.2/16" — keep the address.
|
||||||
|
ips.append(entry.split("/", 1)[0])
|
||||||
|
return ips
|
||||||
|
|
||||||
|
|
||||||
|
def launch_consolidated(
|
||||||
|
egress_plan: EgressPlan,
|
||||||
|
git_gate_plan: GitGatePlan,
|
||||||
|
*,
|
||||||
|
image_ref: str = "",
|
||||||
|
tokens: dict[str, str] | None = None,
|
||||||
|
service: OrchestratorService | None = None,
|
||||||
|
gateway_name: str = GATEWAY_NAME,
|
||||||
|
network: str = GATEWAY_NETWORK,
|
||||||
|
) -> LaunchContext:
|
||||||
|
"""Ensure the orchestrator + gateway are up, allocate + register the
|
||||||
|
bottle, and provision its git-gate state. Returns the agent's attach
|
||||||
|
context. Raises `ConsolidatedLaunchError` (or the primitives' own errors)
|
||||||
|
if any step fails — the caller tears down on failure."""
|
||||||
|
service = service or OrchestratorService()
|
||||||
|
url = service.ensure_running()
|
||||||
|
client = OrchestratorClient(url)
|
||||||
|
|
||||||
|
cidr = _network_cidr(network)
|
||||||
|
gateway_ip = _container_ip(gateway_name, network)
|
||||||
|
source_ip = next_free_ip(cidr, _network_container_ips(network))
|
||||||
|
|
||||||
|
inputs = registration_inputs(egress_plan)
|
||||||
|
reg = client.register_bottle(
|
||||||
|
source_ip, image_ref=image_ref, policy=inputs.policy,
|
||||||
|
metadata=inputs.metadata, tokens=tokens,
|
||||||
|
)
|
||||||
|
try:
|
||||||
|
provision_git_gate(gateway_name, reg.bottle_id, git_gate_plan)
|
||||||
|
except Exception:
|
||||||
|
# Roll the registration back so a provisioning failure leaves no orphan.
|
||||||
|
client.teardown_bottle(reg.bottle_id)
|
||||||
|
raise
|
||||||
|
return LaunchContext(
|
||||||
|
bottle_id=reg.bottle_id,
|
||||||
|
identity_token=reg.identity_token,
|
||||||
|
source_ip=source_ip,
|
||||||
|
network=network,
|
||||||
|
gateway_ip=gateway_ip,
|
||||||
|
orchestrator_url=url,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def teardown_consolidated(
|
||||||
|
bottle_id: str, *, orchestrator_url: str, gateway_name: str = GATEWAY_NAME,
|
||||||
|
) -> None:
|
||||||
|
"""Deregister the bottle and remove its git-gate state from the gateway.
|
||||||
|
Both steps are idempotent so this is safe from a cleanup trap."""
|
||||||
|
OrchestratorClient(orchestrator_url).teardown_bottle(bottle_id)
|
||||||
|
deprovision_git_gate(gateway_name, bottle_id)
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = [
|
||||||
|
"LaunchContext",
|
||||||
|
"launch_consolidated",
|
||||||
|
"teardown_consolidated",
|
||||||
|
"ConsolidatedLaunchError",
|
||||||
|
]
|
||||||
@@ -4,7 +4,7 @@ prepare-time routes-yaml rendering itself lives on the
|
|||||||
platform-neutral `Egress` ABC — backends instantiate it directly.
|
platform-neutral `Egress` ABC — backends instantiate it directly.
|
||||||
|
|
||||||
The per-container `.start()` / `.stop()` lifecycle was removed in
|
The per-container `.start()` / `.stop()` lifecycle was removed in
|
||||||
PRD 0024 chunk 3; the sidecar bundle (PRD 0024) runs egress
|
PRD 0024 chunk 3; the gateway (PRD 0024) runs egress
|
||||||
under its python init supervisor."""
|
under its python init supervisor."""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|||||||
@@ -1,60 +1,29 @@
|
|||||||
"""Host-side helper for egress sidecar inspection and live updates.
|
"""Host-side egress route-apply for the docker backend.
|
||||||
|
|
||||||
The approve path uses this module to validate a proposed routes file,
|
The per-bottle companion container this used to signal (`docker kill
|
||||||
write it to the bottle's live egress state dir, and signal the sidecar
|
--signal HUP <container>`) was removed in the companion-container removal (#385).
|
||||||
bundle so the mitmproxy addon reloads it.
|
In the consolidated model the shared gateway resolves egress policy
|
||||||
|
per-request against the orchestrator rather than reloading a per-bottle
|
||||||
|
routes file, so the live per-bottle reload is not supported here and
|
||||||
|
fails closed until the gateway-side apply lands.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import os
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
from ...egress import EGRESS_ROUTES_IN_CONTAINER
|
|
||||||
from ...log import warn
|
|
||||||
from ..egress_apply import EgressApplicator, EgressApplyError
|
from ..egress_apply import EgressApplicator, EgressApplyError
|
||||||
from .sidecar_bundle import sidecar_bundle_container_name
|
|
||||||
|
|
||||||
|
|
||||||
def fetch_current_routes(slug: str) -> str:
|
|
||||||
container = sidecar_bundle_container_name(slug)
|
|
||||||
r = subprocess.run(
|
|
||||||
["docker", "exec", container, "cat", EGRESS_ROUTES_IN_CONTAINER],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
raise EgressApplyError(
|
|
||||||
f"could not read routes.yaml from {container}: "
|
|
||||||
f"{(r.stderr or '').strip() or 'container not running?'}"
|
|
||||||
)
|
|
||||||
return r.stdout
|
|
||||||
|
|
||||||
|
|
||||||
class DockerEgressApplicator(EgressApplicator):
|
class DockerEgressApplicator(EgressApplicator):
|
||||||
def _signal_bundle_reload(self, slug: str) -> None:
|
def _signal_bundle_reload(self, slug: str) -> None:
|
||||||
container = sidecar_bundle_container_name(slug)
|
del slug
|
||||||
result = subprocess.run(
|
raise EgressApplyError(
|
||||||
["docker", "kill", "--signal", "HUP", container],
|
"live egress route-apply was removed with the per-bottle "
|
||||||
capture_output=True, text=True, check=False, env=os.environ,
|
"companion container (#385); route changes will flow through "
|
||||||
|
"the consolidated gateway in a follow-up."
|
||||||
)
|
)
|
||||||
if result.returncode != 0:
|
|
||||||
last_error = (result.stderr or "").strip() or (result.stdout or "").strip()
|
|
||||||
warn(
|
|
||||||
f"egress: routes updated on disk for {slug}, but bundle reload failed: "
|
|
||||||
f"{last_error or 'docker kill failed'}"
|
|
||||||
)
|
|
||||||
raise EgressApplyError(
|
|
||||||
f"could not reload egress bundle {container}: "
|
|
||||||
f"{last_error or 'docker kill failed'}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
applicator = DockerEgressApplicator()
|
applicator = DockerEgressApplicator()
|
||||||
|
|
||||||
|
|
||||||
__all__ = [
|
__all__ = ["DockerEgressApplicator", "EgressApplyError", "applicator"]
|
||||||
"DockerEgressApplicator",
|
|
||||||
"EgressApplyError",
|
|
||||||
"applicator",
|
|
||||||
"fetch_current_routes",
|
|
||||||
]
|
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
"""Active-agent enumeration for the docker backend.
|
"""Active-agent enumeration for the docker backend.
|
||||||
|
|
||||||
Mirrors `backend/smolmachines/enumerate.py`: returns
|
Returns `ActiveAgent` records the CLI `list active` command and the
|
||||||
`ActiveAgent` records the CLI `list active` command and the
|
|
||||||
dashboard agents pane consume. Empty when docker isn't reachable
|
dashboard agents pane consume. Empty when docker isn't reachable
|
||||||
— gated by `has_backend('docker')` at the cross-backend caller
|
— gated by `has_backend('docker')` at the cross-backend caller
|
||||||
so this module trusts that docker is available when called.
|
so this module trusts that docker is available when called.
|
||||||
|
|||||||
@@ -0,0 +1,47 @@
|
|||||||
|
"""Shared-gateway source-IP allocation for the consolidated docker backend
|
||||||
|
(PRD 0070).
|
||||||
|
|
||||||
|
In the consolidated model one gateway container serves every bottle over a
|
||||||
|
single shared docker network, and each agent bottle attaches with a pinned,
|
||||||
|
deterministic address that the gateway uses as its **attribution key**. This
|
||||||
|
allocates those addresses from the network's subnet, skipping the reserved
|
||||||
|
ones — the network address and broadcast (excluded by `hosts()`), docker's
|
||||||
|
router `.1`, and everything already in use (`taken`: the gateway container
|
||||||
|
plus every live bottle, which the caller reads from the registry).
|
||||||
|
|
||||||
|
Pure `ipaddress` logic — the docker-specific bits (the subnet CIDR, the
|
||||||
|
gateway container's own address) are gathered by the caller and passed in, so
|
||||||
|
this stays testable without docker.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import ipaddress
|
||||||
|
from collections.abc import Iterable
|
||||||
|
|
||||||
|
|
||||||
|
class NoFreeAddressError(RuntimeError):
|
||||||
|
"""The shared gateway network's subnet is exhausted — every host address
|
||||||
|
is reserved or already assigned to a bottle."""
|
||||||
|
|
||||||
|
|
||||||
|
def next_free_ip(cidr: str, taken: Iterable[str]) -> str:
|
||||||
|
"""The lowest host address in `cidr` not in `taken` and not docker's
|
||||||
|
router (`.1`). `taken` must include the gateway container's own address
|
||||||
|
and every live bottle's. Raises `NoFreeAddressError` if the subnet is
|
||||||
|
full."""
|
||||||
|
net = ipaddress.ip_network(cidr, strict=False)
|
||||||
|
reserved = {str(a) for a in taken}
|
||||||
|
# Docker assigns the network's first host (.1) to the bridge router; a
|
||||||
|
# bottle must never be handed that address.
|
||||||
|
reserved.add(str(net.network_address + 1))
|
||||||
|
for host in net.hosts(): # hosts() already excludes network + broadcast
|
||||||
|
candidate = str(host)
|
||||||
|
if candidate not in reserved:
|
||||||
|
return candidate
|
||||||
|
raise NoFreeAddressError(
|
||||||
|
f"no free address in {cidr} ({len(reserved)} reserved/assigned)"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = ["next_free_ip", "NoFreeAddressError"]
|
||||||
@@ -0,0 +1,100 @@
|
|||||||
|
"""Provision one bottle's git-gate state into the running shared gateway
|
||||||
|
(PRD 0070, docker slice).
|
||||||
|
|
||||||
|
The consolidated gateway serves every bottle's repos under `/git/<bottle_id>/`
|
||||||
|
with per-repo credentials under `/git-gate/creds/<bottle_id>/`. When a bottle
|
||||||
|
is registered the launcher must place *its* deploy keys + known_hosts into
|
||||||
|
that per-bottle creds dir and init its bare repos there — so this copies the
|
||||||
|
credential files into the live gateway container and runs the (namespaced,
|
||||||
|
init-only) provisioning script produced by `git_gate_render_provision`.
|
||||||
|
|
||||||
|
Isolating each bottle's creds dir + repo root by id is what keeps one
|
||||||
|
bottle's push credentials out of another's repos on the shared gateway.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import re
|
||||||
|
|
||||||
|
from ...docker_cmd import run_docker
|
||||||
|
from ...git_gate import GitGatePlan, git_gate_render_provision
|
||||||
|
|
||||||
|
# bottle ids index the gateway's per-bottle repo + creds dirs; they land in
|
||||||
|
# `docker cp`/`rm` path arguments, so validate before any path is built (a
|
||||||
|
# traversal id like "../etc" must never reach the container). Registry ids are
|
||||||
|
# token_hex — this is defense in depth at the docker boundary.
|
||||||
|
_SAFE_BOTTLE_ID = re.compile(r"[A-Za-z0-9_-]+")
|
||||||
|
|
||||||
|
|
||||||
|
class GatewayProvisionError(RuntimeError):
|
||||||
|
"""A git-gate provisioning step against the running gateway failed."""
|
||||||
|
|
||||||
|
|
||||||
|
def _require_safe(bottle_id: str) -> None:
|
||||||
|
if not _SAFE_BOTTLE_ID.fullmatch(bottle_id):
|
||||||
|
raise GatewayProvisionError(f"unsafe bottle id {bottle_id!r}")
|
||||||
|
|
||||||
|
|
||||||
|
def _creds_dir(bottle_id: str) -> str:
|
||||||
|
return f"/git-gate/creds/{bottle_id}"
|
||||||
|
|
||||||
|
|
||||||
|
def _exec(gateway: str, argv: list[str]) -> None:
|
||||||
|
"""`docker exec` a command in the gateway, raising on non-zero exit."""
|
||||||
|
proc = run_docker(["docker", "exec", gateway, *argv])
|
||||||
|
if proc.returncode != 0:
|
||||||
|
raise GatewayProvisionError(
|
||||||
|
f"gateway exec {argv!r} failed: {proc.stderr.strip()}"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _cp_into(gateway: str, src: str, dest: str) -> None:
|
||||||
|
"""`docker cp` a host file into the gateway, raising on non-zero exit."""
|
||||||
|
proc = run_docker(["docker", "cp", src, f"{gateway}:{dest}"])
|
||||||
|
if proc.returncode != 0:
|
||||||
|
raise GatewayProvisionError(
|
||||||
|
f"gateway cp {src} -> {dest} failed: {proc.stderr.strip()}"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def provision_git_gate(gateway: str, bottle_id: str, plan: GitGatePlan) -> None:
|
||||||
|
"""Place `bottle_id`'s git-gate credentials into the running `gateway`
|
||||||
|
container and init its bare repos under `/git/<bottle_id>/`.
|
||||||
|
|
||||||
|
Copies each upstream's identity key (and known_hosts, when present) into
|
||||||
|
`/git-gate/creds/<bottle_id>/`, then runs the namespaced provisioning
|
||||||
|
script. No-op for a bottle with no git upstreams."""
|
||||||
|
_require_safe(bottle_id)
|
||||||
|
if not plan.upstreams:
|
||||||
|
return
|
||||||
|
# The pre-receive + access hooks are bottle-agnostic and shared by every
|
||||||
|
# bottle's repos; install them into the gateway (idempotent — same content
|
||||||
|
# each time). The per-bottle model cp'd these into each bundle at start.
|
||||||
|
_exec(gateway, ["mkdir", "-p", "/etc/git-gate"])
|
||||||
|
_cp_into(gateway, str(plan.hook_script), "/etc/git-gate/pre-receive")
|
||||||
|
_cp_into(gateway, str(plan.access_hook_script), "/etc/git-gate/access-hook")
|
||||||
|
creds = _creds_dir(bottle_id)
|
||||||
|
_exec(gateway, ["mkdir", "-p", creds])
|
||||||
|
for u in plan.upstreams:
|
||||||
|
if u.identity_file:
|
||||||
|
_cp_into(gateway, u.identity_file, f"{creds}/{u.name}-key")
|
||||||
|
known_hosts = str(u.known_hosts_file)
|
||||||
|
if known_hosts and known_hosts != ".":
|
||||||
|
_cp_into(gateway, known_hosts, f"{creds}/{u.name}-known_hosts")
|
||||||
|
# Init the bare repos + per-repo credential config for this namespace.
|
||||||
|
script = git_gate_render_provision(bottle_id, plan.upstreams)
|
||||||
|
_exec(gateway, ["sh", "-c", script])
|
||||||
|
|
||||||
|
|
||||||
|
def deprovision_git_gate(gateway: str, bottle_id: str) -> None:
|
||||||
|
"""Remove a bottle's repos + creds from the gateway on teardown. Idempotent
|
||||||
|
— an already-absent namespace is a clean no-op (best effort; a stray dir
|
||||||
|
can't leak, since attribution is by source IP and the bottle is gone)."""
|
||||||
|
_require_safe(bottle_id)
|
||||||
|
run_docker([
|
||||||
|
"docker", "exec", gateway, "rm", "-rf",
|
||||||
|
f"/git/{bottle_id}", _creds_dir(bottle_id),
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = ["provision_git_gate", "deprovision_git_gate", "GatewayProvisionError"]
|
||||||
@@ -2,7 +2,7 @@
|
|||||||
bind-mounts target + the listening port. The prepare-time entrypoint
|
bind-mounts target + the listening port. The prepare-time entrypoint
|
||||||
/ hook render lives on the platform-neutral `GitGate` ABC — backends
|
/ hook render lives on the platform-neutral `GitGate` ABC — backends
|
||||||
instantiate it directly. The git-gate daemon's container lifecycle
|
instantiate it directly. The git-gate daemon's container lifecycle
|
||||||
is owned by the sidecar bundle (PRD 0024)."""
|
is owned by the gateway (PRD 0024)."""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,7 @@ PRD 0018 chunk 3: each instance is one `docker compose` project.
|
|||||||
The flow is:
|
The flow is:
|
||||||
|
|
||||||
1. Build the agent image from the provider Dockerfile (compose
|
1. Build the agent image from the provider Dockerfile (compose
|
||||||
builds the sidecar images via the `build:` directive on first up).
|
builds the gateway image on first up).
|
||||||
2. Mint the per-bottle egress CA (chunk 2 writes it under
|
2. Mint the per-bottle egress CA (chunk 2 writes it under
|
||||||
state/<slug>/egress/).
|
state/<slug>/egress/).
|
||||||
3. Populate the inner plans with launch-time fields so the
|
3. Populate the inner plans with launch-time fields so the
|
||||||
@@ -36,10 +36,13 @@ from contextlib import ExitStack, contextmanager
|
|||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from typing import Callable, Generator
|
from typing import Callable, Generator
|
||||||
|
|
||||||
|
from ...agent_provider import runtime_for
|
||||||
from ...egress import egress_resolve_token_values
|
from ...egress import egress_resolve_token_values
|
||||||
from ...git_gate import revoke_git_gate_provisioned_keys
|
from ...git_gate import (
|
||||||
|
provision_git_gate_dynamic_keys,
|
||||||
|
revoke_git_gate_provisioned_keys,
|
||||||
|
)
|
||||||
from ...log import info, warn
|
from ...log import info, warn
|
||||||
from . import network as network_mod
|
|
||||||
from . import util as docker_mod
|
from . import util as docker_mod
|
||||||
from .bottle import DockerBottle
|
from .bottle import DockerBottle
|
||||||
from .bottle_plan import DockerBottlePlan
|
from .bottle_plan import DockerBottlePlan
|
||||||
@@ -50,7 +53,6 @@ from ...bottle_state import (
|
|||||||
read_committed_image,
|
read_committed_image,
|
||||||
)
|
)
|
||||||
from .compose import (
|
from .compose import (
|
||||||
bottle_plan_to_compose,
|
|
||||||
compose_down,
|
compose_down,
|
||||||
compose_dump_logs,
|
compose_dump_logs,
|
||||||
compose_file_path,
|
compose_file_path,
|
||||||
@@ -59,7 +61,9 @@ from .compose import (
|
|||||||
compose_up,
|
compose_up,
|
||||||
write_compose_file,
|
write_compose_file,
|
||||||
)
|
)
|
||||||
from .egress import egress_tls_init
|
from .consolidated_compose import consolidated_agent_compose
|
||||||
|
from .consolidated_launch import launch_consolidated, teardown_consolidated
|
||||||
|
from ...orchestrator.gateway import DockerGateway
|
||||||
|
|
||||||
|
|
||||||
# Where the repo root lives, for `docker build` context. Computed once.
|
# Where the repo root lives, for `docker build` context. Computed once.
|
||||||
@@ -94,8 +98,7 @@ def launch(
|
|||||||
try:
|
try:
|
||||||
# Step 1: agent image. Use a committed snapshot when one exists
|
# Step 1: agent image. Use a committed snapshot when one exists
|
||||||
# and is present in the local daemon; otherwise build from the
|
# and is present in the local daemon; otherwise build from the
|
||||||
# Dockerfile. Sidecar images get built lazily by `docker compose
|
# Dockerfile. (The gateway image is built by the orchestrator.)
|
||||||
# up` via the renderer's `build:` directives.
|
|
||||||
committed = read_committed_image(plan.slug)
|
committed = read_committed_image(plan.slug)
|
||||||
if committed and docker_mod.image_exists(committed):
|
if committed and docker_mod.image_exists(committed):
|
||||||
info(f"using committed image {committed!r}")
|
info(f"using committed image {committed!r}")
|
||||||
@@ -108,78 +111,86 @@ def launch(
|
|||||||
plan.image, _REPO_DIR,
|
plan.image, _REPO_DIR,
|
||||||
dockerfile=plan.dockerfile_path,
|
dockerfile=plan.dockerfile_path,
|
||||||
)
|
)
|
||||||
|
docker_mod.verify_agent_image(
|
||||||
|
plan.image, runtime_for(plan.agent_provider_template).smoke_test,
|
||||||
|
)
|
||||||
|
|
||||||
internal_network = network_mod.network_name_for_slug(plan.slug)
|
# Step 2: mint the git-gate dynamic (gitea) deploy keys, if any, before
|
||||||
egress_network = network_mod.network_egress_name_for_slug(plan.slug)
|
# provisioning the bottle's repos into the shared gateway.
|
||||||
|
|
||||||
egress_ca_host, egress_ca_cert_only = egress_tls_init(
|
|
||||||
egress_state_dir(plan.slug),
|
|
||||||
)
|
|
||||||
|
|
||||||
git_gate_plan = plan.git_gate_plan
|
git_gate_plan = plan.git_gate_plan
|
||||||
if git_gate_plan.upstreams:
|
if git_gate_plan.upstreams:
|
||||||
git_gate_plan = dataclasses.replace(
|
git_gate_plan = provision_git_gate_dynamic_keys(
|
||||||
git_gate_plan,
|
plan.manifest.bottle, git_gate_plan, git_gate_state_dir(plan.slug),
|
||||||
internal_network=internal_network,
|
|
||||||
egress_network=egress_network,
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Step 3: register on the orchestrator + provision this bottle's
|
||||||
|
# git-gate state into the shared gateway; get the agent's attach
|
||||||
|
# context (pinned source IP, gateway address, shared network). The
|
||||||
|
# per-bottle egress auth tokens are resolved from the host env now and
|
||||||
|
# handed to the orchestrator (in memory) for the gateway to inject —
|
||||||
|
# the agent never sees them.
|
||||||
|
effective_env = {**os.environ, **plan.agent_provision.provisioned_env}
|
||||||
|
token_values = egress_resolve_token_values(
|
||||||
|
plan.egress_plan.token_env_map, effective_env,
|
||||||
|
)
|
||||||
|
ctx = launch_consolidated(
|
||||||
|
plan.egress_plan, git_gate_plan, image_ref=plan.image, tokens=token_values,
|
||||||
|
)
|
||||||
|
stack.callback(
|
||||||
|
teardown_consolidated, ctx.bottle_id, orchestrator_url=ctx.orchestrator_url,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Step 4: install the SHARED gateway CA into the agent (replaces the
|
||||||
|
# per-bottle CA) — read it out of the running gateway.
|
||||||
|
ca_dir = egress_state_dir(plan.slug) / "gateway-ca"
|
||||||
|
ca_dir.mkdir(parents=True, exist_ok=True)
|
||||||
|
ca_file = ca_dir / "gateway-ca.pem"
|
||||||
|
ca_file.write_text(DockerGateway(network=ctx.network).ca_cert_pem())
|
||||||
egress_plan = dataclasses.replace(
|
egress_plan = dataclasses.replace(
|
||||||
plan.egress_plan,
|
plan.egress_plan,
|
||||||
internal_network=internal_network,
|
mitmproxy_ca_host_path=ca_file,
|
||||||
egress_network=egress_network,
|
mitmproxy_ca_cert_only_host_path=ca_file,
|
||||||
mitmproxy_ca_host_path=egress_ca_host,
|
)
|
||||||
mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
|
# Point the agent's git-gate insteadOf rewrites at the shared gateway's
|
||||||
|
# HTTP git endpoint (9420) instead of the dead per-bottle `git-gate`
|
||||||
|
# alias. git-http + supervise on the gateway bypass the egress proxy
|
||||||
|
# (NO_PROXY includes the gateway address).
|
||||||
|
git_gate_url = (
|
||||||
|
f"http://{ctx.gateway_ip}:9420" if git_gate_plan.upstreams else ""
|
||||||
|
)
|
||||||
|
supervise_url = (
|
||||||
|
f"http://{ctx.gateway_ip}:9100/" if plan.supervise_plan is not None else ""
|
||||||
)
|
)
|
||||||
supervise_plan = plan.supervise_plan
|
|
||||||
if supervise_plan is not None:
|
|
||||||
supervise_plan = dataclasses.replace(
|
|
||||||
supervise_plan,
|
|
||||||
internal_network=internal_network,
|
|
||||||
)
|
|
||||||
plan = dataclasses.replace(
|
plan = dataclasses.replace(
|
||||||
plan,
|
plan,
|
||||||
git_gate_plan=git_gate_plan,
|
git_gate_plan=git_gate_plan,
|
||||||
egress_plan=egress_plan,
|
egress_plan=egress_plan,
|
||||||
supervise_plan=supervise_plan,
|
agent_git_gate_url=git_gate_url,
|
||||||
|
agent_supervise_url=supervise_url,
|
||||||
)
|
)
|
||||||
|
|
||||||
# Step 6: render + write the compose file. metadata.json
|
# Step 5: render + up the agent-only compose, pinned on the shared
|
||||||
# was written at prepare time and already carries
|
# gateway network and proxied through the gateway's address.
|
||||||
# compose_project; nothing to update here.
|
|
||||||
state_dir = bottle_state_dir(plan.slug)
|
state_dir = bottle_state_dir(plan.slug)
|
||||||
spec = bottle_plan_to_compose(plan)
|
spec = consolidated_agent_compose(
|
||||||
|
plan, gateway_ip=ctx.gateway_ip, source_ip=ctx.source_ip, network=ctx.network,
|
||||||
|
)
|
||||||
compose_file = write_compose_file(spec, compose_file_path(state_dir))
|
compose_file = write_compose_file(spec, compose_file_path(state_dir))
|
||||||
project = compose_project_name(plan.slug)
|
project = compose_project_name(plan.slug)
|
||||||
|
# Forwarded vars (OAuth token, host interpolations) flow through the
|
||||||
# Step 7: compose up. Token values + the OAuth placeholder
|
# subprocess env as bare names so values never land in the file.
|
||||||
# flow through subprocess env; the compose file holds only
|
compose_env: dict[str, str] = {**os.environ, **plan.forwarded_env}
|
||||||
# bare names for the secret-carrying entries.
|
|
||||||
effective_env = {**dict(os.environ), **plan.agent_provision.provisioned_env}
|
|
||||||
token_values = egress_resolve_token_values(
|
|
||||||
plan.egress_plan.token_env_map, effective_env,
|
|
||||||
)
|
|
||||||
compose_env: dict[str, str] = {
|
|
||||||
**os.environ,
|
|
||||||
**plan.forwarded_env,
|
|
||||||
**token_values,
|
|
||||||
}
|
|
||||||
info(
|
info(
|
||||||
f"docker compose up -d (project {project}, "
|
f"docker compose up -d (project {project}, agent on shared "
|
||||||
f"{len(spec['services'])} services)"
|
f"gateway {ctx.gateway_ip}, ip {ctx.source_ip})"
|
||||||
)
|
)
|
||||||
compose_up(project, compose_file, env=compose_env)
|
compose_up(project, compose_file, env=compose_env)
|
||||||
|
|
||||||
# Register teardown in reverse order: log dump first, then
|
|
||||||
# `compose down`. Networks come down last via callbacks
|
|
||||||
# registered in step 2.
|
|
||||||
stack.callback(compose_down, project, compose_file)
|
stack.callback(compose_down, project, compose_file)
|
||||||
stack.callback(
|
stack.callback(
|
||||||
compose_dump_logs, project, compose_file, compose_log_path(state_dir),
|
compose_dump_logs, project, compose_file, compose_log_path(state_dir),
|
||||||
)
|
)
|
||||||
|
|
||||||
# Step 8: provision. Create the bottle first so provisioners
|
# Step 6: provision (CA install now uses the gateway CA) + yield.
|
||||||
# can use bottle.exec / bottle.cp_in; set the prompt path
|
|
||||||
# returned by provision_prompt after the fact.
|
|
||||||
bottle = DockerBottle(
|
bottle = DockerBottle(
|
||||||
plan.container_name,
|
plan.container_name,
|
||||||
teardown,
|
teardown,
|
||||||
@@ -192,10 +203,6 @@ def launch(
|
|||||||
agent_workdir=plan.workspace_plan.workdir,
|
agent_workdir=plan.workspace_plan.workdir,
|
||||||
)
|
)
|
||||||
bottle.prompt_path = provision(plan, bottle)
|
bottle.prompt_path = provision(plan, bottle)
|
||||||
|
|
||||||
# Step 9: yield. exec_agent continues to use `docker exec -it`
|
|
||||||
# — the agent runs `sleep infinity` per the renderer's
|
|
||||||
# service spec.
|
|
||||||
yield bottle
|
yield bottle
|
||||||
finally:
|
finally:
|
||||||
teardown()
|
teardown()
|
||||||
|
|||||||
@@ -76,7 +76,7 @@ def network_create_internal(slug: str) -> str:
|
|||||||
|
|
||||||
def network_create_egress(slug: str) -> str:
|
def network_create_egress(slug: str) -> str:
|
||||||
"""Create a per-agent user-defined bridge (NOT the legacy `bridge`)
|
"""Create a per-agent user-defined bridge (NOT the legacy `bridge`)
|
||||||
so the egress sidecar has working DNS for upstream hostnames."""
|
so the egress daemon has working DNS for upstream hostnames."""
|
||||||
return _network_create_with_prefix(network_egress_name_for_slug(slug), internal=False)
|
return _network_create_with_prefix(network_egress_name_for_slug(slug), internal=False)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,89 @@
|
|||||||
|
"""Host setup + status for the Docker backend.
|
||||||
|
|
||||||
|
Unlike Firecracker, the Docker backend needs no privileged one-time
|
||||||
|
host provisioning (no TAP pool / nft table) — networks and the gateway
|
||||||
|
bundle are created per-launch. So `setup()` is mostly an install/daemon
|
||||||
|
pointer, and `status()` reports whether docker is usable.
|
||||||
|
|
||||||
|
This is intentionally minimal; a richer version (daemon config checks,
|
||||||
|
gVisor/runsc install guidance, rootless-docker hints) is tracked
|
||||||
|
separately. Reached via `DockerBottleBackend.setup` / `.status`, which
|
||||||
|
the generic `./cli.py backend {setup,status}` dispatches to.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import shutil
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from . import util as _util
|
||||||
|
|
||||||
|
|
||||||
|
def _docker_on_path() -> bool:
|
||||||
|
return shutil.which("docker") is not None
|
||||||
|
|
||||||
|
|
||||||
|
def _daemon_reachable() -> bool:
|
||||||
|
if not _docker_on_path():
|
||||||
|
return False
|
||||||
|
return subprocess.run(
|
||||||
|
["docker", "info"],
|
||||||
|
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
|
||||||
|
).returncode == 0
|
||||||
|
|
||||||
|
|
||||||
|
def _print_install_pointer() -> None:
|
||||||
|
sys.stderr.write("Docker is required but was not found on PATH.\n")
|
||||||
|
sys.stderr.write(" macOS: Docker Desktop https://docs.docker.com/desktop/install/mac-install/\n")
|
||||||
|
sys.stderr.write(" Linux: Docker Engine https://docs.docker.com/engine/install/\n")
|
||||||
|
|
||||||
|
|
||||||
|
def setup() -> int:
|
||||||
|
if not _docker_on_path():
|
||||||
|
_print_install_pointer()
|
||||||
|
return 1
|
||||||
|
sys.stderr.write(
|
||||||
|
"Docker backend: no privileged host setup required — networks and "
|
||||||
|
"the gateway are created per-launch.\n"
|
||||||
|
)
|
||||||
|
if not _daemon_reachable():
|
||||||
|
sys.stderr.write(
|
||||||
|
"The Docker daemon isn't reachable; start it (e.g. Docker "
|
||||||
|
"Desktop, or `systemctl start docker`).\n"
|
||||||
|
)
|
||||||
|
return 1
|
||||||
|
if not _util.runsc_available():
|
||||||
|
sys.stderr.write(
|
||||||
|
"Optional: register the gVisor (`runsc`) runtime with Docker for "
|
||||||
|
"a userspace syscall barrier; bottles auto-detect and use it.\n"
|
||||||
|
)
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
def teardown() -> int:
|
||||||
|
sys.stderr.write(
|
||||||
|
"Docker backend: nothing to undo — it provisions no privileged host "
|
||||||
|
"state (networks and the gateway are per-launch and are "
|
||||||
|
"removed by `./cli.py cleanup`). Docker itself is left installed.\n"
|
||||||
|
)
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
def status() -> int:
|
||||||
|
ok = True
|
||||||
|
if _docker_on_path():
|
||||||
|
sys.stderr.write("docker on PATH: yes\n")
|
||||||
|
else:
|
||||||
|
sys.stderr.write("docker on PATH: NO\n")
|
||||||
|
ok = False
|
||||||
|
if ok and _daemon_reachable():
|
||||||
|
sys.stderr.write("docker daemon: reachable\n")
|
||||||
|
elif ok:
|
||||||
|
sys.stderr.write("docker daemon: UNREACHABLE\n")
|
||||||
|
ok = False
|
||||||
|
runsc = _docker_on_path() and _util.runsc_available()
|
||||||
|
sys.stderr.write(f"gVisor runsc runtime: {'registered' if runsc else 'not registered (optional)'}\n")
|
||||||
|
if not ok:
|
||||||
|
sys.stderr.write("\nRun: ./cli.py backend setup --backend=docker\n")
|
||||||
|
return 0 if ok else 1
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
"""Sidecar bundle constants + helpers for the Docker backend
|
|
||||||
(PRD 0024).
|
|
||||||
|
|
||||||
The bundle image (built by Dockerfile.sidecars, PRD 0024 chunk 1)
|
|
||||||
runs egress + git-gate + supervise as one container per bottle
|
|
||||||
under a small Python init supervisor. As of chunk 5 the bundle
|
|
||||||
is the only shape — the legacy four-sidecar topology and its
|
|
||||||
`BOT_BOTTLE_SIDECAR_BUNDLE` feature flag are gone."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import os
|
|
||||||
|
|
||||||
|
|
||||||
# Bundle image. Defaults to a built-locally tag (built from the
|
|
||||||
# repo's Dockerfile.sidecars via compose `build:`). Operators
|
|
||||||
# pinning to a published digest can override via env.
|
|
||||||
SIDECAR_BUNDLE_IMAGE = os.environ.get(
|
|
||||||
"BOT_BOTTLE_SIDECAR_IMAGE",
|
|
||||||
"bot-bottle-sidecars:latest",
|
|
||||||
)
|
|
||||||
|
|
||||||
SIDECAR_BUNDLE_DOCKERFILE = "Dockerfile.sidecars"
|
|
||||||
|
|
||||||
|
|
||||||
def sidecar_bundle_container_name(slug: str) -> str:
|
|
||||||
"""`bot-bottle-sidecars-<slug>`. Same prefix scheme as the
|
|
||||||
per-sidecar containers it replaces, so the dashboard's
|
|
||||||
discovery-by-prefix logic keeps working."""
|
|
||||||
return f"bot-bottle-sidecars-{slug}"
|
|
||||||
@@ -4,11 +4,13 @@ existence, and building images."""
|
|||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import os
|
||||||
import re
|
import re
|
||||||
import shutil
|
import shutil
|
||||||
import subprocess
|
import subprocess
|
||||||
from typing import Iterable, Iterator
|
from typing import Iterable, Iterator
|
||||||
|
|
||||||
|
from ...docker_cmd import run_docker
|
||||||
from ...log import die, info
|
from ...log import die, info
|
||||||
# from ...workspace import WorkspacePlan
|
# from ...workspace import WorkspacePlan
|
||||||
|
|
||||||
@@ -88,6 +90,29 @@ def docker_exec_root(container: str, argv: list[str]) -> None:
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def docker_exec(container: str, argv: list[str], *, user: str = "") -> None:
|
||||||
|
"""Run `docker exec` in the named container, dying with the
|
||||||
|
command's own stderr on failure. Pass `user=\"0\"` to run as root."""
|
||||||
|
cmd = ["docker", "exec"]
|
||||||
|
if user:
|
||||||
|
cmd += ["-u", user]
|
||||||
|
cmd += [container, *argv]
|
||||||
|
result = run_docker(cmd)
|
||||||
|
if result.returncode != 0:
|
||||||
|
die(
|
||||||
|
f"docker exec in {container} failed: "
|
||||||
|
f"{(result.stderr or '').strip() or '<no stderr>'}"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def docker_cp(src: str, dest: str) -> None:
|
||||||
|
"""Run `docker cp`, dying with the command's own stderr on failure."""
|
||||||
|
result = run_docker(["docker", "cp", src, dest])
|
||||||
|
if result.returncode != 0:
|
||||||
|
die(f"docker cp {src} -> {dest} failed: "
|
||||||
|
f"{(result.stderr or '').strip() or '<no stderr>'}")
|
||||||
|
|
||||||
|
|
||||||
_SLUG_RE = re.compile(r"[^a-z0-9]+")
|
_SLUG_RE = re.compile(r"[^a-z0-9]+")
|
||||||
|
|
||||||
|
|
||||||
@@ -108,15 +133,40 @@ def build_image(ref: str, context: str, *, dockerfile: str = "") -> None:
|
|||||||
|
|
||||||
`dockerfile` is an optional path (relative to `context`, or
|
`dockerfile` is an optional path (relative to `context`, or
|
||||||
absolute) for callers that need to build from a non-default
|
absolute) for callers that need to build from a non-default
|
||||||
Dockerfile in the same context — e.g. `Dockerfile.git-gate`."""
|
Dockerfile in the same context — e.g. `Dockerfile.git-gate`.
|
||||||
|
|
||||||
|
Set `BOT_BOTTLE_NO_CACHE=1` (the `start --no-cache` flag) to force
|
||||||
|
`--no-cache`. The npm/curl installers some provider Dockerfiles
|
||||||
|
shell out to can silently no-op on a transient network failure —
|
||||||
|
e.g. an `optionalDependencies` fetch for a platform-native binary —
|
||||||
|
and Docker will then cache that broken layer indefinitely."""
|
||||||
info(f"building image {ref} from {context} (layer cache keeps repeat builds fast)")
|
info(f"building image {ref} from {context} (layer cache keeps repeat builds fast)")
|
||||||
args = ["docker", "build", "-t", ref]
|
args = ["docker", "build", "-t", ref]
|
||||||
|
if os.environ.get("BOT_BOTTLE_NO_CACHE") == "1":
|
||||||
|
args.append("--no-cache")
|
||||||
if dockerfile:
|
if dockerfile:
|
||||||
args.extend(["-f", dockerfile])
|
args.extend(["-f", dockerfile])
|
||||||
args.append(context)
|
args.append(context)
|
||||||
subprocess.run(args, check=True)
|
subprocess.run(args, check=True)
|
||||||
|
|
||||||
|
|
||||||
|
def verify_agent_image(image: str, argv: tuple[str, ...]) -> None:
|
||||||
|
"""Run `argv` inside a throwaway container of a freshly built agent
|
||||||
|
image and die loudly if it fails, instead of shipping an image
|
||||||
|
whose CLI only breaks at first real use. No-op when the provider
|
||||||
|
hasn't declared a smoke test (`AgentProviderRuntime.smoke_test`)."""
|
||||||
|
if not argv:
|
||||||
|
return
|
||||||
|
result = run_docker(["docker", "run", "--rm", "--entrypoint", argv[0], image, *argv[1:]])
|
||||||
|
if result.returncode != 0:
|
||||||
|
detail = (result.stderr or result.stdout or "").strip()
|
||||||
|
die(
|
||||||
|
f"agent image {image!r} failed its post-build smoke test "
|
||||||
|
f"({' '.join(argv)}): {detail}\n"
|
||||||
|
f"Try rebuilding from scratch: bot-bottle start --no-cache"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
# def build_image_with_cwd(
|
# def build_image_with_cwd(
|
||||||
# derived: str,
|
# derived: str,
|
||||||
# base: str,
|
# base: str,
|
||||||
@@ -167,36 +217,6 @@ def commit_container(container_name: str, image_tag: str) -> None:
|
|||||||
info(f"committed {container_name!r} → {image_tag!r}")
|
info(f"committed {container_name!r} → {image_tag!r}")
|
||||||
|
|
||||||
|
|
||||||
def image_id(ref: str) -> str:
|
|
||||||
"""Return the content-addressed image ID (e.g.
|
|
||||||
`sha256:abcd...`) for `ref`. The smolmachines backend keys its
|
|
||||||
`.smolmachine` artifact cache on this, so a Dockerfile change
|
|
||||||
that produces a new image automatically invalidates the cache."""
|
|
||||||
r = subprocess.run(
|
|
||||||
["docker", "image", "inspect", "--format", "{{.Id}}", ref],
|
|
||||||
capture_output=True,
|
|
||||||
text=True,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"docker image inspect for {ref!r} failed: "
|
|
||||||
f"{(r.stderr or '').strip() or '<no stderr>'}"
|
|
||||||
)
|
|
||||||
return r.stdout.strip()
|
|
||||||
|
|
||||||
|
|
||||||
def save(ref: str, output: str) -> None:
|
|
||||||
"""`docker save REF -o OUTPUT`. Writes a tarball of the image
|
|
||||||
layers + manifest to the host path. Used by smolmachines
|
|
||||||
prepare to hand the agent image to a containerized crane that
|
|
||||||
pushes it to the ephemeral registry — bypassing the docker
|
|
||||||
daemon's `docker push` (which on Docker Desktop can't reach a
|
|
||||||
host-loopback registry and refuses plain-HTTP pushes to
|
|
||||||
non-loopback hosts)."""
|
|
||||||
subprocess.run(["docker", "save", ref, "-o", output], check=True)
|
|
||||||
|
|
||||||
|
|
||||||
def _silent_run(cmd: Iterable[str]) -> int:
|
def _silent_run(cmd: Iterable[str]) -> int:
|
||||||
return subprocess.run(
|
return subprocess.run(
|
||||||
list(cmd),
|
list(cmd),
|
||||||
|
|||||||
@@ -0,0 +1,7 @@
|
|||||||
|
"""Firecracker backend: Linux KVM microVM isolation (issue #342)."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from .backend import FirecrackerBottleBackend
|
||||||
|
|
||||||
|
__all__ = ["FirecrackerBottleBackend"]
|
||||||
+46
-35
@@ -1,11 +1,10 @@
|
|||||||
"""SmolmachinesBottleBackend — the smolmachines implementation of
|
"""FirecrackerBottleBackend — Linux microVM implementation.
|
||||||
BottleBackend (PRD 0023).
|
|
||||||
|
|
||||||
Per PRD 0050 the per-provider provisioning steps (prompt, skills,
|
Replaces smolmachines on Linux (issue #342): mature KVM-based
|
||||||
the declarative provision-plan apply, supervise MCP registration)
|
isolation via Firecracker, SSH control over a point-to-point TAP, and a
|
||||||
live on the `AgentProvider` plugin under `bot_bottle/contrib/`. The
|
fail-closed nftables egress boundary. Selected by
|
||||||
smolmachines backend only owns the steps that are about backend
|
`BOT_BOTTLE_BACKEND=firecracker` or `--backend=firecracker`.
|
||||||
infrastructure: CA install (no-op for now), workspace, git copy-in."""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
@@ -17,34 +16,50 @@ from ...agent_provider import AgentProvisionPlan
|
|||||||
from ...egress import EgressPlan
|
from ...egress import EgressPlan
|
||||||
from ...env import ResolvedEnv
|
from ...env import ResolvedEnv
|
||||||
from ...git_gate import GitGatePlan
|
from ...git_gate import GitGatePlan
|
||||||
from ...supervise import SupervisePlan
|
|
||||||
from ...manifest import Manifest
|
from ...manifest import Manifest
|
||||||
|
from ...supervise import SupervisePlan
|
||||||
from .. import ActiveAgent, BottleBackend, BottleSpec
|
from .. import ActiveAgent, BottleBackend, BottleSpec
|
||||||
from . import cleanup as _cleanup
|
from . import cleanup as _cleanup
|
||||||
from . import enumerate as _enumerate
|
from . import enumerate as _enumerate
|
||||||
from . import launch as _launch
|
from . import launch as _launch
|
||||||
from . import resolve_plan as _resolve_plan
|
from . import resolve_plan as _resolve_plan
|
||||||
from . import smolvm as _smolvm
|
from . import util as _util
|
||||||
from .bottle import SmolmachinesBottle
|
from .bottle import FirecrackerBottle
|
||||||
from .bottle_cleanup_plan import SmolmachinesBottleCleanupPlan
|
from .bottle_cleanup_plan import FirecrackerBottleCleanupPlan
|
||||||
from .bottle_plan import SmolmachinesBottlePlan
|
from .bottle_plan import FirecrackerBottlePlan
|
||||||
|
|
||||||
|
|
||||||
class SmolmachinesBottleBackend(
|
class FirecrackerBottleBackend(
|
||||||
BottleBackend["SmolmachinesBottlePlan", "SmolmachinesBottleCleanupPlan"]
|
BottleBackend["FirecrackerBottlePlan", "FirecrackerBottleCleanupPlan"]
|
||||||
):
|
):
|
||||||
"""smolmachines backend. Selected by
|
name = "firecracker"
|
||||||
`BOT_BOTTLE_BACKEND=smolmachines`."""
|
|
||||||
|
|
||||||
name = "smolmachines"
|
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def is_available(cls) -> bool:
|
def is_available(cls) -> bool:
|
||||||
"""`smolvm` on PATH. The backend additionally needs macOS
|
return _util.is_available()
|
||||||
for libkrun + TSI, but `enumerate_active` / `cleanup` are
|
|
||||||
host-shell ops that gracefully no-op on Linux too — the
|
@classmethod
|
||||||
runtime check happens at `prepare`."""
|
def is_host_capable(cls) -> bool:
|
||||||
return _smolvm.is_available()
|
"""Linux + KVM, regardless of whether the `firecracker` binary
|
||||||
|
is installed. Drives default-backend selection so a capable host
|
||||||
|
without the binary still lands on firecracker and gets an
|
||||||
|
install pointer at launch."""
|
||||||
|
return _util.is_host_capable()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def setup(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.setup()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def status(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.status()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def teardown(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.teardown()
|
||||||
|
|
||||||
def _preflight(self) -> None:
|
def _preflight(self) -> None:
|
||||||
_resolve_plan.preflight()
|
_resolve_plan.preflight()
|
||||||
@@ -64,7 +79,7 @@ class SmolmachinesBottleBackend(
|
|||||||
git_gate_plan: GitGatePlan,
|
git_gate_plan: GitGatePlan,
|
||||||
supervise_plan: SupervisePlan | None,
|
supervise_plan: SupervisePlan | None,
|
||||||
stage_dir: Path,
|
stage_dir: Path,
|
||||||
) -> SmolmachinesBottlePlan:
|
) -> FirecrackerBottlePlan:
|
||||||
return _resolve_plan.resolve_plan(
|
return _resolve_plan.resolve_plan(
|
||||||
spec,
|
spec,
|
||||||
manifest=manifest,
|
manifest=manifest,
|
||||||
@@ -79,23 +94,19 @@ class SmolmachinesBottleBackend(
|
|||||||
|
|
||||||
@contextmanager
|
@contextmanager
|
||||||
def launch(
|
def launch(
|
||||||
self, plan: SmolmachinesBottlePlan
|
self, plan: FirecrackerBottlePlan
|
||||||
) -> Generator[SmolmachinesBottle, None, None]:
|
) -> Generator[FirecrackerBottle, None, None]:
|
||||||
with _launch.launch(plan, provision=self.provision) as bottle:
|
with _launch.launch(plan, provision=self.provision) as bottle:
|
||||||
yield bottle
|
yield bottle
|
||||||
|
|
||||||
def supervise_mcp_url(self, plan: SmolmachinesBottlePlan) -> str:
|
def prepare_cleanup(self) -> FirecrackerBottleCleanupPlan:
|
||||||
"""The smolmachines guest reaches the supervise sidecar via a
|
|
||||||
host-published random port the launch step pinned earlier
|
|
||||||
(`http://<loopback_ip>:<random_port>/`). `agent_supervise_url`
|
|
||||||
on the plan is "" when the bottle has no sidecar."""
|
|
||||||
return plan.agent_supervise_url
|
|
||||||
|
|
||||||
def prepare_cleanup(self) -> SmolmachinesBottleCleanupPlan:
|
|
||||||
return _cleanup.prepare_cleanup()
|
return _cleanup.prepare_cleanup()
|
||||||
|
|
||||||
def cleanup(self, plan: SmolmachinesBottleCleanupPlan) -> None:
|
def cleanup(self, plan: FirecrackerBottleCleanupPlan) -> None:
|
||||||
_cleanup.cleanup(plan)
|
_cleanup.cleanup(plan)
|
||||||
|
|
||||||
def enumerate_active(self) -> Sequence[ActiveAgent]:
|
def enumerate_active(self) -> Sequence[ActiveAgent]:
|
||||||
return _enumerate.enumerate_active()
|
return _enumerate.enumerate_active()
|
||||||
|
|
||||||
|
def supervise_mcp_url(self, plan: FirecrackerBottlePlan) -> str:
|
||||||
|
return plan.agent_supervise_url
|
||||||
@@ -0,0 +1,189 @@
|
|||||||
|
"""Bottle handle for a Firecracker microVM, over SSH.
|
||||||
|
|
||||||
|
Every operation routes through SSH to the guest (dropbear, listening on
|
||||||
|
the TAP link). `exec` pipes a script over stdin and captures output;
|
||||||
|
`cp_in` uses scp; `exec_agent` uses `ssh -t` for an interactive PTY
|
||||||
|
session. `ssh -t` forwards the host terminal's SIGWINCH to the remote
|
||||||
|
PTY natively, so no separate resize bridge is needed.
|
||||||
|
|
||||||
|
Commands run as the image's `node` user via `runuser`, with HOME/USER/
|
||||||
|
PATH and the bottle env (HTTPS_PROXY at the gateway, CA paths, …) set
|
||||||
|
per-invocation through `env` (the VM itself just runs the init; it has
|
||||||
|
no baked-in process env like a `docker run` container would).
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import os
|
||||||
|
import shlex
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
from pathlib import Path
|
||||||
|
from typing import Mapping, cast
|
||||||
|
|
||||||
|
from ...agent_provider import PromptMode, prompt_args
|
||||||
|
from .. import Bottle, ExecResult
|
||||||
|
from ..terminal import exec_shell_script
|
||||||
|
from . import util
|
||||||
|
|
||||||
|
|
||||||
|
_HOME_FOR = {"node": "/home/node", "root": "/root"}
|
||||||
|
_DEFAULT_PATH_FOR = {
|
||||||
|
"node": (
|
||||||
|
"/home/node/.local/bin:"
|
||||||
|
"/home/node/.codex/packages/standalone/current/bin:"
|
||||||
|
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
),
|
||||||
|
"root": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def _env_assignments_for(user: str, env: Mapping[str, str]) -> list[str]:
|
||||||
|
home = _HOME_FOR.get(user, f"/home/{user}")
|
||||||
|
out = [f"HOME={home}", f"USER={user}"]
|
||||||
|
if "PATH" not in env:
|
||||||
|
out.append(f"PATH={_DEFAULT_PATH_FOR.get(user, _DEFAULT_PATH_FOR['root'])}")
|
||||||
|
for k, v in env.items():
|
||||||
|
out.append(f"{k}={v}")
|
||||||
|
return out
|
||||||
|
|
||||||
|
|
||||||
|
class FirecrackerBottle(Bottle):
|
||||||
|
def __init__(
|
||||||
|
self,
|
||||||
|
name: str,
|
||||||
|
*,
|
||||||
|
private_key: Path,
|
||||||
|
guest_ip: str,
|
||||||
|
guest_env: Mapping[str, str] | None = None,
|
||||||
|
prompt_path_in_guest: str | None = None,
|
||||||
|
agent_command: str = "claude",
|
||||||
|
agent_prompt_mode: PromptMode = "append_file",
|
||||||
|
agent_provider_template: str = "claude",
|
||||||
|
terminal_title: str = "",
|
||||||
|
terminal_color: str = "",
|
||||||
|
agent_workdir: str = "/home/node",
|
||||||
|
) -> None:
|
||||||
|
self.name = name
|
||||||
|
self._private_key = private_key
|
||||||
|
self._guest_ip = guest_ip
|
||||||
|
self._guest_env = dict(guest_env or {})
|
||||||
|
self.prompt_path = prompt_path_in_guest
|
||||||
|
self._agent_prompt_mode = agent_prompt_mode
|
||||||
|
self.agent_command = agent_command
|
||||||
|
self.terminal_title = terminal_title
|
||||||
|
self.terminal_color = terminal_color
|
||||||
|
self.agent_provider_template = agent_provider_template
|
||||||
|
self.agent_workdir = agent_workdir
|
||||||
|
|
||||||
|
def _ssh(self, *, tty: bool) -> list[str]:
|
||||||
|
argv = util.ssh_base_argv(self._private_key, self._guest_ip)
|
||||||
|
if tty:
|
||||||
|
# -t: allocate a remote PTY and forward window-size changes.
|
||||||
|
argv.insert(1, "-t")
|
||||||
|
return argv
|
||||||
|
|
||||||
|
def _agent_remote_argv(self, argv: list[str]) -> list[str]:
|
||||||
|
"""The `runuser … <agent> …` command run inside the guest."""
|
||||||
|
full_argv = list(argv)
|
||||||
|
full_argv.extend(
|
||||||
|
prompt_args(
|
||||||
|
cast(PromptMode, self._agent_prompt_mode),
|
||||||
|
self.prompt_path,
|
||||||
|
argv=full_argv,
|
||||||
|
)
|
||||||
|
)
|
||||||
|
# ALWAYS cd into the workdir before exec'ing the agent. The
|
||||||
|
# control SSH logs in as root, so the inherited cwd is /root —
|
||||||
|
# which the agent (running as node) can't even read now that
|
||||||
|
# /root is root-owned. Run the agent from the node workdir
|
||||||
|
# (default /home/node) so its cwd is node-accessible; otherwise
|
||||||
|
# Node's process.cwd(), the shell-snapshot machinery, and
|
||||||
|
# `/doctor` all fail on the unreadable /root.
|
||||||
|
# Run the agent from the node workdir (default /home/node), NOT
|
||||||
|
# the /root cwd inherited from the root SSH login — /root is now
|
||||||
|
# root-owned and unreadable by node, which breaks Node's
|
||||||
|
# process.cwd(), the shell-snapshot machinery, and `/doctor`.
|
||||||
|
# Use `env --chdir` rather than a `sh -c 'cd … && exec "$@"'`
|
||||||
|
# wrapper: ssh space-joins everything after the host into one
|
||||||
|
# string for the guest shell, so a quoted script + $@ would be
|
||||||
|
# re-split and mangled (exec'ing the $0 placeholder). All-simple
|
||||||
|
# words survive that join.
|
||||||
|
workdir = self.agent_workdir or _HOME_FOR["node"]
|
||||||
|
remote = ["runuser", "-u", "node", "--",
|
||||||
|
"env", f"--chdir={workdir}",
|
||||||
|
*_env_assignments_for("node", self._guest_env),
|
||||||
|
self.agent_command, *full_argv]
|
||||||
|
return remote
|
||||||
|
|
||||||
|
def agent_argv(self, argv: list[str], *, tty: bool = True) -> list[str]:
|
||||||
|
return [*self._ssh(tty=tty), "--", *self._agent_remote_argv(argv)]
|
||||||
|
|
||||||
|
def exec_agent(self, argv: list[str], *, tty: bool = True) -> int:
|
||||||
|
agent_argv = self.agent_argv(argv, tty=tty)
|
||||||
|
script = (
|
||||||
|
exec_shell_script(agent_argv, self.terminal_title, self.terminal_color)
|
||||||
|
if tty else None
|
||||||
|
)
|
||||||
|
if script is None:
|
||||||
|
return subprocess.run(agent_argv, check=False).returncode
|
||||||
|
return subprocess.run(["sh", "-lc", script], check=False).returncode
|
||||||
|
|
||||||
|
def exec(self, script: str, *, user: str = "node") -> ExecResult:
|
||||||
|
# Pipe the script over stdin (`sh -s`) so nothing needs shell
|
||||||
|
# quoting through the SSH command line.
|
||||||
|
remote = ["runuser", "-u", user, "--",
|
||||||
|
"env", *_env_assignments_for(user, self._guest_env),
|
||||||
|
"/bin/sh", "-s"]
|
||||||
|
result = subprocess.run(
|
||||||
|
[*self._ssh(tty=False), "--", *remote],
|
||||||
|
input=script, capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
return ExecResult(
|
||||||
|
returncode=result.returncode,
|
||||||
|
stdout=result.stdout,
|
||||||
|
stderr=result.stderr,
|
||||||
|
)
|
||||||
|
|
||||||
|
def cp_in(self, host_path: str, container_path: str) -> None:
|
||||||
|
# Stream a tar over the SSH exec channel rather than scp: the
|
||||||
|
# guest runs dropbear, which ships no sftp-server/scp, but every
|
||||||
|
# agent image has `tar`. Copy so `container_path` becomes a copy
|
||||||
|
# of `host_path` (docker cp semantics — callers rm -rf the
|
||||||
|
# destination first).
|
||||||
|
host_parent = os.path.dirname(host_path.rstrip("/")) or "/"
|
||||||
|
host_base = os.path.basename(host_path.rstrip("/"))
|
||||||
|
guest_parent = os.path.dirname(container_path.rstrip("/")) or "/"
|
||||||
|
guest_base = os.path.basename(container_path.rstrip("/"))
|
||||||
|
remote = (
|
||||||
|
f"mkdir -p {shlex.quote(guest_parent)} && "
|
||||||
|
f"cd {shlex.quote(guest_parent)} && "
|
||||||
|
f"rm -rf {shlex.quote(guest_base)} && tar -xf - && "
|
||||||
|
f"{{ [ {shlex.quote(host_base)} = {shlex.quote(guest_base)} ] || "
|
||||||
|
f"mv {shlex.quote(host_base)} {shlex.quote(guest_base)}; }}"
|
||||||
|
)
|
||||||
|
tar = subprocess.Popen(
|
||||||
|
["tar", "-C", host_parent, "-cf", "-", host_base],
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
)
|
||||||
|
# Pass the command as one arg: ssh space-joins everything after
|
||||||
|
# the host into a single string for the guest's login shell, so a
|
||||||
|
# `sh -c <remote>` split would drop everything past the first word
|
||||||
|
# (the guest shell runs `<remote>` directly; stdin carries the
|
||||||
|
# tar).
|
||||||
|
ssh = subprocess.run(
|
||||||
|
[*self._ssh(tty=False), "--", remote],
|
||||||
|
stdin=tar.stdout, capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
tar.wait()
|
||||||
|
if tar.returncode != 0 or ssh.returncode != 0:
|
||||||
|
sys.stderr.write(ssh.stderr)
|
||||||
|
raise subprocess.CalledProcessError(
|
||||||
|
ssh.returncode or tar.returncode,
|
||||||
|
["cp_in", host_path, container_path],
|
||||||
|
)
|
||||||
|
|
||||||
|
def close(self) -> None:
|
||||||
|
# Real teardown (VM terminate, TAP release) lives on the launch
|
||||||
|
# ExitStack; this is the idempotent alias the ABC expects.
|
||||||
|
pass
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
"""Cleanup plan for the Firecracker backend."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from dataclasses import dataclass
|
||||||
|
|
||||||
|
from ...log import info
|
||||||
|
from .. import BottleCleanupPlan
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class FirecrackerBottleCleanupPlan(BottleCleanupPlan):
|
||||||
|
# PIDs of orphaned firecracker VMM processes and the per-bottle run
|
||||||
|
# dirs left behind by previous bottles.
|
||||||
|
vm_pids: tuple[int, ...] = ()
|
||||||
|
run_dirs: tuple[str, ...] = ()
|
||||||
|
|
||||||
|
def print(self) -> None:
|
||||||
|
if self.empty:
|
||||||
|
info("firecracker cleanup: nothing to remove")
|
||||||
|
return
|
||||||
|
for pid in self.vm_pids:
|
||||||
|
info(f"firecracker VM process: pid {pid}")
|
||||||
|
for path in self.run_dirs:
|
||||||
|
info(f"firecracker run dir: {path}")
|
||||||
|
|
||||||
|
@property
|
||||||
|
def empty(self) -> bool:
|
||||||
|
return not (self.vm_pids or self.run_dirs)
|
||||||
@@ -0,0 +1,63 @@
|
|||||||
|
"""Plan type for the Firecracker backend."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from dataclasses import dataclass, field
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...agent_provider import PromptMode
|
||||||
|
from .. import BottlePlan
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class FirecrackerBottlePlan(BottlePlan):
|
||||||
|
slug: str
|
||||||
|
forwarded_env: dict[str, str] = field(repr=False)
|
||||||
|
# Stamped by launch once the gateway is up and its ports are
|
||||||
|
# published on the host-side TAP IP (empty at prepare time).
|
||||||
|
agent_proxy_url: str = ""
|
||||||
|
agent_git_gate_url: str = ""
|
||||||
|
agent_supervise_url: str = ""
|
||||||
|
|
||||||
|
@property
|
||||||
|
def container_name(self) -> str:
|
||||||
|
"""Instance name, reused for the gateway container + VM run dir.
|
||||||
|
Matches the `bot-bottle-<slug>` convention the other backends
|
||||||
|
use so cleanup/enumerate discovery-by-prefix keeps working."""
|
||||||
|
return self.agent_provision.instance_name
|
||||||
|
|
||||||
|
@property
|
||||||
|
def image(self) -> str:
|
||||||
|
return self.agent_provision.image
|
||||||
|
|
||||||
|
@property
|
||||||
|
def dockerfile_path(self) -> str:
|
||||||
|
return self.agent_provision.dockerfile
|
||||||
|
|
||||||
|
@property
|
||||||
|
def prompt_file(self) -> Path:
|
||||||
|
return self.agent_provision.prompt_file
|
||||||
|
|
||||||
|
@property
|
||||||
|
def agent_command(self) -> str:
|
||||||
|
return self.agent_provision.command
|
||||||
|
|
||||||
|
@property
|
||||||
|
def agent_prompt_mode(self) -> PromptMode:
|
||||||
|
return self.agent_provision.prompt_mode
|
||||||
|
|
||||||
|
@property
|
||||||
|
def agent_provider_template(self) -> str:
|
||||||
|
return self.agent_provision.template
|
||||||
|
|
||||||
|
@property
|
||||||
|
def git_gate_insteadof_host(self) -> str:
|
||||||
|
if self.agent_git_gate_url.startswith("http://"):
|
||||||
|
return self.agent_git_gate_url.removeprefix("http://").rstrip("/")
|
||||||
|
return super().git_gate_insteadof_host
|
||||||
|
|
||||||
|
@property
|
||||||
|
def git_gate_insteadof_scheme(self) -> str:
|
||||||
|
if self.agent_git_gate_url.startswith("http://"):
|
||||||
|
return "http"
|
||||||
|
return super().git_gate_insteadof_scheme
|
||||||
@@ -0,0 +1,69 @@
|
|||||||
|
"""Cleanup for the Firecracker backend.
|
||||||
|
|
||||||
|
Orphans are: firecracker VMM processes whose config lives under our run
|
||||||
|
dir, and the per-bottle run dirs. TAP slots free themselves (the flock
|
||||||
|
drops when the launcher exits), so there is nothing to reclaim there.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import os
|
||||||
|
import shutil
|
||||||
|
import signal
|
||||||
|
import subprocess
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...log import info
|
||||||
|
from . import util
|
||||||
|
from .bottle_cleanup_plan import FirecrackerBottleCleanupPlan
|
||||||
|
|
||||||
|
|
||||||
|
def _run_root() -> Path:
|
||||||
|
return util.cache_dir() / "run"
|
||||||
|
|
||||||
|
|
||||||
|
def _orphan_vm_pids() -> list[int]:
|
||||||
|
"""firecracker processes whose --config-file is under our run dir."""
|
||||||
|
run_root = str(_run_root())
|
||||||
|
result = subprocess.run(
|
||||||
|
["pgrep", "-a", "firecracker"],
|
||||||
|
capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
if result.returncode != 0:
|
||||||
|
return []
|
||||||
|
pids: list[int] = []
|
||||||
|
for line in result.stdout.splitlines():
|
||||||
|
parts = line.split(None, 1)
|
||||||
|
if len(parts) != 2 or run_root not in parts[1]:
|
||||||
|
continue
|
||||||
|
try:
|
||||||
|
pids.append(int(parts[0]))
|
||||||
|
except ValueError:
|
||||||
|
continue
|
||||||
|
return pids
|
||||||
|
|
||||||
|
|
||||||
|
def _run_dirs() -> list[str]:
|
||||||
|
run_root = _run_root()
|
||||||
|
if not run_root.is_dir():
|
||||||
|
return []
|
||||||
|
return sorted(str(p) for p in run_root.iterdir() if p.is_dir())
|
||||||
|
|
||||||
|
|
||||||
|
def prepare_cleanup() -> FirecrackerBottleCleanupPlan:
|
||||||
|
return FirecrackerBottleCleanupPlan(
|
||||||
|
vm_pids=tuple(_orphan_vm_pids()),
|
||||||
|
run_dirs=tuple(_run_dirs()),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def cleanup(plan: FirecrackerBottleCleanupPlan) -> None:
|
||||||
|
for pid in plan.vm_pids:
|
||||||
|
info(f"kill firecracker VM pid {pid}")
|
||||||
|
try:
|
||||||
|
os.kill(pid, signal.SIGTERM)
|
||||||
|
except ProcessLookupError:
|
||||||
|
pass
|
||||||
|
for path in plan.run_dirs:
|
||||||
|
info(f"rm -rf {path}")
|
||||||
|
shutil.rmtree(path, ignore_errors=True)
|
||||||
@@ -0,0 +1,164 @@
|
|||||||
|
"""Consolidated bottle launch sequence for the Firecracker backend (PRD 0070).
|
||||||
|
|
||||||
|
Mirrors bot_bottle.backend.docker.consolidated_launch but wired for
|
||||||
|
Firecracker's TAP-based network topology instead of a shared Docker bridge.
|
||||||
|
|
||||||
|
The per-bottle sidecar bundle (one `docker run` per bottle, published on the
|
||||||
|
slot's host-side TAP IP) is replaced by a single persistent gateway that
|
||||||
|
every Firecracker VM shares. The gateway runs as a Docker container in the
|
||||||
|
dev-harness (a Firecracker VM is stage B per PRD 0070), with its ports
|
||||||
|
published on the host (`0.0.0.0:PORT`). VMs reach it at their slot's
|
||||||
|
host-side TAP IP because Docker's iptables PREROUTING DNAT redirects
|
||||||
|
port 9099/9100/9420 traffic to the gateway container — a path the nft
|
||||||
|
isolation table already allows via `ct status dnat accept` in the forward
|
||||||
|
chain.
|
||||||
|
|
||||||
|
Attribution is by the VM's guest IP, which is unspoofable by construction:
|
||||||
|
the /31 point-to-point TAP topology + the `bot_bottle_fc` nft table ensure
|
||||||
|
that only the expected VM can source-IP that address.
|
||||||
|
|
||||||
|
Sequence:
|
||||||
|
1. ensure the Firecracker-flavoured orchestrator + gateway are up;
|
||||||
|
2. register the bottle by its guest IP (attribution key) → bottle id +
|
||||||
|
identity token;
|
||||||
|
3. provision its git-gate repos/creds into the running gateway;
|
||||||
|
4. fetch the shared gateway CA for the provisioner to install in the rootfs.
|
||||||
|
|
||||||
|
The TAP slot allocation, rootfs build, and VM boot are the caller's job.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from dataclasses import dataclass
|
||||||
|
|
||||||
|
from ...egress import EgressPlan
|
||||||
|
from ...git_gate import GitGatePlan
|
||||||
|
from ...orchestrator.client import OrchestratorClient
|
||||||
|
from ...orchestrator.gateway import (
|
||||||
|
GATEWAY_NETWORK,
|
||||||
|
DockerGateway,
|
||||||
|
)
|
||||||
|
from ...orchestrator.lifecycle import (
|
||||||
|
OrchestratorService,
|
||||||
|
OrchestratorStartError, # re-exported so callers can catch it
|
||||||
|
)
|
||||||
|
from ...orchestrator.registration import registration_inputs
|
||||||
|
from ..docker.egress import EGRESS_PORT
|
||||||
|
from ..docker.gateway_provision import deprovision_git_gate, provision_git_gate
|
||||||
|
from ...supervise import SUPERVISE_PORT
|
||||||
|
|
||||||
|
_GIT_HTTP_PORT = 9420
|
||||||
|
|
||||||
|
# Separate names from the Docker gateway so both backends can coexist on one
|
||||||
|
# host (and for clarity in `docker ps` output).
|
||||||
|
_FC_GATEWAY_NAME = "bot-bottle-fc-gateway"
|
||||||
|
_FC_ORCHESTRATOR_NAME = "bot-bottle-fc-orchestrator"
|
||||||
|
_FC_ORCHESTRATOR_LABEL = "bot-bottle-fc-orchestrator=1"
|
||||||
|
# Ports the gateway publishes on the host so Firecracker VMs can reach it
|
||||||
|
# via their TAP link. Docker's PREROUTING DNAT + nft's `ct status dnat
|
||||||
|
# accept` in the forward chain route the traffic.
|
||||||
|
_FC_GATEWAY_HOST_PORTS = (EGRESS_PORT, SUPERVISE_PORT, _GIT_HTTP_PORT)
|
||||||
|
|
||||||
|
|
||||||
|
class ConsolidatedLaunchError(RuntimeError):
|
||||||
|
"""The consolidated register/provision sequence could not complete."""
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class LaunchContext:
|
||||||
|
"""What the Firecracker launch needs from the consolidated sequence."""
|
||||||
|
|
||||||
|
bottle_id: str
|
||||||
|
identity_token: str
|
||||||
|
source_ip: str # the VM's guest IP — the attribution key
|
||||||
|
gateway_ca_pem: str # the shared gateway CA the provisioner installs
|
||||||
|
orchestrator_url: str
|
||||||
|
|
||||||
|
|
||||||
|
class _FirecrackerOrchestratorService(OrchestratorService):
|
||||||
|
"""Dev-harness orchestrator for the Firecracker backend.
|
||||||
|
|
||||||
|
Uses a gateway that publishes its ports on the host so Firecracker VMs can
|
||||||
|
reach it via their TAP link. The gateway and orchestrator containers use
|
||||||
|
`*-fc-*` names so both backends can run independently on the same host.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, **kwargs: object) -> None:
|
||||||
|
super().__init__(
|
||||||
|
orchestrator_name=_FC_ORCHESTRATOR_NAME,
|
||||||
|
orchestrator_label=_FC_ORCHESTRATOR_LABEL,
|
||||||
|
**kwargs, # type: ignore[arg-type]
|
||||||
|
)
|
||||||
|
|
||||||
|
def _gateway(self) -> DockerGateway:
|
||||||
|
# The heavy data-plane image (#384 split it from the lean control-plane
|
||||||
|
# `image` this service's orchestrator container runs).
|
||||||
|
return DockerGateway(
|
||||||
|
self._gateway_image,
|
||||||
|
name=_FC_GATEWAY_NAME,
|
||||||
|
network=self.network,
|
||||||
|
orchestrator_url=self.internal_url,
|
||||||
|
host_port_bindings=_FC_GATEWAY_HOST_PORTS,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def launch_consolidated(
|
||||||
|
egress_plan: EgressPlan,
|
||||||
|
git_gate_plan: GitGatePlan,
|
||||||
|
*,
|
||||||
|
guest_ip: str,
|
||||||
|
image_ref: str = "",
|
||||||
|
tokens: dict[str, str] | None = None,
|
||||||
|
service: OrchestratorService | None = None,
|
||||||
|
gateway_name: str = _FC_GATEWAY_NAME,
|
||||||
|
) -> LaunchContext:
|
||||||
|
"""Ensure the orchestrator + Firecracker gateway are up, register the
|
||||||
|
bottle by its guest IP, and provision its git-gate state. Returns the
|
||||||
|
context the VM launch needs. Raises `ConsolidatedLaunchError` (or the
|
||||||
|
primitives' own errors) on failure — the caller tears down on failure."""
|
||||||
|
service = service or _FirecrackerOrchestratorService()
|
||||||
|
url = service.ensure_running()
|
||||||
|
client = OrchestratorClient(url)
|
||||||
|
|
||||||
|
inputs = registration_inputs(egress_plan)
|
||||||
|
reg = client.register_bottle(
|
||||||
|
guest_ip, image_ref=image_ref, policy=inputs.policy,
|
||||||
|
metadata=inputs.metadata, tokens=tokens,
|
||||||
|
)
|
||||||
|
try:
|
||||||
|
provision_git_gate(gateway_name, reg.bottle_id, git_gate_plan)
|
||||||
|
except Exception:
|
||||||
|
client.teardown_bottle(reg.bottle_id)
|
||||||
|
raise
|
||||||
|
|
||||||
|
# Fetch the shared gateway CA here so the caller can install it in the
|
||||||
|
# rootfs (the same CA every agent on this host trusts for TLS interception).
|
||||||
|
gateway_ca_pem = DockerGateway(
|
||||||
|
name=gateway_name, network=GATEWAY_NETWORK,
|
||||||
|
).ca_cert_pem()
|
||||||
|
|
||||||
|
return LaunchContext(
|
||||||
|
bottle_id=reg.bottle_id,
|
||||||
|
identity_token=reg.identity_token,
|
||||||
|
source_ip=guest_ip,
|
||||||
|
gateway_ca_pem=gateway_ca_pem,
|
||||||
|
orchestrator_url=url,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def teardown_consolidated(
|
||||||
|
bottle_id: str, *, orchestrator_url: str, gateway_name: str = _FC_GATEWAY_NAME,
|
||||||
|
) -> None:
|
||||||
|
"""Deregister the bottle and remove its git-gate state from the gateway.
|
||||||
|
Both steps are idempotent so this is safe from a cleanup trap."""
|
||||||
|
OrchestratorClient(orchestrator_url).teardown_bottle(bottle_id)
|
||||||
|
deprovision_git_gate(gateway_name, bottle_id)
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = [
|
||||||
|
"LaunchContext",
|
||||||
|
"launch_consolidated",
|
||||||
|
"teardown_consolidated",
|
||||||
|
"ConsolidatedLaunchError",
|
||||||
|
"OrchestratorStartError",
|
||||||
|
]
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
"""Active-agent enumeration for the Firecracker backend.
|
||||||
|
|
||||||
|
The backend is disabled during the companion-container removal (#385) — it can't
|
||||||
|
launch bottles, so there are none to enumerate. Real enumeration returns
|
||||||
|
with the backend's consolidated relaunch (#354).
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from .. import ActiveAgent
|
||||||
|
|
||||||
|
|
||||||
|
def enumerate_active() -> list[ActiveAgent]:
|
||||||
|
return []
|
||||||
@@ -0,0 +1,173 @@
|
|||||||
|
"""Firecracker microVM process lifecycle.
|
||||||
|
|
||||||
|
A bottle VM is one `firecracker` process booted from a JSON config
|
||||||
|
(kernel + writable rootfs ext4 + one TAP network interface). We run it
|
||||||
|
`--no-api`: all configuration is in the config file, and teardown is a
|
||||||
|
process signal — the microVM dies with its VMM, which is exactly the
|
||||||
|
ephemeral-bottle semantics we want. No API socket, no runtime
|
||||||
|
reconfiguration.
|
||||||
|
|
||||||
|
The guest gets its IP from the kernel `ip=` cmdline (kernel-level
|
||||||
|
autoconfig, no in-guest iproute2) and its SSH pubkey from a `bb_pubkey=`
|
||||||
|
cmdline arg the init decodes.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import base64
|
||||||
|
import json
|
||||||
|
import signal
|
||||||
|
import subprocess
|
||||||
|
import time
|
||||||
|
from dataclasses import dataclass
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...log import die, info
|
||||||
|
from . import util
|
||||||
|
|
||||||
|
|
||||||
|
# Serial console off the critical path but captured to a log for
|
||||||
|
# debugging boot failures. `reboot=k panic=1 pci=off` are the standard
|
||||||
|
# Firecracker guest args; `i8042.*` skip the (absent) PS/2 probe to
|
||||||
|
# shave boot time.
|
||||||
|
_BASE_BOOT_ARGS = (
|
||||||
|
"console=ttyS0 reboot=k panic=1 pci=off "
|
||||||
|
"i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd "
|
||||||
|
"root=/dev/vda rw init=/bb-init"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass
|
||||||
|
class VmHandle:
|
||||||
|
"""A running microVM: its VMM process, guest IP, and console log."""
|
||||||
|
|
||||||
|
process: subprocess.Popen[bytes]
|
||||||
|
guest_ip: str
|
||||||
|
console_log: Path
|
||||||
|
|
||||||
|
def is_alive(self) -> bool:
|
||||||
|
return self.process.poll() is None
|
||||||
|
|
||||||
|
def terminate(self) -> None:
|
||||||
|
"""Stop the VMM (and thus the guest). SIGTERM, then SIGKILL."""
|
||||||
|
if self.process.poll() is not None:
|
||||||
|
return
|
||||||
|
self.process.send_signal(signal.SIGTERM)
|
||||||
|
try:
|
||||||
|
self.process.wait(timeout=5)
|
||||||
|
except subprocess.TimeoutExpired:
|
||||||
|
self.process.kill()
|
||||||
|
self.process.wait(timeout=5)
|
||||||
|
|
||||||
|
|
||||||
|
def _boot_args(guest_ip: str, host_ip: str, pubkey: str) -> str:
|
||||||
|
# ip=<client>::<gw>:<netmask>::<dev>:off — /31 point-to-point link,
|
||||||
|
# so netmask is 255.255.255.254 and the gateway is the host TAP IP.
|
||||||
|
ip_arg = f"ip={guest_ip}::{host_ip}:255.255.255.254::eth0:off"
|
||||||
|
pub_b64 = base64.b64encode(pubkey.encode()).decode()
|
||||||
|
return f"{_BASE_BOOT_ARGS} {ip_arg} bb_pubkey={pub_b64}"
|
||||||
|
|
||||||
|
|
||||||
|
def _config(
|
||||||
|
*,
|
||||||
|
rootfs: Path,
|
||||||
|
tap: str,
|
||||||
|
guest_ip: str,
|
||||||
|
host_ip: str,
|
||||||
|
pubkey: str,
|
||||||
|
vcpus: int,
|
||||||
|
mem_mib: int,
|
||||||
|
guest_mac: str,
|
||||||
|
) -> dict[str, object]:
|
||||||
|
return {
|
||||||
|
"boot-source": {
|
||||||
|
"kernel_image_path": str(util.kernel_path()),
|
||||||
|
"boot_args": _boot_args(guest_ip, host_ip, pubkey),
|
||||||
|
},
|
||||||
|
"drives": [
|
||||||
|
{
|
||||||
|
"drive_id": "rootfs",
|
||||||
|
"path_on_host": str(rootfs),
|
||||||
|
"is_root_device": True,
|
||||||
|
"is_read_only": False,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"network-interfaces": [
|
||||||
|
{
|
||||||
|
"iface_id": "eth0",
|
||||||
|
"host_dev_name": tap,
|
||||||
|
"guest_mac": guest_mac,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"machine-config": {
|
||||||
|
"vcpu_count": vcpus,
|
||||||
|
"mem_size_mib": mem_mib,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def boot(
|
||||||
|
*,
|
||||||
|
name: str,
|
||||||
|
rootfs: Path,
|
||||||
|
tap: str,
|
||||||
|
guest_ip: str,
|
||||||
|
host_ip: str,
|
||||||
|
pubkey: str,
|
||||||
|
run_dir: Path,
|
||||||
|
vcpus: int = 2,
|
||||||
|
mem_mib: int = 2048,
|
||||||
|
guest_mac: str = "06:00:AC:10:00:02",
|
||||||
|
) -> VmHandle:
|
||||||
|
"""Write the config and launch the VMM. Returns once the process is
|
||||||
|
spawned; callers wait for SSH readiness separately."""
|
||||||
|
run_dir.mkdir(parents=True, exist_ok=True)
|
||||||
|
config_path = run_dir / "config.json"
|
||||||
|
console_log = run_dir / "console.log"
|
||||||
|
config_path.write_text(json.dumps(
|
||||||
|
_config(
|
||||||
|
rootfs=rootfs, tap=tap, guest_ip=guest_ip, host_ip=host_ip,
|
||||||
|
pubkey=pubkey, vcpus=vcpus, mem_mib=mem_mib, guest_mac=guest_mac,
|
||||||
|
),
|
||||||
|
indent=2,
|
||||||
|
))
|
||||||
|
|
||||||
|
info(f"booting microVM {name} on {tap} (guest {guest_ip})")
|
||||||
|
log_fh = console_log.open("wb")
|
||||||
|
process = subprocess.Popen(
|
||||||
|
["firecracker", "--no-api", "--config-file", str(config_path)],
|
||||||
|
stdout=log_fh, stderr=subprocess.STDOUT, stdin=subprocess.DEVNULL,
|
||||||
|
)
|
||||||
|
return VmHandle(process=process, guest_ip=guest_ip, console_log=console_log)
|
||||||
|
|
||||||
|
|
||||||
|
def wait_for_ssh(
|
||||||
|
vm: VmHandle, private_key: Path, *, timeout: float = 30.0,
|
||||||
|
) -> None:
|
||||||
|
"""Poll SSH until the guest accepts a command or the deadline
|
||||||
|
passes. Dies (with the console tail) if the VMM exits early or the
|
||||||
|
guest never comes up — a boot failure must be loud, not a hang."""
|
||||||
|
deadline = time.monotonic() + timeout
|
||||||
|
probe = util.ssh_base_argv(private_key, vm.guest_ip) + ["true"]
|
||||||
|
while time.monotonic() < deadline:
|
||||||
|
if not vm.is_alive():
|
||||||
|
die(f"microVM exited during boot (rc={vm.process.returncode}).\n"
|
||||||
|
f"{_console_tail(vm.console_log)}")
|
||||||
|
result = subprocess.run(
|
||||||
|
probe, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
|
||||||
|
check=False,
|
||||||
|
)
|
||||||
|
if result.returncode == 0:
|
||||||
|
return
|
||||||
|
time.sleep(0.5)
|
||||||
|
die(f"microVM {vm.guest_ip} did not accept SSH within {timeout:.0f}s.\n"
|
||||||
|
f"{_console_tail(vm.console_log)}")
|
||||||
|
|
||||||
|
|
||||||
|
def _console_tail(console_log: Path, lines: int = 25) -> str:
|
||||||
|
try:
|
||||||
|
text = console_log.read_text(errors="replace").splitlines()
|
||||||
|
except OSError:
|
||||||
|
return "(no console log)"
|
||||||
|
tail = "\n".join(text[-lines:])
|
||||||
|
return f"--- guest console (last {lines} lines) ---\n{tail}"
|
||||||
@@ -0,0 +1,76 @@
|
|||||||
|
"""FirecrackerFreezer — snapshot a running microVM to a Docker image.
|
||||||
|
|
||||||
|
The VM is live and can't be block-copied safely, so — like the macOS
|
||||||
|
backend — we stream the guest root filesystem out over the control
|
||||||
|
channel (SSH here) and rebuild an image from it. The bottle keeps
|
||||||
|
running after the snapshot.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
|
import tempfile
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...log import die, info
|
||||||
|
from .. import ActiveAgent
|
||||||
|
from ..freeze import Freezer
|
||||||
|
from . import util
|
||||||
|
|
||||||
|
|
||||||
|
class FirecrackerFreezer(Freezer):
|
||||||
|
backend_name = "firecracker"
|
||||||
|
|
||||||
|
def _freeze(self, agent: ActiveAgent) -> str:
|
||||||
|
run_dir = util.cache_dir() / "run" / agent.slug
|
||||||
|
private_key = run_dir / "bottle_id_ed25519"
|
||||||
|
guest_ip = _guest_ip_from_config(run_dir / "config.json")
|
||||||
|
if not private_key.is_file() or not guest_ip:
|
||||||
|
die(f"cannot freeze {agent.slug}: run dir {run_dir} is missing the "
|
||||||
|
f"SSH key or VM config (is the bottle still running?)")
|
||||||
|
image_tag = f"bot-bottle-committed-{agent.slug}:latest"
|
||||||
|
_commit_via_ssh(private_key, guest_ip, image_tag)
|
||||||
|
info(f"committed {agent.slug} -> {image_tag!r}")
|
||||||
|
return image_tag
|
||||||
|
|
||||||
|
def _export_hint(self, slug: str, image_ref: str) -> None:
|
||||||
|
info(f"to export for migration: docker image save {image_ref} "
|
||||||
|
f"-o {slug}.tar")
|
||||||
|
|
||||||
|
|
||||||
|
def _guest_ip_from_config(config_path: Path) -> str:
|
||||||
|
try:
|
||||||
|
cfg = json.loads(config_path.read_text())
|
||||||
|
except (OSError, json.JSONDecodeError):
|
||||||
|
return ""
|
||||||
|
boot_args = cfg.get("boot-source", {}).get("boot_args", "")
|
||||||
|
for token in boot_args.split():
|
||||||
|
if token.startswith("ip="):
|
||||||
|
# ip=<client>::<gw>:<mask>::<dev>:off
|
||||||
|
return token[len("ip="):].split(":", 1)[0]
|
||||||
|
return ""
|
||||||
|
|
||||||
|
|
||||||
|
def _commit_via_ssh(private_key: Path, guest_ip: str, image_tag: str) -> None:
|
||||||
|
with tempfile.TemporaryDirectory(prefix="bot-bottle-fc-commit.") as tmp:
|
||||||
|
rootfs_tar = os.path.join(tmp, "rootfs.tar")
|
||||||
|
ssh = util.ssh_base_argv(private_key, guest_ip)
|
||||||
|
with open(rootfs_tar, "wb") as tar_out:
|
||||||
|
result = subprocess.run(
|
||||||
|
[*ssh, "--", "tar", "--create", "--one-file-system",
|
||||||
|
"--exclude=./proc", "--exclude=./sys", "--exclude=./dev",
|
||||||
|
"--exclude=./run", "--file=-", "--directory=/", "."],
|
||||||
|
stdout=tar_out, stderr=subprocess.PIPE, check=False,
|
||||||
|
)
|
||||||
|
if result.returncode != 0:
|
||||||
|
die(f"ssh tar for {guest_ip} failed: "
|
||||||
|
f"{(result.stderr or b'').decode().strip() or '<no stderr>'}")
|
||||||
|
with open(os.path.join(tmp, "Dockerfile"), "w", encoding="utf-8") as f:
|
||||||
|
f.write("FROM scratch\nADD rootfs.tar /\nUSER node\nWORKDIR /home/node\n")
|
||||||
|
build = subprocess.run(
|
||||||
|
["docker", "build", "-t", image_tag, tmp], check=False,
|
||||||
|
)
|
||||||
|
if build.returncode != 0:
|
||||||
|
die(f"docker build for {image_tag!r} failed")
|
||||||
@@ -0,0 +1,200 @@
|
|||||||
|
"""Docker-free agent-image builds for the Firecracker backend (PRD 0069 Stage 3).
|
||||||
|
|
||||||
|
Instead of `docker build` on the host, an agent's Dockerfile is built inside a
|
||||||
|
throwaway Firecracker *builder VM* running buildah (rootless, daemonless): no
|
||||||
|
host Docker daemon, no root-equivalent `docker` group, and the untrusted
|
||||||
|
Dockerfile executes in a confined microVM rather than on the host.
|
||||||
|
|
||||||
|
Flow (on a cache miss, keyed by Dockerfile content):
|
||||||
|
1. boot the builder VM (the orchestrator image, which carries buildah) on
|
||||||
|
the NAT'd orchestrator link (`netpool.orch_slot()`), so the Dockerfile's
|
||||||
|
`FROM` pulls + apt/npm reach the internet;
|
||||||
|
2. send the Dockerfile over SSH and `buildah build` it;
|
||||||
|
3. `buildah mount` the built image and stream its rootfs tar back to the
|
||||||
|
host, extracting it into the cache dir;
|
||||||
|
4. inject the guest boot bits + mark the cache ready — the same base-dir
|
||||||
|
shape `firecracker.util` turns into a bootable ext4 with `mke2fs -d`.
|
||||||
|
|
||||||
|
The builder shares the orchestrator's TAP; once the orchestrator is a
|
||||||
|
persistent VM (Stage B) these builds move onto its control plane instead of a
|
||||||
|
throwaway boot.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import hashlib
|
||||||
|
import shutil
|
||||||
|
import subprocess
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...log import die, info
|
||||||
|
from . import firecracker_vm, netpool, util
|
||||||
|
|
||||||
|
# The builder runs the orchestrator image — it is the component that carries
|
||||||
|
# buildah (see Dockerfile.orchestrator). Built from the host docker image via
|
||||||
|
# the bootstrap export path until we pull a pre-built image instead.
|
||||||
|
_ORCHESTRATOR_IMAGE = "bot-bottle-orchestrator:latest"
|
||||||
|
|
||||||
|
# The builder VM makes DIRECT registry/apt connections (not through the
|
||||||
|
# gateway proxy the way agents do), and the kernel `ip=` cmdline sets no
|
||||||
|
# resolver — so give it one. Public for now; build-time egress through the
|
||||||
|
# gateway will remove the need for it.
|
||||||
|
_BUILDER_RESOLVER = "1.1.1.1"
|
||||||
|
|
||||||
|
# vfs + chroot: buildah works as root in the bare microVM (no fuse-overlayfs /
|
||||||
|
# overlay module / subuid maps). Must match Dockerfile.orchestrator's env.
|
||||||
|
# `--isolation` is a build/run-only flag; `from`/`mount` take just the store.
|
||||||
|
_BUILD_FLAGS = "--isolation chroot --storage-driver vfs"
|
||||||
|
_STORE_FLAG = "--storage-driver vfs"
|
||||||
|
|
||||||
|
_SSH_READY_TIMEOUT = 40.0
|
||||||
|
_BUILD_TIMEOUT_SECONDS = 900.0
|
||||||
|
_LOCAL_TAG = "bot-bottle-agent-build"
|
||||||
|
|
||||||
|
|
||||||
|
def _dockerfile_hash(dockerfile: Path) -> str:
|
||||||
|
"""Cache key: the Dockerfile's content. The shipped agent Dockerfiles
|
||||||
|
COPY nothing from the build context (see .dockerignore), so their content
|
||||||
|
fully determines the image; a Dockerfile that adds COPY will want the
|
||||||
|
context folded in here too."""
|
||||||
|
return hashlib.sha256(dockerfile.read_bytes()).hexdigest()[:16]
|
||||||
|
|
||||||
|
|
||||||
|
def build_agent_rootfs_dir(
|
||||||
|
dockerfile: Path, *, image_tag: str, smoke_test: tuple[str, ...] = (),
|
||||||
|
) -> Path:
|
||||||
|
"""Build `dockerfile` in a Firecracker builder VM (buildah, no host
|
||||||
|
docker), export its rootfs, inject the guest boot bits, and return the
|
||||||
|
cached base dir — the same shape `util.build_rootfs_ext4` consumes.
|
||||||
|
Cached by Dockerfile content, so a repeat launch skips the rebuild.
|
||||||
|
|
||||||
|
`smoke_test` (the provider's declared argv, e.g. `("claude","--version")`)
|
||||||
|
is run in the freshly built image before export, catching an npm
|
||||||
|
silent-failure image at build time rather than at first agent use."""
|
||||||
|
digest = _dockerfile_hash(dockerfile)
|
||||||
|
base = util.cache_dir() / "rootfs" / f"agent-{digest}"
|
||||||
|
ready = base / ".bb-ready"
|
||||||
|
if ready.is_file():
|
||||||
|
info(f"using cached agent rootfs {base.name}")
|
||||||
|
return base
|
||||||
|
|
||||||
|
if base.exists():
|
||||||
|
shutil.rmtree(base, ignore_errors=True)
|
||||||
|
base.mkdir(parents=True)
|
||||||
|
|
||||||
|
info(f"building agent image {image_tag!r} in a firecracker builder VM")
|
||||||
|
_build_in_vm(dockerfile, base, smoke_test)
|
||||||
|
util.inject_guest_boot(base)
|
||||||
|
ready.write_text("ok\n")
|
||||||
|
return base
|
||||||
|
|
||||||
|
|
||||||
|
def _build_in_vm(dockerfile: Path, base: Path, smoke_test: tuple[str, ...]) -> None:
|
||||||
|
"""Boot the builder VM, build the Dockerfile with buildah, and stream the
|
||||||
|
resulting rootfs into `base`. Tears the VM down on every exit path."""
|
||||||
|
slot = netpool.orch_slot()
|
||||||
|
if not netpool.tap_present(slot.iface):
|
||||||
|
die(f"orchestrator/builder link {slot.iface} not present.\n"
|
||||||
|
f" ./cli.py backend setup --backend=firecracker")
|
||||||
|
|
||||||
|
# The builder runs the orchestrator rootfs (bootstrap: exported from the
|
||||||
|
# host docker image; a pulled image replaces this later).
|
||||||
|
orch_base = util.build_base_rootfs_dir(_ORCHESTRATOR_IMAGE)
|
||||||
|
run_dir = util.cache_dir() / "run" / "builder"
|
||||||
|
run_dir.mkdir(parents=True, exist_ok=True)
|
||||||
|
rootfs = run_dir / "rootfs.ext4"
|
||||||
|
# vfs copies every layer, so the builder disk needs generous headroom.
|
||||||
|
util.build_rootfs_ext4(orch_base, rootfs, slack_mib=8192)
|
||||||
|
private_key, pubkey = util.generate_keypair(run_dir)
|
||||||
|
|
||||||
|
vm = firecracker_vm.boot(
|
||||||
|
name="bot-bottle-builder", rootfs=rootfs, tap=slot.iface,
|
||||||
|
guest_ip=slot.guest_ip, host_ip=slot.host_ip, pubkey=pubkey,
|
||||||
|
run_dir=run_dir, mem_mib=4096,
|
||||||
|
)
|
||||||
|
try:
|
||||||
|
firecracker_vm.wait_for_ssh(vm, private_key, timeout=_SSH_READY_TIMEOUT)
|
||||||
|
_ssh(private_key, slot.guest_ip,
|
||||||
|
f"printf 'nameserver {_BUILDER_RESOLVER}\\n' > /etc/resolv.conf "
|
||||||
|
f"&& mkdir -p /build/ctx")
|
||||||
|
_send_dockerfile(private_key, slot.guest_ip, dockerfile)
|
||||||
|
_buildah_build(private_key, slot.guest_ip)
|
||||||
|
_smoke_test(private_key, slot.guest_ip, smoke_test)
|
||||||
|
_stream_rootfs(private_key, slot.guest_ip, base)
|
||||||
|
finally:
|
||||||
|
vm.terminate()
|
||||||
|
|
||||||
|
|
||||||
|
def _ssh(private_key: Path, guest_ip: str, script: str,
|
||||||
|
*, timeout: float = 60.0) -> subprocess.CompletedProcess[str]:
|
||||||
|
return subprocess.run(
|
||||||
|
util.ssh_base_argv(private_key, guest_ip) + [script],
|
||||||
|
capture_output=True, text=True, timeout=timeout, check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _send_dockerfile(private_key: Path, guest_ip: str, dockerfile: Path) -> None:
|
||||||
|
proc = subprocess.run(
|
||||||
|
util.ssh_base_argv(private_key, guest_ip) + ["cat > /build/Dockerfile"],
|
||||||
|
input=dockerfile.read_bytes(), capture_output=True, timeout=30, check=False,
|
||||||
|
)
|
||||||
|
if proc.returncode != 0:
|
||||||
|
die(f"sending Dockerfile to the builder VM failed: "
|
||||||
|
f"{proc.stderr.decode(errors='replace').strip()}")
|
||||||
|
|
||||||
|
|
||||||
|
def _buildah_build(private_key: Path, guest_ip: str) -> None:
|
||||||
|
build = _ssh(
|
||||||
|
private_key, guest_ip,
|
||||||
|
f"buildah build {_BUILD_FLAGS} -t {_LOCAL_TAG} "
|
||||||
|
f"-f /build/Dockerfile /build/ctx",
|
||||||
|
timeout=_BUILD_TIMEOUT_SECONDS,
|
||||||
|
)
|
||||||
|
if build.returncode != 0:
|
||||||
|
tail = "\n".join((build.stdout + build.stderr).strip().splitlines()[-20:])
|
||||||
|
die(f"buildah build in the builder VM failed:\n{tail}")
|
||||||
|
|
||||||
|
|
||||||
|
def _smoke_test(private_key: Path, guest_ip: str, argv: tuple[str, ...]) -> None:
|
||||||
|
"""Run the provider's smoke argv inside the freshly built image
|
||||||
|
(`buildah run`, which uses the image's own PATH), failing the build
|
||||||
|
loudly if the CLI is a broken stub. No-op without a declared test."""
|
||||||
|
if not argv:
|
||||||
|
return
|
||||||
|
cmd = (
|
||||||
|
f"set -e; ctr=$(buildah from {_STORE_FLAG} {_LOCAL_TAG}); "
|
||||||
|
f"buildah run {_BUILD_FLAGS} \"$ctr\" -- {' '.join(argv)}; rc=$?; "
|
||||||
|
f"buildah rm \"$ctr\" >/dev/null 2>&1 || true; exit $rc"
|
||||||
|
)
|
||||||
|
result = _ssh(private_key, guest_ip, cmd, timeout=120)
|
||||||
|
if result.returncode != 0:
|
||||||
|
detail = (result.stdout + result.stderr).strip().splitlines()[-10:]
|
||||||
|
die(f"agent image failed its post-build smoke test "
|
||||||
|
f"({' '.join(argv)}):\n" + "\n".join(detail))
|
||||||
|
|
||||||
|
|
||||||
|
def _stream_rootfs(private_key: Path, guest_ip: str, base: Path) -> None:
|
||||||
|
"""`buildah mount` the built image in the VM and pipe its rootfs tar
|
||||||
|
straight into `base` on the host (extracted as the non-root host user, so
|
||||||
|
uid 0 isn't preserved — the guest init restores /root ownership, same as
|
||||||
|
the docker-export path)."""
|
||||||
|
export = (
|
||||||
|
f"set -e; ctr=$(buildah from {_STORE_FLAG} {_LOCAL_TAG}); "
|
||||||
|
f"mnt=$(buildah mount {_STORE_FLAG} \"$ctr\"); "
|
||||||
|
f"tar -C \"$mnt\" -cf - ."
|
||||||
|
)
|
||||||
|
ssh_proc = subprocess.Popen(
|
||||||
|
util.ssh_base_argv(private_key, guest_ip) + [export],
|
||||||
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE,
|
||||||
|
)
|
||||||
|
assert ssh_proc.stdout is not None
|
||||||
|
untar = subprocess.run(
|
||||||
|
["tar", "-x", "-C", str(base)], stdin=ssh_proc.stdout, check=False,
|
||||||
|
)
|
||||||
|
ssh_proc.stdout.close()
|
||||||
|
ssh_err = (ssh_proc.stderr.read().decode(errors="replace")
|
||||||
|
if ssh_proc.stderr else "")
|
||||||
|
rc = ssh_proc.wait()
|
||||||
|
if rc != 0 or untar.returncode != 0:
|
||||||
|
die(f"exporting the built rootfs from the builder VM failed: "
|
||||||
|
f"{ssh_err.strip() or '<no stderr>'}")
|
||||||
@@ -0,0 +1,116 @@
|
|||||||
|
"""Empirical, post-boot isolation probe — the authoritative fail-closed
|
||||||
|
egress-boundary check.
|
||||||
|
|
||||||
|
The pre-boot nft check can't be trusted on every host (listing an
|
||||||
|
nftables table typically needs root; the launcher runs unprivileged).
|
||||||
|
So before the agent ever runs, we prove the boundary directly: open a
|
||||||
|
canary TCP listener on a host IP the VM must NOT be able to reach (the
|
||||||
|
host's primary non-TAP address), then have the guest try to connect. If
|
||||||
|
the isolation rules are in force the connection is dropped and times
|
||||||
|
out; if it succeeds, the VM can reach host services it shouldn't — a
|
||||||
|
sandbox escape — and we refuse to continue.
|
||||||
|
|
||||||
|
The listener is load-bearing: without it a "blocked" result could just
|
||||||
|
be connection-refused. With it, a reachable canary means a real leak
|
||||||
|
and a timeout means a real drop.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import socket
|
||||||
|
import subprocess
|
||||||
|
import threading
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...log import die, info, warn
|
||||||
|
from . import util
|
||||||
|
|
||||||
|
|
||||||
|
def _host_primary_ip() -> str:
|
||||||
|
"""The source IP the host uses for off-box traffic (its LAN
|
||||||
|
address) — a canary the VM must not reach. Empty if the host has no
|
||||||
|
such route (isolated box)."""
|
||||||
|
result = subprocess.run(
|
||||||
|
["ip", "-o", "route", "get", "1.1.1.1"],
|
||||||
|
capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
if result.returncode != 0:
|
||||||
|
return ""
|
||||||
|
tokens = result.stdout.split()
|
||||||
|
# `... src <addr> ...` — the address the host would use as source.
|
||||||
|
if "src" in tokens:
|
||||||
|
idx = tokens.index("src")
|
||||||
|
if idx + 1 < len(tokens):
|
||||||
|
return tokens[idx + 1]
|
||||||
|
return ""
|
||||||
|
|
||||||
|
|
||||||
|
# Guest-side connect test: exit 0 = reached the canary (LEAK), 1 =
|
||||||
|
# blocked (good), 2 = no usable tool (inconclusive -> fail-closed).
|
||||||
|
_GUEST_PROBE = r"""
|
||||||
|
h="$1"; p="$2"
|
||||||
|
if command -v python3 >/dev/null 2>&1; then
|
||||||
|
python3 - "$h" "$p" <<'PY'
|
||||||
|
import socket, sys
|
||||||
|
s = socket.socket(); s.settimeout(3)
|
||||||
|
sys.exit(0 if s.connect_ex((sys.argv[1], int(sys.argv[2]))) == 0 else 1)
|
||||||
|
PY
|
||||||
|
elif command -v bash >/dev/null 2>&1; then
|
||||||
|
timeout 3 bash -c "exec 3<>/dev/tcp/$h/$p" >/dev/null 2>&1
|
||||||
|
elif command -v nc >/dev/null 2>&1; then
|
||||||
|
nc -w3 -z "$h" "$p" >/dev/null 2>&1
|
||||||
|
else
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
def verify_isolation(private_key: Path, guest_ip: str) -> None:
|
||||||
|
"""Prove the VM cannot reach the host's primary IP. Dies
|
||||||
|
(fail-closed) on a confirmed leak or if the guest has no tool to
|
||||||
|
run the test. Warns (does not fail) when the host has no canary
|
||||||
|
address to test against."""
|
||||||
|
canary_ip = _host_primary_ip()
|
||||||
|
if not canary_ip:
|
||||||
|
warn("isolation probe skipped: host has no non-TAP route to test "
|
||||||
|
"against (isolated box).")
|
||||||
|
return
|
||||||
|
|
||||||
|
listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
||||||
|
listener.bind((canary_ip, 0))
|
||||||
|
listener.listen(1)
|
||||||
|
listener.settimeout(6)
|
||||||
|
canary_port = listener.getsockname()[1]
|
||||||
|
|
||||||
|
accepted: list[bool] = []
|
||||||
|
|
||||||
|
def _accept() -> None:
|
||||||
|
try:
|
||||||
|
conn, _ = listener.accept()
|
||||||
|
accepted.append(True)
|
||||||
|
conn.close()
|
||||||
|
except OSError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
thread = threading.Thread(target=_accept, daemon=True)
|
||||||
|
thread.start()
|
||||||
|
|
||||||
|
ssh = util.ssh_base_argv(private_key, guest_ip)
|
||||||
|
result = subprocess.run(
|
||||||
|
[*ssh, "--", "sh", "-s", "--", canary_ip, str(canary_port)],
|
||||||
|
input=_GUEST_PROBE, capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
thread.join(timeout=7)
|
||||||
|
listener.close()
|
||||||
|
|
||||||
|
if result.returncode == 0 or accepted:
|
||||||
|
die(f"ISOLATION FAILURE: the VM reached the host canary "
|
||||||
|
f"{canary_ip}:{canary_port}. The egress boundary is not in "
|
||||||
|
f"force — refusing to run the agent (fail-closed). Verify the "
|
||||||
|
f"nft table with: ./cli.py backend setup --backend=firecracker")
|
||||||
|
if result.returncode == 2:
|
||||||
|
die("isolation probe inconclusive: the guest has no python3/bash/nc "
|
||||||
|
"to run the connectivity test. Refusing to continue "
|
||||||
|
"(fail-closed).")
|
||||||
|
info(f"isolation verified: VM cannot reach host {canary_ip}")
|
||||||
@@ -0,0 +1,253 @@
|
|||||||
|
"""Launch flow for the Firecracker backend (PRD 0070, consolidated).
|
||||||
|
|
||||||
|
Per bottle:
|
||||||
|
1. build the agent image (docker), export it to a cached ext4 rootfs;
|
||||||
|
2. ensure the per-host orchestrator + shared gateway are up;
|
||||||
|
3. claim a free TAP pool slot (rootless flock);
|
||||||
|
4. register the bottle on the orchestrator by the VM's guest IP (the
|
||||||
|
attribution key) and provision its git-gate state into the gateway;
|
||||||
|
5. boot the microVM on that TAP; wait for SSH;
|
||||||
|
6. provision (shared gateway CA, prompt, skills, workspace, git, supervise)
|
||||||
|
over SSH.
|
||||||
|
|
||||||
|
The per-bottle Docker sidecar bundle is gone. The shared gateway handles
|
||||||
|
egress / git-gate / supervise for every VM; Docker's PREROUTING DNAT routes
|
||||||
|
the VMs' traffic to it, and the nft table's `ct status dnat accept` rule
|
||||||
|
in the forward chain lets it pass. The VM still sends to `host_tap_ip:PORT`
|
||||||
|
— the address its world is, by nft design, limited to.
|
||||||
|
|
||||||
|
Isolation is enforced by the operator-provisioned nft table (checked
|
||||||
|
fail-closed in preflight): a VM reaches only the sidecar (DNAT'd from
|
||||||
|
the host TAP IP) and nothing else.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import dataclasses
|
||||||
|
import os
|
||||||
|
from contextlib import ExitStack, contextmanager
|
||||||
|
from pathlib import Path
|
||||||
|
from typing import Callable, Generator
|
||||||
|
|
||||||
|
from ...agent_provider import runtime_for
|
||||||
|
from ...bottle_state import (
|
||||||
|
egress_state_dir,
|
||||||
|
git_gate_state_dir,
|
||||||
|
read_committed_image,
|
||||||
|
)
|
||||||
|
from ...egress import (
|
||||||
|
egress_agent_env_entries,
|
||||||
|
egress_resolve_token_values,
|
||||||
|
)
|
||||||
|
from ...git_gate import (
|
||||||
|
provision_git_gate_dynamic_keys,
|
||||||
|
revoke_git_gate_provisioned_keys,
|
||||||
|
)
|
||||||
|
from ...log import info, warn
|
||||||
|
from ...supervise import SUPERVISE_PORT
|
||||||
|
from ..docker import util as docker_mod
|
||||||
|
from ..docker.egress import EGRESS_PORT
|
||||||
|
from ..util import AGENT_CA_BUNDLE, AGENT_CA_PATH
|
||||||
|
from . import firecracker_vm, image_builder, isolation_probe, netpool, util
|
||||||
|
from .bottle import FirecrackerBottle
|
||||||
|
from .bottle_plan import FirecrackerBottlePlan
|
||||||
|
from .consolidated_launch import (
|
||||||
|
launch_consolidated,
|
||||||
|
teardown_consolidated,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
_GIT_HTTP_PORT = 9420
|
||||||
|
|
||||||
|
|
||||||
|
@contextmanager
|
||||||
|
def launch(
|
||||||
|
plan: FirecrackerBottlePlan,
|
||||||
|
*,
|
||||||
|
provision: Callable[[FirecrackerBottlePlan, "FirecrackerBottle"], str | None],
|
||||||
|
) -> Generator[FirecrackerBottle, None, None]:
|
||||||
|
"""Build, launch, and provision a Firecracker bottle via the consolidated
|
||||||
|
orchestrator. Teardown on exit."""
|
||||||
|
stack = ExitStack()
|
||||||
|
bottle_for_revoke = plan.manifest.bottle
|
||||||
|
git_gate_dir_for_revoke = git_gate_state_dir(plan.slug)
|
||||||
|
|
||||||
|
def teardown() -> None:
|
||||||
|
teardown_exc: BaseException | None = None
|
||||||
|
try:
|
||||||
|
stack.close()
|
||||||
|
except BaseException as exc: # noqa: W0718 - teardown must continue
|
||||||
|
teardown_exc = exc
|
||||||
|
warn(f"firecracker teardown failed: {exc!r}")
|
||||||
|
revoke_git_gate_provisioned_keys(bottle_for_revoke, git_gate_dir_for_revoke)
|
||||||
|
if teardown_exc is not None:
|
||||||
|
raise teardown_exc
|
||||||
|
|
||||||
|
try:
|
||||||
|
# Step 1: agent rootfs. Built from the Dockerfile inside a Firecracker
|
||||||
|
# builder VM (buildah, no host docker); a committed snapshot is reused
|
||||||
|
# when present. Returns the base dir the per-bottle ext4 is made from.
|
||||||
|
plan, agent_base = _build_agent_base(plan)
|
||||||
|
|
||||||
|
# Step 2: mint the git-gate dynamic (gitea) deploy keys, if any.
|
||||||
|
git_gate_plan = plan.git_gate_plan
|
||||||
|
if git_gate_plan.upstreams:
|
||||||
|
git_gate_plan = provision_git_gate_dynamic_keys(
|
||||||
|
plan.manifest.bottle, git_gate_plan, git_gate_state_dir(plan.slug),
|
||||||
|
)
|
||||||
|
|
||||||
|
# Step 3: claim a TAP slot; the flock is held until teardown.
|
||||||
|
slot, lock = netpool.allocate(plan.slug)
|
||||||
|
stack.callback(lock.close)
|
||||||
|
info(f"firecracker slot {slot.iface}: host={slot.host_ip} "
|
||||||
|
f"guest={slot.guest_ip}")
|
||||||
|
|
||||||
|
# Step 4: register on the orchestrator + provision this bottle's
|
||||||
|
# git-gate state into the shared gateway. The per-bottle egress tokens
|
||||||
|
# are resolved from the host env now and handed to the orchestrator
|
||||||
|
# (in memory) for the gateway to inject — the agent never sees them.
|
||||||
|
# Attribution is by the VM's guest IP (unspoofable via /31 TAP + nft).
|
||||||
|
effective_env = {**os.environ, **plan.agent_provision.provisioned_env}
|
||||||
|
token_values = egress_resolve_token_values(
|
||||||
|
plan.egress_plan.token_env_map, effective_env,
|
||||||
|
)
|
||||||
|
ctx = launch_consolidated(
|
||||||
|
plan.egress_plan, git_gate_plan,
|
||||||
|
guest_ip=slot.guest_ip,
|
||||||
|
image_ref=plan.image,
|
||||||
|
tokens=token_values,
|
||||||
|
)
|
||||||
|
stack.callback(
|
||||||
|
teardown_consolidated, ctx.bottle_id,
|
||||||
|
orchestrator_url=ctx.orchestrator_url,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Step 5: install the SHARED gateway CA (replaces the per-bottle CA).
|
||||||
|
# Write it to a stable host path so the provisioner can copy it over SSH.
|
||||||
|
ca_dir = egress_state_dir(plan.slug) / "gateway-ca"
|
||||||
|
ca_dir.mkdir(parents=True, exist_ok=True)
|
||||||
|
ca_file = ca_dir / "gateway-ca.pem"
|
||||||
|
ca_file.write_text(ctx.gateway_ca_pem)
|
||||||
|
egress_plan = dataclasses.replace(
|
||||||
|
plan.egress_plan,
|
||||||
|
mitmproxy_ca_host_path=ca_file,
|
||||||
|
mitmproxy_ca_cert_only_host_path=ca_file,
|
||||||
|
)
|
||||||
|
# Point the agent's git-gate insteadOf rewrites and supervise MCP URL
|
||||||
|
# at the shared gateway (reached at the slot's host TAP IP — the VM
|
||||||
|
# sends there and Docker DNAT routes to the gateway container).
|
||||||
|
git_gate_url = (
|
||||||
|
f"http://{slot.host_ip}:{_GIT_HTTP_PORT}" if git_gate_plan.upstreams else ""
|
||||||
|
)
|
||||||
|
supervise_url = (
|
||||||
|
f"http://{slot.host_ip}:{SUPERVISE_PORT}/"
|
||||||
|
if plan.supervise_plan is not None else ""
|
||||||
|
)
|
||||||
|
plan = dataclasses.replace(
|
||||||
|
plan,
|
||||||
|
git_gate_plan=git_gate_plan,
|
||||||
|
egress_plan=egress_plan,
|
||||||
|
agent_proxy_url=f"http://{slot.host_ip}:{EGRESS_PORT}",
|
||||||
|
agent_git_gate_url=git_gate_url,
|
||||||
|
agent_supervise_url=supervise_url,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Step 6: build the per-bottle rootfs + SSH key, then boot.
|
||||||
|
run_dir = util.cache_dir() / "run" / plan.slug
|
||||||
|
run_dir.mkdir(parents=True, exist_ok=True)
|
||||||
|
rootfs = run_dir / "rootfs.ext4"
|
||||||
|
util.build_rootfs_ext4(agent_base, rootfs)
|
||||||
|
private_key, pubkey = util.generate_keypair(run_dir)
|
||||||
|
|
||||||
|
vm = firecracker_vm.boot(
|
||||||
|
name=plan.container_name,
|
||||||
|
rootfs=rootfs,
|
||||||
|
tap=slot.iface,
|
||||||
|
guest_ip=slot.guest_ip,
|
||||||
|
host_ip=slot.host_ip,
|
||||||
|
pubkey=pubkey,
|
||||||
|
run_dir=run_dir,
|
||||||
|
)
|
||||||
|
stack.callback(vm.terminate)
|
||||||
|
firecracker_vm.wait_for_ssh(vm, private_key)
|
||||||
|
|
||||||
|
# Authoritative fail-closed egress-boundary check, before the agent
|
||||||
|
# runs: prove the VM cannot reach the host directly.
|
||||||
|
isolation_probe.verify_isolation(private_key, slot.guest_ip)
|
||||||
|
|
||||||
|
bottle = FirecrackerBottle(
|
||||||
|
plan.container_name,
|
||||||
|
private_key=private_key,
|
||||||
|
guest_ip=slot.guest_ip,
|
||||||
|
guest_env=_agent_guest_env(plan, slot.host_ip),
|
||||||
|
agent_command=plan.agent_command,
|
||||||
|
agent_prompt_mode=plan.agent_prompt_mode,
|
||||||
|
agent_provider_template=plan.agent_provider_template,
|
||||||
|
terminal_title=(
|
||||||
|
f"{plan.spec.label} ({plan.spec.agent_name})"
|
||||||
|
if plan.spec.label else plan.spec.agent_name
|
||||||
|
),
|
||||||
|
terminal_color=plan.spec.color,
|
||||||
|
agent_workdir=plan.workspace_plan.workdir,
|
||||||
|
)
|
||||||
|
bottle.prompt_path = provision(plan, bottle)
|
||||||
|
|
||||||
|
yield bottle
|
||||||
|
finally:
|
||||||
|
teardown()
|
||||||
|
|
||||||
|
|
||||||
|
def _build_agent_base(
|
||||||
|
plan: FirecrackerBottlePlan,
|
||||||
|
) -> tuple[FirecrackerBottlePlan, Path]:
|
||||||
|
"""Produce the agent's base rootfs dir. Primary path: build the Dockerfile
|
||||||
|
inside a Firecracker builder VM (buildah, no host docker), smoke-testing
|
||||||
|
the image before export. A committed snapshot (freeze/migrate) is still
|
||||||
|
exported via the host docker path until that is ported too."""
|
||||||
|
committed = read_committed_image(plan.slug)
|
||||||
|
if committed and docker_mod.image_exists(committed):
|
||||||
|
info(f"using committed image {committed!r}")
|
||||||
|
plan = dataclasses.replace(
|
||||||
|
plan,
|
||||||
|
agent_provision=dataclasses.replace(plan.agent_provision, image=committed),
|
||||||
|
)
|
||||||
|
return plan, util.build_base_rootfs_dir(committed)
|
||||||
|
base = image_builder.build_agent_rootfs_dir(
|
||||||
|
Path(plan.dockerfile_path),
|
||||||
|
image_tag=plan.image,
|
||||||
|
smoke_test=runtime_for(plan.agent_provider_template).smoke_test,
|
||||||
|
)
|
||||||
|
return plan, base
|
||||||
|
|
||||||
|
|
||||||
|
# --- agent guest env -------------------------------------------------
|
||||||
|
|
||||||
|
def _agent_guest_env(plan: FirecrackerBottlePlan, host_ip: str) -> dict[str, str]:
|
||||||
|
"""Env injected into every agent/exec call over SSH. The VM has no
|
||||||
|
baked process env (it just runs init), so the proxy/CA/git/supervise
|
||||||
|
wiring is applied per-invocation."""
|
||||||
|
proxy_url = f"http://{host_ip}:{EGRESS_PORT}"
|
||||||
|
no_proxy = f"localhost,127.0.0.1,{host_ip}"
|
||||||
|
env: dict[str, str] = {
|
||||||
|
"HTTPS_PROXY": proxy_url, "HTTP_PROXY": proxy_url,
|
||||||
|
"https_proxy": proxy_url, "http_proxy": proxy_url,
|
||||||
|
"NO_PROXY": no_proxy, "no_proxy": no_proxy,
|
||||||
|
"NODE_EXTRA_CA_CERTS": AGENT_CA_PATH,
|
||||||
|
"SSL_CERT_FILE": AGENT_CA_BUNDLE,
|
||||||
|
"REQUESTS_CA_BUNDLE": AGENT_CA_BUNDLE,
|
||||||
|
}
|
||||||
|
if plan.agent_git_gate_url:
|
||||||
|
env["GIT_GATE_URL"] = plan.agent_git_gate_url
|
||||||
|
if plan.agent_supervise_url:
|
||||||
|
env["MCP_SUPERVISE_URL"] = plan.agent_supervise_url
|
||||||
|
for entry in egress_agent_env_entries(plan.egress_plan):
|
||||||
|
key, _, value = entry.partition("=")
|
||||||
|
env[key] = value
|
||||||
|
env.update(plan.agent_provision.guest_env)
|
||||||
|
# Forwarded (bare-name) env: resolve host values now, since the VM
|
||||||
|
# can't inherit them from a `docker run --env NAME`.
|
||||||
|
for name in plan.forwarded_env:
|
||||||
|
value = os.environ.get(name)
|
||||||
|
if value is not None:
|
||||||
|
env[name] = value
|
||||||
|
return env
|
||||||
@@ -0,0 +1,25 @@
|
|||||||
|
# Firecracker network-pool defaults — the SINGLE source of these values.
|
||||||
|
#
|
||||||
|
# Read by every consumer so they can't drift:
|
||||||
|
# * netpool.py — parses this for the Python defaults (below).
|
||||||
|
# * scripts/firecracker-netpool.sh — falls back to these when the
|
||||||
|
# matching BOT_BOTTLE_FC_* env var is unset.
|
||||||
|
# * nix/firecracker-netpool.nix — readFile-parses this for its option
|
||||||
|
# defaults, then passes the resolved values back as Environment=.
|
||||||
|
#
|
||||||
|
# Plain KEY=VALUE (no quoting, no inline comments, no spaces around `=`)
|
||||||
|
# so it is bash-sourceable, systemd EnvironmentFile-compatible, and
|
||||||
|
# trivially parseable from Python and Nix. A real BOT_BOTTLE_FC_* env
|
||||||
|
# var of the same name always overrides the value here.
|
||||||
|
BOT_BOTTLE_FC_POOL_SIZE=8
|
||||||
|
BOT_BOTTLE_FC_IP_BASE=10.243.0.0
|
||||||
|
BOT_BOTTLE_FC_IFACE_PREFIX=bbfc
|
||||||
|
BOT_BOTTLE_FC_NFT_TABLE=bot_bottle_fc
|
||||||
|
# The orchestrator/gateway VM's own TAP — a dedicated link OUTSIDE the
|
||||||
|
# bbfc* agent pool. Unlike agent VMs (which reach only their gateway),
|
||||||
|
# the orchestrator is trusted infra that needs real NAT'd internet
|
||||||
|
# egress: to FROM-pull + apt/npm during in-VM agent-image builds
|
||||||
|
# (buildah) and to forward agent egress upstream (Stage B gateway). Its
|
||||||
|
# /31 is the top of the IP_BASE /16 (host x.y.255.0, guest x.y.255.1),
|
||||||
|
# clear of the pool near the bottom of the block.
|
||||||
|
BOT_BOTTLE_FC_ORCH_IFACE=bborch0
|
||||||
@@ -0,0 +1,346 @@
|
|||||||
|
"""Firecracker network pool: constants, IP math, allocation, and the
|
||||||
|
config renderers (shell command + NixOS module) shown to operators.
|
||||||
|
|
||||||
|
The Firecracker backend needs a privileged one-time network setup:
|
||||||
|
a pool of point-to-point TAP devices (owned by the invoking user, so
|
||||||
|
`./cli.py start` never needs root) and a dedicated nftables table that
|
||||||
|
isolates every VM. The pool parameters live in exactly one place —
|
||||||
|
`netpool.defaults.env`, a plain KEY=VALUE file next to this module —
|
||||||
|
and every consumer reads *that*: this module (below), the shell script
|
||||||
|
(`scripts/firecracker-netpool.sh`), and the NixOS module
|
||||||
|
(`nix/firecracker-netpool.nix`). A `BOT_BOTTLE_FC_*` env var of the
|
||||||
|
same name always overrides the file, and the backend's fail-closed
|
||||||
|
preflight derives from these accessors, so nothing can drift.
|
||||||
|
|
||||||
|
Topology (per slot i):
|
||||||
|
* TAP ``bbfc{i}`` — no shared bridge, so no docker0 / virbr0 / cni0
|
||||||
|
/ br-* collisions.
|
||||||
|
* a /31 host<->guest link: host = base + 2i (the gateway the VM
|
||||||
|
routes through), guest = base + 2i + 1 (the VM's address).
|
||||||
|
* isolation via ``table inet bot_bottle_fc``: a VM reaches only its
|
||||||
|
own gateway (DNAT'd from the host TAP IP) and nothing else.
|
||||||
|
|
||||||
|
The default IP block is ``10.243.0.0/16`` — an intentionally obscure
|
||||||
|
corner of RFC-1918 private space. RFC-1918 is the range *designated*
|
||||||
|
for private links; we pick a high, unusual /16 to steer clear of the
|
||||||
|
common occupants (Docker's 172.17-31, libvirt's 192.168.122, k8s
|
||||||
|
10.42/10.244, and typical home LANs on 192.168.0/1.x or 10.0.0.x).
|
||||||
|
We deliberately avoid ``100.64.0.0/10`` (RFC-6598 CGNAT) because
|
||||||
|
Tailscale hands out node addresses from exactly that range. No default
|
||||||
|
is collision-proof, so `overlapping_routes()` is the real guard —
|
||||||
|
`backend setup`/`status` and the launch preflight call it to catch
|
||||||
|
a base that clashes with something already on the host.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import fcntl
|
||||||
|
import ipaddress
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
|
from dataclasses import dataclass
|
||||||
|
from pathlib import Path
|
||||||
|
from typing import IO
|
||||||
|
|
||||||
|
from ...log import die
|
||||||
|
|
||||||
|
|
||||||
|
# The pool defaults live in one shared file (see module docstring); the
|
||||||
|
# shell script and NixOS module read the same file, so the values can't
|
||||||
|
# drift. This is a packaged data file — a missing/broken install is a
|
||||||
|
# hard error, surfaced here rather than as confusing empty defaults.
|
||||||
|
DEFAULTS_FILE = Path(__file__).with_name("netpool.defaults.env")
|
||||||
|
|
||||||
|
|
||||||
|
def _load_defaults() -> dict[str, str]:
|
||||||
|
out: dict[str, str] = {}
|
||||||
|
for raw in DEFAULTS_FILE.read_text().splitlines():
|
||||||
|
line = raw.strip()
|
||||||
|
if not line or line.startswith("#") or "=" not in line:
|
||||||
|
continue
|
||||||
|
key, _, value = line.partition("=")
|
||||||
|
out[key.strip()] = value.strip()
|
||||||
|
return out
|
||||||
|
|
||||||
|
|
||||||
|
_DEFAULTS = _load_defaults()
|
||||||
|
|
||||||
|
|
||||||
|
def _cfg(key: str) -> str:
|
||||||
|
"""A `BOT_BOTTLE_FC_*` env var overrides the shared-file default."""
|
||||||
|
try:
|
||||||
|
return os.environ.get(key) or _DEFAULTS[key]
|
||||||
|
except KeyError:
|
||||||
|
die(f"{key} is missing from {DEFAULTS_FILE.name} (broken install)")
|
||||||
|
|
||||||
|
|
||||||
|
# Interface names are capped at 15 chars (IFNAMSIZ-1); "bbfc" + a small
|
||||||
|
# index stays well under that and is distinctive enough to grep for.
|
||||||
|
IFACE_PREFIX = _cfg("BOT_BOTTLE_FC_IFACE_PREFIX")
|
||||||
|
NFT_TABLE = _cfg("BOT_BOTTLE_FC_NFT_TABLE")
|
||||||
|
|
||||||
|
# The orchestrator/gateway VM's dedicated TAP — outside the bbfc* agent
|
||||||
|
# pool and, unlike it, NAT'd to the internet (see `orch_slot`). The
|
||||||
|
# orchestrator is trusted infra: it builds agent images in-VM (buildah
|
||||||
|
# needs to FROM-pull + apt/npm) and forwards agent egress upstream.
|
||||||
|
ORCH_IFACE = _cfg("BOT_BOTTLE_FC_ORCH_IFACE")
|
||||||
|
|
||||||
|
|
||||||
|
def pool_size() -> int:
|
||||||
|
return int(_cfg("BOT_BOTTLE_FC_POOL_SIZE"))
|
||||||
|
|
||||||
|
|
||||||
|
def ip_base() -> str:
|
||||||
|
return _cfg("BOT_BOTTLE_FC_IP_BASE")
|
||||||
|
|
||||||
|
|
||||||
|
# Gateway ports the VM reaches at its host-side TAP IP. Kept in sync
|
||||||
|
# with the backend constants (egress 9099, supervise 9100, git-http
|
||||||
|
# 9420); rendered into the setup output for operator visibility.
|
||||||
|
GATEWAY_PORTS = (9099, 9100, 9420)
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class Slot:
|
||||||
|
"""One pool slot: a TAP device and its host/guest /31 addresses."""
|
||||||
|
|
||||||
|
index: int
|
||||||
|
iface: str
|
||||||
|
host_ip: str
|
||||||
|
guest_ip: str
|
||||||
|
|
||||||
|
@property
|
||||||
|
def guest_cidr(self) -> str:
|
||||||
|
"""Guest address with the /31 prefix, for the kernel `ip=` arg."""
|
||||||
|
return f"{self.guest_ip}/31"
|
||||||
|
|
||||||
|
|
||||||
|
def slot(index: int) -> Slot:
|
||||||
|
base = int(ipaddress.IPv4Address(ip_base()))
|
||||||
|
return Slot(
|
||||||
|
index=index,
|
||||||
|
iface=f"{IFACE_PREFIX}{index}",
|
||||||
|
host_ip=str(ipaddress.IPv4Address(base + 2 * index)),
|
||||||
|
guest_ip=str(ipaddress.IPv4Address(base + 2 * index + 1)),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def all_slots() -> list[Slot]:
|
||||||
|
return [slot(i) for i in range(pool_size())]
|
||||||
|
|
||||||
|
|
||||||
|
def orch_slot() -> Slot:
|
||||||
|
"""The orchestrator/gateway VM's dedicated link — its own TAP
|
||||||
|
(`ORCH_IFACE`) on a /31 at the TOP of the IP_BASE /16 (host
|
||||||
|
x.y.255.0, guest x.y.255.1), well clear of the agent pool near the
|
||||||
|
bottom of the block. Unlike a pool `Slot`, this link is NAT'd out to
|
||||||
|
the internet by the setup (the orchestrator is trusted infra), so it
|
||||||
|
is deliberately *not* one of the isolated `bbfc*` slots.
|
||||||
|
|
||||||
|
`index` is -1 (sentinel: not a pool index)."""
|
||||||
|
base16 = int(ipaddress.IPv4Address(ip_base())) & 0xFFFF0000
|
||||||
|
host = base16 + 0xFF00
|
||||||
|
return Slot(
|
||||||
|
index=-1,
|
||||||
|
iface=ORCH_IFACE,
|
||||||
|
host_ip=str(ipaddress.IPv4Address(host)),
|
||||||
|
guest_ip=str(ipaddress.IPv4Address(host + 1)),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# --- fail-closed verification ---------------------------------------
|
||||||
|
|
||||||
|
def _run_ok(argv: list[str]) -> bool:
|
||||||
|
"""Run a probe command, treating a missing binary as failure
|
||||||
|
(rather than crashing) so callers can stay fail-closed."""
|
||||||
|
try:
|
||||||
|
return subprocess.run(
|
||||||
|
argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
|
||||||
|
check=False,
|
||||||
|
).returncode == 0
|
||||||
|
except FileNotFoundError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def nft_table_present() -> bool:
|
||||||
|
"""True iff the isolation table exists in the active nftables
|
||||||
|
backend. The backend's preflight treats absence as fatal — the VM
|
||||||
|
must not boot without its egress boundary in place.
|
||||||
|
|
||||||
|
Listing may require root; when it can't be confirmed here the
|
||||||
|
launch path falls back to an empirical post-boot isolation probe.
|
||||||
|
Returns False (fail-closed) if `nft` is unavailable."""
|
||||||
|
return _run_ok(["nft", "list", "table", "inet", NFT_TABLE])
|
||||||
|
|
||||||
|
|
||||||
|
def tap_present(iface: str) -> bool:
|
||||||
|
# `ip link show` is unprivileged, so the TAP-pool check is reliable
|
||||||
|
# for the non-root launcher.
|
||||||
|
return _run_ok(["ip", "link", "show", iface])
|
||||||
|
|
||||||
|
|
||||||
|
def missing_taps() -> list[str]:
|
||||||
|
"""Pool TAPs that the one-time setup has not created yet."""
|
||||||
|
return [s.iface for s in all_slots() if not tap_present(s.iface)]
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class RouteConflict:
|
||||||
|
"""An existing host route whose destination overlaps the pool range
|
||||||
|
but isn't one of our own bbfc TAPs — i.e. the chosen IP base clashes
|
||||||
|
with something already on the host (a Tailscale CGNAT peer, a
|
||||||
|
docker/libvirt bridge, the LAN…)."""
|
||||||
|
|
||||||
|
dst: str
|
||||||
|
dev: str
|
||||||
|
|
||||||
|
|
||||||
|
def _pool_span() -> tuple[int, int]:
|
||||||
|
"""Inclusive [first, last] integer bounds of every address the pool
|
||||||
|
occupies: base .. base + 2*pool_size - 1."""
|
||||||
|
base = int(ipaddress.IPv4Address(ip_base()))
|
||||||
|
return base, base + 2 * pool_size() - 1
|
||||||
|
|
||||||
|
|
||||||
|
def overlapping_routes() -> list[RouteConflict]:
|
||||||
|
"""Existing routes whose destination overlaps the pool's address
|
||||||
|
range, excluding our own `bbfc*` TAP routes and the default route.
|
||||||
|
|
||||||
|
A non-empty result means `BOT_BOTTLE_FC_IP_BASE` collides with
|
||||||
|
something already configured on this host, so the pool would shadow
|
||||||
|
(or be shadowed by) it. Empty on success — or when `ip` is missing
|
||||||
|
or unparseable, since this is an advisory guard, not the fail-closed
|
||||||
|
isolation check (that's the nft table + post-boot probe)."""
|
||||||
|
import json
|
||||||
|
|
||||||
|
try:
|
||||||
|
proc = subprocess.run(
|
||||||
|
["ip", "-json", "route", "show", "table", "all"],
|
||||||
|
capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
except FileNotFoundError:
|
||||||
|
return []
|
||||||
|
if proc.returncode != 0 or not proc.stdout.strip():
|
||||||
|
return []
|
||||||
|
try:
|
||||||
|
routes = json.loads(proc.stdout)
|
||||||
|
except json.JSONDecodeError:
|
||||||
|
return []
|
||||||
|
|
||||||
|
lo, hi = _pool_span()
|
||||||
|
conflicts: list[RouteConflict] = []
|
||||||
|
for r in routes:
|
||||||
|
if not isinstance(r, dict):
|
||||||
|
continue
|
||||||
|
dst = r.get("dst")
|
||||||
|
dev = r.get("dev", "")
|
||||||
|
if not isinstance(dst, str) or dst in ("", "default"):
|
||||||
|
continue
|
||||||
|
if isinstance(dev, str) and dev.startswith(IFACE_PREFIX):
|
||||||
|
continue # our own pool link
|
||||||
|
try:
|
||||||
|
net = ipaddress.ip_network(dst, strict=False)
|
||||||
|
except ValueError:
|
||||||
|
continue
|
||||||
|
if net.version != 4:
|
||||||
|
continue
|
||||||
|
r_lo = int(net.network_address)
|
||||||
|
r_hi = int(net.broadcast_address)
|
||||||
|
if r_lo <= hi and lo <= r_hi: # ranges intersect
|
||||||
|
conflicts.append(RouteConflict(dst=dst, dev=str(dev)))
|
||||||
|
return conflicts
|
||||||
|
|
||||||
|
|
||||||
|
# --- allocation ------------------------------------------------------
|
||||||
|
|
||||||
|
def _lock_dir() -> Path:
|
||||||
|
d = Path.home() / ".cache" / "bot-bottle" / "firecracker" / "pool"
|
||||||
|
d.mkdir(parents=True, exist_ok=True)
|
||||||
|
return d
|
||||||
|
|
||||||
|
|
||||||
|
def allocate(slug: str) -> tuple[Slot, IO[str]]:
|
||||||
|
"""Claim a free pool slot for one bottle. Returns the slot and the
|
||||||
|
held lock file — the caller keeps it open for the VM's lifetime and
|
||||||
|
closes it on teardown; the flock auto-releases if the launcher
|
||||||
|
crashes, so a slot is never leaked. Dies when the pool is
|
||||||
|
exhausted.
|
||||||
|
|
||||||
|
A per-slot `flock` (rather than inspecting running processes) makes
|
||||||
|
allocation race-free across concurrent launches without a central
|
||||||
|
registry: the first launcher to grab the lock owns the slot."""
|
||||||
|
del slug # logged by the caller; allocation is purely lock-driven
|
||||||
|
for s in all_slots():
|
||||||
|
lock_path = _lock_dir() / f"{s.iface}.lock"
|
||||||
|
handle = open(lock_path, "w", encoding="utf-8")
|
||||||
|
try:
|
||||||
|
fcntl.flock(handle, fcntl.LOCK_EX | fcntl.LOCK_NB)
|
||||||
|
except OSError:
|
||||||
|
handle.close()
|
||||||
|
continue
|
||||||
|
return s, handle
|
||||||
|
die(f"Firecracker TAP pool exhausted ({pool_size()} slots, all in "
|
||||||
|
f"use). Stop a running bottle or raise BOT_BOTTLE_FC_POOL_SIZE "
|
||||||
|
f"and re-run `./cli.py backend setup --backend=firecracker`.")
|
||||||
|
raise AssertionError("unreachable")
|
||||||
|
|
||||||
|
|
||||||
|
# --- config renderers (shown by `./cli.py backend setup`) -----------
|
||||||
|
|
||||||
|
# The persistent unit is the portable install: the same systemd oneshot
|
||||||
|
# on every systemd distro (Debian/Ubuntu/Fedora/RHEL/Arch/…).
|
||||||
|
SYSTEMD_UNIT = "bot-bottle-firecracker-netpool.service"
|
||||||
|
|
||||||
|
|
||||||
|
def render_shell_setup() -> str:
|
||||||
|
"""The imperative one-shot command — non-persistent fallback for
|
||||||
|
hosts without systemd (OpenRC/runit/manual)."""
|
||||||
|
env = _nondefault_env()
|
||||||
|
prefix = f"{env} " if env else ""
|
||||||
|
return f"sudo {prefix}./scripts/firecracker-netpool.sh up"
|
||||||
|
|
||||||
|
|
||||||
|
def render_systemd_unit(owner: str, script_path: str) -> str:
|
||||||
|
"""A portable systemd oneshot unit for the pool — identical across
|
||||||
|
every systemd distro. ExecStart/ExecStop delegate to the bundled
|
||||||
|
shell script (the single source of bring-up logic); pool params are
|
||||||
|
pinned via Environment= so the unit matches the CLI's current
|
||||||
|
settings and doesn't depend on $SUDO_USER at boot (systemd runs it
|
||||||
|
as root with no SUDO_USER, which would otherwise own the TAPs as
|
||||||
|
root and break the rootless launch)."""
|
||||||
|
return f"""[Unit]
|
||||||
|
Description=bot-bottle Firecracker TAP pool + nft isolation table
|
||||||
|
After=network-pre.target
|
||||||
|
Wants=network-pre.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
Environment=BOT_BOTTLE_FC_POOL_SIZE={pool_size()}
|
||||||
|
Environment=BOT_BOTTLE_FC_IP_BASE={ip_base()}
|
||||||
|
Environment=BOT_BOTTLE_FC_IFACE_PREFIX={IFACE_PREFIX}
|
||||||
|
Environment=BOT_BOTTLE_FC_OWNER={owner}
|
||||||
|
ExecStart={script_path} up
|
||||||
|
ExecStop={script_path} down
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
# The NixOS setup is a real, importable module (nix/firecracker-netpool.nix,
|
||||||
|
# exposed as the flake output nixosModules.firecracker-netpool) rather than a
|
||||||
|
# generated paste — see `backend setup` output.
|
||||||
|
|
||||||
|
|
||||||
|
def _nondefault_env() -> str:
|
||||||
|
"""Render any non-default pool env overrides so the printed shell
|
||||||
|
command reproduces the operator's current settings."""
|
||||||
|
pairs = []
|
||||||
|
if os.environ.get("BOT_BOTTLE_FC_POOL_SIZE"):
|
||||||
|
pairs.append(f"BOT_BOTTLE_FC_POOL_SIZE={pool_size()}")
|
||||||
|
if os.environ.get("BOT_BOTTLE_FC_IP_BASE"):
|
||||||
|
pairs.append(f"BOT_BOTTLE_FC_IP_BASE={ip_base()}")
|
||||||
|
if os.environ.get("BOT_BOTTLE_FC_IFACE_PREFIX"):
|
||||||
|
pairs.append(f"BOT_BOTTLE_FC_IFACE_PREFIX={IFACE_PREFIX}")
|
||||||
|
return " ".join(pairs)
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
"""Prepare step for the Firecracker backend."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...agent_provider import AgentProvisionPlan
|
||||||
|
from ...egress import EgressPlan
|
||||||
|
from ...env import ResolvedEnv
|
||||||
|
from ...git_gate import GitGatePlan
|
||||||
|
from ...manifest import Manifest
|
||||||
|
from ...supervise import SupervisePlan
|
||||||
|
from .. import BottleSpec
|
||||||
|
from . import util
|
||||||
|
from .bottle_plan import FirecrackerBottlePlan
|
||||||
|
|
||||||
|
|
||||||
|
def preflight() -> None:
|
||||||
|
util.require_firecracker()
|
||||||
|
|
||||||
|
|
||||||
|
def build_guest_env(resolved_env: ResolvedEnv) -> dict[str, str]:
|
||||||
|
return dict(resolved_env.literals)
|
||||||
|
|
||||||
|
|
||||||
|
def resolve_plan(
|
||||||
|
spec: BottleSpec,
|
||||||
|
manifest: Manifest,
|
||||||
|
slug: str,
|
||||||
|
resolved_env: ResolvedEnv,
|
||||||
|
agent_provision_plan: AgentProvisionPlan,
|
||||||
|
egress_plan: EgressPlan,
|
||||||
|
supervise_plan: SupervisePlan | None,
|
||||||
|
git_gate_plan: GitGatePlan,
|
||||||
|
stage_dir: Path,
|
||||||
|
) -> FirecrackerBottlePlan:
|
||||||
|
return FirecrackerBottlePlan(
|
||||||
|
spec=spec,
|
||||||
|
manifest=manifest,
|
||||||
|
stage_dir=stage_dir,
|
||||||
|
slug=slug,
|
||||||
|
forwarded_env=dict(resolved_env.forwarded),
|
||||||
|
git_gate_plan=git_gate_plan,
|
||||||
|
egress_plan=egress_plan,
|
||||||
|
supervise_plan=supervise_plan,
|
||||||
|
agent_provision=agent_provision_plan,
|
||||||
|
)
|
||||||
@@ -0,0 +1,276 @@
|
|||||||
|
"""Host setup + status for the Firecracker backend.
|
||||||
|
|
||||||
|
`setup()` prints the host-appropriate config for the privileged,
|
||||||
|
one-time network pool (TAP devices + isolation nftables table) the
|
||||||
|
backend needs. On NixOS it points at the flake module (and prints a
|
||||||
|
paste-able fallback); elsewhere it prints the sudo command for the
|
||||||
|
bundled setup script. `status()` reports what's present, including
|
||||||
|
whether the pool range collides with an existing route.
|
||||||
|
|
||||||
|
Called through `FirecrackerBottleBackend.setup` / `.status`, which the
|
||||||
|
generic `./cli.py backend {setup,status}` command dispatches to.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import os
|
||||||
|
import shutil
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from . import netpool
|
||||||
|
from . import util
|
||||||
|
|
||||||
|
|
||||||
|
_FC_RELEASES = "https://github.com/firecracker-microvm/firecracker/releases"
|
||||||
|
_UNIT_PATH = Path("/etc/systemd/system") / netpool.SYSTEMD_UNIT
|
||||||
|
|
||||||
|
|
||||||
|
def _owner() -> str:
|
||||||
|
# Under `sudo`, USER is root but SUDO_USER is the real invoker — the
|
||||||
|
# TAPs must be owned by them so `./cli.py start` stays rootless.
|
||||||
|
return os.environ.get("SUDO_USER") or os.environ.get("USER") or "youruser"
|
||||||
|
|
||||||
|
|
||||||
|
def _has_systemd() -> bool:
|
||||||
|
return Path("/run/systemd/system").is_dir()
|
||||||
|
|
||||||
|
|
||||||
|
def _module_path() -> str:
|
||||||
|
"""Absolute path to the importable NixOS module in this checkout."""
|
||||||
|
return str(Path(__file__).resolve().parents[3] / "nix" / "firecracker-netpool.nix")
|
||||||
|
|
||||||
|
|
||||||
|
def _script_path() -> str:
|
||||||
|
"""Absolute path to the bundled bring-up script in this checkout."""
|
||||||
|
return str(Path(__file__).resolve().parents[3] / "scripts" / "firecracker-netpool.sh")
|
||||||
|
|
||||||
|
|
||||||
|
def _print_prereqs() -> None:
|
||||||
|
"""The firecracker binary + KVM + guest artifacts, shown before the
|
||||||
|
privileged network-pool step so operators see the full picture."""
|
||||||
|
fc = shutil.which("firecracker")
|
||||||
|
if fc:
|
||||||
|
sys.stderr.write(f"1) firecracker binary: found ({fc}).\n")
|
||||||
|
else:
|
||||||
|
sys.stderr.write(
|
||||||
|
"1) firecracker binary: NOT found on PATH. Install a release binary "
|
||||||
|
"and put it on PATH:\n"
|
||||||
|
f" {_FC_RELEASES}\n"
|
||||||
|
" e.g.: download firecracker-vX.Y.Z-$(uname -m).tgz, extract, and\n"
|
||||||
|
" install -m755 release-*/firecracker-* ~/.local/bin/firecracker\n"
|
||||||
|
" (NixOS: not packaged as a user binary — fetch the release, pin\n"
|
||||||
|
" the version, and add it to PATH.)\n"
|
||||||
|
)
|
||||||
|
if util.is_host_capable():
|
||||||
|
sys.stderr.write(" KVM: /dev/kvm present.\n")
|
||||||
|
else:
|
||||||
|
sys.stderr.write(
|
||||||
|
" KVM: /dev/kvm missing/unusable — load kvm-intel/kvm-amd, enable\n"
|
||||||
|
" virtualization in firmware, and add your user to the `kvm` group.\n"
|
||||||
|
)
|
||||||
|
sys.stderr.write(
|
||||||
|
" Guest artifacts: a kernel (BOT_BOTTLE_FC_KERNEL) and static dropbear\n"
|
||||||
|
" (BOT_BOTTLE_FC_DROPBEAR) must be cached, and `mke2fs` (e2fsprogs) is\n"
|
||||||
|
" needed to build the rootfs.\n\n"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _is_nixos() -> bool:
|
||||||
|
if Path("/etc/NIXOS").exists():
|
||||||
|
return True
|
||||||
|
try:
|
||||||
|
return "ID=nixos" in Path("/etc/os-release").read_text()
|
||||||
|
except OSError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def _warn_overlaps() -> None:
|
||||||
|
"""Warn if the chosen pool range collides with an existing host route
|
||||||
|
(Tailscale CGNAT peer, a docker/libvirt bridge, the LAN…)."""
|
||||||
|
conflicts = netpool.overlapping_routes()
|
||||||
|
if not conflicts:
|
||||||
|
return
|
||||||
|
detail = "\n".join(f" {c.dst} dev {c.dev}" for c in conflicts)
|
||||||
|
sys.stderr.write(
|
||||||
|
f"WARNING: pool range (base {netpool.ip_base()}, "
|
||||||
|
f"{netpool.pool_size()} slots) overlaps existing routes:\n"
|
||||||
|
f"{detail}\n"
|
||||||
|
"Set BOT_BOTTLE_FC_IP_BASE to a free range before setup, or the "
|
||||||
|
"pool may shadow / be shadowed by the above.\n\n"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def setup() -> int:
|
||||||
|
sys.stderr.write("Firecracker backend — one-time host setup.\n\n")
|
||||||
|
_print_prereqs()
|
||||||
|
slots = netpool.all_slots()
|
||||||
|
sys.stderr.write(
|
||||||
|
f"2) network pool: {len(slots)} slots "
|
||||||
|
f"({slots[0].iface}..{slots[-1].iface}), base {netpool.ip_base()} — "
|
||||||
|
f"TAP devices + nft isolation table, privileged (needs root once).\n\n"
|
||||||
|
)
|
||||||
|
_warn_overlaps()
|
||||||
|
if _is_nixos():
|
||||||
|
sys.stderr.write(
|
||||||
|
"Detected NixOS. Import the module — it is NON-INVASIVE: it does "
|
||||||
|
"not flip networking.nftables.enable or systemd.network.enable, so "
|
||||||
|
"your existing (iptables) firewall and Docker are untouched. A "
|
||||||
|
"systemd oneshot brings the pool up alongside them.\n\n"
|
||||||
|
" # flake users:\n"
|
||||||
|
" inputs.bot-bottle.url = \"git+ssh://<your-bot-bottle-remote>\";\n"
|
||||||
|
" imports = [ inputs.bot-bottle.nixosModules.firecracker-netpool ];\n"
|
||||||
|
" # channel (non-flake) users — import the file directly:\n"
|
||||||
|
f" imports = [ {_module_path()} ];\n\n"
|
||||||
|
f" services.bot-bottle-firecracker = {{ enable = true; owner = \"{_owner()}\"; }};\n\n"
|
||||||
|
"Then `nixos-rebuild switch`.\n"
|
||||||
|
)
|
||||||
|
elif _has_systemd():
|
||||||
|
_setup_systemd()
|
||||||
|
else:
|
||||||
|
sys.stderr.write(
|
||||||
|
"No systemd detected. Run the one-time bring-up as root (and add "
|
||||||
|
"your own boot persistence — e.g. an OpenRC/runit service):\n\n"
|
||||||
|
)
|
||||||
|
sys.stdout.write(netpool.render_shell_setup() + "\n")
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
def _setup_systemd() -> None:
|
||||||
|
"""Install the pool as a persistent systemd unit — the portable path,
|
||||||
|
identical on every systemd distro. Performs the install directly when
|
||||||
|
run as root; otherwise prints a self-contained copy-paste block."""
|
||||||
|
unit = netpool.render_systemd_unit(_owner(), _script_path())
|
||||||
|
sys.stderr.write(
|
||||||
|
f"Persistent install (systemd — same on every systemd distro). Needs "
|
||||||
|
f"`nft` (nftables) and `ip` (iproute2); install via your package "
|
||||||
|
f"manager if `backend status` reports them missing.\n\n"
|
||||||
|
)
|
||||||
|
if os.geteuid() == 0:
|
||||||
|
_UNIT_PATH.write_text(unit)
|
||||||
|
subprocess.run(["systemctl", "daemon-reload"], check=False)
|
||||||
|
rc = subprocess.run(
|
||||||
|
["systemctl", "enable", "--now", netpool.SYSTEMD_UNIT], check=False,
|
||||||
|
).returncode
|
||||||
|
if rc == 0:
|
||||||
|
sys.stderr.write(
|
||||||
|
f"Installed and started {netpool.SYSTEMD_UNIT}. Verify with "
|
||||||
|
f"`./cli.py backend status --backend=firecracker`.\n"
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
sys.stderr.write(
|
||||||
|
f"Wrote {_UNIT_PATH} but `systemctl enable --now` failed — "
|
||||||
|
f"check `systemctl status {netpool.SYSTEMD_UNIT}`.\n"
|
||||||
|
)
|
||||||
|
return
|
||||||
|
sys.stderr.write(
|
||||||
|
"Install the unit (one copy-paste; enables it on boot too):\n\n"
|
||||||
|
)
|
||||||
|
sys.stdout.write(
|
||||||
|
f"sudo tee {_UNIT_PATH} >/dev/null <<'UNIT'\n"
|
||||||
|
f"{unit}"
|
||||||
|
f"UNIT\n"
|
||||||
|
f"sudo systemctl daemon-reload\n"
|
||||||
|
f"sudo systemctl enable --now {netpool.SYSTEMD_UNIT}\n"
|
||||||
|
)
|
||||||
|
sys.stderr.write(
|
||||||
|
f"\n(Or re-run this as root to install it directly: "
|
||||||
|
f"sudo ./cli.py backend setup --backend=firecracker)\n"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def teardown() -> int:
|
||||||
|
slots = netpool.all_slots()
|
||||||
|
sys.stderr.write(
|
||||||
|
f"Undo the Firecracker network pool ({len(slots)} slots, base "
|
||||||
|
f"{netpool.ip_base()}) — a privileged operation.\n\n"
|
||||||
|
)
|
||||||
|
if _is_nixos():
|
||||||
|
sys.stderr.write(
|
||||||
|
"On NixOS: set `services.bot-bottle-firecracker.enable = false;` "
|
||||||
|
"(or drop the module import) and `nixos-rebuild switch`. The TAP "
|
||||||
|
"netdevs and nft table are removed declaratively.\n\n"
|
||||||
|
"To tear down imperatively before a rebuild (does not persist):\n\n"
|
||||||
|
)
|
||||||
|
sys.stdout.write("sudo ./scripts/firecracker-netpool.sh down\n")
|
||||||
|
return 0
|
||||||
|
if _has_systemd():
|
||||||
|
if os.geteuid() == 0:
|
||||||
|
subprocess.run(
|
||||||
|
["systemctl", "disable", "--now", netpool.SYSTEMD_UNIT],
|
||||||
|
check=False,
|
||||||
|
)
|
||||||
|
_UNIT_PATH.unlink(missing_ok=True)
|
||||||
|
subprocess.run(["systemctl", "daemon-reload"], check=False)
|
||||||
|
sys.stderr.write(
|
||||||
|
f"Stopped, disabled, and removed {netpool.SYSTEMD_UNIT}.\n"
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
sys.stderr.write("Remove the persistent unit (one copy-paste):\n\n")
|
||||||
|
sys.stdout.write(
|
||||||
|
f"sudo systemctl disable --now {netpool.SYSTEMD_UNIT}\n"
|
||||||
|
f"sudo rm -f {_UNIT_PATH}\n"
|
||||||
|
f"sudo systemctl daemon-reload\n"
|
||||||
|
)
|
||||||
|
return 0
|
||||||
|
sys.stderr.write("Run the teardown as root:\n\n")
|
||||||
|
sys.stdout.write("sudo ./scripts/firecracker-netpool.sh down\n")
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
def status() -> int:
|
||||||
|
# Readiness == what the launch preflight hard-requires: the TAP pool
|
||||||
|
# present (unprivileged, authoritative) and no range overlap. Listing
|
||||||
|
# the nft table usually needs root, so — like the preflight — an
|
||||||
|
# unconfirmable table is reported but NOT treated as not-ready; the
|
||||||
|
# post-boot isolation probe is the authoritative check. This keeps an
|
||||||
|
# unprivileged `backend status` usable as a launch gate.
|
||||||
|
ok = True
|
||||||
|
missing = netpool.missing_taps()
|
||||||
|
total = netpool.pool_size()
|
||||||
|
if missing:
|
||||||
|
sys.stderr.write(f"TAP pool: {total - len(missing)}/{total} present "
|
||||||
|
f"(missing: {', '.join(missing)})\n")
|
||||||
|
ok = False
|
||||||
|
else:
|
||||||
|
sys.stderr.write(f"TAP pool: {total}/{total} present\n")
|
||||||
|
if shutil.which("nft") is None:
|
||||||
|
sys.stderr.write(f"nft table inet {netpool.NFT_TABLE}: unverified "
|
||||||
|
f"(nft not on PATH; enforced + checked post-boot)\n")
|
||||||
|
elif netpool.nft_table_present():
|
||||||
|
sys.stderr.write(f"nft table inet {netpool.NFT_TABLE}: present\n")
|
||||||
|
else:
|
||||||
|
sys.stderr.write(f"nft table inet {netpool.NFT_TABLE}: not confirmable "
|
||||||
|
f"unprivileged (listing needs root; verified post-boot)\n")
|
||||||
|
conflicts = netpool.overlapping_routes()
|
||||||
|
if conflicts:
|
||||||
|
detail = ", ".join(f"{c.dst} dev {c.dev}" for c in conflicts)
|
||||||
|
sys.stderr.write(f"range overlap: base {netpool.ip_base()} CLASHES "
|
||||||
|
f"with {detail}\n")
|
||||||
|
ok = False
|
||||||
|
else:
|
||||||
|
sys.stderr.write(f"range overlap: none (base {netpool.ip_base()})\n")
|
||||||
|
_report_persistence()
|
||||||
|
if not ok:
|
||||||
|
sys.stderr.write("\nRun: ./cli.py backend setup --backend=firecracker\n")
|
||||||
|
return 0 if ok else 1
|
||||||
|
|
||||||
|
|
||||||
|
def _report_persistence() -> None:
|
||||||
|
"""Report whether the pool is installed as the persistent systemd
|
||||||
|
unit (so it survives reboot) vs brought up imperatively. Advisory —
|
||||||
|
doesn't affect launch readiness."""
|
||||||
|
if not _has_systemd():
|
||||||
|
return
|
||||||
|
state = subprocess.run(
|
||||||
|
["systemctl", "is-active", netpool.SYSTEMD_UNIT],
|
||||||
|
capture_output=True, text=True, check=False,
|
||||||
|
).stdout.strip() or "unknown"
|
||||||
|
if state == "active":
|
||||||
|
sys.stderr.write(f"persistence: {netpool.SYSTEMD_UNIT} active "
|
||||||
|
f"(survives reboot)\n")
|
||||||
|
else:
|
||||||
|
sys.stderr.write(f"persistence: {netpool.SYSTEMD_UNIT} {state} — pool "
|
||||||
|
f"is not installed as a persistent unit (install with "
|
||||||
|
f"`backend setup` so it survives reboot)\n")
|
||||||
@@ -0,0 +1,323 @@
|
|||||||
|
"""Host-side primitives for the Firecracker backend.
|
||||||
|
|
||||||
|
Covers the pieces that don't need root at launch time: locating the
|
||||||
|
firecracker binary / guest kernel / injected dropbear, the fail-closed
|
||||||
|
preflight (KVM + kernel + isolation table + TAP pool must all be
|
||||||
|
present before a VM boots), the rootless rootfs pipeline
|
||||||
|
(`docker export` -> `mke2fs -d`, no mount), and per-bottle SSH key
|
||||||
|
generation.
|
||||||
|
|
||||||
|
The privileged network setup (TAP pool + nft table) is a one-time
|
||||||
|
operator step — see `netpool.py`, `scripts/firecracker-netpool.sh`,
|
||||||
|
and `./cli.py backend setup --backend=firecracker`.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import os
|
||||||
|
import platform
|
||||||
|
import shutil
|
||||||
|
import subprocess
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
from ...log import die, info, warn
|
||||||
|
from . import netpool
|
||||||
|
|
||||||
|
|
||||||
|
# Guest agent images are Debian-family with USER node; the VM is
|
||||||
|
# reached over SSH as root (init drops the pubkey into both root's and
|
||||||
|
# node's authorized_keys) and commands `runuser` down to node.
|
||||||
|
GUEST_SSH_USER = "root"
|
||||||
|
|
||||||
|
# `/dev/kvm` must exist and be openable by the invoking user.
|
||||||
|
_KVM_DEVICE = "/dev/kvm"
|
||||||
|
|
||||||
|
|
||||||
|
def cache_dir() -> Path:
|
||||||
|
d = Path(
|
||||||
|
os.environ.get(
|
||||||
|
"BOT_BOTTLE_FC_CACHE",
|
||||||
|
str(Path.home() / ".cache" / "bot-bottle" / "firecracker"),
|
||||||
|
)
|
||||||
|
)
|
||||||
|
d.mkdir(parents=True, exist_ok=True)
|
||||||
|
return d
|
||||||
|
|
||||||
|
|
||||||
|
def kernel_path() -> Path:
|
||||||
|
return Path(os.environ.get("BOT_BOTTLE_FC_KERNEL", str(cache_dir() / "vmlinux")))
|
||||||
|
|
||||||
|
|
||||||
|
def dropbear_path() -> Path:
|
||||||
|
"""The static dropbear injected into every guest rootfs as its SSH
|
||||||
|
server. Must be statically linked — the guest has none of the
|
||||||
|
host's shared libraries."""
|
||||||
|
return Path(
|
||||||
|
os.environ.get("BOT_BOTTLE_FC_DROPBEAR", str(cache_dir() / "dropbear"))
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# --- availability + preflight ---------------------------------------
|
||||||
|
|
||||||
|
def is_linux() -> bool:
|
||||||
|
return platform.system() == "Linux"
|
||||||
|
|
||||||
|
|
||||||
|
def is_host_capable() -> bool:
|
||||||
|
"""Whether this host *could* run firecracker — Linux with KVM —
|
||||||
|
regardless of whether the `firecracker` binary is installed. Used
|
||||||
|
for default-backend selection so a KVM Linux host that hasn't
|
||||||
|
installed firecracker yet still selects it and gets an install
|
||||||
|
pointer at launch (see `require_firecracker`), rather than silently
|
||||||
|
falling back to docker."""
|
||||||
|
return is_linux() and os.path.exists(_KVM_DEVICE)
|
||||||
|
|
||||||
|
|
||||||
|
def is_available() -> bool:
|
||||||
|
"""Cheap capability probe used by cross-backend enumeration —
|
||||||
|
firecracker on PATH, on Linux, with KVM. Does not check the
|
||||||
|
(operator-provisioned) kernel / pool, so an available-but-unset
|
||||||
|
host still shows up and gets an actionable error at launch."""
|
||||||
|
return is_host_capable() and shutil.which("firecracker") is not None
|
||||||
|
|
||||||
|
|
||||||
|
def require_firecracker() -> None:
|
||||||
|
"""Fail-closed preflight. Every check that gates the security
|
||||||
|
boundary (the isolation table, the TAP pool) errors rather than
|
||||||
|
booting a VM without it."""
|
||||||
|
if not is_linux():
|
||||||
|
die("firecracker backend is only supported on Linux (KVM). "
|
||||||
|
"On macOS use --backend=macos-container.")
|
||||||
|
if shutil.which("firecracker") is None:
|
||||||
|
info("Firecracker is required but was not found on PATH.")
|
||||||
|
info("Install: https://github.com/firecracker-microvm/firecracker/releases")
|
||||||
|
die("firecracker not found on PATH")
|
||||||
|
_require_kvm()
|
||||||
|
if not kernel_path().is_file():
|
||||||
|
die(f"guest kernel not found at {kernel_path()}. Set "
|
||||||
|
"BOT_BOTTLE_FC_KERNEL or place a vmlinux there.")
|
||||||
|
if not dropbear_path().is_file():
|
||||||
|
die(f"static dropbear not found at {dropbear_path()}. Set "
|
||||||
|
"BOT_BOTTLE_FC_DROPBEAR or cache one there.")
|
||||||
|
if shutil.which("mke2fs") is None:
|
||||||
|
die("mke2fs (e2fsprogs) not found — required to build guest rootfs")
|
||||||
|
_require_network_pool()
|
||||||
|
|
||||||
|
|
||||||
|
def _require_kvm() -> None:
|
||||||
|
if not os.path.exists(_KVM_DEVICE):
|
||||||
|
die(f"{_KVM_DEVICE} is missing. Enable KVM (load kvm-intel/kvm-amd; "
|
||||||
|
"confirm virtualization is on in firmware).")
|
||||||
|
if not os.access(_KVM_DEVICE, os.R_OK | os.W_OK):
|
||||||
|
die(f"{_KVM_DEVICE} exists but is not accessible. Add your user to "
|
||||||
|
"the `kvm` group and re-login.")
|
||||||
|
|
||||||
|
|
||||||
|
def _require_network_pool() -> None:
|
||||||
|
"""Fail-closed on the parts we can check unprivileged; defer the
|
||||||
|
rest to the post-boot isolation probe.
|
||||||
|
|
||||||
|
The TAP pool is verified here (`ip link show` is unprivileged). The
|
||||||
|
nft table can only be *confirmed present* here when `nft` is
|
||||||
|
queryable — which usually needs root — so a missing/absent nft is
|
||||||
|
not treated as fatal at this stage: the authoritative check is the
|
||||||
|
empirical isolation probe run after boot, before the agent starts
|
||||||
|
(see isolation_probe.verify_isolation). What we must never do is
|
||||||
|
boot without the TAP pool."""
|
||||||
|
conflicts = netpool.overlapping_routes()
|
||||||
|
if conflicts:
|
||||||
|
detail = "; ".join(f"{c.dst} dev {c.dev}" for c in conflicts)
|
||||||
|
warn(f"Firecracker pool range ({netpool.ip_base()}, "
|
||||||
|
f"{netpool.pool_size()} slots) overlaps existing routes: "
|
||||||
|
f"{detail}. This can shadow or be shadowed by that route; "
|
||||||
|
f"set BOT_BOTTLE_FC_IP_BASE to a free range and re-run "
|
||||||
|
f"./cli.py backend setup --backend=firecracker.")
|
||||||
|
missing = netpool.missing_taps()
|
||||||
|
if missing:
|
||||||
|
die(f"network pool incomplete — missing TAP devices: "
|
||||||
|
f"{', '.join(missing)}.\n ./cli.py backend setup --backend=firecracker")
|
||||||
|
if shutil.which("nft") is not None and not netpool.nft_table_present():
|
||||||
|
# nft is queryable and says the table is absent — that's a
|
||||||
|
# definite, catchable misconfiguration; fail early.
|
||||||
|
warn(f"isolation table `inet {netpool.NFT_TABLE}` not found via nft. "
|
||||||
|
"If this is a permissions issue it will be re-checked "
|
||||||
|
"empirically after boot; otherwise run: "
|
||||||
|
"./cli.py backend setup --backend=firecracker")
|
||||||
|
|
||||||
|
|
||||||
|
# --- rootfs pipeline (rootless) -------------------------------------
|
||||||
|
|
||||||
|
def docker_image_id(ref: str) -> str:
|
||||||
|
"""The image's content digest, used as the rootfs cache key."""
|
||||||
|
result = subprocess.run(
|
||||||
|
["docker", "image", "inspect", "--format", "{{.Id}}", ref],
|
||||||
|
capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
if result.returncode != 0 or not result.stdout.strip():
|
||||||
|
die(f"docker image inspect for {ref!r} failed: "
|
||||||
|
f"{(result.stderr or '').strip() or '<no output>'}")
|
||||||
|
return result.stdout.strip().replace("sha256:", "")[:16]
|
||||||
|
|
||||||
|
|
||||||
|
def build_base_rootfs_dir(image_ref: str) -> Path:
|
||||||
|
"""Export the agent image's filesystem and inject the guest init +
|
||||||
|
static dropbear. Cached by image digest — the per-bottle bits
|
||||||
|
(authorized_keys, IP) are passed at boot via the kernel cmdline, so
|
||||||
|
this tree carries nothing bottle-specific and is safely shared.
|
||||||
|
|
||||||
|
Returns the prepared directory (read as the `mke2fs -d` source)."""
|
||||||
|
digest = docker_image_id(image_ref)
|
||||||
|
base = cache_dir() / "rootfs" / digest
|
||||||
|
ready = base / ".bb-ready"
|
||||||
|
if ready.is_file():
|
||||||
|
return base
|
||||||
|
|
||||||
|
if base.exists():
|
||||||
|
shutil.rmtree(base, ignore_errors=True)
|
||||||
|
base.mkdir(parents=True)
|
||||||
|
|
||||||
|
info(f"exporting {image_ref} rootfs -> {base}")
|
||||||
|
cid = subprocess.run(
|
||||||
|
["docker", "create", image_ref, "sleep", "infinity"],
|
||||||
|
capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
if cid.returncode != 0 or not cid.stdout.strip():
|
||||||
|
die(f"docker create {image_ref!r} failed: {cid.stderr.strip()}")
|
||||||
|
container = cid.stdout.strip()
|
||||||
|
try:
|
||||||
|
export = subprocess.Popen(
|
||||||
|
["docker", "export", container], stdout=subprocess.PIPE,
|
||||||
|
)
|
||||||
|
untar = subprocess.run(
|
||||||
|
["tar", "-x", "-C", str(base)], stdin=export.stdout, check=False,
|
||||||
|
)
|
||||||
|
export.wait()
|
||||||
|
if export.returncode != 0 or untar.returncode != 0:
|
||||||
|
die(f"exporting rootfs for {image_ref!r} failed")
|
||||||
|
finally:
|
||||||
|
subprocess.run(
|
||||||
|
["docker", "rm", "-f", container],
|
||||||
|
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
inject_guest_boot(base)
|
||||||
|
ready.write_text("ok\n")
|
||||||
|
return base
|
||||||
|
|
||||||
|
|
||||||
|
def inject_guest_boot(rootfs: Path) -> None:
|
||||||
|
"""Drop the static dropbear and the PID-1 init into the rootfs."""
|
||||||
|
shutil.copy2(dropbear_path(), rootfs / "bb-dropbear")
|
||||||
|
os.chmod(rootfs / "bb-dropbear", 0o755)
|
||||||
|
init = rootfs / "bb-init"
|
||||||
|
init.write_text(_GUEST_INIT)
|
||||||
|
os.chmod(init, 0o755)
|
||||||
|
|
||||||
|
|
||||||
|
def build_rootfs_ext4(base_dir: Path, out_path: Path, *, slack_mib: int = 1024) -> None:
|
||||||
|
"""Build a fresh, writable ext4 for one bottle from the cached base
|
||||||
|
dir. Rootless: `mke2fs -d` populates the image from a directory
|
||||||
|
without mounting. Each call produces an independent disk, so the
|
||||||
|
shared base dir stays untouched and concurrent bottles don't race."""
|
||||||
|
used_mib = _dir_size_mib(base_dir)
|
||||||
|
size_mib = used_mib + slack_mib
|
||||||
|
out_path.parent.mkdir(parents=True, exist_ok=True)
|
||||||
|
result = subprocess.run(
|
||||||
|
["mke2fs", "-q", "-t", "ext4", "-d", str(base_dir), "-F",
|
||||||
|
str(out_path), f"{size_mib}M"],
|
||||||
|
capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
if result.returncode != 0:
|
||||||
|
die(f"mke2fs for {out_path} failed: {result.stderr.strip()}")
|
||||||
|
|
||||||
|
|
||||||
|
def _dir_size_mib(path: Path) -> int:
|
||||||
|
result = subprocess.run(
|
||||||
|
["du", "-sm", str(path)], capture_output=True, text=True, check=False,
|
||||||
|
)
|
||||||
|
try:
|
||||||
|
return int(result.stdout.split()[0])
|
||||||
|
except (ValueError, IndexError):
|
||||||
|
return 2048
|
||||||
|
|
||||||
|
|
||||||
|
# --- per-bottle SSH keys --------------------------------------------
|
||||||
|
|
||||||
|
def generate_keypair(dest_dir: Path) -> tuple[Path, str]:
|
||||||
|
"""Mint a per-bottle ed25519 keypair. Returns (private_key_path,
|
||||||
|
public_key_line). The public line is injected into the guest via
|
||||||
|
the boot cmdline; the private key authenticates host->guest SSH."""
|
||||||
|
dest_dir.mkdir(parents=True, exist_ok=True)
|
||||||
|
key = dest_dir / "bottle_id_ed25519"
|
||||||
|
if key.exists():
|
||||||
|
key.unlink()
|
||||||
|
(dest_dir / "bottle_id_ed25519.pub").unlink(missing_ok=True)
|
||||||
|
subprocess.run(
|
||||||
|
["ssh-keygen", "-t", "ed25519", "-N", "", "-q", "-f", str(key),
|
||||||
|
"-C", "bot-bottle-firecracker"],
|
||||||
|
check=True,
|
||||||
|
)
|
||||||
|
pub = (dest_dir / "bottle_id_ed25519.pub").read_text().strip()
|
||||||
|
return key, pub
|
||||||
|
|
||||||
|
|
||||||
|
def ssh_base_argv(private_key: Path, guest_ip: str) -> list[str]:
|
||||||
|
"""Common SSH options for host->guest control. The VM is ephemeral
|
||||||
|
and per-bottle, so host-key TOFU is meaningless — pin no known_hosts
|
||||||
|
and skip the check rather than accumulate churn."""
|
||||||
|
return [
|
||||||
|
"ssh",
|
||||||
|
"-i", str(private_key),
|
||||||
|
# Only offer the per-bottle key — don't let an agent or the
|
||||||
|
# operator's ~/.ssh/config inject other identities (newer
|
||||||
|
# OpenSSH otherwise may not reliably present the -i key).
|
||||||
|
"-o", "IdentitiesOnly=yes",
|
||||||
|
"-o", "StrictHostKeyChecking=no",
|
||||||
|
"-o", "UserKnownHostsFile=/dev/null",
|
||||||
|
"-o", "LogLevel=ERROR",
|
||||||
|
"-o", "ConnectTimeout=5",
|
||||||
|
f"{GUEST_SSH_USER}@{guest_ip}",
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
# PID-1 init injected into every guest. Kept dependency-light: relies
|
||||||
|
# only on coreutils + a POSIX shell (present in the Debian-family agent
|
||||||
|
# images). The kernel `ip=` cmdline configures eth0 before init runs,
|
||||||
|
# so no iproute2 is needed. The per-bottle SSH pubkey arrives base64 on
|
||||||
|
# the cmdline; dropbear generates ephemeral host keys with -R.
|
||||||
|
_GUEST_INIT = r"""#!/bin/sh
|
||||||
|
# bot-bottle Firecracker guest init (PID 1).
|
||||||
|
mount -t proc proc /proc 2>/dev/null
|
||||||
|
mount -t sysfs sys /sys 2>/dev/null
|
||||||
|
mount -t devtmpfs dev /dev 2>/dev/null
|
||||||
|
mkdir -p /dev/pts && mount -t devpts devpts /dev/pts 2>/dev/null
|
||||||
|
mount -o remount,rw / 2>/dev/null
|
||||||
|
|
||||||
|
# Install the per-bottle SSH pubkey from the kernel cmdline.
|
||||||
|
KEY=$(sed -n 's/.*bb_pubkey=\([^ ]*\).*/\1/p' /proc/cmdline | base64 -d 2>/dev/null)
|
||||||
|
if [ -n "$KEY" ]; then
|
||||||
|
for home in /root /home/node; do
|
||||||
|
mkdir -p "$home/.ssh"
|
||||||
|
printf '%s\n' "$KEY" > "$home/.ssh/authorized_keys"
|
||||||
|
chmod 700 "$home/.ssh"
|
||||||
|
chmod 600 "$home/.ssh/authorized_keys"
|
||||||
|
done
|
||||||
|
chown -R node:node /home/node/.ssh 2>/dev/null || true
|
||||||
|
fi
|
||||||
|
|
||||||
|
# The rootless rootfs build (`docker export | tar` as a non-root user)
|
||||||
|
# can't preserve uid 0, so every path lands owned by the build uid,
|
||||||
|
# which maps to `node` (uid 1000) in-guest — including /root. dropbear
|
||||||
|
# (like OpenSSH) refuses root's authorized_keys unless the home dir is
|
||||||
|
# owned by root, so restore root's ownership of its own home.
|
||||||
|
chown -R 0:0 /root 2>/dev/null || true
|
||||||
|
|
||||||
|
mkdir -p /etc/dropbear /run
|
||||||
|
# -R: generate host keys on demand. -E: log auth failures to stderr,
|
||||||
|
# captured in the host-side console.log for debugging.
|
||||||
|
/bb-dropbear -R -E -p 22 &
|
||||||
|
|
||||||
|
# Reap zombies as PID 1. dropbear is always a child, so `wait` blocks
|
||||||
|
# rather than busy-looping.
|
||||||
|
while : ; do wait ; done
|
||||||
|
"""
|
||||||
@@ -90,11 +90,11 @@ def get_freezer(backend_name: str) -> Freezer:
|
|||||||
if resolved == "macos-container":
|
if resolved == "macos-container":
|
||||||
from .macos_container.freezer import MacosContainerFreezer
|
from .macos_container.freezer import MacosContainerFreezer
|
||||||
return MacosContainerFreezer()
|
return MacosContainerFreezer()
|
||||||
if resolved == "smolmachines":
|
if resolved == "firecracker":
|
||||||
from .smolmachines.freezer import SmolmachinesFreezer
|
from .firecracker.freezer import FirecrackerFreezer
|
||||||
return SmolmachinesFreezer()
|
return FirecrackerFreezer()
|
||||||
die(
|
die(
|
||||||
f"commit is only supported for docker, macos-container, and "
|
f"commit is only supported for docker, macos-container, and "
|
||||||
f"smolmachines; backend {backend_name!r} has no freezer"
|
f"firecracker; backend {backend_name!r} has no freezer"
|
||||||
)
|
)
|
||||||
raise AssertionError("unreachable")
|
raise AssertionError("unreachable")
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Selectable via `BOT_BOTTLE_BACKEND=macos-container`. This package owns
|
Selectable via `BOT_BOTTLE_BACKEND=macos-container`. This package owns
|
||||||
the Apple `container` CLI integration; launch remains gated until the
|
the Apple `container` CLI integration; launch remains gated until the
|
||||||
sidecar network enforcement shape is implemented.
|
gateway network enforcement shape is implemented.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from .backend import MacosContainerBottleBackend
|
from .backend import MacosContainerBottleBackend
|
||||||
|
|||||||
@@ -36,6 +36,21 @@ class MacosContainerBottleBackend(
|
|||||||
def is_available(cls) -> bool:
|
def is_available(cls) -> bool:
|
||||||
return _container.is_available()
|
return _container.is_available()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def setup(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.setup()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def status(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.status()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def teardown(cls) -> int:
|
||||||
|
from . import setup as _setup
|
||||||
|
return _setup.teardown()
|
||||||
|
|
||||||
def _preflight(self) -> None:
|
def _preflight(self) -> None:
|
||||||
_resolve_plan.preflight()
|
_resolve_plan.preflight()
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,6 @@ from . import util as container_mod
|
|||||||
from .bottle_cleanup_plan import MacosContainerBottleCleanupPlan
|
from .bottle_cleanup_plan import MacosContainerBottleCleanupPlan
|
||||||
|
|
||||||
_PREFIX = "bot-bottle-"
|
_PREFIX = "bot-bottle-"
|
||||||
_BUNDLE_PREFIX = "bot-bottle-sidecars-"
|
|
||||||
|
|
||||||
|
|
||||||
def _list_prefixed_containers() -> list[str]:
|
def _list_prefixed_containers() -> list[str]:
|
||||||
@@ -24,7 +23,7 @@ def _list_prefixed_containers() -> list[str]:
|
|||||||
return []
|
return []
|
||||||
return sorted(
|
return sorted(
|
||||||
name for name in (line.strip() for line in result.stdout.splitlines())
|
name for name in (line.strip() for line in result.stdout.splitlines())
|
||||||
if name.startswith(_PREFIX) or name.startswith(_BUNDLE_PREFIX)
|
if name.startswith(_PREFIX)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,36 +1,24 @@
|
|||||||
"""Host-side egress apply for the macos-container backend.
|
"""Host-side egress route-apply for the macos-container backend.
|
||||||
|
|
||||||
Uses `container kill --signal HUP` (Apple Container framework) instead
|
The per-bottle companion container this used to signal (`container kill
|
||||||
of `docker kill` to signal the sidecar bundle.
|
--signal HUP <container>`) was removed in the companion-container removal (#385),
|
||||||
|
along with the disabled macOS launch path. Fails closed until the macOS
|
||||||
|
backend grows the consolidated gateway.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import os
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
from ...log import warn
|
|
||||||
from ..egress_apply import EgressApplicator, EgressApplyError
|
from ..egress_apply import EgressApplicator, EgressApplyError
|
||||||
from .launch import sidecar_container_name
|
|
||||||
|
|
||||||
|
|
||||||
class MacOSContainerEgressApplicator(EgressApplicator):
|
class MacOSContainerEgressApplicator(EgressApplicator):
|
||||||
def _signal_bundle_reload(self, slug: str) -> None:
|
def _signal_bundle_reload(self, slug: str) -> None:
|
||||||
container = sidecar_container_name(slug)
|
del slug
|
||||||
result = subprocess.run(
|
raise EgressApplyError(
|
||||||
["container", "kill", "--signal", "HUP", container],
|
"live egress route-apply was removed with the per-bottle "
|
||||||
capture_output=True, text=True, check=False, env=os.environ,
|
"companion container (#385); the macos-container backend is "
|
||||||
|
"disabled until it uses the consolidated gateway."
|
||||||
)
|
)
|
||||||
if result.returncode != 0:
|
|
||||||
last_error = (result.stderr or "").strip() or (result.stdout or "").strip()
|
|
||||||
warn(
|
|
||||||
f"egress: routes updated on disk for {slug}, but bundle reload failed: "
|
|
||||||
f"{last_error or 'container kill failed'}"
|
|
||||||
)
|
|
||||||
raise EgressApplyError(
|
|
||||||
f"could not reload egress bundle {container}: "
|
|
||||||
f"{last_error or 'container kill failed'}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
applicator = MacOSContainerEgressApplicator()
|
applicator = MacOSContainerEgressApplicator()
|
||||||
|
|||||||
@@ -1,40 +1,14 @@
|
|||||||
"""Active-agent enumeration for the macOS Apple Container backend."""
|
"""Active-agent enumeration for the macOS Apple Container backend.
|
||||||
|
|
||||||
|
The backend is disabled during the companion-container removal (#385) — it can't
|
||||||
|
launch bottles, so there are none to enumerate. Enumeration returns when
|
||||||
|
the backend grows the consolidated gateway.
|
||||||
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
from ...bottle_state import read_metadata
|
|
||||||
from .. import ActiveAgent
|
from .. import ActiveAgent
|
||||||
|
|
||||||
_PREFIX = "bot-bottle-"
|
|
||||||
_SIDECAR_PREFIX = "bot-bottle-sidecars-"
|
|
||||||
|
|
||||||
|
|
||||||
def enumerate_active() -> list[ActiveAgent]:
|
def enumerate_active() -> list[ActiveAgent]:
|
||||||
result = subprocess.run(
|
return []
|
||||||
["container", "list", "--quiet"],
|
|
||||||
capture_output=True,
|
|
||||||
text=True,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
return []
|
|
||||||
out: list[ActiveAgent] = []
|
|
||||||
for name in sorted(line.strip() for line in result.stdout.splitlines()):
|
|
||||||
if not name.startswith(_PREFIX):
|
|
||||||
continue
|
|
||||||
if name.startswith(_SIDECAR_PREFIX):
|
|
||||||
continue
|
|
||||||
slug = name[len(_PREFIX):]
|
|
||||||
metadata = read_metadata(slug)
|
|
||||||
out.append(ActiveAgent(
|
|
||||||
backend_name="macos-container",
|
|
||||||
slug=slug,
|
|
||||||
agent_name=metadata.agent_name if metadata else "?",
|
|
||||||
started_at=metadata.started_at if metadata else "",
|
|
||||||
services=(),
|
|
||||||
label=metadata.label if metadata else "",
|
|
||||||
color=metadata.color if metadata else "",
|
|
||||||
))
|
|
||||||
return out
|
|
||||||
|
|||||||
@@ -1,432 +1,39 @@
|
|||||||
"""Launch flow for the macOS Apple Container backend.
|
"""Launch flow for the macOS Apple Container backend — disabled (#385).
|
||||||
|
|
||||||
This backend keeps the explicit proxy-env enforcement model for v1:
|
This backend launched a per-bottle companion container (the egress /
|
||||||
the agent container is attached only to a host-only Apple Container
|
git-gate / supervise data plane) alongside the agent container, with the
|
||||||
network, while the sidecar bundle is attached to a NAT network first
|
agent's proxy env pointed at the companion's host-only IP. That
|
||||||
and the host-only network second. The sidecar's host-only IP is
|
per-bottle-companion architecture was removed in the companion-container removal;
|
||||||
discovered from `container inspect` and stamped into the agent's
|
the macOS backend will be re-enabled once it grows the consolidated
|
||||||
HTTP_PROXY / HTTPS_PROXY env vars.
|
per-host gateway the docker backend already uses.
|
||||||
|
|
||||||
|
Until then, launching a macOS bottle fails closed. `prepare` / `status`
|
||||||
|
/ cleanup still work.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import dataclasses
|
from contextlib import contextmanager
|
||||||
import os
|
|
||||||
import subprocess
|
|
||||||
from contextlib import ExitStack, contextmanager
|
|
||||||
from pathlib import Path
|
|
||||||
from typing import Callable, Generator
|
from typing import Callable, Generator
|
||||||
|
|
||||||
from ...bottle_state import (
|
from ...log import die
|
||||||
egress_state_dir,
|
|
||||||
git_gate_state_dir,
|
|
||||||
read_committed_image,
|
|
||||||
)
|
|
||||||
from ...egress import (
|
|
||||||
EGRESS_ROUTES_IN_CONTAINER,
|
|
||||||
egress_agent_env_entries,
|
|
||||||
egress_resolve_token_values,
|
|
||||||
egress_sidecar_env_entries,
|
|
||||||
)
|
|
||||||
from ...git_gate import revoke_git_gate_provisioned_keys
|
|
||||||
from ...log import die, info, warn
|
|
||||||
from ...supervise import QUEUE_DIR_IN_CONTAINER, SUPERVISE_PORT
|
|
||||||
from ...util import expand_tilde
|
|
||||||
from ..docker.egress import EGRESS_CA_IN_CONTAINER, EGRESS_PORT
|
|
||||||
from ..docker.git_gate import (
|
|
||||||
GIT_GATE_ACCESS_HOOK_IN_CONTAINER,
|
|
||||||
GIT_GATE_CREDS_DIR_IN_CONTAINER,
|
|
||||||
GIT_GATE_ENTRYPOINT_IN_CONTAINER,
|
|
||||||
GIT_GATE_HOOK_IN_CONTAINER,
|
|
||||||
)
|
|
||||||
from ..docker.sidecar_bundle import (
|
|
||||||
SIDECAR_BUNDLE_DOCKERFILE,
|
|
||||||
SIDECAR_BUNDLE_IMAGE,
|
|
||||||
)
|
|
||||||
from ..docker.egress import egress_tls_init
|
|
||||||
from ..util import AGENT_CA_BUNDLE, AGENT_CA_PATH
|
|
||||||
from . import util as container_mod
|
|
||||||
from .bottle import MacosContainerBottle
|
from .bottle import MacosContainerBottle
|
||||||
from .bottle_plan import MacosContainerBottlePlan
|
from .bottle_plan import MacosContainerBottlePlan
|
||||||
|
|
||||||
|
|
||||||
_REPO_DIR = str(Path(__file__).resolve().parent.parent.parent.parent)
|
|
||||||
_AGENT_SLEEP_SECONDS = "2147483647"
|
|
||||||
_GIT_HTTP_PORT = 9420
|
|
||||||
_GIT_GATE_READY_FILE = "/run/git-gate/ready"
|
|
||||||
|
|
||||||
|
|
||||||
def internal_network_name(slug: str) -> str:
|
|
||||||
return f"bot-bottle-net-{slug}"
|
|
||||||
|
|
||||||
|
|
||||||
def egress_network_name(slug: str) -> str:
|
|
||||||
return f"bot-bottle-egress-{slug}"
|
|
||||||
|
|
||||||
|
|
||||||
def sidecar_container_name(slug: str) -> str:
|
|
||||||
return f"bot-bottle-sidecars-{slug}"
|
|
||||||
|
|
||||||
|
|
||||||
@contextmanager
|
@contextmanager
|
||||||
def launch(
|
def launch(
|
||||||
plan: MacosContainerBottlePlan,
|
plan: MacosContainerBottlePlan,
|
||||||
*,
|
*,
|
||||||
provision: Callable[[MacosContainerBottlePlan, "MacosContainerBottle"], str | None],
|
provision: Callable[[MacosContainerBottlePlan, "MacosContainerBottle"], str | None],
|
||||||
) -> Generator[MacosContainerBottle, None, None]:
|
) -> Generator[MacosContainerBottle, None, None]:
|
||||||
"""Build, run, provision, and yield an Apple Container bottle."""
|
"""Fail closed: the macOS backend is disabled until it grows the
|
||||||
stack = ExitStack()
|
consolidated per-host gateway (the companion-container path it used
|
||||||
bottle_for_revoke = plan.manifest.bottle
|
was removed in #385)."""
|
||||||
git_gate_dir_for_revoke = git_gate_state_dir(plan.slug)
|
del plan, provision
|
||||||
|
die(
|
||||||
def teardown() -> None:
|
"the macos-container backend is temporarily disabled during the "
|
||||||
teardown_exc: BaseException | None = None
|
"companion-container removal (#385); it will return once it uses "
|
||||||
try:
|
"the consolidated gateway. Use --backend=docker for now."
|
||||||
stack.close()
|
|
||||||
except BaseException as exc: # noqa: W0718 - teardown must continue
|
|
||||||
teardown_exc = exc
|
|
||||||
warn(f"macos-container teardown failed: {exc!r}")
|
|
||||||
revoke_git_gate_provisioned_keys(bottle_for_revoke, git_gate_dir_for_revoke)
|
|
||||||
if teardown_exc is not None:
|
|
||||||
raise teardown_exc
|
|
||||||
|
|
||||||
try:
|
|
||||||
plan = _mint_certs(plan)
|
|
||||||
plan = _build_images(plan)
|
|
||||||
|
|
||||||
internal_network = internal_network_name(plan.slug)
|
|
||||||
egress_network = egress_network_name(plan.slug)
|
|
||||||
_create_networks(internal_network, egress_network, stack)
|
|
||||||
|
|
||||||
sidecar_name = sidecar_container_name(plan.slug)
|
|
||||||
container_mod.force_remove_container(sidecar_name)
|
|
||||||
_start_sidecar_bundle(plan, sidecar_name, internal_network, egress_network)
|
|
||||||
stack.callback(container_mod.force_remove_container, sidecar_name)
|
|
||||||
_stage_git_gate(plan, sidecar_name)
|
|
||||||
|
|
||||||
sidecar_ip = container_mod.container_ipv4_on_network(
|
|
||||||
sidecar_name, internal_network,
|
|
||||||
)
|
|
||||||
plan = _stamp_agent_urls(plan, sidecar_ip)
|
|
||||||
|
|
||||||
container_mod.force_remove_container(plan.container_name)
|
|
||||||
_start_agent(plan, internal_network, sidecar_ip)
|
|
||||||
stack.callback(container_mod.force_remove_container, plan.container_name)
|
|
||||||
|
|
||||||
bottle = MacosContainerBottle(
|
|
||||||
plan.container_name,
|
|
||||||
teardown,
|
|
||||||
None,
|
|
||||||
agent_command=plan.agent_command,
|
|
||||||
agent_prompt_mode=plan.agent_prompt_mode,
|
|
||||||
agent_provider_template=plan.agent_provider_template,
|
|
||||||
terminal_title=f"{plan.spec.label} ({plan.spec.agent_name})" if plan.spec.label else plan.spec.agent_name,
|
|
||||||
terminal_color=plan.spec.color,
|
|
||||||
agent_workdir=plan.workspace_plan.workdir,
|
|
||||||
)
|
|
||||||
bottle.prompt_path = provision(plan, bottle)
|
|
||||||
|
|
||||||
yield bottle
|
|
||||||
finally:
|
|
||||||
teardown()
|
|
||||||
|
|
||||||
|
|
||||||
def _mint_certs(plan: MacosContainerBottlePlan) -> MacosContainerBottlePlan:
|
|
||||||
egress_ca_host, egress_ca_cert_only = egress_tls_init(
|
|
||||||
egress_state_dir(plan.slug),
|
|
||||||
)
|
)
|
||||||
egress_plan = dataclasses.replace(
|
yield # unreachable — `die` raises; keeps this a generator/contextmanager
|
||||||
plan.egress_plan,
|
|
||||||
mitmproxy_ca_host_path=egress_ca_host,
|
|
||||||
mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
|
|
||||||
)
|
|
||||||
return dataclasses.replace(plan, egress_plan=egress_plan)
|
|
||||||
|
|
||||||
|
|
||||||
def _build_images(plan: MacosContainerBottlePlan) -> MacosContainerBottlePlan:
|
|
||||||
container_mod.build_image(
|
|
||||||
SIDECAR_BUNDLE_IMAGE,
|
|
||||||
_REPO_DIR,
|
|
||||||
dockerfile=SIDECAR_BUNDLE_DOCKERFILE,
|
|
||||||
)
|
|
||||||
committed = read_committed_image(plan.slug)
|
|
||||||
if committed and container_mod.image_exists(committed):
|
|
||||||
info(f"using committed image {committed!r}")
|
|
||||||
return dataclasses.replace(
|
|
||||||
plan,
|
|
||||||
agent_provision=dataclasses.replace(
|
|
||||||
plan.agent_provision,
|
|
||||||
image=committed,
|
|
||||||
),
|
|
||||||
)
|
|
||||||
container_mod.build_image(
|
|
||||||
plan.image,
|
|
||||||
_REPO_DIR,
|
|
||||||
dockerfile=plan.dockerfile_path,
|
|
||||||
)
|
|
||||||
return plan
|
|
||||||
|
|
||||||
|
|
||||||
def _create_networks(
|
|
||||||
internal_network: str,
|
|
||||||
egress_network: str,
|
|
||||||
stack: ExitStack,
|
|
||||||
) -> None:
|
|
||||||
container_mod.create_network(internal_network, internal=True)
|
|
||||||
stack.callback(container_mod.remove_network, internal_network)
|
|
||||||
container_mod.create_network(egress_network)
|
|
||||||
stack.callback(container_mod.remove_network, egress_network)
|
|
||||||
|
|
||||||
|
|
||||||
def _start_sidecar_bundle(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
sidecar_name: str,
|
|
||||||
internal_network: str,
|
|
||||||
egress_network: str,
|
|
||||||
) -> None:
|
|
||||||
argv = _sidecar_run_argv(plan, sidecar_name, internal_network, egress_network)
|
|
||||||
effective_env = {**dict(os.environ), **plan.agent_provision.provisioned_env}
|
|
||||||
token_values = egress_resolve_token_values(
|
|
||||||
plan.egress_plan.token_env_map, effective_env,
|
|
||||||
)
|
|
||||||
env = {**os.environ, **token_values}
|
|
||||||
info(f"container run sidecar bundle {sidecar_name}")
|
|
||||||
result = subprocess.run(
|
|
||||||
argv, capture_output=True, text=True, env=env, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"container run for sidecar bundle {sidecar_name} failed: "
|
|
||||||
f"{(result.stderr or '').strip() or '<no stderr>'}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _start_agent(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
internal_network: str,
|
|
||||||
sidecar_ip: str,
|
|
||||||
) -> None:
|
|
||||||
argv = _agent_run_argv(plan, internal_network, sidecar_ip)
|
|
||||||
env = {
|
|
||||||
**os.environ,
|
|
||||||
**plan.forwarded_env,
|
|
||||||
}
|
|
||||||
info(f"container run agent {plan.container_name}")
|
|
||||||
result = subprocess.run(
|
|
||||||
argv, capture_output=True, text=True, env=env, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"container run for agent {plan.container_name} failed: "
|
|
||||||
f"{(result.stderr or '').strip() or '<no stderr>'}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _stamp_agent_urls(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
sidecar_ip: str,
|
|
||||||
) -> MacosContainerBottlePlan:
|
|
||||||
proxy_url = f"http://{sidecar_ip}:{EGRESS_PORT}"
|
|
||||||
supervise_url = ""
|
|
||||||
if plan.supervise_plan is not None:
|
|
||||||
supervise_url = f"http://{sidecar_ip}:{SUPERVISE_PORT}/"
|
|
||||||
git_gate_url = ""
|
|
||||||
if plan.git_gate_plan.upstreams:
|
|
||||||
git_gate_url = f"http://{sidecar_ip}:{_GIT_HTTP_PORT}"
|
|
||||||
return dataclasses.replace(
|
|
||||||
plan,
|
|
||||||
agent_proxy_url=proxy_url,
|
|
||||||
agent_git_gate_url=git_gate_url,
|
|
||||||
agent_supervise_url=supervise_url,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _stage_git_gate(plan: MacosContainerBottlePlan, sidecar_name: str) -> None:
|
|
||||||
gp = plan.git_gate_plan
|
|
||||||
if not gp.upstreams:
|
|
||||||
return
|
|
||||||
|
|
||||||
container_mod.exec_container(
|
|
||||||
sidecar_name,
|
|
||||||
[
|
|
||||||
"mkdir",
|
|
||||||
"-p",
|
|
||||||
str(Path(GIT_GATE_HOOK_IN_CONTAINER).parent),
|
|
||||||
GIT_GATE_CREDS_DIR_IN_CONTAINER,
|
|
||||||
"/git",
|
|
||||||
str(Path(_GIT_GATE_READY_FILE).parent),
|
|
||||||
],
|
|
||||||
)
|
|
||||||
|
|
||||||
for host_path, container_path in _git_gate_files(plan):
|
|
||||||
container_mod.copy_into_container(
|
|
||||||
sidecar_name, host_path, container_path,
|
|
||||||
)
|
|
||||||
|
|
||||||
container_mod.exec_container(
|
|
||||||
sidecar_name,
|
|
||||||
[
|
|
||||||
"sh",
|
|
||||||
"-c",
|
|
||||||
"chmod 755 "
|
|
||||||
f"{GIT_GATE_ENTRYPOINT_IN_CONTAINER} "
|
|
||||||
f"{GIT_GATE_HOOK_IN_CONTAINER} "
|
|
||||||
f"{GIT_GATE_ACCESS_HOOK_IN_CONTAINER} && "
|
|
||||||
f"chmod 600 {GIT_GATE_CREDS_DIR_IN_CONTAINER}/* && "
|
|
||||||
f"touch {_GIT_GATE_READY_FILE}",
|
|
||||||
],
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _git_gate_files(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
) -> tuple[tuple[str, str], ...]:
|
|
||||||
gp = plan.git_gate_plan
|
|
||||||
files: list[tuple[str, str]] = [
|
|
||||||
(str(gp.entrypoint_script), GIT_GATE_ENTRYPOINT_IN_CONTAINER),
|
|
||||||
(str(gp.hook_script), GIT_GATE_HOOK_IN_CONTAINER),
|
|
||||||
(str(gp.access_hook_script), GIT_GATE_ACCESS_HOOK_IN_CONTAINER),
|
|
||||||
]
|
|
||||||
for upstream in gp.upstreams:
|
|
||||||
files.append((
|
|
||||||
expand_tilde(upstream.identity_file),
|
|
||||||
f"{GIT_GATE_CREDS_DIR_IN_CONTAINER}/{upstream.name}-key",
|
|
||||||
))
|
|
||||||
if upstream.known_hosts_file:
|
|
||||||
files.append((
|
|
||||||
str(upstream.known_hosts_file),
|
|
||||||
f"{GIT_GATE_CREDS_DIR_IN_CONTAINER}/{upstream.name}-known_hosts",
|
|
||||||
))
|
|
||||||
return tuple(files)
|
|
||||||
|
|
||||||
|
|
||||||
def _sidecar_run_argv(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
sidecar_name: str,
|
|
||||||
internal_network: str,
|
|
||||||
egress_network: str,
|
|
||||||
) -> list[str]:
|
|
||||||
argv = [
|
|
||||||
"container", "run",
|
|
||||||
"--name", sidecar_name,
|
|
||||||
"--detach",
|
|
||||||
"--rm",
|
|
||||||
"--network", egress_network,
|
|
||||||
"--network", internal_network,
|
|
||||||
"--dns", _sidecar_dns(),
|
|
||||||
"--env", f"BOT_BOTTLE_SIDECAR_DAEMONS={','.join(_sidecar_daemons(plan))}",
|
|
||||||
]
|
|
||||||
for entry in _sidecar_env_entries(plan):
|
|
||||||
argv += ["--env", entry]
|
|
||||||
for host_path, container_path, read_only in _sidecar_mounts(plan):
|
|
||||||
argv += ["--mount", _mount_spec(host_path, container_path, read_only)]
|
|
||||||
argv.append(SIDECAR_BUNDLE_IMAGE)
|
|
||||||
return argv
|
|
||||||
|
|
||||||
|
|
||||||
def _agent_run_argv(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
internal_network: str,
|
|
||||||
sidecar_ip: str,
|
|
||||||
) -> list[str]:
|
|
||||||
argv = [
|
|
||||||
"container", "run",
|
|
||||||
"--name", plan.container_name,
|
|
||||||
"--detach",
|
|
||||||
"--network", internal_network,
|
|
||||||
]
|
|
||||||
for entry in _agent_env_entries(plan, sidecar_ip):
|
|
||||||
argv += ["--env", entry]
|
|
||||||
argv += [plan.image, "sleep", _AGENT_SLEEP_SECONDS]
|
|
||||||
return argv
|
|
||||||
|
|
||||||
|
|
||||||
def _sidecar_dns() -> str:
|
|
||||||
return container_mod.dns_server()
|
|
||||||
|
|
||||||
|
|
||||||
def _sidecar_daemons(plan: MacosContainerBottlePlan) -> tuple[str, ...]:
|
|
||||||
daemons = ["egress"]
|
|
||||||
if plan.git_gate_plan.upstreams:
|
|
||||||
daemons += ["git-gate", "git-http"]
|
|
||||||
if plan.supervise_plan is not None:
|
|
||||||
daemons.append("supervise")
|
|
||||||
return tuple(daemons)
|
|
||||||
|
|
||||||
|
|
||||||
def _sidecar_env_entries(plan: MacosContainerBottlePlan) -> tuple[str, ...]:
|
|
||||||
env: list[str] = list(egress_sidecar_env_entries(plan.egress_plan))
|
|
||||||
if plan.git_gate_plan.upstreams:
|
|
||||||
env.append(f"BOT_BOTTLE_GIT_GATE_READY_FILE={_GIT_GATE_READY_FILE}")
|
|
||||||
if plan.supervise_plan is not None:
|
|
||||||
env += [
|
|
||||||
f"SUPERVISE_BOTTLE_SLUG={plan.slug}",
|
|
||||||
f"SUPERVISE_QUEUE_DIR={QUEUE_DIR_IN_CONTAINER}",
|
|
||||||
f"SUPERVISE_PORT={SUPERVISE_PORT}",
|
|
||||||
]
|
|
||||||
return tuple(env)
|
|
||||||
|
|
||||||
|
|
||||||
def _sidecar_mounts(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
) -> tuple[tuple[str, str, bool], ...]:
|
|
||||||
mounts: list[tuple[str, str, bool]] = []
|
|
||||||
|
|
||||||
ep = plan.egress_plan
|
|
||||||
mounts.append((
|
|
||||||
str(ep.mitmproxy_ca_host_path.parent),
|
|
||||||
str(Path(EGRESS_CA_IN_CONTAINER).parent),
|
|
||||||
False,
|
|
||||||
))
|
|
||||||
if ep.routes:
|
|
||||||
mounts.append((
|
|
||||||
str(ep.routes_path.parent),
|
|
||||||
str(Path(EGRESS_ROUTES_IN_CONTAINER).parent),
|
|
||||||
True,
|
|
||||||
))
|
|
||||||
|
|
||||||
sp = plan.supervise_plan
|
|
||||||
if sp is not None:
|
|
||||||
mounts.append((str(sp.queue_dir), QUEUE_DIR_IN_CONTAINER, False))
|
|
||||||
|
|
||||||
return tuple(mounts)
|
|
||||||
|
|
||||||
def _mount_spec(host_path: str, container_path: str, read_only: bool) -> str:
|
|
||||||
spec = f"type=bind,source={host_path},target={container_path}"
|
|
||||||
if read_only:
|
|
||||||
spec += ",readonly"
|
|
||||||
return spec
|
|
||||||
|
|
||||||
|
|
||||||
def _agent_env_entries(
|
|
||||||
plan: MacosContainerBottlePlan,
|
|
||||||
sidecar_ip: str,
|
|
||||||
) -> tuple[str, ...]:
|
|
||||||
proxy_url = f"http://{sidecar_ip}:{EGRESS_PORT}"
|
|
||||||
no_proxy = _agent_no_proxy(plan, sidecar_ip)
|
|
||||||
env = [
|
|
||||||
f"HTTPS_PROXY={proxy_url}",
|
|
||||||
f"HTTP_PROXY={proxy_url}",
|
|
||||||
f"https_proxy={proxy_url}",
|
|
||||||
f"http_proxy={proxy_url}",
|
|
||||||
f"NO_PROXY={no_proxy}",
|
|
||||||
f"no_proxy={no_proxy}",
|
|
||||||
f"NODE_EXTRA_CA_CERTS={AGENT_CA_PATH}",
|
|
||||||
f"SSL_CERT_FILE={AGENT_CA_BUNDLE}",
|
|
||||||
f"REQUESTS_CA_BUNDLE={AGENT_CA_BUNDLE}",
|
|
||||||
]
|
|
||||||
if plan.agent_git_gate_url:
|
|
||||||
env.append(f"GIT_GATE_URL={plan.agent_git_gate_url}")
|
|
||||||
if plan.agent_supervise_url:
|
|
||||||
env.append(f"MCP_SUPERVISE_URL={plan.agent_supervise_url}")
|
|
||||||
for name, value in sorted(plan.agent_provision.guest_env.items()):
|
|
||||||
env.append(f"{name}={value}")
|
|
||||||
for name in sorted(plan.forwarded_env.keys()):
|
|
||||||
env.append(name)
|
|
||||||
env.extend(egress_agent_env_entries(plan.egress_plan))
|
|
||||||
return tuple(env)
|
|
||||||
|
|
||||||
|
|
||||||
def _agent_no_proxy(plan: MacosContainerBottlePlan, sidecar_ip: str) -> str:
|
|
||||||
hosts = ["localhost", "127.0.0.1", sidecar_ip]
|
|
||||||
return ",".join(hosts)
|
|
||||||
|
|||||||
@@ -0,0 +1,79 @@
|
|||||||
|
"""Host setup + status for the macOS Apple Container backend.
|
||||||
|
|
||||||
|
Like Docker, this backend needs no privileged network-pool provisioning
|
||||||
|
— it wants Apple's `container` CLI installed and its system service
|
||||||
|
running. `setup()` points at the install/`container system start` steps;
|
||||||
|
`status()` reports readiness. Reached via
|
||||||
|
`MacosContainerBottleBackend.setup` / `.status`, dispatched from the
|
||||||
|
generic `./cli.py backend {setup,status}`.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import shutil
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from . import util as _container
|
||||||
|
|
||||||
|
|
||||||
|
def _service_running() -> bool:
|
||||||
|
if shutil.which("container") is None:
|
||||||
|
return False
|
||||||
|
return subprocess.run(
|
||||||
|
["container", "system", "status"],
|
||||||
|
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
|
||||||
|
).returncode == 0
|
||||||
|
|
||||||
|
|
||||||
|
def setup() -> int:
|
||||||
|
if not _container.is_macos():
|
||||||
|
sys.stderr.write("macos-container backend requires macOS.\n")
|
||||||
|
return 1
|
||||||
|
if shutil.which("container") is None:
|
||||||
|
sys.stderr.write("Apple Container is required but was not found on PATH.\n")
|
||||||
|
sys.stderr.write("Install: https://github.com/apple/container/releases\n")
|
||||||
|
return 1
|
||||||
|
if not _service_running():
|
||||||
|
sys.stderr.write(
|
||||||
|
"Apple Container is installed but its system service isn't "
|
||||||
|
"running. Start it with: container system start\n"
|
||||||
|
)
|
||||||
|
return 1
|
||||||
|
sys.stderr.write(
|
||||||
|
"macos-container backend: ready — no privileged host setup required.\n"
|
||||||
|
)
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
def teardown() -> int:
|
||||||
|
sys.stderr.write(
|
||||||
|
"macos-container backend: nothing to undo — it provisions no "
|
||||||
|
"privileged host state. The Apple Container CLI and its system "
|
||||||
|
"service are left as-is (stop the service yourself with "
|
||||||
|
"`container system stop` if you want).\n"
|
||||||
|
)
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
def status() -> int:
|
||||||
|
ok = True
|
||||||
|
if _container.is_macos():
|
||||||
|
sys.stderr.write("host: macOS\n")
|
||||||
|
else:
|
||||||
|
sys.stderr.write("host: NOT macOS (backend unsupported here)\n")
|
||||||
|
ok = False
|
||||||
|
if shutil.which("container") is not None:
|
||||||
|
sys.stderr.write("container CLI on PATH: yes\n")
|
||||||
|
else:
|
||||||
|
sys.stderr.write("container CLI on PATH: NO\n")
|
||||||
|
ok = False
|
||||||
|
if ok:
|
||||||
|
sys.stderr.write(
|
||||||
|
f"container system service: {'running' if _service_running() else 'NOT running'}\n"
|
||||||
|
)
|
||||||
|
if not _service_running():
|
||||||
|
ok = False
|
||||||
|
if not ok:
|
||||||
|
sys.stderr.write("\nRun: ./cli.py backend setup --backend=macos-container\n")
|
||||||
|
return 0 if ok else 1
|
||||||
@@ -60,13 +60,21 @@ def dns_server() -> str:
|
|||||||
|
|
||||||
|
|
||||||
def build_image(ref: str, context: str, *, dockerfile: str = "") -> None:
|
def build_image(ref: str, context: str, *, dockerfile: str = "") -> None:
|
||||||
"""Build an OCI image with Apple's BuildKit-backed `container build`."""
|
"""Build an OCI image with Apple's BuildKit-backed `container build`.
|
||||||
|
|
||||||
|
Set `BOT_BOTTLE_NO_CACHE=1` (the `start --no-cache` flag) to force
|
||||||
|
`--no-cache`. The npm/curl installers some provider Dockerfiles
|
||||||
|
shell out to can silently no-op on a transient network failure —
|
||||||
|
e.g. an `optionalDependencies` fetch for a platform-native binary —
|
||||||
|
and the builder will then cache that broken layer indefinitely."""
|
||||||
info(
|
info(
|
||||||
f"building image {ref} from {context} with Apple Container "
|
f"building image {ref} from {context} with Apple Container "
|
||||||
"(layer cache keeps repeat builds fast)"
|
"(layer cache keeps repeat builds fast)"
|
||||||
)
|
)
|
||||||
_ensure_builder_dns()
|
_ensure_builder_dns()
|
||||||
args = [_CONTAINER, "build", "-t", ref, "--dns", dns_server()]
|
args = [_CONTAINER, "build", "-t", ref, "--dns", dns_server()]
|
||||||
|
if os.environ.get("BOT_BOTTLE_NO_CACHE") == "1":
|
||||||
|
args.append("--no-cache")
|
||||||
if dockerfile:
|
if dockerfile:
|
||||||
# `container build` resolves -f relative to the current working
|
# `container build` resolves -f relative to the current working
|
||||||
# directory, not the build context. Anchor a relative Dockerfile to
|
# directory, not the build context. Anchor a relative Dockerfile to
|
||||||
@@ -78,6 +86,28 @@ def build_image(ref: str, context: str, *, dockerfile: str = "") -> None:
|
|||||||
subprocess.run(args, check=True)
|
subprocess.run(args, check=True)
|
||||||
|
|
||||||
|
|
||||||
|
def verify_agent_image(image: str, argv: tuple[str, ...]) -> None:
|
||||||
|
"""Run `argv` inside a throwaway container of a freshly built agent
|
||||||
|
image and die loudly if it fails, instead of shipping an image
|
||||||
|
whose CLI only breaks at first real use. No-op when the provider
|
||||||
|
hasn't declared a smoke test (`AgentProviderRuntime.smoke_test`)."""
|
||||||
|
if not argv:
|
||||||
|
return
|
||||||
|
result = subprocess.run(
|
||||||
|
[_CONTAINER, "run", "--rm", "--entrypoint", argv[0], image, *argv[1:]],
|
||||||
|
capture_output=True,
|
||||||
|
text=True,
|
||||||
|
check=False,
|
||||||
|
)
|
||||||
|
if result.returncode != 0:
|
||||||
|
detail = (result.stderr or result.stdout or "").strip()
|
||||||
|
die(
|
||||||
|
f"agent image {image!r} failed its post-build smoke test "
|
||||||
|
f"({' '.join(argv)}): {detail}\n"
|
||||||
|
f"Try rebuilding from scratch: bot-bottle start --no-cache"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def commit_container(container_name: str, image_tag: str) -> None:
|
def commit_container(container_name: str, image_tag: str) -> None:
|
||||||
"""Snapshot a running Apple Container as a local image.
|
"""Snapshot a running Apple Container as a local image.
|
||||||
|
|
||||||
|
|||||||
@@ -1,9 +1,8 @@
|
|||||||
"""Shared print helpers for BottlePlan.print implementations.
|
"""Shared print helpers for BottlePlan.print implementations.
|
||||||
|
|
||||||
Lifts the multi-value label printer out of DockerBottlePlan so the
|
Lifts the multi-value label printer out of DockerBottlePlan so every
|
||||||
smolmachines backend (and any future backend) renders the same
|
backend (and any future backend) renders the same two-column
|
||||||
two-column scannable preflight without duplicating the indent
|
scannable preflight without duplicating the indent math."""
|
||||||
math."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
"""Shared helpers used by both backends' resolve_plan steps.
|
"""Shared helpers used across backends' resolve_plan steps.
|
||||||
|
|
||||||
Each helper owns one well-defined step of the per-bottle plan
|
Each helper owns one well-defined step of the per-bottle plan
|
||||||
resolution so docker and smolmachines don't repeat the same logic.
|
resolution so the backends don't repeat the same logic.
|
||||||
Backend-specific steps (container names, env-file, per-bottle
|
Backend-specific steps (container names, env-file, per-bottle
|
||||||
Dockerfile overrides, subnet allocation) stay in the backend's own
|
Dockerfile overrides, subnet allocation) stay in the backend's own
|
||||||
resolve_plan.py.
|
resolve_plan.py.
|
||||||
@@ -94,7 +94,7 @@ def prepare_egress(
|
|||||||
|
|
||||||
|
|
||||||
def prepare_supervise(bottle: ManifestBottle, slug: str) -> SupervisePlan | None:
|
def prepare_supervise(bottle: ManifestBottle, slug: str) -> SupervisePlan | None:
|
||||||
"""Prepare the supervise sidecar state dir. Returns None when
|
"""Prepare the supervise daemon state dir. Returns None when
|
||||||
bottle.supervise is falsy."""
|
bottle.supervise is falsy."""
|
||||||
if not bottle.supervise:
|
if not bottle.supervise:
|
||||||
return None
|
return None
|
||||||
|
|||||||
@@ -1,15 +0,0 @@
|
|||||||
"""smolmachines bottle backend (PRD 0023).
|
|
||||||
|
|
||||||
Selectable via `BOT_BOTTLE_BACKEND=smolmachines`. Runs each
|
|
||||||
bottle inside a per-agent microVM (libkrun / Hypervisor.framework
|
|
||||||
on macOS) with a userspace gvproxy gateway as the egress
|
|
||||||
primitive. The sidecar bundle (PRD 0024) runs as a host-side
|
|
||||||
docker container reached only through gvproxy's port-forward list.
|
|
||||||
|
|
||||||
Chunk 1 (this commit) ships the backend skeleton + Smolfile +
|
|
||||||
gvproxy renderers + preflight check. VM lifecycle, sidecar
|
|
||||||
bringup, and provisioning land in later chunks."""
|
|
||||||
|
|
||||||
from .backend import SmolmachinesBottleBackend # noqa: F401
|
|
||||||
|
|
||||||
__all__ = ["SmolmachinesBottleBackend"]
|
|
||||||
@@ -1,203 +0,0 @@
|
|||||||
"""SmolmachinesBottle — running-instance handle (PRD 0023 chunk 2d).
|
|
||||||
|
|
||||||
Routes `exec_agent` / `exec` / `cp_in` through `smolvm machine
|
|
||||||
exec` / `smolvm machine cp`. The handle is yielded by `launch`
|
|
||||||
and torn down via the surrounding ExitStack on context exit;
|
|
||||||
`close` is a no-op idempotent alias so the BottleBackend ABC's
|
|
||||||
context-manager contract is satisfied.
|
|
||||||
|
|
||||||
User context: `smolvm machine exec` runs commands as root in the
|
|
||||||
VM, but the agent image's USER is `node` and agent CLIs may refuse
|
|
||||||
to run as root in bypass modes. Both
|
|
||||||
`exec_agent` and `exec` switch to the requested user (default
|
|
||||||
`node`) via `runuser -u <user> --` and set `HOME` / `USER`
|
|
||||||
through `smolvm -e` — avoiding `runuser -l`'s login-shell wiring
|
|
||||||
(PAM session setup, /etc/profile sourcing) which can hang on a
|
|
||||||
minimal Debian VM with no PAM session config."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import subprocess
|
|
||||||
import sys
|
|
||||||
import time
|
|
||||||
import shlex
|
|
||||||
from typing import Mapping, cast
|
|
||||||
|
|
||||||
from ...agent_provider import PromptMode, prompt_args
|
|
||||||
from .. import Bottle, ExecResult
|
|
||||||
from ..terminal import exec_shell_script
|
|
||||||
from . import pty_resize as _pty_resize
|
|
||||||
from . import smolvm as _smolvm
|
|
||||||
|
|
||||||
|
|
||||||
# Absolute path to the pty_resize wrapper. Invoke as
|
|
||||||
# `python <path>` rather than `python -m <dotted-path>` so the
|
|
||||||
# wrapper runs regardless of cwd / sys.path — it has no
|
|
||||||
# bot_bottle.* imports, so it's self-contained.
|
|
||||||
_PTY_RESIZE_SCRIPT = _pty_resize.__file__
|
|
||||||
|
|
||||||
|
|
||||||
# Per-user env the agent image's USER (node) expects. Some providers
|
|
||||||
# write session state under the user's home directory;
|
|
||||||
# bare `runuser -u` inherits root's HOME=/root, which claude
|
|
||||||
# can't write to. Set HOME / USER explicitly through smolvm -e
|
|
||||||
# so the child process sees them.
|
|
||||||
_HOME_FOR = {
|
|
||||||
"node": "/home/node",
|
|
||||||
"root": "/root",
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def _env_assignments_for(user: str, env: Mapping[str, str]) -> list[str]:
|
|
||||||
home = _HOME_FOR.get(user, f"/home/{user}")
|
|
||||||
out = [f"HOME={home}", f"USER={user}"]
|
|
||||||
for k, v in env.items():
|
|
||||||
out.append(f"{k}={v}")
|
|
||||||
return out
|
|
||||||
|
|
||||||
|
|
||||||
class SmolmachinesBottle(Bottle):
|
|
||||||
"""Handle returned by `SmolmachinesBottleBackend.launch`. The
|
|
||||||
underlying VM lifecycle (create / start / stop / delete) lives
|
|
||||||
on the launch ExitStack — this class only routes runtime
|
|
||||||
operations to the right `smolvm machine ...` subcommand."""
|
|
||||||
|
|
||||||
def __init__(
|
|
||||||
self,
|
|
||||||
machine_name: str,
|
|
||||||
*,
|
|
||||||
prompt_path: str | None = None,
|
|
||||||
guest_env: Mapping[str, str] | None = None,
|
|
||||||
agent_command: str = "claude",
|
|
||||||
agent_prompt_mode: PromptMode = "append_file",
|
|
||||||
agent_provider_template: str = "claude",
|
|
||||||
terminal_title: str = "",
|
|
||||||
terminal_color: str = "",
|
|
||||||
agent_workdir: str = "/home/node",
|
|
||||||
) -> None:
|
|
||||||
self.name = machine_name
|
|
||||||
# In-VM path to the agent's prompt file. None when the
|
|
||||||
# agent declared no prompt (file still exists; we just
|
|
||||||
# don't pass --append-system-prompt-file).
|
|
||||||
self.prompt_path = prompt_path
|
|
||||||
# Env vars the agent process needs (HTTPS_PROXY,
|
|
||||||
# CLAUDE_CODE_OAUTH_TOKEN, manifest-declared bottle env, …).
|
|
||||||
# Forwarded on every `smolvm machine exec` via `-e K=V`
|
|
||||||
# because exec doesn't inherit from machine_create's env.
|
|
||||||
self._guest_env = dict(guest_env or {})
|
|
||||||
self._agent_prompt_mode = agent_prompt_mode
|
|
||||||
self.agent_command = agent_command
|
|
||||||
self.terminal_title = terminal_title
|
|
||||||
self.terminal_color = terminal_color
|
|
||||||
self.agent_provider_template = agent_provider_template
|
|
||||||
self.agent_workdir = agent_workdir
|
|
||||||
|
|
||||||
def agent_argv(
|
|
||||||
self, argv: list[str], *, tty: bool = True,
|
|
||||||
) -> list[str]:
|
|
||||||
flags = ["smolvm", "machine", "exec", "--name", self.name]
|
|
||||||
if tty:
|
|
||||||
flags += ["-i", "-t"]
|
|
||||||
agent_tail = ["env", *_env_assignments_for("node", self._guest_env)]
|
|
||||||
if self.agent_workdir and self.agent_workdir != _HOME_FOR["node"]:
|
|
||||||
agent_tail += [
|
|
||||||
"sh", "-lc",
|
|
||||||
f"cd {shlex.quote(self.agent_workdir)} && exec \"$@\"",
|
|
||||||
"bot-bottle-agent",
|
|
||||||
]
|
|
||||||
agent_tail.append(self.agent_command)
|
|
||||||
provider_prompt_args = prompt_args(
|
|
||||||
cast(PromptMode, self._agent_prompt_mode), self.prompt_path, argv=argv,
|
|
||||||
)
|
|
||||||
if cast(PromptMode, self._agent_prompt_mode) == "read_prompt_file":
|
|
||||||
agent_tail += argv
|
|
||||||
agent_tail += provider_prompt_args
|
|
||||||
else:
|
|
||||||
agent_tail += provider_prompt_args
|
|
||||||
agent_tail += argv
|
|
||||||
flags += ["--", "runuser", "-u", "node", "--", *agent_tail]
|
|
||||||
if not tty:
|
|
||||||
# No PTY allocated — no SIGWINCH to forward, no resize
|
|
||||||
# bridge needed. Skip the wrapper so non-interactive
|
|
||||||
# exec paths (e.g., provisioning shell-outs that
|
|
||||||
# happen to go through this method) stay light.
|
|
||||||
return flags
|
|
||||||
return [
|
|
||||||
sys.executable, _PTY_RESIZE_SCRIPT,
|
|
||||||
self.name, "--", *flags,
|
|
||||||
]
|
|
||||||
|
|
||||||
def exec_agent(self, argv: list[str], *, tty: bool = True) -> int:
|
|
||||||
"""Run the selected agent interactively inside the VM as the `node`
|
|
||||||
user. Inherits the operator's terminal (stdin / stdout /
|
|
||||||
stderr) so the session feels native. Blocks until the agent
|
|
||||||
exits; returns the in-VM exit code.
|
|
||||||
|
|
||||||
We bypass the captured-output `machine_exec` helper here
|
|
||||||
because that one wraps stdout/stderr in pipes — fine for
|
|
||||||
scripted exec, wrong for an interactive shell. Drop down
|
|
||||||
to `subprocess.run` with the TTY inherited.
|
|
||||||
|
|
||||||
UID switches via `runuser -u node --` (not `-l`) so we
|
|
||||||
avoid login-shell wiring. HOME / USER come from `smolvm
|
|
||||||
-e` instead, which sets them on the process env."""
|
|
||||||
agent_argv = self.agent_argv(argv, tty=tty)
|
|
||||||
script = exec_shell_script(agent_argv, self.terminal_title, self.terminal_color) if tty else None
|
|
||||||
if script is None:
|
|
||||||
return subprocess.run(agent_argv, check=False).returncode
|
|
||||||
# Use sh -c (not -lc) so the script inherits PATH from the calling
|
|
||||||
# process. sh -l sources login-shell init files (e.g. /etc/profile)
|
|
||||||
# which may NOT include smolvm's location when it was installed via
|
|
||||||
# homebrew. The calling process (./cli.py) already has smolvm on PATH
|
|
||||||
# (provision steps succeed), so -c is sufficient.
|
|
||||||
return subprocess.run(["sh", "-c", script], check=False).returncode
|
|
||||||
|
|
||||||
# smolvm/libkrun can SIGKILL an otherwise-normal exec during
|
|
||||||
# early-VM provisioning. Retry once after a short settle so
|
|
||||||
# callers (provision_ca, etc.) don't have to handle it themselves.
|
|
||||||
_SIGKILL_EXIT = 128 + 9
|
|
||||||
|
|
||||||
def exec(self, script: str, *, user: str = "node") -> ExecResult:
|
|
||||||
"""Run a POSIX shell script as `user` (default `node`) and
|
|
||||||
capture the result. Matches the docker backend's `exec`,
|
|
||||||
which defaults to the image's USER (also node) — so test
|
|
||||||
helpers / provision shell-outs run with the same identity
|
|
||||||
on both backends. Pass `user="root"` for tests that need
|
|
||||||
root.
|
|
||||||
|
|
||||||
`runuser -u <user> -- env ... /bin/sh -c <script>` switches UID
|
|
||||||
without invoking a login shell, then sets HOME / USER and the
|
|
||||||
bottle env in the child process.
|
|
||||||
|
|
||||||
Retries once on SIGKILL (exit 137) — libkrun occasionally
|
|
||||||
kills short-lived execs during VM bring-up."""
|
|
||||||
r = self._exec_raw(script, user=user)
|
|
||||||
if r.returncode == self._SIGKILL_EXIT:
|
|
||||||
time.sleep(1.0)
|
|
||||||
r = self._exec_raw(script, user=user)
|
|
||||||
return r
|
|
||||||
|
|
||||||
def _exec_raw(self, script: str, *, user: str = "node") -> ExecResult:
|
|
||||||
argv = [
|
|
||||||
"--", "runuser", "-u", user, "--",
|
|
||||||
"env", *_env_assignments_for(user, self._guest_env),
|
|
||||||
"/bin/sh", "-c", script,
|
|
||||||
]
|
|
||||||
r = subprocess.run(
|
|
||||||
["smolvm", "machine", "exec", "--name", self.name] + argv,
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
return ExecResult(
|
|
||||||
returncode=r.returncode,
|
|
||||||
stdout=r.stdout or "",
|
|
||||||
stderr=r.stderr or "",
|
|
||||||
)
|
|
||||||
|
|
||||||
def cp_in(self, host_path: str, container_path: str) -> None:
|
|
||||||
"""Copy a host path into the guest at `container_path`."""
|
|
||||||
_smolvm.machine_cp(host_path, f"{self.name}:{container_path}")
|
|
||||||
|
|
||||||
def close(self) -> None:
|
|
||||||
# Real teardown lives on the launch ExitStack; this is just
|
|
||||||
# the idempotent alias the BottleBackend ABC expects.
|
|
||||||
pass
|
|
||||||
@@ -1,55 +0,0 @@
|
|||||||
"""SmolmachinesBottleCleanupPlan — concrete BottleCleanupPlan (issue #77).
|
|
||||||
|
|
||||||
Tracks the resources `SmolmachinesBottleBackend.cleanup` will
|
|
||||||
remove:
|
|
||||||
|
|
||||||
- machines: smolvm machines whose name starts with
|
|
||||||
`bot-bottle-` (running or stopped). Stopped +
|
|
||||||
deleted via `smolvm machine stop` + `machine delete -f`.
|
|
||||||
- bundles: docker containers `bot-bottle-sidecars-<slug>`
|
|
||||||
left over from a smolmachines bottle (the bundle's
|
|
||||||
port-forwards stay published on lo0 aliases until
|
|
||||||
the container is gone). Removed via `docker rm -f`.
|
|
||||||
- networks: docker networks `bot-bottle-bundle-<slug>`
|
|
||||||
attached to the bundles. Removed via
|
|
||||||
`docker network rm`.
|
|
||||||
|
|
||||||
Smolmachines state dirs live under the same `~/.bot-bottle/state/`
|
|
||||||
path the docker backend uses; the docker backend's
|
|
||||||
`prepare_cleanup` already enumerates orphan state dirs and is the
|
|
||||||
single source of truth for that bucket (consults
|
|
||||||
`enumerate_active_bottles()` so it doesn't reap a live
|
|
||||||
smolmachines bottle's dir)."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import sys
|
|
||||||
from dataclasses import dataclass
|
|
||||||
|
|
||||||
from ...log import info
|
|
||||||
from .. import BottleCleanupPlan
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass(frozen=True)
|
|
||||||
class SmolmachinesBottleCleanupPlan(BottleCleanupPlan):
|
|
||||||
"""Resources SmolmachinesBottleBackend.cleanup will remove.
|
|
||||||
Produced by `prepare_cleanup`; sorted so the y/N output is
|
|
||||||
stable."""
|
|
||||||
|
|
||||||
machines: tuple[str, ...] = ()
|
|
||||||
bundles: tuple[str, ...] = ()
|
|
||||||
networks: tuple[str, ...] = ()
|
|
||||||
|
|
||||||
@property
|
|
||||||
def empty(self) -> bool:
|
|
||||||
return not self.machines and not self.bundles and not self.networks
|
|
||||||
|
|
||||||
def print(self) -> None:
|
|
||||||
print(file=sys.stderr)
|
|
||||||
for name in self.machines:
|
|
||||||
info(f"smolvm machine: {name}")
|
|
||||||
for name in self.bundles:
|
|
||||||
info(f"bundle container:{name}")
|
|
||||||
for name in self.networks:
|
|
||||||
info(f"bundle network: {name}")
|
|
||||||
print(file=sys.stderr)
|
|
||||||
@@ -1,109 +0,0 @@
|
|||||||
"""SmolmachinesBottlePlan — concrete BottlePlan for the smolmachines
|
|
||||||
backend (PRD 0023).
|
|
||||||
|
|
||||||
Slug + bundle docker subnet / gateway / pinned IP + smolvm
|
|
||||||
machine name + agent `.smolmachine` artifact + per-bottle guest
|
|
||||||
env. Provisioning fields (CA cert path, prompt path, etc.) land
|
|
||||||
in chunk 4."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
from dataclasses import dataclass
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
from ...agent_provider import PromptMode
|
|
||||||
from .. import BottlePlan
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass(frozen=True)
|
|
||||||
class SmolmachinesBottlePlan(BottlePlan):
|
|
||||||
"""Resolved fields the launch step needs to bring up the bottle.
|
|
||||||
|
|
||||||
Inherits `spec`, `stage_dir`, `git_gate_plan`, `egress_plan`,
|
|
||||||
`supervise_plan`, and `agent_provision` from BottlePlan."""
|
|
||||||
|
|
||||||
slug: str
|
|
||||||
# Per-bottle docker subnet for the sidecar bundle container.
|
|
||||||
# The bundle runs at `bundle_ip` (always `.2`); the gateway is
|
|
||||||
# at `.1`. smolvm's TSI allowlist is set to `bundle_ip/32`.
|
|
||||||
bundle_subnet: str
|
|
||||||
bundle_gateway: str
|
|
||||||
bundle_ip: str
|
|
||||||
# In-guest env vars (HTTPS_PROXY etc) — IP-literal URLs since
|
|
||||||
# the guest has no DNS resolver inside the TSI allowlist.
|
|
||||||
# Passed to `smolvm machine create` as `-e K=V` flags.
|
|
||||||
# Smolfile-rendering is gone (smolvm 0.8.0's
|
|
||||||
# `--smolfile` is mutually exclusive with `--from`, and
|
|
||||||
# `--from` is the path that avoids the registry-pull race).
|
|
||||||
guest_env: dict[str, str]
|
|
||||||
# Inner Plans for the sidecar bundle daemons. The same shape the
|
|
||||||
# docker backend uses — same `.prepare()` calls produced
|
|
||||||
# them — but our launch step doesn't populate the
|
|
||||||
# docker-specific network fields (internal_network,
|
|
||||||
# egress_network) because the smolmachines bundle isn't on
|
|
||||||
# docker's `--internal` + egress bridge topology; it's on a
|
|
||||||
# per-bottle bridge with a pinned IP. The unused fields stay
|
|
||||||
# at their dataclass defaults.
|
|
||||||
# Agent-side endpoints. On Docker Desktop the docker bridge
|
|
||||||
# IPs aren't reachable from the smolvm guest (TSI uses macOS
|
|
||||||
# networking; docker container IPs live in the daemon's VM),
|
|
||||||
# so the agent dials the bundle via host loopback +
|
|
||||||
# docker-published random ports. Empty at prepare time;
|
|
||||||
# launch populates these after bundle bringup via
|
|
||||||
# `dataclasses.replace`. Format: a `host:port` for git-gate
|
|
||||||
# (insteadOf URL prefix) + full URLs for proxy / supervise.
|
|
||||||
agent_proxy_url: str = ""
|
|
||||||
agent_git_gate_host: str = ""
|
|
||||||
agent_supervise_url: str = ""
|
|
||||||
|
|
||||||
@property
|
|
||||||
def machine_name(self) -> str:
|
|
||||||
"""smolvm machine name. `machine_create` boots from a packed
|
|
||||||
`.smolmachine` artifact (pre-baked at prepare time via
|
|
||||||
`smolvm pack create`); using `--from` instead of `--image`
|
|
||||||
avoids the registry-pull race we hit when machine_start tried
|
|
||||||
to fetch on-demand and the libkrun agent's network attempt
|
|
||||||
got refused by macOS."""
|
|
||||||
return self.agent_provision.instance_name
|
|
||||||
|
|
||||||
@property
|
|
||||||
def agent_image(self) -> str:
|
|
||||||
"""Agent image ref (docker tag). `launch` runs the
|
|
||||||
build → save → registry push → smolvm pack pipeline against
|
|
||||||
this and feeds the resulting `.smolmachine` artifact to
|
|
||||||
`machine_create --from`. The pipeline runs at launch time
|
|
||||||
(not prepare time) so the docker build output doesn't garble
|
|
||||||
the dashboard's preflight modal."""
|
|
||||||
return self.agent_provision.image
|
|
||||||
|
|
||||||
@property
|
|
||||||
def prompt_file(self) -> Path:
|
|
||||||
"""Path to the agent's prompt file on the host. Always written
|
|
||||||
(mode 0o600) so the in-VM path always exists; the file is
|
|
||||||
empty when the agent has no prompt — claude-code reads it
|
|
||||||
via --append-system-prompt-file only when non-empty."""
|
|
||||||
return self.agent_provision.prompt_file
|
|
||||||
|
|
||||||
@property
|
|
||||||
def git_gate_insteadof_host(self) -> str:
|
|
||||||
return self.agent_git_gate_host
|
|
||||||
|
|
||||||
@property
|
|
||||||
def git_gate_insteadof_scheme(self) -> str:
|
|
||||||
return "http"
|
|
||||||
|
|
||||||
@property
|
|
||||||
def agent_command(self) -> str:
|
|
||||||
return self.agent_provision.command
|
|
||||||
|
|
||||||
@property
|
|
||||||
def agent_prompt_mode(self) -> PromptMode:
|
|
||||||
return self.agent_provision.prompt_mode
|
|
||||||
|
|
||||||
@property
|
|
||||||
def agent_provider_template(self) -> str:
|
|
||||||
return self.agent_provision.template
|
|
||||||
|
|
||||||
@property
|
|
||||||
def agent_dockerfile_path(self) -> str:
|
|
||||||
return self.agent_provision.dockerfile
|
|
||||||
@@ -1,159 +0,0 @@
|
|||||||
"""Cleanup + active-listing for the smolmachines backend (issue #77).
|
|
||||||
|
|
||||||
`prepare_cleanup` enumerates leftover smolmachines resources:
|
|
||||||
|
|
||||||
- smolvm machines (`smolvm machine ls --json`) whose name starts
|
|
||||||
with `bot-bottle-`.
|
|
||||||
- bundle docker containers (`bot-bottle-sidecars-<slug>`).
|
|
||||||
- bundle docker networks (`bot-bottle-bundle-<slug>`).
|
|
||||||
|
|
||||||
State dirs live under `~/.bot-bottle/state/<identity>/` —
|
|
||||||
shared layout with the docker backend, which has the single
|
|
||||||
orphan-state-dir enumerator (it already consults
|
|
||||||
`enumerate_active_agents()` so a live smolmachines bottle's dir
|
|
||||||
is preserved).
|
|
||||||
|
|
||||||
`cleanup` removes everything in the plan: stop + delete each VM,
|
|
||||||
force-rm each container, rm each network. Each step is
|
|
||||||
best-effort — a failure on one resource doesn't block the others."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import json
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
from ...log import info, warn
|
|
||||||
from . import sidecar_bundle as _bundle
|
|
||||||
from . import smolvm as _smolvm
|
|
||||||
from .bottle_cleanup_plan import SmolmachinesBottleCleanupPlan
|
|
||||||
|
|
||||||
|
|
||||||
# Both names start with the same prefix the launcher uses.
|
|
||||||
_VM_PREFIX = "bot-bottle-"
|
|
||||||
_BUNDLE_PREFIX = _bundle.bundle_container_name("") # `bot-bottle-sidecars-`
|
|
||||||
_NETWORK_PREFIX = _bundle.bundle_network_name("") # `bot-bottle-bundle-`
|
|
||||||
|
|
||||||
|
|
||||||
def prepare_cleanup() -> SmolmachinesBottleCleanupPlan:
|
|
||||||
"""Enumerate every smolmachines-owned resource on the host.
|
|
||||||
No side effects. Returns an empty plan when smolvm isn't on
|
|
||||||
PATH (no machines to reap) — `cleanup` is a no-op in that
|
|
||||||
case too."""
|
|
||||||
machines = _list_bot_bottle_machines()
|
|
||||||
bundles = _list_bundle_containers()
|
|
||||||
networks = _list_bundle_networks()
|
|
||||||
return SmolmachinesBottleCleanupPlan(
|
|
||||||
machines=tuple(sorted(machines)),
|
|
||||||
bundles=tuple(sorted(bundles)),
|
|
||||||
networks=tuple(sorted(networks)),
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def cleanup(plan: SmolmachinesBottleCleanupPlan) -> None:
|
|
||||||
"""Remove everything in the plan. Order matters: stop VMs
|
|
||||||
first (they hold ports on lo0 aliases via libkrun), then the
|
|
||||||
bundle containers (which hold the host port-forwards), then
|
|
||||||
the networks (which docker won't reap until the containers
|
|
||||||
are gone)."""
|
|
||||||
for name in plan.machines:
|
|
||||||
info(f"stopping smolvm machine {name}")
|
|
||||||
subprocess.run(
|
|
||||||
["smolvm", "machine", "stop", "--name", name],
|
|
||||||
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
info(f"deleting smolvm machine {name}")
|
|
||||||
r = subprocess.run(
|
|
||||||
["smolvm", "machine", "delete", "-f", name],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
warn(
|
|
||||||
f"smolvm machine delete -f {name} failed: "
|
|
||||||
f"{(r.stderr or '').strip()}"
|
|
||||||
)
|
|
||||||
|
|
||||||
for name in plan.bundles:
|
|
||||||
info(f"removing bundle container {name}")
|
|
||||||
subprocess.run(
|
|
||||||
["docker", "rm", "-f", name],
|
|
||||||
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
|
|
||||||
for name in plan.networks:
|
|
||||||
info(f"removing bundle network {name}")
|
|
||||||
r = subprocess.run(
|
|
||||||
["docker", "network", "rm", name],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0 and "no such network" not in (r.stderr or "").lower():
|
|
||||||
warn(
|
|
||||||
f"docker network rm {name} failed: "
|
|
||||||
f"{(r.stderr or '').strip()}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _list_bot_bottle_machines() -> list[str]:
|
|
||||||
"""All smolvm machines named `bot-bottle-*`, regardless of
|
|
||||||
state (running / stopped / created). Empty when smolvm isn't
|
|
||||||
installed."""
|
|
||||||
if not _smolvm.is_available():
|
|
||||||
return []
|
|
||||||
r = subprocess.run(
|
|
||||||
["smolvm", "machine", "ls", "--json"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
return []
|
|
||||||
try:
|
|
||||||
machines = json.loads(r.stdout or "[]")
|
|
||||||
except json.JSONDecodeError:
|
|
||||||
return []
|
|
||||||
return [
|
|
||||||
m["name"] for m in machines
|
|
||||||
if isinstance(m, dict)
|
|
||||||
and m.get("name", "").startswith(_VM_PREFIX)
|
|
||||||
]
|
|
||||||
|
|
||||||
|
|
||||||
def _list_bundle_containers() -> list[str]:
|
|
||||||
"""All docker containers named `bot-bottle-sidecars-*`,
|
|
||||||
running or stopped. Empty when docker isn't installed."""
|
|
||||||
# Late import: `backend/__init__` imports this module
|
|
||||||
# transitively via the smolmachines backend.
|
|
||||||
from .. import has_backend
|
|
||||||
if not has_backend("docker"):
|
|
||||||
return []
|
|
||||||
r = subprocess.run(
|
|
||||||
["docker", "ps", "-a",
|
|
||||||
"--filter", f"name=^{_BUNDLE_PREFIX}",
|
|
||||||
"--format", "{{.Names}}"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
return []
|
|
||||||
return [
|
|
||||||
line for line in (r.stdout or "").splitlines()
|
|
||||||
if line and line.startswith(_BUNDLE_PREFIX)
|
|
||||||
]
|
|
||||||
|
|
||||||
|
|
||||||
def _list_bundle_networks() -> list[str]:
|
|
||||||
"""All docker networks named `bot-bottle-bundle-*`. Empty
|
|
||||||
when docker isn't installed."""
|
|
||||||
from .. import has_backend
|
|
||||||
if not has_backend("docker"):
|
|
||||||
return []
|
|
||||||
r = subprocess.run(
|
|
||||||
["docker", "network", "ls",
|
|
||||||
"--filter", f"name={_NETWORK_PREFIX}",
|
|
||||||
"--format", "{{.Name}}"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
return []
|
|
||||||
return [
|
|
||||||
line for line in (r.stdout or "").splitlines()
|
|
||||||
if line and line.startswith(_NETWORK_PREFIX)
|
|
||||||
]
|
|
||||||
@@ -1,21 +0,0 @@
|
|||||||
"""Egress apply for the smolmachines backend.
|
|
||||||
|
|
||||||
The smolmachines sidecar bundle runs as a host-side Docker container,
|
|
||||||
so egress signalling is identical to the docker backend.
|
|
||||||
"""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
from ..docker.egress_apply import ( # noqa: F401
|
|
||||||
DockerEgressApplicator,
|
|
||||||
EgressApplyError,
|
|
||||||
applicator,
|
|
||||||
fetch_current_routes,
|
|
||||||
)
|
|
||||||
|
|
||||||
__all__ = [
|
|
||||||
"DockerEgressApplicator",
|
|
||||||
"EgressApplyError",
|
|
||||||
"applicator",
|
|
||||||
"fetch_current_routes",
|
|
||||||
]
|
|
||||||
@@ -1,123 +0,0 @@
|
|||||||
"""Active-agent enumeration for the smolmachines backend (PRD
|
|
||||||
0023 chunk 4 follow-up + issue #77).
|
|
||||||
|
|
||||||
Returns a list of `ActiveAgent` records — same shape the docker
|
|
||||||
backend produces — so CLI `list active` and the dashboard agents
|
|
||||||
pane render both backends through one code path.
|
|
||||||
|
|
||||||
A smolmachines agent is "active" when its smolvm guest is
|
|
||||||
running. We cross-reference against the per-bottle sidecar
|
|
||||||
bundle container to populate the `services` field (which daemons
|
|
||||||
are up in the bundle); without a bundle we still surface the VM
|
|
||||||
so the operator can see + clean it up.
|
|
||||||
|
|
||||||
The cross-backend caller gates on `has_backend("smolmachines")`
|
|
||||||
and `has_backend("docker")`, so this module assumes both are
|
|
||||||
available when called. Both subprocess calls below still
|
|
||||||
tolerate "command not on PATH" defensively, but the gate is the
|
|
||||||
intended access pattern."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import json
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
from .. import ActiveAgent
|
|
||||||
from ...bottle_state import read_metadata
|
|
||||||
from . import sidecar_bundle as _bundle
|
|
||||||
|
|
||||||
|
|
||||||
# Smolvm VM names produced by prepare are `bot-bottle-<slug>`,
|
|
||||||
# matching the bundle container name pattern. We use the prefix
|
|
||||||
# both as a filter and to strip back to the slug.
|
|
||||||
_VM_NAME_PREFIX = "bot-bottle-"
|
|
||||||
|
|
||||||
|
|
||||||
def enumerate_active() -> list[ActiveAgent]:
|
|
||||||
"""All currently-running smolmachines-backed agents. Empty
|
|
||||||
list when no matching VMs are running. Caller is responsible
|
|
||||||
for gating on `has_backend('smolmachines')` if needed; if
|
|
||||||
smolvm is missing the `smolvm machine ls` call below returns
|
|
||||||
nothing silently."""
|
|
||||||
result = subprocess.run(
|
|
||||||
["smolvm", "machine", "ls", "--json"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
return []
|
|
||||||
try:
|
|
||||||
machines = json.loads(result.stdout or "[]")
|
|
||||||
except json.JSONDecodeError:
|
|
||||||
return []
|
|
||||||
services_by_slug = _query_bundle_services()
|
|
||||||
out: list[ActiveAgent] = []
|
|
||||||
for m in machines:
|
|
||||||
name = m.get("name") or ""
|
|
||||||
state = m.get("state") or ""
|
|
||||||
if state != "running" or not name.startswith(_VM_NAME_PREFIX):
|
|
||||||
continue
|
|
||||||
slug = name[len(_VM_NAME_PREFIX):]
|
|
||||||
metadata = read_metadata(slug)
|
|
||||||
out.append(ActiveAgent(
|
|
||||||
backend_name="smolmachines",
|
|
||||||
slug=slug,
|
|
||||||
agent_name=metadata.agent_name if metadata else "?",
|
|
||||||
started_at=metadata.started_at if metadata else "",
|
|
||||||
services=services_by_slug.get(slug, ()),
|
|
||||||
label=metadata.label if metadata else "",
|
|
||||||
color=metadata.color if metadata else "",
|
|
||||||
))
|
|
||||||
return out
|
|
||||||
|
|
||||||
|
|
||||||
def _query_bundle_services() -> dict[str, tuple[str, ...]]:
|
|
||||||
"""`{slug: ('egress', ...)}` from each running bundle container's
|
|
||||||
`BOT_BOTTLE_SIDECAR_DAEMONS` env var.
|
|
||||||
Smolmachines bundles all run the PRD-0024 image with the
|
|
||||||
same daemon set declared via env, so one inspect per bundle
|
|
||||||
gets us the picture without exec'ing into the container.
|
|
||||||
|
|
||||||
Returns an empty mapping when the docker backend isn't
|
|
||||||
available — the bundle services field on each ActiveAgent
|
|
||||||
just shows up empty, matching the docker backend's "starting"
|
|
||||||
state."""
|
|
||||||
# Late import: `has_backend` lives on the backend package's
|
|
||||||
# __init__, which imports this module transitively. Pulling
|
|
||||||
# the name in at call time sidesteps the cycle.
|
|
||||||
from .. import has_backend
|
|
||||||
if not has_backend("docker"):
|
|
||||||
return {}
|
|
||||||
ps = subprocess.run(
|
|
||||||
["docker", "ps",
|
|
||||||
"--filter", "name=" + _bundle.bundle_container_name(""),
|
|
||||||
"--format", "{{.Names}}"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if ps.returncode != 0:
|
|
||||||
return {}
|
|
||||||
out: dict[str, tuple[str, ...]] = {}
|
|
||||||
for line in (ps.stdout or "").splitlines():
|
|
||||||
name = line.strip()
|
|
||||||
if not name:
|
|
||||||
continue
|
|
||||||
slug = name.removeprefix(_bundle.bundle_container_name(""))
|
|
||||||
if not slug:
|
|
||||||
continue
|
|
||||||
inspect = subprocess.run(
|
|
||||||
["docker", "inspect", name, "--format", "{{json .Config.Env}}"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if inspect.returncode != 0:
|
|
||||||
continue
|
|
||||||
try:
|
|
||||||
env_list = json.loads(inspect.stdout or "[]")
|
|
||||||
except json.JSONDecodeError:
|
|
||||||
continue
|
|
||||||
for entry in env_list:
|
|
||||||
key, _, value = entry.partition("=")
|
|
||||||
if key == "BOT_BOTTLE_SIDECAR_DAEMONS":
|
|
||||||
out[slug] = tuple(sorted(
|
|
||||||
d for d in value.split(",") if d
|
|
||||||
))
|
|
||||||
break
|
|
||||||
return out
|
|
||||||
@@ -1,145 +0,0 @@
|
|||||||
"""SmolmachinesFreezer — snapshot a smolmachines bottle.
|
|
||||||
|
|
||||||
`smolvm pack create --from-vm` requires the VM to be stopped, and smolvm
|
|
||||||
removes VMs when stopped (same issue as Apple Container). Instead, exec
|
|
||||||
into the running VM as root to write a gzip-compressed tar of the root
|
|
||||||
filesystem to /var/tmp, then copy it to the host with `smolvm machine cp`,
|
|
||||||
build a Docker image from the archive, convert it to a smolmachine artifact
|
|
||||||
via the existing registry pipeline, and record the sidecar path. The VM
|
|
||||||
stays running throughout."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import tempfile
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
from .. import ActiveAgent
|
|
||||||
from ..freeze import Freezer
|
|
||||||
from ..docker import util as docker_mod
|
|
||||||
from .local_registry import crane_push_tarball, ephemeral_registry
|
|
||||||
from .smolvm import machine_cp, machine_exec, pack_create
|
|
||||||
from ...bottle_state import bottle_state_dir
|
|
||||||
from ...log import die, info
|
|
||||||
|
|
||||||
|
|
||||||
# Temp file written inside the VM during commit. Lives in /var/tmp
|
|
||||||
# (on-disk, unlike tmpfs /tmp) to survive for machine_cp.
|
|
||||||
_VM_COMMIT_TAR = "/var/tmp/.bot-bottle-commit.tar.gz"
|
|
||||||
|
|
||||||
|
|
||||||
class SmolmachinesFreezer(Freezer):
|
|
||||||
"""Freezes a smolmachines bottle via exec-tar + Docker image + smolmachine pack.
|
|
||||||
|
|
||||||
The VM is NOT stopped. We exec into the running VM to write a compressed
|
|
||||||
tar of the root filesystem to /var/tmp, copy it to the host with
|
|
||||||
machine_cp, build a Docker image (Docker's ADD decompresses .tar.gz
|
|
||||||
automatically), then run the same image→registry→pack_create pipeline
|
|
||||||
that _ensure_smolmachine uses for fresh builds."""
|
|
||||||
|
|
||||||
backend_name = "smolmachines"
|
|
||||||
|
|
||||||
def _freeze(self, agent: ActiveAgent) -> str:
|
|
||||||
machine = f"bot-bottle-{agent.slug}"
|
|
||||||
image_ref = f"bot-bottle-committed-{agent.slug}:latest"
|
|
||||||
output_dir = bottle_state_dir(agent.slug)
|
|
||||||
output_dir.mkdir(parents=True, exist_ok=True)
|
|
||||||
binary = output_dir / "committed-smolmachine"
|
|
||||||
sidecar = output_dir / "committed-smolmachine.smolmachine"
|
|
||||||
_snapshot_running_vm(machine, image_ref, binary)
|
|
||||||
return str(sidecar)
|
|
||||||
|
|
||||||
def _export_hint(self, slug: str, image_ref: str) -> None:
|
|
||||||
info(f"to export for migration: cp {image_ref} {slug}.smolmachine")
|
|
||||||
|
|
||||||
|
|
||||||
def _snapshot_running_vm(machine: str, image_ref: str, binary: Path) -> None:
|
|
||||||
"""Exec-tar the running VM, build a Docker image, and pack to a smolmachine.
|
|
||||||
|
|
||||||
binary: destination for the launcher (sibling .smolmachine is the artifact
|
|
||||||
that machine_create --from consumes, same convention as pack_create).
|
|
||||||
"""
|
|
||||||
with tempfile.TemporaryDirectory(prefix="bot-bottle-vm-commit.") as tmp:
|
|
||||||
tmp_path = Path(tmp)
|
|
||||||
# Use .tar.gz — Docker ADD decompresses automatically and the
|
|
||||||
# compressed archive fits in the VM's /var/tmp more easily.
|
|
||||||
rootfs_tar_gz = tmp_path / "rootfs.tar.gz"
|
|
||||||
dockerfile = tmp_path / "Dockerfile"
|
|
||||||
|
|
||||||
_exec_tar_to_file(machine, rootfs_tar_gz)
|
|
||||||
|
|
||||||
dockerfile.write_text(
|
|
||||||
"FROM scratch\n"
|
|
||||||
"ADD rootfs.tar.gz /\n"
|
|
||||||
"USER node\n"
|
|
||||||
"WORKDIR /home/node\n"
|
|
||||||
)
|
|
||||||
docker_mod.build_image(image_ref, str(tmp_path), dockerfile=str(dockerfile))
|
|
||||||
|
|
||||||
image_tarball = binary.parent / "committed.image.tar"
|
|
||||||
docker_mod.save(image_ref, str(image_tarball))
|
|
||||||
try:
|
|
||||||
with ephemeral_registry() as handle:
|
|
||||||
digest = docker_mod.image_id(image_ref).split(":", 1)[-1][:16]
|
|
||||||
push_ref = f"{handle.push_endpoint}/bot-bottle-committed:{digest}"
|
|
||||||
pack_ref = f"{handle.pull_endpoint}/bot-bottle-committed:{digest}"
|
|
||||||
crane_push_tarball(handle, str(image_tarball), push_ref)
|
|
||||||
pack_create(pack_ref, binary)
|
|
||||||
finally:
|
|
||||||
image_tarball.unlink(missing_ok=True)
|
|
||||||
|
|
||||||
|
|
||||||
def _exec_tar_to_file(machine: str, dest: Path) -> None:
|
|
||||||
"""Snapshot the running VM's root filesystem to dest (.tar.gz).
|
|
||||||
|
|
||||||
Writes a gzip-compressed tar to _VM_COMMIT_TAR inside the VM via
|
|
||||||
machine_exec (same mechanism as provisioning), then copies it to the
|
|
||||||
host with machine_cp. This avoids binary-stdout piping through the
|
|
||||||
smolvm exec channel, which does not reliably handle large binary output.
|
|
||||||
|
|
||||||
A connectivity probe (machine_exec true) runs first so a concurrent-exec
|
|
||||||
limitation (smolvm may reject a second exec while -i -t is active) is
|
|
||||||
reported clearly rather than as a silent failure."""
|
|
||||||
# Connectivity probe — if smolvm rejects concurrent exec while an
|
|
||||||
# interactive session is running, fail clearly here.
|
|
||||||
probe = machine_exec(machine, ["true"])
|
|
||||||
if probe.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"smolvm exec is not available for {machine!r} "
|
|
||||||
f"(exit {probe.returncode}: {probe.stderr.strip() or probe.stdout.strip() or '<no output>'}). "
|
|
||||||
f"If an interactive session is active, smolvm may not support concurrent exec."
|
|
||||||
)
|
|
||||||
|
|
||||||
# Create the compressed tar inside the VM.
|
|
||||||
# tar exits 1 when files change during archiving (normal for a live
|
|
||||||
# filesystem); only treat exit > 1 as fatal.
|
|
||||||
tar_result = machine_exec(
|
|
||||||
machine,
|
|
||||||
[
|
|
||||||
"tar", "--create", "--gzip",
|
|
||||||
"--exclude=./proc",
|
|
||||||
"--exclude=./sys",
|
|
||||||
"--exclude=./dev",
|
|
||||||
"--exclude=./run",
|
|
||||||
# /tmp and /var/tmp are ephemeral. Their stale contents
|
|
||||||
# (e.g. /tmp/claude-<uid>) have uid remapped by smolvm's
|
|
||||||
# pack process, causing Claude Code to refuse to use them
|
|
||||||
# on resume. Exclude both; _init_vm recreates them with
|
|
||||||
# mkdir -p + correct ownership on every boot.
|
|
||||||
"--exclude=./tmp",
|
|
||||||
"--exclude=./var/tmp",
|
|
||||||
f"--file={_VM_COMMIT_TAR}",
|
|
||||||
"--directory=/",
|
|
||||||
".",
|
|
||||||
],
|
|
||||||
)
|
|
||||||
if tar_result.returncode > 1:
|
|
||||||
die(
|
|
||||||
f"smolvm exec tar {machine!r} failed (exit {tar_result.returncode}): "
|
|
||||||
f"{tar_result.stderr.strip() or tar_result.stdout.strip() or '<no output>'}"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Copy from VM to host, then clean up.
|
|
||||||
try:
|
|
||||||
machine_cp(f"{machine}:{_VM_COMMIT_TAR}", str(dest))
|
|
||||||
finally:
|
|
||||||
machine_exec(machine, ["rm", "-f", _VM_COMMIT_TAR])
|
|
||||||
@@ -1,464 +0,0 @@
|
|||||||
"""End-to-end launch flow for the smolmachines backend
|
|
||||||
(PRD 0023 chunks 2d + 4b).
|
|
||||||
|
|
||||||
Brings up the per-bottle docker bridge + sidecar bundle (with
|
|
||||||
real daemons + their config files), creates + starts the smolvm
|
|
||||||
guest pointed at the bundle's pinned IP via TSI's
|
|
||||||
`--allow-cidr <bundle-ip>/32` allowlist, yields a
|
|
||||||
`SmolmachinesBottle` handle, tears everything down on context
|
|
||||||
exit.
|
|
||||||
|
|
||||||
The bundle's daemons consume the inner Plans the docker backend
|
|
||||||
already produces: egress reads routes + CAs from the EgressPlan.
|
|
||||||
Git-gate + supervise plumb through the same plans the docker
|
|
||||||
backend uses, minus the docker-network fields that don't apply here."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import dataclasses
|
|
||||||
import os
|
|
||||||
from contextlib import ExitStack, contextmanager
|
|
||||||
from pathlib import Path
|
|
||||||
from typing import Callable, Generator
|
|
||||||
|
|
||||||
from ...egress import (
|
|
||||||
EGRESS_ROUTES_IN_CONTAINER,
|
|
||||||
egress_agent_env_entries,
|
|
||||||
egress_resolve_token_values,
|
|
||||||
egress_sidecar_env_entries,
|
|
||||||
)
|
|
||||||
from ...supervise import QUEUE_DIR_IN_CONTAINER, SUPERVISE_PORT
|
|
||||||
from ...util import expand_tilde
|
|
||||||
from ..docker import util as docker_mod
|
|
||||||
from ..docker.egress import (
|
|
||||||
EGRESS_CA_IN_CONTAINER,
|
|
||||||
EGRESS_PORT as _EGRESS_PORT,
|
|
||||||
egress_tls_init,
|
|
||||||
)
|
|
||||||
from ..docker.git_gate import (
|
|
||||||
GIT_GATE_ACCESS_HOOK_IN_CONTAINER,
|
|
||||||
GIT_GATE_CREDS_DIR_IN_CONTAINER,
|
|
||||||
GIT_GATE_ENTRYPOINT_IN_CONTAINER,
|
|
||||||
GIT_GATE_HOOK_IN_CONTAINER,
|
|
||||||
)
|
|
||||||
from ...git_gate import revoke_git_gate_provisioned_keys
|
|
||||||
from ...log import info, warn
|
|
||||||
from ...bottle_state import (
|
|
||||||
egress_state_dir,
|
|
||||||
git_gate_state_dir,
|
|
||||||
read_committed_image,
|
|
||||||
)
|
|
||||||
from . import loopback_alias as _loopback
|
|
||||||
from . import sidecar_bundle as _bundle
|
|
||||||
from . import smolvm as _smolvm
|
|
||||||
from .bottle import SmolmachinesBottle
|
|
||||||
from .bottle_plan import SmolmachinesBottlePlan
|
|
||||||
from .local_registry import crane_push_tarball, ephemeral_registry
|
|
||||||
|
|
||||||
|
|
||||||
# Repo root, used as the `docker build` context for the agent image.
|
|
||||||
_REPO_DIR = str(Path(__file__).resolve().parent.parent.parent.parent)
|
|
||||||
|
|
||||||
|
|
||||||
# Per-host cache for `smolvm pack create` outputs. Keyed by the
|
|
||||||
# docker image ID so a Dockerfile change automatically invalidates
|
|
||||||
# the cache. `pack create` is idempotent on the smolvm side but
|
|
||||||
# takes several seconds even on a no-op rebuild.
|
|
||||||
_SMOLMACHINE_CACHE_DIR = Path.home() / ".cache" / "bot-bottle" / "smolmachines"
|
|
||||||
|
|
||||||
|
|
||||||
# Container-internal listening ports for each bundle daemon. The
|
|
||||||
# bundle publishes each one on a random host loopback port (see
|
|
||||||
# `_bundle.start_bundle`), and `_bundle.bundle_host_port` looks
|
|
||||||
# them up post-start.
|
|
||||||
_GIT_HTTP_PORT = 9420
|
|
||||||
_SUPERVISE_PORT = SUPERVISE_PORT
|
|
||||||
|
|
||||||
|
|
||||||
@contextmanager
|
|
||||||
def launch(
|
|
||||||
plan: SmolmachinesBottlePlan,
|
|
||||||
*,
|
|
||||||
provision: Callable[[SmolmachinesBottlePlan, "SmolmachinesBottle"], str | None],
|
|
||||||
) -> Generator[SmolmachinesBottle, None, None]:
|
|
||||||
"""Build + run the bottle and yield a handle; tear everything
|
|
||||||
down on exit. Errors during bringup unwind any partial state
|
|
||||||
via the ExitStack."""
|
|
||||||
stack = ExitStack()
|
|
||||||
try:
|
|
||||||
loopback_ip, network = _allocate_resources(plan, stack)
|
|
||||||
plan = _mint_certs(plan)
|
|
||||||
plan = _start_bundle(plan, network, loopback_ip, stack)
|
|
||||||
plan = _discover_urls(plan, loopback_ip)
|
|
||||||
|
|
||||||
agent_from_path = _agent_from_path(plan)
|
|
||||||
|
|
||||||
_launch_vm(plan, agent_from_path, loopback_ip, stack)
|
|
||||||
_init_vm(plan)
|
|
||||||
|
|
||||||
bottle = SmolmachinesBottle(
|
|
||||||
plan.machine_name,
|
|
||||||
prompt_path=None,
|
|
||||||
guest_env=plan.guest_env,
|
|
||||||
agent_command=plan.agent_command,
|
|
||||||
agent_prompt_mode=plan.agent_prompt_mode,
|
|
||||||
agent_provider_template=plan.agent_provider_template,
|
|
||||||
terminal_title=f"{plan.spec.label} ({plan.spec.agent_name})" if plan.spec.label else plan.spec.agent_name,
|
|
||||||
terminal_color=plan.spec.color,
|
|
||||||
agent_workdir=plan.workspace_plan.workdir,
|
|
||||||
)
|
|
||||||
bottle.prompt_path = provision(plan, bottle)
|
|
||||||
|
|
||||||
yield bottle
|
|
||||||
finally:
|
|
||||||
_teardown_smolmachines(stack, plan)
|
|
||||||
|
|
||||||
|
|
||||||
def _teardown_smolmachines(
|
|
||||||
stack: ExitStack,
|
|
||||||
plan: SmolmachinesBottlePlan,
|
|
||||||
) -> None:
|
|
||||||
"""Unwind the ExitStack, then revoke any provisioned deploy keys.
|
|
||||||
|
|
||||||
ExitStack errors are caught and logged (non-fatal) so that key
|
|
||||||
revocation always runs. Revocation errors propagate — a stranded
|
|
||||||
deploy key is a security concern the operator must address."""
|
|
||||||
teardown_exc: BaseException | None = None
|
|
||||||
try:
|
|
||||||
stack.close()
|
|
||||||
except BaseException as exc: # noqa: W0718 — teardown must not fail
|
|
||||||
teardown_exc = exc
|
|
||||||
warn(f"smolmachines teardown failed: {exc!r}")
|
|
||||||
bottle = plan.manifest.bottle
|
|
||||||
revoke_git_gate_provisioned_keys(bottle, git_gate_state_dir(plan.slug))
|
|
||||||
if teardown_exc is not None:
|
|
||||||
raise teardown_exc
|
|
||||||
|
|
||||||
|
|
||||||
def _allocate_resources(
|
|
||||||
plan: SmolmachinesBottlePlan,
|
|
||||||
stack: ExitStack,
|
|
||||||
) -> tuple[str, str]:
|
|
||||||
"""Reserve a loopback alias and create the per-bottle docker bridge.
|
|
||||||
|
|
||||||
macOS only routes 127.0.0.1 by default; the per-bottle alias
|
|
||||||
scopes TSI's allowlist to this bottle's published ports so the
|
|
||||||
agent can't reach other bottles' or host services' ports on
|
|
||||||
loopback. No-op on Linux."""
|
|
||||||
_loopback.ensure_pool()
|
|
||||||
loopback_ip = _loopback.allocate(plan.slug)
|
|
||||||
network = _bundle.bundle_network_name(plan.slug)
|
|
||||||
_bundle.create_bundle_network(network, plan.bundle_subnet, plan.bundle_gateway)
|
|
||||||
stack.callback(_bundle.remove_bundle_network, network)
|
|
||||||
return loopback_ip, network
|
|
||||||
|
|
||||||
|
|
||||||
def _mint_certs(plan: SmolmachinesBottlePlan) -> SmolmachinesBottlePlan:
|
|
||||||
"""Mint the egress MITM CA and return the plan with CA paths filled."""
|
|
||||||
egress_ca_host, egress_ca_cert_only = egress_tls_init(
|
|
||||||
egress_state_dir(plan.slug),
|
|
||||||
)
|
|
||||||
egress_plan = dataclasses.replace(
|
|
||||||
plan.egress_plan,
|
|
||||||
mitmproxy_ca_host_path=egress_ca_host,
|
|
||||||
mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
|
|
||||||
)
|
|
||||||
return dataclasses.replace(plan, egress_plan=egress_plan)
|
|
||||||
|
|
||||||
|
|
||||||
def _start_bundle(
|
|
||||||
plan: SmolmachinesBottlePlan,
|
|
||||||
network: str,
|
|
||||||
loopback_ip: str,
|
|
||||||
stack: ExitStack,
|
|
||||||
) -> SmolmachinesBottlePlan:
|
|
||||||
"""Build the BundleLaunchSpec, resolve token env, start the
|
|
||||||
sidecar bundle container, and register teardown."""
|
|
||||||
bundle_spec = _bundle_launch_spec(plan, network, loopback_ip)
|
|
||||||
token_env = _resolve_token_env(plan, dict(os.environ))
|
|
||||||
_bundle.ensure_bundle_image(bundle_spec.image)
|
|
||||||
_bundle.start_bundle(bundle_spec, env={**os.environ, **token_env})
|
|
||||||
stack.callback(_bundle.stop_bundle, plan.slug)
|
|
||||||
return plan
|
|
||||||
|
|
||||||
|
|
||||||
def _discover_urls(
|
|
||||||
plan: SmolmachinesBottlePlan,
|
|
||||||
loopback_ip: str,
|
|
||||||
) -> SmolmachinesBottlePlan:
|
|
||||||
"""Discover host-side ports for published container ports and
|
|
||||||
return the plan with URLs + guest_env stamped in.
|
|
||||||
|
|
||||||
Docker container IPs (192.168.x.x in the daemon's bridge)
|
|
||||||
aren't reachable from the smolvm guest on macOS — TSI uses
|
|
||||||
macOS networking, and macOS sees the daemon's bridge via the
|
|
||||||
published-port loopback forward only.
|
|
||||||
|
|
||||||
NO_PROXY includes the per-bottle loopback alias so the
|
|
||||||
supervise + git-gate URLs bypass HTTPS_PROXY."""
|
|
||||||
agent_facing_host_port = _bundle.bundle_host_port(
|
|
||||||
plan.slug, _EGRESS_PORT, host_ip=loopback_ip,
|
|
||||||
)
|
|
||||||
agent_proxy_url = f"http://{loopback_ip}:{agent_facing_host_port}"
|
|
||||||
|
|
||||||
agent_git_gate_host = ""
|
|
||||||
if plan.git_gate_plan.upstreams:
|
|
||||||
git_gate_host_port = _bundle.bundle_host_port(
|
|
||||||
plan.slug, _GIT_HTTP_PORT, host_ip=loopback_ip,
|
|
||||||
)
|
|
||||||
agent_git_gate_host = f"{loopback_ip}:{git_gate_host_port}"
|
|
||||||
|
|
||||||
agent_supervise_url = ""
|
|
||||||
if plan.supervise_plan is not None:
|
|
||||||
supervise_host_port = _bundle.bundle_host_port(
|
|
||||||
plan.slug, _SUPERVISE_PORT, host_ip=loopback_ip,
|
|
||||||
)
|
|
||||||
agent_supervise_url = f"http://{loopback_ip}:{supervise_host_port}/"
|
|
||||||
|
|
||||||
existing_no_proxy = plan.guest_env.get("NO_PROXY", "localhost,127.0.0.1")
|
|
||||||
no_proxy = f"{existing_no_proxy},{loopback_ip}"
|
|
||||||
guest_env = {
|
|
||||||
**plan.guest_env,
|
|
||||||
"HTTPS_PROXY": agent_proxy_url,
|
|
||||||
"HTTP_PROXY": agent_proxy_url,
|
|
||||||
"https_proxy": agent_proxy_url,
|
|
||||||
"http_proxy": agent_proxy_url,
|
|
||||||
"NO_PROXY": no_proxy,
|
|
||||||
"no_proxy": no_proxy,
|
|
||||||
}
|
|
||||||
if agent_git_gate_host:
|
|
||||||
guest_env["GIT_GATE_URL"] = f"http://{agent_git_gate_host}"
|
|
||||||
if agent_supervise_url:
|
|
||||||
guest_env["MCP_SUPERVISE_URL"] = agent_supervise_url
|
|
||||||
for entry in egress_agent_env_entries(plan.egress_plan):
|
|
||||||
name, value = entry.split("=", 1)
|
|
||||||
guest_env[name] = value
|
|
||||||
|
|
||||||
return dataclasses.replace(
|
|
||||||
plan,
|
|
||||||
guest_env=guest_env,
|
|
||||||
agent_proxy_url=agent_proxy_url,
|
|
||||||
agent_git_gate_host=agent_git_gate_host,
|
|
||||||
agent_supervise_url=agent_supervise_url,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _launch_vm(
|
|
||||||
plan: SmolmachinesBottlePlan,
|
|
||||||
agent_from_path: Path,
|
|
||||||
loopback_ip: str,
|
|
||||||
stack: ExitStack,
|
|
||||||
) -> None:
|
|
||||||
"""Create, patch, and start the smolvm VM; register teardown.
|
|
||||||
|
|
||||||
--allow-cidr is the per-bottle loopback alias so the guest can
|
|
||||||
only reach this bottle's bundle ports. force_allowlist patches
|
|
||||||
smolvm 0.8.0's silent-drop of --allow-cidr when combined with
|
|
||||||
--from. Smolfile isn't usable here — smolvm 0.8.0 makes --from
|
|
||||||
and --smolfile mutually exclusive."""
|
|
||||||
_smolvm.machine_create(
|
|
||||||
plan.machine_name,
|
|
||||||
from_path=agent_from_path,
|
|
||||||
allow_cidrs=[f"{loopback_ip}/32"],
|
|
||||||
env=plan.guest_env,
|
|
||||||
)
|
|
||||||
stack.callback(_smolvm.machine_delete, plan.machine_name)
|
|
||||||
# Workaround smolvm 0.8.0: `--allow-cidr` is silently dropped
|
|
||||||
# when combined with `--from`. Patch the persisted state DB
|
|
||||||
# before start so the booted VM's TSI actually enforces.
|
|
||||||
_loopback.force_allowlist(plan.machine_name, [f"{loopback_ip}/32"])
|
|
||||||
_smolvm.machine_start(plan.machine_name)
|
|
||||||
stack.callback(_smolvm.machine_stop, plan.machine_name)
|
|
||||||
|
|
||||||
|
|
||||||
def _init_vm(plan: SmolmachinesBottlePlan) -> None:
|
|
||||||
"""Repair filesystem ownership and wait for exec channel readiness.
|
|
||||||
|
|
||||||
Ownership repair: smolvm's pack process remaps files to the host
|
|
||||||
invoker's uid (501 on macOS). /home/node must be node:node so
|
|
||||||
Claude Code can write ~/.claude.json; /tmp + /var/tmp need root
|
|
||||||
mode 1777 so non-root processes can create per-uid scratch dirs.
|
|
||||||
All folded into one sh -c to avoid back-to-back exec calls
|
|
||||||
immediately after machine_start (libkrun exec-channel race).
|
|
||||||
|
|
||||||
mkdir -p guards: when booting from a committed snapshot, /tmp and
|
|
||||||
/var/tmp are excluded from the archive (they're ephemeral and their
|
|
||||||
stale contents would have wrong uid after smolvm's uid remap). The
|
|
||||||
directories must be created before chown/chmod can set permissions.
|
|
||||||
|
|
||||||
wait_exec_ready polls until the exec channel is ready for the
|
|
||||||
subsequent provision calls, replacing the empirical sleep."""
|
|
||||||
_smolvm.machine_exec(plan.machine_name, [
|
|
||||||
"sh", "-c",
|
|
||||||
"mkdir -p /tmp /var/tmp && "
|
|
||||||
"chown -R node:node /home/node && "
|
|
||||||
"chown root:root /tmp /var/tmp && "
|
|
||||||
"chmod 1777 /tmp /var/tmp",
|
|
||||||
])
|
|
||||||
_smolvm.wait_exec_ready(plan.machine_name)
|
|
||||||
|
|
||||||
|
|
||||||
def _bundle_launch_spec(
|
|
||||||
plan: SmolmachinesBottlePlan, network: str, loopback_ip: str,
|
|
||||||
) -> _bundle.BundleLaunchSpec:
|
|
||||||
"""Build a BundleLaunchSpec from the resolved inner Plans.
|
|
||||||
|
|
||||||
Daemons in the CSV:
|
|
||||||
- egress is always present.
|
|
||||||
- git-gate + git-http are conditional on plan.git_gate_plan.upstreams.
|
|
||||||
- supervise is conditional on plan.supervise_plan.
|
|
||||||
|
|
||||||
Env + volumes are the union of the sidecar daemons' needs, with
|
|
||||||
daemon-private values only (HTTPS_PROXY is scoped to the
|
|
||||||
egress process by egress_entrypoint.sh — see PRD 0024's bundle
|
|
||||||
bind-address PR)."""
|
|
||||||
daemons: list[str] = ["egress"]
|
|
||||||
env: list[str] = []
|
|
||||||
volumes: list[tuple[str, str, bool]] = []
|
|
||||||
|
|
||||||
# --- egress -----------------------------------------------
|
|
||||||
ep = plan.egress_plan
|
|
||||||
volumes.append((str(ep.mitmproxy_ca_host_path), EGRESS_CA_IN_CONTAINER, True))
|
|
||||||
if ep.routes:
|
|
||||||
volumes.append((str(ep.routes_path.parent), str(Path(EGRESS_ROUTES_IN_CONTAINER).parent), True))
|
|
||||||
env.extend(egress_sidecar_env_entries(ep))
|
|
||||||
|
|
||||||
# --- git-gate ---------------------------------------------
|
|
||||||
gp = plan.git_gate_plan
|
|
||||||
if gp.upstreams:
|
|
||||||
daemons += ["git-gate", "git-http"]
|
|
||||||
volumes += [
|
|
||||||
(str(gp.entrypoint_script), GIT_GATE_ENTRYPOINT_IN_CONTAINER, True),
|
|
||||||
(str(gp.hook_script), GIT_GATE_HOOK_IN_CONTAINER, True),
|
|
||||||
(str(gp.access_hook_script), GIT_GATE_ACCESS_HOOK_IN_CONTAINER, True),
|
|
||||||
]
|
|
||||||
for u in gp.upstreams:
|
|
||||||
keypath = expand_tilde(u.identity_file)
|
|
||||||
volumes.append((
|
|
||||||
keypath,
|
|
||||||
f"{GIT_GATE_CREDS_DIR_IN_CONTAINER}/{u.name}-key",
|
|
||||||
True,
|
|
||||||
))
|
|
||||||
if u.known_hosts_file:
|
|
||||||
volumes.append((
|
|
||||||
str(u.known_hosts_file),
|
|
||||||
f"{GIT_GATE_CREDS_DIR_IN_CONTAINER}/{u.name}-known_hosts",
|
|
||||||
True,
|
|
||||||
))
|
|
||||||
|
|
||||||
# --- supervise --------------------------------------------
|
|
||||||
sp = plan.supervise_plan
|
|
||||||
if sp is not None:
|
|
||||||
daemons.append("supervise")
|
|
||||||
env += [
|
|
||||||
f"SUPERVISE_BOTTLE_SLUG={plan.slug}",
|
|
||||||
f"SUPERVISE_QUEUE_DIR={QUEUE_DIR_IN_CONTAINER}",
|
|
||||||
f"SUPERVISE_PORT={SUPERVISE_PORT}",
|
|
||||||
]
|
|
||||||
volumes.append((str(sp.queue_dir), QUEUE_DIR_IN_CONTAINER, False))
|
|
||||||
|
|
||||||
# Container ports the agent reaches from the smolvm guest —
|
|
||||||
# published on host loopback so the guest can dial via TSI +
|
|
||||||
# macOS networking. Egress is always the agent's HTTP/HTTPS proxy.
|
|
||||||
ports_to_publish: list[int] = [_EGRESS_PORT]
|
|
||||||
if gp.upstreams:
|
|
||||||
ports_to_publish.append(_GIT_HTTP_PORT)
|
|
||||||
if sp is not None:
|
|
||||||
ports_to_publish.append(_SUPERVISE_PORT)
|
|
||||||
|
|
||||||
return _bundle.BundleLaunchSpec(
|
|
||||||
slug=plan.slug,
|
|
||||||
network_name=network,
|
|
||||||
subnet=plan.bundle_subnet,
|
|
||||||
gateway=plan.bundle_gateway,
|
|
||||||
bundle_ip=plan.bundle_ip,
|
|
||||||
daemons_csv=",".join(daemons),
|
|
||||||
environment=tuple(env),
|
|
||||||
volumes=tuple(volumes),
|
|
||||||
ports_to_publish=tuple(ports_to_publish),
|
|
||||||
publish_host_ip=loopback_ip,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _resolve_token_env(
|
|
||||||
plan: SmolmachinesBottlePlan, host_env: dict[str, str],
|
|
||||||
) -> dict[str, str]:
|
|
||||||
"""Resolve the egress token env-var values from the host's
|
|
||||||
environ so they reach the bundle's process env via docker's
|
|
||||||
`-e NAME` inheritance. Empty when no routes declare auth."""
|
|
||||||
effective_env = {**host_env, **plan.agent_provision.provisioned_env}
|
|
||||||
return egress_resolve_token_values(plan.egress_plan.token_env_map, effective_env)
|
|
||||||
|
|
||||||
|
|
||||||
def _agent_from_path(plan: SmolmachinesBottlePlan) -> Path:
|
|
||||||
"""Return the `.smolmachine` artifact used for `machine create --from`.
|
|
||||||
|
|
||||||
Prefer a committed VM artifact when one is recorded and still
|
|
||||||
present. If the file was removed, fall back to the normal image
|
|
||||||
build + pack cache path.
|
|
||||||
"""
|
|
||||||
committed = read_committed_image(plan.slug)
|
|
||||||
if committed:
|
|
||||||
committed_path = Path(committed)
|
|
||||||
if committed_path.is_file():
|
|
||||||
info(f"using committed smolmachine {str(committed_path)!r}")
|
|
||||||
return committed_path
|
|
||||||
|
|
||||||
# Build the agent image and pack it into a `.smolmachine`
|
|
||||||
# artifact (or hit the per-Dockerfile-digest cache). Runs here,
|
|
||||||
# not in prepare, so the docker-build output doesn't garble the
|
|
||||||
# dashboard's preflight modal.
|
|
||||||
return _ensure_smolmachine(
|
|
||||||
plan.agent_image,
|
|
||||||
dockerfile=plan.agent_dockerfile_path,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _ensure_smolmachine(image_ref: str, *, dockerfile: str = "") -> Path:
|
|
||||||
"""Build the agent docker image and convert it into a
|
|
||||||
`.smolmachine` artifact, caching the result under
|
|
||||||
`~/.cache/bot-bottle/smolmachines/` keyed by the docker image
|
|
||||||
ID (so a Dockerfile change automatically invalidates the cache).
|
|
||||||
|
|
||||||
Returns the `.smolmachine.smolmachine` sidecar path — that's
|
|
||||||
the file `machine create --from` consumes (pack create produces
|
|
||||||
a launcher binary at `.smolmachine` plus the sidecar alongside
|
|
||||||
it; the sidecar is the actual artifact).
|
|
||||||
|
|
||||||
Conversion path: `docker build` (the existing layer cache
|
|
||||||
makes no-change rebuilds cheap) → `docker save` to a tarball
|
|
||||||
→ spin up an ephemeral registry on a private docker network →
|
|
||||||
`crane push --insecure` from a one-shot container on the same
|
|
||||||
network → `smolvm pack create --image localhost:<host port>/...`
|
|
||||||
→ tear down the registry + network. The crane push detour
|
|
||||||
sidesteps the Docker-Desktop daemon's HTTPS preference for
|
|
||||||
non-loopback registries — see the `local_registry` module
|
|
||||||
docstring for the gory details.
|
|
||||||
|
|
||||||
Each pack-create costs several seconds even on a hot cache,
|
|
||||||
so we skip the whole pipeline when the cached sidecar is
|
|
||||||
already on disk for this image ID."""
|
|
||||||
_SMOLMACHINE_CACHE_DIR.mkdir(parents=True, exist_ok=True)
|
|
||||||
docker_mod.build_image(image_ref, _REPO_DIR, dockerfile=dockerfile)
|
|
||||||
# `sha256:abcd...` -> `abcd...` first 16 chars: short enough to
|
|
||||||
# keep filenames manageable, long enough to make collisions
|
|
||||||
# astronomically unlikely.
|
|
||||||
digest = docker_mod.image_id(image_ref).split(":", 1)[-1][:16]
|
|
||||||
binary = _SMOLMACHINE_CACHE_DIR / f"{digest}.smolmachine"
|
|
||||||
sidecar = _SMOLMACHINE_CACHE_DIR / f"{digest}.smolmachine.smolmachine"
|
|
||||||
if sidecar.is_file():
|
|
||||||
return sidecar
|
|
||||||
tarball = _SMOLMACHINE_CACHE_DIR / f"{digest}.image.tar"
|
|
||||||
docker_mod.save(image_ref, str(tarball))
|
|
||||||
try:
|
|
||||||
with ephemeral_registry() as handle:
|
|
||||||
push_ref = f"{handle.push_endpoint}/bot-bottle:{digest}"
|
|
||||||
pack_ref = f"{handle.pull_endpoint}/bot-bottle:{digest}"
|
|
||||||
crane_push_tarball(handle, str(tarball), push_ref)
|
|
||||||
_smolvm.pack_create(pack_ref, binary)
|
|
||||||
finally:
|
|
||||||
# Tarball is ~500MB-1GB for the agent image; reclaim once
|
|
||||||
# the smolmachine artifact exists. The artifact itself is
|
|
||||||
# the long-lived cache entry.
|
|
||||||
tarball.unlink(missing_ok=True)
|
|
||||||
return sidecar
|
|
||||||
@@ -1,236 +0,0 @@
|
|||||||
"""Ephemeral local OCI registry for the smolmachines agent-image
|
|
||||||
conversion path (PRD 0023 chunk 4c).
|
|
||||||
|
|
||||||
`smolvm pack create --image <ref>` only accepts OCI registry refs
|
|
||||||
— it can't read the local docker daemon's image cache, an OCI
|
|
||||||
layout directory, or a `docker save` tarball. To convert the
|
|
||||||
agent's Dockerfile-built image into a `.smolmachine` artifact we
|
|
||||||
spin up a short-lived `registry:2.8.3` container alongside a
|
|
||||||
`crane` helper container on a private docker network, push via
|
|
||||||
`crane push --insecure <tarball> <registry-container>:5000/...`,
|
|
||||||
and let smolvm pull from the registry's published host port. The
|
|
||||||
network + both containers are torn down after the pack completes.
|
|
||||||
|
|
||||||
Why this two-container dance instead of plain `docker push`:
|
|
||||||
- Docker Desktop's daemon runs in its own Linux VM, so its
|
|
||||||
`localhost` is not the host's loopback. A registry bound to
|
|
||||||
the host's 127.0.0.1 is unreachable from the daemon side.
|
|
||||||
- `host.docker.internal` is reachable from the daemon but isn't
|
|
||||||
in Docker's default insecure-registries CIDRs (only `::1/128`
|
|
||||||
and `127.0.0.0/8` are), so `docker push` to it tries HTTPS,
|
|
||||||
hits a plain-HTTP registry, and dies with
|
|
||||||
`http: server gave HTTP response to HTTPS client`. Adding
|
|
||||||
`host.docker.internal` to daemon.json works but is a one-time
|
|
||||||
manual step the user has to do in Docker Desktop's UI.
|
|
||||||
- Going through a docker network sidesteps the host-vs-daemon
|
|
||||||
loopback mismatch (crane and registry containers see each
|
|
||||||
other on the network) AND the HTTPS preference (crane has an
|
|
||||||
`--insecure` flag that forces plain HTTP).
|
|
||||||
|
|
||||||
The registry is also published on a random host port so smolvm
|
|
||||||
— a host process — can pull from `localhost:<port>` via Docker's
|
|
||||||
port-forward. smolvm's bundled crane auto-falls-back to HTTP for
|
|
||||||
localhost addresses, so no insecure-registries config is needed
|
|
||||||
on that side either."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import os
|
|
||||||
import socket
|
|
||||||
import subprocess
|
|
||||||
import time
|
|
||||||
import uuid
|
|
||||||
from contextlib import contextmanager
|
|
||||||
from dataclasses import dataclass
|
|
||||||
from typing import Generator
|
|
||||||
|
|
||||||
from ...log import die
|
|
||||||
|
|
||||||
|
|
||||||
# registry:2.8.3, pinned by digest. Same env-override pattern as the
|
|
||||||
# sidecar image pin in bot_bottle/backend/docker/sidecar_bundle.py.
|
|
||||||
REGISTRY_IMAGE = os.environ.get(
|
|
||||||
"BOT_BOTTLE_REGISTRY_IMAGE",
|
|
||||||
"registry@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373",
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
# gcr.io/go-containerregistry/crane:latest, pinned by digest. ~10MB,
|
|
||||||
# stable upstream from Google; we only invoke `crane push --insecure`
|
|
||||||
# against a localhost-equivalent registry, so the trust surface is
|
|
||||||
# narrow.
|
|
||||||
CRANE_IMAGE = os.environ.get(
|
|
||||||
"BOT_BOTTLE_CRANE_IMAGE",
|
|
||||||
(
|
|
||||||
"gcr.io/go-containerregistry/crane@sha256:"
|
|
||||||
"0ae17ecb34315aa7cbff28f6eddee3b7adae0b2f90101260d990804db1eb0084"
|
|
||||||
),
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
# Internal port the registry binds to inside its container — fixed
|
|
||||||
# by the registry:2 image. The host-side mapping is random.
|
|
||||||
_REGISTRY_CONTAINER_PORT = "5000"
|
|
||||||
|
|
||||||
|
|
||||||
# How long to wait for the registry's HTTP layer to bind before
|
|
||||||
# giving up. Two seconds is empirically enough; 10s leaves headroom
|
|
||||||
# for slow CI runners without making the failure mode chatty.
|
|
||||||
_READY_TIMEOUT_S = 10.0
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass(frozen=True)
|
|
||||||
class RegistryHandle:
|
|
||||||
"""Everything callers need to push to + pull from the ephemeral
|
|
||||||
registry.
|
|
||||||
|
|
||||||
`network` is the per-session docker network — a `crane push`
|
|
||||||
container has to join it to reach the registry by name.
|
|
||||||
`push_endpoint` is the `<host>:<port>` form to embed in image
|
|
||||||
refs given to the crane push container (resolves via docker
|
|
||||||
network DNS). `pull_endpoint` is the `<host>:<port>` form a
|
|
||||||
host process (smolvm) uses; the registry's host port mapping
|
|
||||||
backs this."""
|
|
||||||
|
|
||||||
network: str
|
|
||||||
push_endpoint: str
|
|
||||||
pull_endpoint: str
|
|
||||||
|
|
||||||
|
|
||||||
@contextmanager
|
|
||||||
def ephemeral_registry() -> Generator[RegistryHandle, None, None]:
|
|
||||||
"""Bring up a per-session docker network + a `registry:2.8.3`
|
|
||||||
container on it (published on a random host port), yield a
|
|
||||||
`RegistryHandle`, force-remove both on exit.
|
|
||||||
|
|
||||||
The container is started with `--rm` so a clean exit cleans up
|
|
||||||
on its own; the `finally` block force-removes on abnormal exit
|
|
||||||
(the calling process crashes between yield and close)."""
|
|
||||||
session_id = uuid.uuid4().hex[:12]
|
|
||||||
network = f"bot-bottle-registry-net-{session_id}"
|
|
||||||
registry_name = f"bot-bottle-registry-{session_id}"
|
|
||||||
|
|
||||||
subprocess.run(
|
|
||||||
["docker", "network", "create", network],
|
|
||||||
check=True,
|
|
||||||
capture_output=True,
|
|
||||||
)
|
|
||||||
try:
|
|
||||||
subprocess.run(
|
|
||||||
[
|
|
||||||
"docker", "run", "-d", "--rm",
|
|
||||||
"--name", registry_name,
|
|
||||||
"--network", network,
|
|
||||||
# `-p :5000` (no IP prefix) binds the container's
|
|
||||||
# port 5000 on a random host port across all
|
|
||||||
# interfaces. The host side reaches the registry
|
|
||||||
# via this port — smolvm's `pack create` pulls from
|
|
||||||
# `localhost:<port>` and the docker port-forward
|
|
||||||
# routes there.
|
|
||||||
"-p", _REGISTRY_CONTAINER_PORT,
|
|
||||||
REGISTRY_IMAGE,
|
|
||||||
],
|
|
||||||
check=True,
|
|
||||||
capture_output=True,
|
|
||||||
)
|
|
||||||
try:
|
|
||||||
port = _host_port(registry_name)
|
|
||||||
_wait_ready(port)
|
|
||||||
yield RegistryHandle(
|
|
||||||
network=network,
|
|
||||||
push_endpoint=f"{registry_name}:{_REGISTRY_CONTAINER_PORT}",
|
|
||||||
pull_endpoint=f"localhost:{port}",
|
|
||||||
)
|
|
||||||
finally:
|
|
||||||
subprocess.run(
|
|
||||||
["docker", "rm", "-f", registry_name],
|
|
||||||
check=False,
|
|
||||||
capture_output=True,
|
|
||||||
)
|
|
||||||
finally:
|
|
||||||
subprocess.run(
|
|
||||||
["docker", "network", "rm", network],
|
|
||||||
check=False,
|
|
||||||
capture_output=True,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def crane_push_tarball(handle: RegistryHandle, tarball_path: str, ref: str) -> None:
|
|
||||||
"""Run `crane push --insecure <tarball> <ref>` inside a one-shot
|
|
||||||
container on the registry's docker network. `ref` should
|
|
||||||
reference the registry by `handle.push_endpoint` so the crane
|
|
||||||
container resolves it via docker network DNS.
|
|
||||||
|
|
||||||
Doesn't go through `docker push` to avoid the Docker-Desktop
|
|
||||||
daemon's HTTPS preference for non-loopback hostnames — crane's
|
|
||||||
`--insecure` flag forces plain HTTP, which is what the
|
|
||||||
registry container speaks."""
|
|
||||||
r = subprocess.run(
|
|
||||||
[
|
|
||||||
"docker", "run", "--rm",
|
|
||||||
"--network", handle.network,
|
|
||||||
"-v", f"{tarball_path}:/img.tar:ro",
|
|
||||||
CRANE_IMAGE,
|
|
||||||
"push", "--insecure", "/img.tar", ref,
|
|
||||||
],
|
|
||||||
capture_output=True,
|
|
||||||
text=True,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"crane push of {tarball_path!r} to {ref!r} failed: "
|
|
||||||
f"{(r.stderr or r.stdout or '').strip() or '<no output>'}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _host_port(name: str) -> int:
|
|
||||||
"""Resolve the host-side port docker mapped to the registry's
|
|
||||||
container port. `docker port <name> 5000/tcp` returns one or
|
|
||||||
more `host:port` lines (one per address family) — we take the
|
|
||||||
first."""
|
|
||||||
r = subprocess.run(
|
|
||||||
["docker", "port", name, f"{_REGISTRY_CONTAINER_PORT}/tcp"],
|
|
||||||
capture_output=True,
|
|
||||||
text=True,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
if r.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"docker port {name} {_REGISTRY_CONTAINER_PORT}/tcp failed: "
|
|
||||||
f"{(r.stderr or '').strip() or '<no stderr>'}"
|
|
||||||
)
|
|
||||||
# `0.0.0.0:54321\n[::]:54321\n` — split on the last colon to
|
|
||||||
# handle either IPv4 or IPv6 host syntax.
|
|
||||||
line = (r.stdout or "").splitlines()[0].strip()
|
|
||||||
_, _, port_str = line.rpartition(":")
|
|
||||||
try:
|
|
||||||
return int(port_str)
|
|
||||||
except ValueError:
|
|
||||||
die(f"unexpected `docker port` output: {line!r}")
|
|
||||||
|
|
||||||
|
|
||||||
def _wait_ready(port: int) -> None:
|
|
||||||
"""Block until the registry's HTTP layer accepts a TCP
|
|
||||||
connection on `127.0.0.1:<port>`, or `_READY_TIMEOUT_S`
|
|
||||||
elapses.
|
|
||||||
|
|
||||||
A successful TCP connect is sufficient — registry:2.8.3 binds
|
|
||||||
after it's ready to serve `/v2/` requests, so the push that
|
|
||||||
follows will land on a working server. We probe loopback
|
|
||||||
specifically (not via the docker network) because this helper
|
|
||||||
runs on the host."""
|
|
||||||
deadline = time.monotonic() + _READY_TIMEOUT_S
|
|
||||||
last_err: Exception | None = None
|
|
||||||
while time.monotonic() < deadline:
|
|
||||||
try:
|
|
||||||
with socket.create_connection(("127.0.0.1", port), timeout=0.5):
|
|
||||||
return
|
|
||||||
except OSError as e:
|
|
||||||
last_err = e
|
|
||||||
time.sleep(0.1)
|
|
||||||
die(
|
|
||||||
f"local registry on 127.0.0.1:{port} did not accept "
|
|
||||||
f"connections within {_READY_TIMEOUT_S:.0f}s "
|
|
||||||
f"(last error: {last_err})"
|
|
||||||
)
|
|
||||||
@@ -1,272 +0,0 @@
|
|||||||
"""Per-bottle loopback alias allocation + TSI allowlist
|
|
||||||
enforcement (PRD 0023, follow-up to PR #74).
|
|
||||||
|
|
||||||
After the pivot to host-loopback port-forwards, the smolmachines
|
|
||||||
TSI allowlist was `127.0.0.1/32` — which meant the agent VM could
|
|
||||||
reach **any** service bound to macOS's loopback, not just the
|
|
||||||
bundle's published ports. Real downgrade from the docker
|
|
||||||
backend's `--internal` network isolation.
|
|
||||||
|
|
||||||
This module narrows the allowlist by allocating each bottle a
|
|
||||||
unique loopback alias (`127.0.0.16` .. `127.0.0.31`). The
|
|
||||||
bundle's port-forwards bind to that alias, and the alias's /32
|
|
||||||
is what TSI allows.
|
|
||||||
|
|
||||||
**Smolvm 0.8.0 quirk + workaround.** `smolvm machine create
|
|
||||||
--from <smolmachine> --net --allow-cidr X/32` silently drops the
|
|
||||||
flag — verified empirically that the agent process's allowlist
|
|
||||||
ends up `null` in smolvm's persistent state DB (`~/Library/
|
|
||||||
Application Support/smolvm/server/smolvm.db`, `vms` table,
|
|
||||||
`data` BLOB), and the booted VM reaches all of `127.0.0.0/8`
|
|
||||||
regardless of what we passed. Workaround: after machine_create,
|
|
||||||
open the SQLite DB and patch the row's `allowed_cidrs` field
|
|
||||||
directly. Smolvm reads the DB at machine_start, so the patched
|
|
||||||
value takes effect on boot. Tested: enforcement is real — the
|
|
||||||
guest's connect to a non-allowlisted IP fails with `Permission
|
|
||||||
denied`. Other paths we tried (machine update, stop-edit-
|
|
||||||
agent.config.json-restart, --smolfile, --image localhost:N/...)
|
|
||||||
were dead ends.
|
|
||||||
|
|
||||||
macOS only configures `127.0.0.1` on `lo0` by default; the
|
|
||||||
additional aliases require `sudo ifconfig lo0 alias`. We lazily
|
|
||||||
sudo-add the missing pool on first use per boot — the aliases
|
|
||||||
persist on `lo0` until reboot, so subsequent launches don't
|
|
||||||
prompt.
|
|
||||||
|
|
||||||
Linux native daemons share the host's network namespace; the
|
|
||||||
whole `127.0.0.0/8` is reachable by default and aliases are
|
|
||||||
unnecessary. The pool logic detects native-Linux and skips sudo
|
|
||||||
entirely; the DB patch is also gated on macOS.
|
|
||||||
|
|
||||||
Allocation is coordinated by inspecting running bundle
|
|
||||||
containers' published host IPs — each bottle's bundle owns the
|
|
||||||
alias appearing in its port bindings. The lowest-numbered free
|
|
||||||
alias gets handed to a new bottle."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import fcntl
|
|
||||||
import json
|
|
||||||
import platform
|
|
||||||
import re
|
|
||||||
import sqlite3
|
|
||||||
import subprocess
|
|
||||||
from pathlib import Path
|
|
||||||
from typing import Iterable
|
|
||||||
|
|
||||||
from ...log import die, info
|
|
||||||
|
|
||||||
|
|
||||||
# smolvm's persistent VM state on macOS — a SQLite DB whose `vms`
|
|
||||||
# table holds one JSON BLOB per machine. The Linux path is
|
|
||||||
# different, but smolmachines is macOS-only in v1 (PRD 0023) so
|
|
||||||
# we hard-code this. If the file moves under us we'll see a
|
|
||||||
# clear FileNotFoundError; not worth defensive cross-platform
|
|
||||||
# detection until the backend actually needs Linux.
|
|
||||||
_SMOLVM_DB_PATH = (
|
|
||||||
Path.home()
|
|
||||||
/ "Library"
|
|
||||||
/ "Application Support"
|
|
||||||
/ "smolvm"
|
|
||||||
/ "server"
|
|
||||||
/ "smolvm.db"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
# Sixteen aliases by default. Tunable for hosts that want more
|
|
||||||
# concurrent bottles (each bottle reserves one alias for its
|
|
||||||
# bundle bringup). The range is chosen to avoid the reserved
|
|
||||||
# 127.0.0.1/2/3 ports (1 is the default, 2 is sometimes used by
|
|
||||||
# CUPS, 3 by other macOS services) and stay well clear of
|
|
||||||
# 127.0.0.53 (systemd-resolved) and 127.0.0.54 (libvirt).
|
|
||||||
_POOL_START = 16
|
|
||||||
_POOL_END = 31 # inclusive
|
|
||||||
|
|
||||||
|
|
||||||
# File lock that serialises concurrent allocate() calls so two
|
|
||||||
# simultaneous launches can't read the same docker state and claim
|
|
||||||
# the same alias. Narrowed to the allocate() call itself; docker run
|
|
||||||
# runs after the lock is released. Once the container is running it
|
|
||||||
# appears in docker state and future allocate() calls will see it.
|
|
||||||
_ALLOC_LOCK_PATH = Path.home() / ".cache" / "bot-bottle" / "smolmachines.lock"
|
|
||||||
|
|
||||||
|
|
||||||
# Loopback aliases pool: 127.0.0.<start>..127.0.0.<end>.
|
|
||||||
def _pool_addresses() -> list[str]:
|
|
||||||
return [f"127.0.0.{i}" for i in range(_POOL_START, _POOL_END + 1)]
|
|
||||||
|
|
||||||
|
|
||||||
def _is_macos() -> bool:
|
|
||||||
return platform.system() == "Darwin"
|
|
||||||
|
|
||||||
|
|
||||||
def ensure_pool() -> None:
|
|
||||||
"""Make sure each address in the pool is up on `lo0`. Lazily
|
|
||||||
runs `sudo ifconfig lo0 alias <ip>/32 up` for missing entries
|
|
||||||
(sudo prompts once, then the aliases persist on lo0 until
|
|
||||||
reboot). No-op on non-macOS hosts."""
|
|
||||||
if not _is_macos():
|
|
||||||
return
|
|
||||||
missing = [ip for ip in _pool_addresses() if not _alias_present(ip)]
|
|
||||||
if not missing:
|
|
||||||
return
|
|
||||||
info(
|
|
||||||
f"smolmachines needs {len(missing)} loopback alias(es) on lo0 "
|
|
||||||
f"({', '.join(missing[:3])}{', ...' if len(missing) > 3 else ''}) "
|
|
||||||
f"to scope per-bottle TSI allowlists. sudo will prompt once; "
|
|
||||||
f"aliases persist until reboot."
|
|
||||||
)
|
|
||||||
for ip in missing:
|
|
||||||
result = subprocess.run(
|
|
||||||
["sudo", "-p", "bot-bottle (loopback alias): ",
|
|
||||||
"ifconfig", "lo0", "alias", f"{ip}/32", "up"],
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"sudo ifconfig lo0 alias {ip} failed (exit "
|
|
||||||
f"{result.returncode}). Re-run with sudo available, "
|
|
||||||
f"or add manually: sudo ifconfig lo0 alias {ip}/32 up"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def force_allowlist(machine_name: str, allowed_cidrs: list[str]) -> None:
|
|
||||||
"""Patch smolvm's persistent VM-state DB to set the machine's
|
|
||||||
`allowed_cidrs` to the given list. Workaround for smolvm
|
|
||||||
0.8.0's silent-drop of `--allow-cidr` when used with `--from`.
|
|
||||||
|
|
||||||
Must run AFTER `smolvm machine create` (the row has to
|
|
||||||
exist) and BEFORE `smolvm machine start` (smolvm reads the
|
|
||||||
row on start; in-flight VMs don't pick up changes). Once
|
|
||||||
smolvm honors the CLI flag upstream this whole function is
|
|
||||||
redundant — flag-respecting create + remove this call from
|
|
||||||
launch.
|
|
||||||
|
|
||||||
No-op on non-macOS — the DB path differs and the Linux
|
|
||||||
smolmachines code path isn't exercised in v1."""
|
|
||||||
if not _is_macos():
|
|
||||||
return
|
|
||||||
if not _SMOLVM_DB_PATH.is_file():
|
|
||||||
die(
|
|
||||||
f"smolvm state DB not found at {_SMOLVM_DB_PATH}. "
|
|
||||||
f"smolvm 0.8.0 expected? `smolvm --version` to check."
|
|
||||||
)
|
|
||||||
con = sqlite3.connect(str(_SMOLVM_DB_PATH))
|
|
||||||
try:
|
|
||||||
cur = con.cursor()
|
|
||||||
row = cur.execute(
|
|
||||||
"SELECT data FROM vms WHERE name = ?", (machine_name,),
|
|
||||||
).fetchone()
|
|
||||||
if row is None:
|
|
||||||
die(
|
|
||||||
f"smolvm DB has no row for machine {machine_name!r} — "
|
|
||||||
f"machine_create must run before force_allowlist."
|
|
||||||
)
|
|
||||||
cfg = json.loads(row[0])
|
|
||||||
cfg["allowed_cidrs"] = list(allowed_cidrs)
|
|
||||||
# Write as BLOB (the column type smolvm uses) — passing a
|
|
||||||
# plain str makes sqlite store it as Text and smolvm then
|
|
||||||
# fails to read it.
|
|
||||||
cur.execute(
|
|
||||||
"UPDATE vms SET data = ? WHERE name = ?",
|
|
||||||
(sqlite3.Binary(json.dumps(cfg).encode()), machine_name),
|
|
||||||
)
|
|
||||||
con.commit()
|
|
||||||
finally:
|
|
||||||
con.close()
|
|
||||||
|
|
||||||
|
|
||||||
def allocate(_slug: str) -> str:
|
|
||||||
"""Pick the lowest-numbered alias from the pool not already
|
|
||||||
in use by a running smolmachines bundle. Bails when the pool
|
|
||||||
is exhausted — the caller should report the limit to the
|
|
||||||
operator. `_slug` is logged for traceability; not otherwise
|
|
||||||
used (no on-disk reservation, allocation is purely
|
|
||||||
docker-state-driven).
|
|
||||||
|
|
||||||
On non-macOS the whole `127.0.0.0/8` is loopback by default;
|
|
||||||
`127.0.0.1` is fine to share and we skip the alias dance.
|
|
||||||
This still returns a deterministic address so launch.py's
|
|
||||||
callers don't have to branch on platform.
|
|
||||||
|
|
||||||
An exclusive file lock serialises concurrent calls so two
|
|
||||||
simultaneous launches don't read the same docker state and
|
|
||||||
claim the same alias."""
|
|
||||||
if not _is_macos():
|
|
||||||
return "127.0.0.1"
|
|
||||||
_ALLOC_LOCK_PATH.parent.mkdir(parents=True, exist_ok=True)
|
|
||||||
with open(_ALLOC_LOCK_PATH, "w", encoding="utf-8") as lf:
|
|
||||||
fcntl.flock(lf, fcntl.LOCK_EX)
|
|
||||||
return _allocate_locked()
|
|
||||||
|
|
||||||
|
|
||||||
def _allocate_locked() -> str:
|
|
||||||
in_use = _aliases_in_use()
|
|
||||||
for ip in _pool_addresses():
|
|
||||||
if ip not in in_use:
|
|
||||||
return ip
|
|
||||||
die(
|
|
||||||
f"smolmachines loopback alias pool exhausted "
|
|
||||||
f"({_POOL_END - _POOL_START + 1} aliases, all in use). "
|
|
||||||
f"Stop a running bottle (`smolvm machine ls --json`) or "
|
|
||||||
f"raise _POOL_END in loopback_alias.py."
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _alias_present(ip: str) -> bool:
|
|
||||||
"""True iff `ifconfig lo0` shows `<ip>` as an inet address.
|
|
||||||
Exact-match — `127.0.0.1` shouldn't match `127.0.0.16`."""
|
|
||||||
result = subprocess.run(
|
|
||||||
["/sbin/ifconfig", "lo0"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
return False
|
|
||||||
pattern = re.compile(rf"\binet {re.escape(ip)}\b")
|
|
||||||
return bool(pattern.search(result.stdout or ""))
|
|
||||||
|
|
||||||
|
|
||||||
def _aliases_in_use() -> set[str]:
|
|
||||||
"""Aliases already bound by another smolmachines bundle's
|
|
||||||
published-port mappings. We inspect every container whose
|
|
||||||
name matches the smolmachines bundle prefix and pull the
|
|
||||||
`HostIp` out of its port bindings."""
|
|
||||||
result = subprocess.run(
|
|
||||||
["docker", "ps", "--format", "{{.Names}}",
|
|
||||||
"--filter", "name=bot-bottle-sidecars-"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
return set()
|
|
||||||
names = [n.strip() for n in (result.stdout or "").splitlines() if n.strip()]
|
|
||||||
in_use: set[str] = set()
|
|
||||||
for name in names:
|
|
||||||
in_use.update(_host_ips_for_container(name))
|
|
||||||
return in_use
|
|
||||||
|
|
||||||
|
|
||||||
def _host_ips_for_container(name: str) -> Iterable[str]:
|
|
||||||
"""Yield the `HostIp` values across all port bindings on
|
|
||||||
container `name`. A bundle binds three or four ports and
|
|
||||||
they all share the same HostIp, so callers can take any."""
|
|
||||||
result = subprocess.run(
|
|
||||||
["docker", "inspect", name,
|
|
||||||
"--format", "{{json .HostConfig.PortBindings}}"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
return ()
|
|
||||||
try:
|
|
||||||
bindings = json.loads(result.stdout or "{}")
|
|
||||||
except json.JSONDecodeError:
|
|
||||||
return ()
|
|
||||||
seen: set[str] = set()
|
|
||||||
for _port, mappings in (bindings or {}).items():
|
|
||||||
for m in mappings or []:
|
|
||||||
host_ip = m.get("HostIp") or ""
|
|
||||||
if host_ip:
|
|
||||||
seen.add(host_ip)
|
|
||||||
return seen
|
|
||||||
|
|
||||||
|
|
||||||
__all__ = ["allocate", "ensure_pool", "force_allowlist"]
|
|
||||||
@@ -1,12 +0,0 @@
|
|||||||
"""Backend-infrastructure provisioners for the smolmachines backend.
|
|
||||||
|
|
||||||
Per PRD 0050 the per-provider provisioning steps (prompt, skills,
|
|
||||||
declarative provision-plan apply, supervise MCP registration) live on
|
|
||||||
the `AgentProvider` plugin under `bot_bottle/contrib/`. CA and git
|
|
||||||
provisioning also moved to the AgentProvider ABC (with Debian/node
|
|
||||||
defaults); user plugins override them for non-standard images.
|
|
||||||
|
|
||||||
No modules remain in this subpackage. Workspace copying now runs
|
|
||||||
through `BottleBackend.provision_workspace` against the running
|
|
||||||
bottle for every backend.
|
|
||||||
"""
|
|
||||||
@@ -1,151 +0,0 @@
|
|||||||
"""Host-side SIGWINCH → in-VM PTY resize bridge (issue #82).
|
|
||||||
|
|
||||||
smolvm 0.8.0 `machine exec -t` allocates an in-VM PTY but never
|
|
||||||
forwards the host terminal's window size (TIOCSWINSZ) to it. The
|
|
||||||
PTY's initial size is `0 0`, and any host-side resize during the
|
|
||||||
session goes unnoticed — the in-VM claude TUI keeps rendering for
|
|
||||||
whatever (typically tiny) box it last saw, ignoring the operator's
|
|
||||||
tmux pane resize. `docker exec -it` does this forwarding
|
|
||||||
automatically; smolvm doesn't.
|
|
||||||
|
|
||||||
This module wraps `smolvm machine exec` with a thin parent
|
|
||||||
process that:
|
|
||||||
|
|
||||||
1. Spawns the original argv as a child (it gets the inherited
|
|
||||||
TTY, so claude's stdin/stdout/stderr work unchanged).
|
|
||||||
2. On startup + every host SIGWINCH, reads the host terminal
|
|
||||||
size via TIOCGWINSZ on stdin (or stderr if stdin isn't a
|
|
||||||
TTY — tmux respawn-pane gives us a TTY on stdout/stderr)
|
|
||||||
and pushes it into the VM with a side-channel
|
|
||||||
`smolvm machine exec -- sh -c 'for f in /dev/pts/*; do
|
|
||||||
stty -F $f cols X rows Y; done'`. The kernel delivers
|
|
||||||
SIGWINCH to the foreground process group on the slave end
|
|
||||||
automatically, so claude picks up the new size without
|
|
||||||
extra signalling.
|
|
||||||
3. Waits on the child and exits with its returncode.
|
|
||||||
|
|
||||||
The dashboard's tmux pane respawn calls `bottle.agent_argv`
|
|
||||||
which now prepends `[sys.executable, -m, ..., <machine>, --, ...]`
|
|
||||||
to the smolvm argv. Foreground handoff (curses endwin →
|
|
||||||
subprocess.run) goes through the same path so behavior is
|
|
||||||
identical.
|
|
||||||
|
|
||||||
Removable once smolvm grows native SIGWINCH forwarding (upstream
|
|
||||||
follow-up tracked separately)."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import fcntl
|
|
||||||
import signal
|
|
||||||
import struct
|
|
||||||
import subprocess
|
|
||||||
import sys
|
|
||||||
import termios
|
|
||||||
import threading
|
|
||||||
from types import FrameType
|
|
||||||
|
|
||||||
|
|
||||||
# How long to wait after the main exec starts before pushing the
|
|
||||||
# initial size. Concurrent `smolvm machine exec` invocations race
|
|
||||||
# libkrun's per-exec OCI config write during the main exec's
|
|
||||||
# bringup window; the side-channel firing immediately corrupts
|
|
||||||
# `config.json` and the main exec dies with SIGKILL (rc=137) or
|
|
||||||
# libkrun's "parse error: trailing garbage" depending on
|
|
||||||
# scheduling. Two seconds is well past the bringup window on a
|
|
||||||
# warm VM, well under the operator's "this is unresponsive"
|
|
||||||
# threshold, and short enough that claude's initial render
|
|
||||||
# almost always fires after the size has been set.
|
|
||||||
_STARTUP_SYNC_DELAY_SEC = 2.0
|
|
||||||
|
|
||||||
|
|
||||||
def _read_winsize() -> tuple[int, int] | None:
|
|
||||||
"""Return `(rows, cols)` from whichever of stdin / stdout /
|
|
||||||
stderr is a TTY, or None if none are. Different invocation
|
|
||||||
surfaces give us different TTYs:
|
|
||||||
|
|
||||||
- foreground handoff (curses endwin → subprocess.run): all
|
|
||||||
three are the operator's terminal.
|
|
||||||
- tmux respawn-pane: tmux sets all three to the pane's PTY.
|
|
||||||
- non-TTY (someone piped stdin in tests): none are; the
|
|
||||||
sync just no-ops, which is the right behavior."""
|
|
||||||
for stream in (sys.stdin, sys.stdout, sys.stderr):
|
|
||||||
try:
|
|
||||||
fd = stream.fileno()
|
|
||||||
data = fcntl.ioctl(fd, termios.TIOCGWINSZ, b"\x00" * 8)
|
|
||||||
except OSError:
|
|
||||||
continue
|
|
||||||
rows, cols, _, _ = struct.unpack("hhhh", data)
|
|
||||||
if rows > 0 and cols > 0:
|
|
||||||
return rows, cols
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
def _push_size(machine: str, rows: int, cols: int) -> None:
|
|
||||||
"""Side-channel `smolvm machine exec` that sets the size of
|
|
||||||
every PTY in the VM. The shell `for` loop covers the case of
|
|
||||||
multiple concurrent interactive sessions (rare but cheap to
|
|
||||||
handle); `stty -F` returns silently on PTYs that don't apply.
|
|
||||||
|
|
||||||
Best-effort: swallow failures. A failed resize doesn't break
|
|
||||||
the session — it just leaves the in-VM PTY at its old size.
|
|
||||||
|
|
||||||
`stdin=DEVNULL` is load-bearing: under tmux, inheriting the
|
|
||||||
pane PTY here means two concurrent smolvm processes (this one
|
|
||||||
and the agent session the wrapper is shepherding) share the
|
|
||||||
PTY's foreground-process-group / input plumbing, and smolvm
|
|
||||||
bails with an internal config-parse error or SIGKILL within
|
|
||||||
~100ms of the side-channel firing. Outside tmux the same
|
|
||||||
pattern survived, presumably because iTerm's PTY plumbing is
|
|
||||||
more forgiving than tmux's, but the DEVNULL is the right
|
|
||||||
default either way — the side-channel never needs stdin."""
|
|
||||||
subprocess.run(
|
|
||||||
["smolvm", "machine", "exec", "--name", machine, "--",
|
|
||||||
"sh", "-c",
|
|
||||||
f"for f in /dev/pts/*; do "
|
|
||||||
f"stty -F \"$f\" cols {cols} rows {rows} 2>/dev/null; "
|
|
||||||
f"done"],
|
|
||||||
stdin=subprocess.DEVNULL,
|
|
||||||
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def main(argv: list[str]) -> int:
|
|
||||||
"""Entry point. `argv` shape: `<machine> -- <smolvm-argv...>`.
|
|
||||||
|
|
||||||
We don't use argparse — the `--` separator is the contract and
|
|
||||||
everything past it is forwarded verbatim. Keeps the wrapper
|
|
||||||
transparent for callers building argv programmatically."""
|
|
||||||
if len(argv) < 3 or argv[1] != "--":
|
|
||||||
sys.stderr.write(
|
|
||||||
"usage: python -m bot_bottle.backend.smolmachines.pty_resize "
|
|
||||||
"<machine> -- <smolvm-argv...>\n"
|
|
||||||
)
|
|
||||||
return 2
|
|
||||||
machine = argv[0]
|
|
||||||
inner = argv[2:]
|
|
||||||
|
|
||||||
def sync(_signum: int | None = None, _frame: FrameType | None = None) -> None:
|
|
||||||
size = _read_winsize()
|
|
||||||
if size is None:
|
|
||||||
return
|
|
||||||
_push_size(machine, *size)
|
|
||||||
|
|
||||||
signal.signal(signal.SIGWINCH, sync) # type: ignore[arg-type]
|
|
||||||
|
|
||||||
proc = subprocess.Popen(inner)
|
|
||||||
# Initial sync is deferred — see _STARTUP_SYNC_DELAY_SEC.
|
|
||||||
# daemon=True so the timer doesn't block exit when the child
|
|
||||||
# finishes before the delay elapses.
|
|
||||||
timer = threading.Timer(_STARTUP_SYNC_DELAY_SEC, sync)
|
|
||||||
timer.daemon = True
|
|
||||||
timer.start()
|
|
||||||
while True:
|
|
||||||
try:
|
|
||||||
return proc.wait()
|
|
||||||
except KeyboardInterrupt:
|
|
||||||
proc.send_signal(signal.SIGINT)
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
sys.exit(main(sys.argv[1:]))
|
|
||||||
@@ -1,83 +0,0 @@
|
|||||||
"""smolmachines `_resolve_plan` (PRD 0023 chunks 2d + 4c).
|
|
||||||
|
|
||||||
Resolves the per-bottle docker subnet + bundle IP and assembles
|
|
||||||
the guest env. The agent's docker image build → smolmachine
|
|
||||||
pack pipeline runs in `launch.launch`, not here, so the
|
|
||||||
dashboard's preflight modal isn't garbled by docker-build output
|
|
||||||
before the operator has confirmed.
|
|
||||||
|
|
||||||
No VM bringup — that's `launch.launch`'s job."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
from .. import BottleSpec
|
|
||||||
from ...manifest import Manifest
|
|
||||||
from ...env import ResolvedEnv
|
|
||||||
from ...agent_provider import AgentProvisionPlan
|
|
||||||
from ...egress import EgressPlan
|
|
||||||
from ...supervise import SupervisePlan
|
|
||||||
from ...git_gate import GitGatePlan
|
|
||||||
from .bottle_plan import SmolmachinesBottlePlan
|
|
||||||
from .util import smolmachines_bundle_subnet, smolmachines_preflight
|
|
||||||
|
|
||||||
def preflight() -> None:
|
|
||||||
smolmachines_preflight()
|
|
||||||
|
|
||||||
|
|
||||||
def build_guest_env(resolved_env: ResolvedEnv) -> dict[str, str]:
|
|
||||||
# Agent's env: resolve through resolve_env() so ?prompt entries
|
|
||||||
# are prompted and ${HOST_VAR} entries are interpolated — matching
|
|
||||||
# the Docker backend's contract. Forwarded (secret/interpolated)
|
|
||||||
# values still reach the guest as -e K=V smolvm flags because
|
|
||||||
# smolvm 0.8.0 has no env-file or stdin injection path; this is
|
|
||||||
# the known argv-exposure gap documented in PRD 0038.
|
|
||||||
# HTTPS_PROXY / GIT_GATE_URL / MCP_SUPERVISE_URL are populated
|
|
||||||
# in launch.py after bundle bringup.
|
|
||||||
return {
|
|
||||||
**resolved_env.literals,
|
|
||||||
**resolved_env.forwarded,
|
|
||||||
"NO_PROXY": "localhost,127.0.0.1",
|
|
||||||
"NODE_EXTRA_CA_CERTS": "/etc/ssl/certs/ca-certificates.crt",
|
|
||||||
"SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt",
|
|
||||||
"REQUESTS_CA_BUNDLE": "/etc/ssl/certs/ca-certificates.crt",
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def resolve_plan(
|
|
||||||
spec: BottleSpec,
|
|
||||||
manifest: Manifest,
|
|
||||||
slug: str,
|
|
||||||
resolved_env: ResolvedEnv,
|
|
||||||
agent_provision_plan: AgentProvisionPlan,
|
|
||||||
egress_plan: EgressPlan,
|
|
||||||
supervise_plan: SupervisePlan | None,
|
|
||||||
git_gate_plan: GitGatePlan,
|
|
||||||
stage_dir: Path,
|
|
||||||
) -> SmolmachinesBottlePlan:
|
|
||||||
"""Materialize the smolmachines plan. The bundle's docker
|
|
||||||
subnet + pinned IP are derived from the slug; the agent's
|
|
||||||
`.smolmachine` artifact is built (or cache-hit) here so
|
|
||||||
launch's `machine create --from` boots without a registry
|
|
||||||
pull. Per-bottle guest env + the TSI allow_cidrs land on the
|
|
||||||
plan for launch to pass straight through to
|
|
||||||
`machine create` flags."""
|
|
||||||
|
|
||||||
# ==== smolmachines specific setup ====
|
|
||||||
subnet, gateway, bundle_ip = smolmachines_bundle_subnet(slug)
|
|
||||||
|
|
||||||
return SmolmachinesBottlePlan(
|
|
||||||
spec=spec,
|
|
||||||
manifest=manifest,
|
|
||||||
stage_dir=stage_dir,
|
|
||||||
slug=slug,
|
|
||||||
bundle_subnet=subnet,
|
|
||||||
bundle_gateway=gateway,
|
|
||||||
bundle_ip=bundle_ip,
|
|
||||||
guest_env=agent_provision_plan.guest_env,
|
|
||||||
git_gate_plan=git_gate_plan,
|
|
||||||
egress_plan=egress_plan,
|
|
||||||
supervise_plan=supervise_plan,
|
|
||||||
agent_provision=agent_provision_plan,
|
|
||||||
)
|
|
||||||
@@ -1,242 +0,0 @@
|
|||||||
"""Per-bottle sidecar bundle bringup for the smolmachines backend
|
|
||||||
(PRD 0023).
|
|
||||||
|
|
||||||
Two docker resources per bottle live here:
|
|
||||||
|
|
||||||
- **A dedicated bridge network**, subnet derived from the slug.
|
|
||||||
The bundle container gets a pinned IP at `<subnet>.2` so the
|
|
||||||
smolvm guest's TSI allowlist (`<bundle-ip>/32`) has a stable
|
|
||||||
target. Without pinning, we'd have to inspect the container's
|
|
||||||
assigned IP after start and feed it back into the Smolfile
|
|
||||||
— a race we can sidestep with `--ip`.
|
|
||||||
|
|
||||||
- **The bundle container itself**, running the PRD 0024 bundle
|
|
||||||
image (`bot-bottle-sidecars:latest` by default). Same
|
|
||||||
image, same daemons, same daemon-private env / bind-mounts
|
|
||||||
as the docker backend.
|
|
||||||
|
|
||||||
This module ships the lifecycle primitives only — create
|
|
||||||
network, start bundle, stop bundle, remove network — wrapped
|
|
||||||
around `subprocess.run(["docker", ...])`. Wiring them into the
|
|
||||||
launch flow + populating the `BundleLaunchSpec` from the inner
|
|
||||||
Plans (EgressPlan, …) lands in chunk 2d."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import subprocess
|
|
||||||
from dataclasses import dataclass, field
|
|
||||||
from pathlib import Path
|
|
||||||
from typing import Sequence
|
|
||||||
|
|
||||||
from ...log import die, warn
|
|
||||||
from ..docker import util as docker_mod
|
|
||||||
from ..docker.sidecar_bundle import (
|
|
||||||
SIDECAR_BUNDLE_DOCKERFILE,
|
|
||||||
SIDECAR_BUNDLE_IMAGE,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
_REPO_DIR = str(Path(__file__).resolve().parent.parent.parent.parent)
|
|
||||||
|
|
||||||
|
|
||||||
def bundle_network_name(slug: str) -> str:
|
|
||||||
"""`bot-bottle-bundle-<slug>` — distinct from the docker
|
|
||||||
backend's `bot-bottle-net-<slug>` so a smolmachines bottle
|
|
||||||
and a docker bottle for the same agent don't collide on
|
|
||||||
network name."""
|
|
||||||
return f"bot-bottle-bundle-{slug}"
|
|
||||||
|
|
||||||
|
|
||||||
def bundle_container_name(slug: str) -> str:
|
|
||||||
"""`bot-bottle-sidecars-<slug>` — same name shape the docker
|
|
||||||
backend uses for the bundle (PRD 0024 chunk 5). The dashboard's
|
|
||||||
prefix-based discovery covers both backends with one filter."""
|
|
||||||
return f"bot-bottle-sidecars-{slug}"
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass(frozen=True)
|
|
||||||
class BundleLaunchSpec:
|
|
||||||
"""Everything `start_bundle` needs to bring up one bundle
|
|
||||||
container. Populated by chunk-2d's launch flow from the inner
|
|
||||||
Plans the prepare step already produces."""
|
|
||||||
|
|
||||||
slug: str
|
|
||||||
network_name: str
|
|
||||||
subnet: str
|
|
||||||
gateway: str
|
|
||||||
bundle_ip: str
|
|
||||||
image: str = SIDECAR_BUNDLE_IMAGE
|
|
||||||
# Daemon subset CSV for BOT_BOTTLE_SIDECAR_DAEMONS. The
|
|
||||||
# supervisor inside the bundle reads it to skip
|
|
||||||
# bottle-irrelevant daemons (e.g. supervise=False bottles).
|
|
||||||
daemons_csv: str = "egress"
|
|
||||||
# Plain "KEY=VALUE" strings + "KEY" bare names (the bare-name
|
|
||||||
# form inherits the value from the docker-run subprocess env,
|
|
||||||
# matching the docker backend's compose-up secret-forwarding
|
|
||||||
# pattern).
|
|
||||||
environment: Sequence[str] = field(default_factory=tuple)
|
|
||||||
# (host_path, container_path, read_only) bind mounts.
|
|
||||||
volumes: Sequence[tuple[str, str, bool]] = field(default_factory=tuple)
|
|
||||||
# Container ports to publish on `publish_host_ip`, random
|
|
||||||
# host-side port per entry. The smolvm guest's TSI talks via
|
|
||||||
# macOS networking, so docker container IPs (192.168.x.x in
|
|
||||||
# the daemon's bridge) aren't directly reachable from the
|
|
||||||
# guest — host-loopback port-forwards are. Egress's port
|
|
||||||
# is bundle-internal and never published.
|
|
||||||
ports_to_publish: Sequence[int] = field(default_factory=tuple)
|
|
||||||
# Loopback IP to bind published ports against. Per-bottle
|
|
||||||
# loopback aliases (`127.0.0.16` etc., added via sudo
|
|
||||||
# ifconfig lo0 alias) narrow the TSI allowlist so a bottle
|
|
||||||
# can't reach other bottles' (or other host services') ports
|
|
||||||
# via 127.0.0.1.
|
|
||||||
publish_host_ip: str = "127.0.0.1"
|
|
||||||
|
|
||||||
|
|
||||||
def ensure_bundle_image(image: str = SIDECAR_BUNDLE_IMAGE) -> None:
|
|
||||||
"""Build the sidecar bundle image before `docker run`.
|
|
||||||
|
|
||||||
The Docker backend gets this for free from compose's `build:`
|
|
||||||
stanza. smolmachines starts the bundle with plain `docker run`,
|
|
||||||
so without an explicit build a first launch tries to pull the
|
|
||||||
local-only `bot-bottle-sidecars:latest` tag from a registry.
|
|
||||||
"""
|
|
||||||
docker_mod.build_image(
|
|
||||||
image,
|
|
||||||
_REPO_DIR,
|
|
||||||
dockerfile=SIDECAR_BUNDLE_DOCKERFILE,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def create_bundle_network(network_name: str, subnet: str, gateway: str) -> None:
|
|
||||||
"""`docker network create` with an explicit subnet + gateway
|
|
||||||
so the bundle's `--ip` lands on the address the Smolfile's
|
|
||||||
TSI allowlist points at. Idempotent on the caller's side —
|
|
||||||
`start_bundle` catches the "network exists" error and treats
|
|
||||||
it as success (chunk-2d teardown is paired with each create).
|
|
||||||
"""
|
|
||||||
result = subprocess.run(
|
|
||||||
["docker", "network", "create",
|
|
||||||
"--subnet", subnet, "--gateway", gateway,
|
|
||||||
network_name],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
# Already-exists is fine on a resume path; everything else
|
|
||||||
# is fatal — the bundle won't have an addressable network.
|
|
||||||
if "already exists" in (result.stderr or "").lower():
|
|
||||||
return
|
|
||||||
die(
|
|
||||||
f"docker network create {network_name} failed: "
|
|
||||||
f"{(result.stderr or '').strip()}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def remove_bundle_network(network_name: str) -> None:
|
|
||||||
"""Idempotent: a missing network returns success."""
|
|
||||||
result = subprocess.run(
|
|
||||||
["docker", "network", "rm", network_name],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode == 0:
|
|
||||||
return
|
|
||||||
if "no such network" in (result.stderr or "").lower():
|
|
||||||
return
|
|
||||||
# Network with attached containers is the common non-fatal
|
|
||||||
# case during a partial teardown — warn but don't die.
|
|
||||||
warn(
|
|
||||||
f"docker network rm {network_name} failed: "
|
|
||||||
f"{(result.stderr or '').strip()}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def start_bundle(spec: BundleLaunchSpec, *,
|
|
||||||
env: dict[str, str] | None = None) -> None:
|
|
||||||
"""Bring the bundle container up on the per-bottle bridge with
|
|
||||||
the pinned IP. Argv is built deterministically from `spec`;
|
|
||||||
`env` is the host subprocess env (forwarded values for any
|
|
||||||
bare-name entries in `spec.environment`)."""
|
|
||||||
container = bundle_container_name(spec.slug)
|
|
||||||
argv = [
|
|
||||||
"docker", "run",
|
|
||||||
"--name", container,
|
|
||||||
"--detach",
|
|
||||||
"--rm",
|
|
||||||
"--network", spec.network_name,
|
|
||||||
"--ip", spec.bundle_ip,
|
|
||||||
"-e", f"BOT_BOTTLE_SIDECAR_DAEMONS={spec.daemons_csv}",
|
|
||||||
]
|
|
||||||
for entry in spec.environment:
|
|
||||||
argv += ["-e", entry]
|
|
||||||
for host_path, container_path, read_only in spec.volumes:
|
|
||||||
suffix = ":ro" if read_only else ""
|
|
||||||
argv += ["-v", f"{host_path}:{container_path}{suffix}"]
|
|
||||||
# Loopback-only host port-forwards — the smolvm guest's TSI
|
|
||||||
# uses macOS networking, and macOS loopback is the only host
|
|
||||||
# surface that round-trips into Docker Desktop's daemon VM.
|
|
||||||
# Binds to the per-bottle alias so TSI's IP-only allowlist
|
|
||||||
# narrows reachability to this bottle's bundle only.
|
|
||||||
for port in spec.ports_to_publish:
|
|
||||||
argv += ["-p", f"{spec.publish_host_ip}::{port}"]
|
|
||||||
argv.append(spec.image)
|
|
||||||
result = subprocess.run(
|
|
||||||
argv, capture_output=True, text=True,
|
|
||||||
env=dict(env) if env is not None else None, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"docker run for bundle {container} failed: "
|
|
||||||
f"{(result.stderr or '').strip()}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def bundle_host_port(
|
|
||||||
slug: str, container_port: int, *, host_ip: str = "127.0.0.1",
|
|
||||||
) -> int:
|
|
||||||
"""`docker port <bundle> <container_port>/tcp` → the random
|
|
||||||
host-side port docker assigned for the binding on `host_ip`.
|
|
||||||
Called after `start_bundle` on each container port listed in
|
|
||||||
`BundleLaunchSpec.ports_to_publish` so the launch step can
|
|
||||||
build the agent's HTTPS_PROXY / GIT_GATE / SUPERVISE URLs in
|
|
||||||
`<host_ip>:<host port>` form."""
|
|
||||||
container = bundle_container_name(slug)
|
|
||||||
result = subprocess.run(
|
|
||||||
["docker", "port", container, f"{container_port}/tcp"],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode != 0:
|
|
||||||
die(
|
|
||||||
f"docker port {container} {container_port}/tcp failed: "
|
|
||||||
f"{(result.stderr or '').strip() or '<no stderr>'}"
|
|
||||||
)
|
|
||||||
# Each line looks like `127.0.0.16:54321` — one per address
|
|
||||||
# family / host IP. Match on the expected host_ip prefix so
|
|
||||||
# bottles bound to per-bottle aliases pick the right line.
|
|
||||||
for raw in (result.stdout or "").splitlines():
|
|
||||||
line = raw.strip()
|
|
||||||
if line.startswith(f"{host_ip}:"):
|
|
||||||
_, _, port_str = line.rpartition(":")
|
|
||||||
try:
|
|
||||||
return int(port_str)
|
|
||||||
except ValueError:
|
|
||||||
die(f"unexpected `docker port` output: {line!r}")
|
|
||||||
die(
|
|
||||||
f"no port mapping on {host_ip} for {container} "
|
|
||||||
f"{container_port}/tcp; got: {(result.stdout or '').strip()!r}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def stop_bundle(slug: str) -> None:
|
|
||||||
"""Idempotent: a missing container returns success."""
|
|
||||||
container = bundle_container_name(slug)
|
|
||||||
result = subprocess.run(
|
|
||||||
["docker", "rm", "-f", container],
|
|
||||||
capture_output=True, text=True, check=False,
|
|
||||||
)
|
|
||||||
if result.returncode == 0:
|
|
||||||
return
|
|
||||||
if "no such container" in (result.stderr or "").lower():
|
|
||||||
return
|
|
||||||
warn(
|
|
||||||
f"docker rm -f {container} failed: "
|
|
||||||
f"{(result.stderr or '').strip()}"
|
|
||||||
)
|
|
||||||
@@ -1,273 +0,0 @@
|
|||||||
"""Thin subprocess wrapper around the `smolvm` CLI (PRD 0023).
|
|
||||||
|
|
||||||
One thin Python function per smolvm subcommand the launch flow
|
|
||||||
needs. Two design choices worth flagging:
|
|
||||||
|
|
||||||
- **No daemon, no SDK.** smolvm 0.8.0 ships a `smolvm serve`
|
|
||||||
HTTP API as the long-term-clean integration target. The
|
|
||||||
project's stdlib-first ethos + the lower-overhead CLI calls
|
|
||||||
push v1 to shell out via `subprocess.run`. If a future
|
|
||||||
smolvm release makes `serve` mandatory (or significantly
|
|
||||||
faster), revisit.
|
|
||||||
|
|
||||||
- **Two return shapes.** `SmolvmRunResult` (returncode + stdout
|
|
||||||
+ stderr captured) is returned by `machine_exec` because the
|
|
||||||
caller cares about the in-VM command's exit status, and by
|
|
||||||
test helpers that introspect output. The other calls
|
|
||||||
(`machine_start`, `machine_stop`, `pack_create`, etc.) raise
|
|
||||||
`SmolvmError` on non-zero exit — failure to start a VM is
|
|
||||||
fatal to the launch flow, not something callers want to
|
|
||||||
branch on.
|
|
||||||
|
|
||||||
The wrapper is unit-tested with `subprocess.run` mocked; the
|
|
||||||
integration smoke test (chunk 2d) exercises against a real
|
|
||||||
smolvm binary."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import json
|
|
||||||
import shutil
|
|
||||||
import subprocess
|
|
||||||
import time
|
|
||||||
from dataclasses import dataclass
|
|
||||||
from pathlib import Path
|
|
||||||
from typing import Mapping, Sequence
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
_SMOLVM = "smolvm"
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass(frozen=True)
|
|
||||||
class SmolvmRunResult:
|
|
||||||
"""Captured result of an in-VM command. Mirrors the structure
|
|
||||||
`Bottle.exec` returns so callers can hand it straight through."""
|
|
||||||
returncode: int
|
|
||||||
stdout: str
|
|
||||||
stderr: str
|
|
||||||
|
|
||||||
|
|
||||||
class SmolvmError(RuntimeError):
|
|
||||||
"""Raised when a smolvm subprocess returns non-zero on a path
|
|
||||||
where the caller has no useful branch to take (start failed,
|
|
||||||
pack failed, etc.). Carries the captured stderr for the
|
|
||||||
operator-facing log line."""
|
|
||||||
|
|
||||||
def __init__(self, argv: Sequence[str], result: subprocess.CompletedProcess[str]):
|
|
||||||
self.argv = list(argv)
|
|
||||||
self.returncode = result.returncode
|
|
||||||
self.stdout = result.stdout
|
|
||||||
self.stderr = result.stderr
|
|
||||||
cmd = " ".join(self.argv)
|
|
||||||
super().__init__(
|
|
||||||
f"{cmd!r} failed (exit {result.returncode}): "
|
|
||||||
f"{(result.stderr or '').strip() or '<no stderr>'}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def _smolvm(*args: str, env: Mapping[str, str] | None = None,
|
|
||||||
check: bool = True) -> subprocess.CompletedProcess[str]:
|
|
||||||
"""One subprocess call into the smolvm CLI. `check=True`
|
|
||||||
raises SmolvmError on non-zero; `check=False` returns the
|
|
||||||
CompletedProcess for the caller to inspect."""
|
|
||||||
argv = [_SMOLVM, *args]
|
|
||||||
result = subprocess.run(
|
|
||||||
argv,
|
|
||||||
capture_output=True,
|
|
||||||
text=True,
|
|
||||||
env=dict(env) if env is not None else None,
|
|
||||||
check=False,
|
|
||||||
)
|
|
||||||
if check and result.returncode != 0:
|
|
||||||
raise SmolvmError(argv, result)
|
|
||||||
return result
|
|
||||||
|
|
||||||
|
|
||||||
# --- Pack ----------------------------------------------------------------
|
|
||||||
|
|
||||||
|
|
||||||
def pack_create(image: str, output: Path) -> None:
|
|
||||||
"""`smolvm pack create --image <image> -o <output>`. Converts
|
|
||||||
an OCI image into a self-contained `.smolmachine` artifact
|
|
||||||
smolvm can boot via `machine create --from`. Idempotent on the
|
|
||||||
smolvm side — re-running with the same image+output rebuilds
|
|
||||||
from layer cache."""
|
|
||||||
_smolvm("pack", "create", "--image", image, "-o", str(output))
|
|
||||||
|
|
||||||
|
|
||||||
def pack_create_from_vm(name: str, output: Path) -> None:
|
|
||||||
"""`smolvm pack create --from-vm <name> -o <output>`.
|
|
||||||
|
|
||||||
Snapshots an existing persistent VM into a pack artifact. As
|
|
||||||
with `pack_create`, smolvm writes a launcher at `output` and the
|
|
||||||
bootable sidecar at `output.smolmachine`.
|
|
||||||
"""
|
|
||||||
_smolvm("pack", "create", "--from-vm", name, "-o", str(output))
|
|
||||||
|
|
||||||
|
|
||||||
# --- Machine lifecycle ---------------------------------------------------
|
|
||||||
|
|
||||||
|
|
||||||
def machine_create(
|
|
||||||
name: str,
|
|
||||||
*,
|
|
||||||
image: str | None = None,
|
|
||||||
from_path: Path | None = None,
|
|
||||||
allow_cidrs: Sequence[str] = (),
|
|
||||||
env: Mapping[str, str] | None = None,
|
|
||||||
) -> None:
|
|
||||||
"""`smolvm machine create NAME [--image IMG | --from PATH]
|
|
||||||
[--allow-cidr CIDR ...] [-e K=V ...]`. NAME is positional
|
|
||||||
(the CLI's exception to the `--name` pattern other
|
|
||||||
subcommands use).
|
|
||||||
|
|
||||||
`image` (registry ref like `alpine:latest`) and `from_path`
|
|
||||||
(a `.smolmachine` artifact) are mutually exclusive — one or
|
|
||||||
the other tells smolvm what to boot. The wrapper doesn't
|
|
||||||
enforce exclusivity; smolvm errors clearly enough.
|
|
||||||
|
|
||||||
`allow_cidrs` and `env` are passed as CLI flags instead of a
|
|
||||||
Smolfile because `--from` and `--smolfile` are themselves
|
|
||||||
mutually exclusive in smolvm 0.8.0 — and we want `--from`'s
|
|
||||||
no-pull-at-start property. The flag form gives the same
|
|
||||||
result without the Smolfile complication.
|
|
||||||
|
|
||||||
`--net` is sent explicitly when `allow_cidrs` is non-empty.
|
|
||||||
smolvm 0.8.0's docs say `--allow-cidr` implies `--net`, but
|
|
||||||
empirically the implication only fires when no `--from` is
|
|
||||||
set — `--from PATH --allow-cidr X/32` silently produces a
|
|
||||||
machine with `network: false` and no routes in the guest, so
|
|
||||||
the agent can't reach the bundle's pinned IP."""
|
|
||||||
args: list[str] = ["machine", "create"]
|
|
||||||
if image is not None:
|
|
||||||
args += ["--image", image]
|
|
||||||
if from_path is not None:
|
|
||||||
args += ["--from", str(from_path)]
|
|
||||||
if allow_cidrs:
|
|
||||||
args.append("--net")
|
|
||||||
for cidr in allow_cidrs:
|
|
||||||
args += ["--allow-cidr", cidr]
|
|
||||||
if env:
|
|
||||||
for k, v in env.items():
|
|
||||||
args += ["-e", f"{k}={v}"]
|
|
||||||
args.append(name)
|
|
||||||
_smolvm(*args)
|
|
||||||
|
|
||||||
|
|
||||||
def machine_is_running(name: str) -> bool:
|
|
||||||
"""Return True if the named VM is in the 'running' state."""
|
|
||||||
result = _smolvm("machine", "ls", "--json", check=False)
|
|
||||||
if result.returncode != 0:
|
|
||||||
return False
|
|
||||||
try:
|
|
||||||
machines = json.loads(result.stdout or "[]")
|
|
||||||
except ValueError:
|
|
||||||
return False
|
|
||||||
return any(
|
|
||||||
isinstance(m, dict) and m.get("name") == name and m.get("state") == "running"
|
|
||||||
for m in machines
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def machine_start(name: str) -> None:
|
|
||||||
"""`smolvm machine start --name NAME`."""
|
|
||||||
_smolvm("machine", "start", "--name", name)
|
|
||||||
|
|
||||||
|
|
||||||
def machine_stop(name: str) -> None:
|
|
||||||
"""`smolvm machine stop --name NAME`. Idempotent against
|
|
||||||
already-stopped machines: smolvm prints a notice and exits 0
|
|
||||||
in that case, so no special handling here."""
|
|
||||||
_smolvm("machine", "stop", "--name", name)
|
|
||||||
|
|
||||||
|
|
||||||
def machine_delete(name: str) -> None:
|
|
||||||
"""`smolvm machine delete -f NAME`. NAME is positional. `-f`
|
|
||||||
skips the interactive confirmation — required for
|
|
||||||
non-interactive teardown."""
|
|
||||||
_smolvm("machine", "delete", "-f", name)
|
|
||||||
|
|
||||||
|
|
||||||
def machine_exec(
|
|
||||||
name: str,
|
|
||||||
argv: Sequence[str],
|
|
||||||
*,
|
|
||||||
env: Mapping[str, str] | None = None,
|
|
||||||
workdir: str | None = None,
|
|
||||||
timeout: str | None = None,
|
|
||||||
) -> SmolvmRunResult:
|
|
||||||
"""`smolvm machine exec --name NAME [-w DIR] [--timeout DUR]
|
|
||||||
[-e K=V ...] -- ARGV...`. Returns the captured result rather
|
|
||||||
than raising — callers (including `Bottle.exec`) care about
|
|
||||||
the in-VM command's exit code, not just whether smolvm ran.
|
|
||||||
|
|
||||||
`env` here is in-VM env vars (`-e K=V`), not the host
|
|
||||||
subprocess env — smolvm's own argv carries them through the
|
|
||||||
VMM."""
|
|
||||||
flags: list[str] = ["machine", "exec", "--name", name]
|
|
||||||
if workdir is not None:
|
|
||||||
flags += ["-w", workdir]
|
|
||||||
if timeout is not None:
|
|
||||||
flags += ["--timeout", timeout]
|
|
||||||
if env:
|
|
||||||
for k, v in env.items():
|
|
||||||
flags += ["-e", f"{k}={v}"]
|
|
||||||
# `--` separator before the command. smolvm's CLI requires it
|
|
||||||
# so its own flag parser doesn't grab argv items that look
|
|
||||||
# like flags.
|
|
||||||
flags.append("--")
|
|
||||||
flags += list(argv)
|
|
||||||
result = _smolvm(*flags, check=False)
|
|
||||||
return SmolvmRunResult(
|
|
||||||
returncode=result.returncode,
|
|
||||||
stdout=result.stdout or "",
|
|
||||||
stderr=result.stderr or "",
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def wait_exec_ready(name: str, *, timeout: float = 5.0) -> None:
|
|
||||||
"""Poll `machine exec true` until exit 0 or `timeout` elapses.
|
|
||||||
|
|
||||||
Replaces `time.sleep(1.5)` after `machine_start`: libkrun's exec
|
|
||||||
channel needs a brief warm-up before back-to-back exec calls are
|
|
||||||
safe. Polling exits as soon as the channel is ready and fails
|
|
||||||
loudly if the VM never responds."""
|
|
||||||
deadline = time.monotonic() + timeout
|
|
||||||
delay = 0.1
|
|
||||||
while time.monotonic() < deadline:
|
|
||||||
r = machine_exec(name, ["true"])
|
|
||||||
if r.returncode == 0:
|
|
||||||
return
|
|
||||||
remaining = deadline - time.monotonic()
|
|
||||||
if remaining <= 0:
|
|
||||||
break
|
|
||||||
time.sleep(min(delay, remaining))
|
|
||||||
delay = min(delay * 2, 0.5)
|
|
||||||
argv = ["smolvm", "machine", "exec", "--name", name, "--", "true"]
|
|
||||||
raise SmolvmError(
|
|
||||||
argv,
|
|
||||||
subprocess.CompletedProcess(
|
|
||||||
args=argv, returncode=-1, stdout="",
|
|
||||||
stderr=f"exec channel not ready after {timeout:.0f}s — VM may have failed to boot.",
|
|
||||||
),
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def machine_cp(src: str, dst: str) -> None:
|
|
||||||
"""`smolvm machine cp SRC DST`. Path syntax: `machine:path` to
|
|
||||||
reference a path inside the VM, bare path for the host. Both
|
|
||||||
SRC and DST are positional; either side can be machine: or
|
|
||||||
bare. Empty path is a no-op (returns immediately without
|
|
||||||
invoking smolvm)."""
|
|
||||||
if not src or not dst:
|
|
||||||
return
|
|
||||||
_smolvm("machine", "cp", src, dst)
|
|
||||||
|
|
||||||
|
|
||||||
# --- Discovery -----------------------------------------------------------
|
|
||||||
|
|
||||||
|
|
||||||
def is_available() -> bool:
|
|
||||||
"""True iff `smolvm` is on PATH. Used by the integration test
|
|
||||||
suite's skip-guards."""
|
|
||||||
return shutil.which(_SMOLVM) is not None
|
|
||||||
@@ -1,50 +0,0 @@
|
|||||||
"""Slug / preflight / subnet helpers for the smolmachines backend
|
|
||||||
(PRD 0023). Kept in its own module so the renderers can be
|
|
||||||
unit-tested without importing the docker subprocess paths."""
|
|
||||||
|
|
||||||
from __future__ import annotations
|
|
||||||
|
|
||||||
import hashlib
|
|
||||||
import shutil
|
|
||||||
|
|
||||||
from ...log import die
|
|
||||||
|
|
||||||
|
|
||||||
def smolmachines_preflight() -> None:
|
|
||||||
"""Ensure `smolvm` is on PATH before the launch flow runs.
|
|
||||||
Called from `_resolve_plan`; gives the operator a clear
|
|
||||||
install pointer rather than a cryptic FileNotFoundError
|
|
||||||
later. `gvproxy` is no longer required — see the PRD's design
|
|
||||||
pivot section."""
|
|
||||||
if shutil.which("smolvm") is not None:
|
|
||||||
return
|
|
||||||
die(
|
|
||||||
"BOT_BOTTLE_BACKEND=smolmachines requires `smolvm` on "
|
|
||||||
"PATH. Install with: "
|
|
||||||
"curl -sSL https://smolmachines.com/install.sh | sh. "
|
|
||||||
"To use the legacy Docker backend instead, set "
|
|
||||||
"BOT_BOTTLE_BACKEND=docker or pass --backend=docker."
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def smolmachines_bundle_subnet(slug: str) -> tuple[str, str, str]:
|
|
||||||
"""Derive a per-bottle docker subnet + gateway IP + bundle IP
|
|
||||||
from the slug.
|
|
||||||
|
|
||||||
Returns `(subnet_cidr, gateway_ip, bundle_ip)`. The third
|
|
||||||
octet comes from SHA-256 of the slug mod 254 (skipping 17 to
|
|
||||||
avoid the docker-default bridge), so parallel bottles get
|
|
||||||
distinct /24s and `resume` reuses the same /24. The bundle
|
|
||||||
container always lands at `.2`; gateway is `.1`; the smolvm
|
|
||||||
Smolfile's `allow_cidrs` is `<bundle_ip>/32`."""
|
|
||||||
digest = hashlib.sha256(slug.encode("utf-8")).digest()
|
|
||||||
octet = (digest[0] % 254) + 1
|
|
||||||
# Skip the docker-default bridge to dodge the most common
|
|
||||||
# collision (operators with `docker0` at 172.17.x.x or a
|
|
||||||
# 192.168.17.x VPN client).
|
|
||||||
if octet == 17:
|
|
||||||
octet = 18
|
|
||||||
subnet = f"192.168.{octet}.0/24"
|
|
||||||
gateway = f"192.168.{octet}.1"
|
|
||||||
bundle_ip = f"192.168.{octet}.2"
|
|
||||||
return subnet, gateway, bundle_ip
|
|
||||||
+16
-17
@@ -36,7 +36,7 @@ from dataclasses import dataclass
|
|||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from typing import cast
|
from typing import cast
|
||||||
|
|
||||||
from . import supervise as _supervise
|
from .paths import bot_bottle_root
|
||||||
|
|
||||||
|
|
||||||
# Directory layout: ~/.bot-bottle/state/<identity>/...
|
# Directory layout: ~/.bot-bottle/state/<identity>/...
|
||||||
@@ -44,16 +44,16 @@ _STATE_SUBDIR = "state"
|
|||||||
_PER_BOTTLE_DOCKERFILE_NAME = "Dockerfile"
|
_PER_BOTTLE_DOCKERFILE_NAME = "Dockerfile"
|
||||||
_COMMITTED_IMAGE_NAME = "committed-image"
|
_COMMITTED_IMAGE_NAME = "committed-image"
|
||||||
_TRANSCRIPT_SUBDIR = "transcript"
|
_TRANSCRIPT_SUBDIR = "transcript"
|
||||||
# Per-sidecar scratch subdirs. PRD 0018 chunk 2: bind-mount sources
|
# Per-daemon scratch subdirs. PRD 0018 chunk 2: bind-mount sources
|
||||||
# live here so chunk 3's `docker compose up` can find them at stable
|
# live here so chunk 3's `docker compose up` can find them at stable
|
||||||
# paths. Each sidecar's `prepare()` writes config + CAs into its own
|
# paths. Each daemon's `prepare()` writes config + CAs into its own
|
||||||
# subdir; the launch step is unchanged today (still `docker cp`).
|
# subdir; the launch step is unchanged today (still `docker cp`).
|
||||||
_EGRESS_SUBDIR = "egress"
|
_EGRESS_SUBDIR = "egress"
|
||||||
_GIT_GATE_SUBDIR = "git-gate"
|
_GIT_GATE_SUBDIR = "git-gate"
|
||||||
_SUPERVISE_SUBDIR = "supervise"
|
_SUPERVISE_SUBDIR = "supervise"
|
||||||
_AGENT_SUBDIR = "agent"
|
_AGENT_SUBDIR = "agent"
|
||||||
_METADATA_NAME = "metadata.json"
|
_METADATA_NAME = "metadata.json"
|
||||||
# Live-config dir bind-mounted into the supervise sidecar (read-only).
|
# Live-config dir bind-mounted into the supervise daemon (read-only).
|
||||||
# Host's apply paths keep these files fresh so supervise's
|
# Host's apply paths keep these files fresh so supervise's
|
||||||
# `list-egress-routes` MCP tool returns the current state —
|
# `list-egress-routes` MCP tool returns the current state —
|
||||||
# not a snapshot from launch time.
|
# not a snapshot from launch time.
|
||||||
@@ -105,9 +105,9 @@ class BottleMetadata:
|
|||||||
# written before chunk 3 (resume / inspect should fall back to
|
# written before chunk 3 (resume / inspect should fall back to
|
||||||
# deriving from identity in that case).
|
# deriving from identity in that case).
|
||||||
compose_project: str = ""
|
compose_project: str = ""
|
||||||
# PRD 0040: backend name ("docker" or "smolmachines"). Empty string
|
# PRD 0040: backend name ("docker", "firecracker", "macos-container").
|
||||||
# for state dirs written before PRD 0040; callers default to "docker"
|
# Empty string for state dirs written before PRD 0040; callers default
|
||||||
# for backward compatibility.
|
# to "docker" for backward compatibility.
|
||||||
backend: str = ""
|
backend: str = ""
|
||||||
label: str = ""
|
label: str = ""
|
||||||
color: str = ""
|
color: str = ""
|
||||||
@@ -163,7 +163,7 @@ def read_metadata(identity: str) -> BottleMetadata | None:
|
|||||||
def bottle_state_dir(identity: str) -> Path:
|
def bottle_state_dir(identity: str) -> Path:
|
||||||
"""Per-bottle state directory on the host. Created lazily by the
|
"""Per-bottle state directory on the host. Created lazily by the
|
||||||
write helpers; readers tolerate its absence."""
|
write helpers; readers tolerate its absence."""
|
||||||
return _supervise.bot_bottle_root() / _STATE_SUBDIR / identity
|
return bot_bottle_root() / _STATE_SUBDIR / identity
|
||||||
|
|
||||||
|
|
||||||
def per_bottle_dockerfile_path(identity: str) -> Path:
|
def per_bottle_dockerfile_path(identity: str) -> Path:
|
||||||
@@ -222,7 +222,7 @@ def per_bottle_image_tag(identity: str) -> str:
|
|||||||
|
|
||||||
def live_config_dir(identity: str) -> Path:
|
def live_config_dir(identity: str) -> Path:
|
||||||
"""Per-bottle live-config dir. Bind-mounted read-only into the
|
"""Per-bottle live-config dir. Bind-mounted read-only into the
|
||||||
supervise sidecar; the host's apply paths refresh the files on
|
supervise daemon; the host's apply paths refresh the files on
|
||||||
every operator approval so the agent's `list-*` MCP tools always
|
every operator approval so the agent's `list-*` MCP tools always
|
||||||
return current state."""
|
return current state."""
|
||||||
return bottle_state_dir(identity) / _LIVE_CONFIG_SUBDIR
|
return bottle_state_dir(identity) / _LIVE_CONFIG_SUBDIR
|
||||||
@@ -260,9 +260,9 @@ def transcript_snapshot_dir(identity: str) -> Path:
|
|||||||
return bottle_state_dir(identity) / _TRANSCRIPT_SUBDIR
|
return bottle_state_dir(identity) / _TRANSCRIPT_SUBDIR
|
||||||
|
|
||||||
|
|
||||||
# --- Per-sidecar scratch subdirs (PRD 0018 chunk 2) ------------------------
|
# --- Per-daemon scratch subdirs (PRD 0018 chunk 2) ------------------------
|
||||||
#
|
#
|
||||||
# Each sidecar gets its own subdir under the bottle's state dir for
|
# Each daemon gets its own subdir under the bottle's state dir for
|
||||||
# bind-mount sources (config, CAs, hooks, etc.). Prepare-time writes
|
# bind-mount sources (config, CAs, hooks, etc.). Prepare-time writes
|
||||||
# land here; the state dir's normal cleanup (`cleanup_state`) reaps
|
# land here; the state dir's normal cleanup (`cleanup_state`) reaps
|
||||||
# them along with everything else when the bottle session ends and
|
# them along with everything else when the bottle session ends and
|
||||||
@@ -270,23 +270,22 @@ def transcript_snapshot_dir(identity: str) -> Path:
|
|||||||
|
|
||||||
|
|
||||||
def egress_state_dir(identity: str) -> Path:
|
def egress_state_dir(identity: str) -> Path:
|
||||||
"""State subdir for the egress sidecar: routes.yaml + the
|
"""State subdir for the egress daemon: routes.yaml + the
|
||||||
per-bottle mitmproxy CA. Bind-mount source from chunk 3 onward."""
|
per-bottle mitmproxy CA. Bind-mount source from chunk 3 onward."""
|
||||||
return bottle_state_dir(identity) / _EGRESS_SUBDIR
|
return bottle_state_dir(identity) / _EGRESS_SUBDIR
|
||||||
|
|
||||||
|
|
||||||
def git_gate_state_dir(identity: str) -> Path:
|
def git_gate_state_dir(identity: str) -> Path:
|
||||||
"""State subdir for the git-gate sidecar: entrypoint + hooks +
|
"""State subdir for the git-gate daemon: entrypoint + hooks +
|
||||||
per-upstream known_hosts. Bind-mount source from chunk 3
|
per-upstream known_hosts. Bind-mount source from chunk 3
|
||||||
onward."""
|
onward."""
|
||||||
return bottle_state_dir(identity) / _GIT_GATE_SUBDIR
|
return bottle_state_dir(identity) / _GIT_GATE_SUBDIR
|
||||||
|
|
||||||
|
|
||||||
def supervise_state_dir(identity: str) -> Path:
|
def supervise_state_dir(identity: str) -> Path:
|
||||||
"""State subdir reserved for supervise sidecar bind-mount sources.
|
"""State subdir reserved for supervise daemon bind-mount sources.
|
||||||
The queue dir is intentionally NOT under here — it lives at
|
Runtime queue/audit rows live in the host-level bot-bottle SQLite
|
||||||
~/.bot-bottle/queue/<slug>/ alongside the audit logs, so it
|
database, so they survive state-dir cleanup."""
|
||||||
survives state-dir cleanup."""
|
|
||||||
return bottle_state_dir(identity) / _SUPERVISE_SUBDIR
|
return bottle_state_dir(identity) / _SUPERVISE_SUBDIR
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,16 +1,19 @@
|
|||||||
"""Main CLI dispatcher.
|
"""Main CLI dispatcher.
|
||||||
|
|
||||||
Commands: cleanup, commit, edit, info, init, list, resume, start, supervise
|
Commands: backend, cleanup, commit, edit, info, init, list, resume, start, supervise
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
from ..errors import MissingEnvVarError
|
||||||
from ..log import Die, die, error
|
from ..log import Die, die, error
|
||||||
from ..manifest import ManifestError
|
from ..manifest import ManifestError
|
||||||
|
from ..store_manager import StoreManager
|
||||||
from ._common import PROG
|
from ._common import PROG
|
||||||
from . import list as _list_mod
|
from . import list as _list_mod
|
||||||
|
from .backend import cmd_backend
|
||||||
from .cleanup import cmd_cleanup
|
from .cleanup import cmd_cleanup
|
||||||
from .commit import cmd_commit
|
from .commit import cmd_commit
|
||||||
from .edit import cmd_edit
|
from .edit import cmd_edit
|
||||||
@@ -23,6 +26,7 @@ from .supervise import cmd_supervise
|
|||||||
cmd_list = _list_mod.cmd_list
|
cmd_list = _list_mod.cmd_list
|
||||||
|
|
||||||
COMMANDS = {
|
COMMANDS = {
|
||||||
|
"backend": cmd_backend,
|
||||||
"cleanup": cmd_cleanup,
|
"cleanup": cmd_cleanup,
|
||||||
"commit": cmd_commit,
|
"commit": cmd_commit,
|
||||||
"edit": cmd_edit,
|
"edit": cmd_edit,
|
||||||
@@ -38,6 +42,7 @@ COMMANDS = {
|
|||||||
def usage() -> None:
|
def usage() -> None:
|
||||||
sys.stderr.write(f"usage: {PROG} <command> [args...]\n\n")
|
sys.stderr.write(f"usage: {PROG} <command> [args...]\n\n")
|
||||||
sys.stderr.write("Commands:\n")
|
sys.stderr.write("Commands:\n")
|
||||||
|
sys.stderr.write(" backend set up / check / undo a backend's host prerequisites (setup|status|teardown)\n")
|
||||||
sys.stderr.write(" cleanup stop and remove all active bot-bottle containers\n")
|
sys.stderr.write(" cleanup stop and remove all active bot-bottle containers\n")
|
||||||
sys.stderr.write(" commit snapshot a running bottle's container state to a Docker image\n")
|
sys.stderr.write(" commit snapshot a running bottle's container state to a Docker image\n")
|
||||||
sys.stderr.write(" edit open an agent in vim for editing\n")
|
sys.stderr.write(" edit open an agent in vim for editing\n")
|
||||||
@@ -74,11 +79,25 @@ def main(argv: list[str] | None = None) -> int:
|
|||||||
if handler is None:
|
if handler is None:
|
||||||
usage()
|
usage()
|
||||||
die(f"unknown command: {command}")
|
die(f"unknown command: {command}")
|
||||||
|
mgr = StoreManager.instance()
|
||||||
|
if not mgr.is_migrated():
|
||||||
|
sys.stderr.write("bot-bottle: database schema is out of date\n")
|
||||||
|
sys.stderr.write("Migrate now? [y/N] ")
|
||||||
|
sys.stderr.flush()
|
||||||
|
try:
|
||||||
|
answer = sys.stdin.readline().strip().lower()
|
||||||
|
except EOFError:
|
||||||
|
answer = ""
|
||||||
|
if answer != "y":
|
||||||
|
error("migration required — re-run and confirm to migrate")
|
||||||
|
return 1
|
||||||
|
mgr.migrate()
|
||||||
try:
|
try:
|
||||||
return handler(rest) or 0
|
return handler(rest) or 0
|
||||||
|
except MissingEnvVarError as e:
|
||||||
|
error(str(e))
|
||||||
|
return 1
|
||||||
except ManifestError as e:
|
except ManifestError as e:
|
||||||
# Manifest/config problems surface as a catchable exception;
|
|
||||||
# print the reason and exit non-zero (same UX die() used to give).
|
|
||||||
error(str(e))
|
error(str(e))
|
||||||
return 1
|
return 1
|
||||||
except Die as e:
|
except Die as e:
|
||||||
|
|||||||
@@ -0,0 +1,46 @@
|
|||||||
|
"""`backend` CLI command — generic host setup/status across backends.
|
||||||
|
|
||||||
|
`./cli.py backend setup [--backend=NAME]` provisions (or points at how
|
||||||
|
to provision) the chosen backend's one-time host prerequisites.
|
||||||
|
`./cli.py backend status [--backend=NAME]` reports readiness.
|
||||||
|
`./cli.py backend teardown [--backend=NAME]` undoes setup (uninstall).
|
||||||
|
|
||||||
|
All dispatch to the backend's `setup()` / `status()` / `teardown()`
|
||||||
|
classmethods, so there are no backend-specific commands — swapping
|
||||||
|
backends is just a different `--backend` (or `$BOT_BOTTLE_BACKEND`, or
|
||||||
|
the host default).
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import argparse
|
||||||
|
|
||||||
|
from ..backend import get_bottle_backend, known_backend_names
|
||||||
|
from ._common import PROG
|
||||||
|
|
||||||
|
|
||||||
|
def cmd_backend(args: list[str]) -> int:
|
||||||
|
parser = argparse.ArgumentParser(
|
||||||
|
prog=f"{PROG} backend",
|
||||||
|
description="Set up or check a backend's host prerequisites.",
|
||||||
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"action",
|
||||||
|
choices=("setup", "status", "teardown"),
|
||||||
|
help="setup: provision/print host prerequisites; status: report "
|
||||||
|
"readiness; teardown: undo setup (uninstall)",
|
||||||
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"--backend",
|
||||||
|
choices=known_backend_names(),
|
||||||
|
default=None,
|
||||||
|
help="backend to target (default: $BOT_BOTTLE_BACKEND or the host default)",
|
||||||
|
)
|
||||||
|
ns = parser.parse_args(args)
|
||||||
|
|
||||||
|
backend = get_bottle_backend(ns.backend)
|
||||||
|
if ns.action == "setup":
|
||||||
|
return backend.setup()
|
||||||
|
if ns.action == "teardown":
|
||||||
|
return backend.teardown()
|
||||||
|
return backend.status()
|
||||||
@@ -1,14 +1,14 @@
|
|||||||
"""cleanup: stop and remove all orphaned bot-bottle resources.
|
"""cleanup: stop and remove all orphaned bot-bottle resources.
|
||||||
|
|
||||||
Walks every registered backend (docker + smolmachines) so a single
|
Walks every registered backend (docker, firecracker, macos-container)
|
||||||
`./cli.py cleanup` reaps both backends' leftovers — orphaned
|
so a single `./cli.py cleanup` reaps every backend's leftovers — a
|
||||||
smolvm machines won't survive a docker-only cleanup pass (issue
|
firecracker bottle's VM processes and run dirs won't survive a
|
||||||
addressed alongside #77).
|
docker-only cleanup pass (issue addressed alongside #77).
|
||||||
|
|
||||||
Each backend's `prepare_cleanup` enumerates its own resources;
|
Each backend's `prepare_cleanup` enumerates its own resources;
|
||||||
docker's `_list_orphan_state_dirs` consults
|
docker's `_list_orphan_state_dirs` consults
|
||||||
`enumerate_active_agents()` for the union of live identities so
|
`enumerate_active_agents()` for the union of live identities so
|
||||||
state dirs of running smolmachines bottles aren't reaped. State
|
state dirs of running non-docker bottles aren't reaped. State
|
||||||
dirs are shared layout, so docker is the single owner of that
|
dirs are shared layout, so docker is the single owner of that
|
||||||
bucket.
|
bucket.
|
||||||
|
|
||||||
|
|||||||
@@ -2,10 +2,10 @@
|
|||||||
|
|
||||||
Docker bottles are committed to a local Docker image. Macos-container
|
Docker bottles are committed to a local Docker image. Macos-container
|
||||||
bottles are exported and rebuilt as a local Apple Container image.
|
bottles are exported and rebuilt as a local Apple Container image.
|
||||||
Smolmachines bottles are packed from the running VM into a
|
Firecracker bottles stream the guest rootfs out over SSH and rebuild a
|
||||||
`.smolmachine` artifact. The resulting reference is stored in
|
local Docker image. The resulting reference is stored in per-bottle
|
||||||
per-bottle state so the next `./cli.py resume <slug>` boots from the
|
state so the next `./cli.py resume <slug>` boots from the snapshot
|
||||||
snapshot instead of rebuilding from the Dockerfile.
|
instead of rebuilding from the Dockerfile.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|||||||
@@ -45,8 +45,9 @@ def cmd_list(argv: list[str]) -> int:
|
|||||||
print(name)
|
print(name)
|
||||||
return 0
|
return 0
|
||||||
|
|
||||||
# `active` enumerates every backend (docker + smolmachines)
|
# `active` enumerates every backend (docker, firecracker,
|
||||||
# so smolmachines bottles aren't hidden behind the env var.
|
# macos-container) so non-docker bottles aren't hidden behind
|
||||||
|
# the env var.
|
||||||
active = enumerate_active_agents()
|
active = enumerate_active_agents()
|
||||||
if not active:
|
if not active:
|
||||||
print("no active bot-bottle bottles", file=sys.stderr)
|
print("no active bot-bottle bottles", file=sys.stderr)
|
||||||
|
|||||||
+170
-10
@@ -2,6 +2,11 @@
|
|||||||
interactive claude-code session. The container is torn down when the
|
interactive claude-code session. The container is torn down when the
|
||||||
session ends.
|
session ends.
|
||||||
|
|
||||||
|
`--headless` selects a non-interactive launch (agent/bottles/label from
|
||||||
|
flags, no TUI selectors, no y/N prompt) for orchestrators,
|
||||||
|
CI, and webhook dispatch. The agent still execs on the inherited
|
||||||
|
stdio/PTY, so an orchestrator that allocates the PTY drives the session.
|
||||||
|
|
||||||
The launch core is shared with `cli.py resume <identity>` through
|
The launch core is shared with `cli.py resume <identity>` through
|
||||||
the private orchestrator `_launch_bottle`.
|
the private orchestrator `_launch_bottle`.
|
||||||
"""
|
"""
|
||||||
@@ -16,7 +21,7 @@ import tempfile
|
|||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from typing import Callable
|
from typing import Callable
|
||||||
|
|
||||||
from ..agent_provider import runtime_for
|
from ..agent_provider import get_provider, runtime_for
|
||||||
from ..backend import (
|
from ..backend import (
|
||||||
Bottle,
|
Bottle,
|
||||||
BottleSpec,
|
BottleSpec,
|
||||||
@@ -31,7 +36,7 @@ from ..bottle_state import (
|
|||||||
is_preserved,
|
is_preserved,
|
||||||
mark_preserved,
|
mark_preserved,
|
||||||
)
|
)
|
||||||
from ..log import info
|
from ..log import info, die
|
||||||
from ..manifest import Manifest, ManifestIndex
|
from ..manifest import Manifest, ManifestIndex
|
||||||
from ._common import PROG, USER_CWD, read_tty_line
|
from ._common import PROG, USER_CWD, read_tty_line
|
||||||
from . import tui
|
from . import tui
|
||||||
@@ -41,6 +46,17 @@ def cmd_start(argv: list[str]) -> int:
|
|||||||
parser = argparse.ArgumentParser(prog=f"{PROG} start", add_help=True)
|
parser = argparse.ArgumentParser(prog=f"{PROG} start", add_help=True)
|
||||||
parser.add_argument("--dry-run", action="store_true")
|
parser.add_argument("--dry-run", action="store_true")
|
||||||
parser.add_argument("--cwd", action="store_true", help="copy host cwd into the running bottle")
|
parser.add_argument("--cwd", action="store_true", help="copy host cwd into the running bottle")
|
||||||
|
parser.add_argument(
|
||||||
|
"--no-cache",
|
||||||
|
action="store_true",
|
||||||
|
help=(
|
||||||
|
"rebuild agent/sidecar images from scratch, bypassing the "
|
||||||
|
"build layer cache. Use when an image looks broken after a "
|
||||||
|
"dependency bump — e.g. an installer's optionalDependencies "
|
||||||
|
"fetch silently no-op'd on a transient failure and got baked "
|
||||||
|
"into a cached layer."
|
||||||
|
),
|
||||||
|
)
|
||||||
parser.add_argument(
|
parser.add_argument(
|
||||||
"--backend",
|
"--backend",
|
||||||
choices=known_backend_names(),
|
choices=known_backend_names(),
|
||||||
@@ -50,6 +66,39 @@ def cmd_start(argv: list[str]) -> int:
|
|||||||
"or host auto-selection). Overrides the env var when set."
|
"or host auto-selection). Overrides the env var when set."
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"--headless",
|
||||||
|
action="store_true",
|
||||||
|
help=(
|
||||||
|
"non-interactive launch: take agent/bottles/label from flags, "
|
||||||
|
"skip all prompts. For orchestrators, CI, and webhooks."
|
||||||
|
),
|
||||||
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"--bottle",
|
||||||
|
action="append",
|
||||||
|
default=None,
|
||||||
|
metavar="NAME",
|
||||||
|
help=(
|
||||||
|
"bottle to compose, repeatable (order = merge order). In "
|
||||||
|
"--headless, defaults to the agent's own bottle when omitted."
|
||||||
|
),
|
||||||
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"--label",
|
||||||
|
default=None,
|
||||||
|
help="bottle label / terminal title (--headless default: agent name)",
|
||||||
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"--color",
|
||||||
|
default=None,
|
||||||
|
help="bottle color, one of the 16 ANSI color names (--headless default: none)",
|
||||||
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
"--prompt",
|
||||||
|
default=None,
|
||||||
|
help="initial task prompt delivered to the agent (required with --headless)",
|
||||||
|
)
|
||||||
parser.add_argument(
|
parser.add_argument(
|
||||||
"name",
|
"name",
|
||||||
nargs="?",
|
nargs="?",
|
||||||
@@ -59,11 +108,29 @@ def cmd_start(argv: list[str]) -> int:
|
|||||||
args = parser.parse_args(argv)
|
args = parser.parse_args(argv)
|
||||||
|
|
||||||
dry_run = args.dry_run or os.environ.get("BOT_BOTTLE_DRY_RUN") == "1"
|
dry_run = args.dry_run or os.environ.get("BOT_BOTTLE_DRY_RUN") == "1"
|
||||||
|
if args.no_cache or os.environ.get("BOT_BOTTLE_NO_CACHE") == "1":
|
||||||
|
# Read by build_image() in each backend's util module — set here
|
||||||
|
# so both the interactive and --headless paths pick it up without
|
||||||
|
# threading a no_cache field through every backend's plan dataclass.
|
||||||
|
os.environ["BOT_BOTTLE_NO_CACHE"] = "1"
|
||||||
|
|
||||||
manifest = ManifestIndex.resolve(USER_CWD)
|
manifest = ManifestIndex.resolve(USER_CWD)
|
||||||
|
backend_name: str | None = args.backend
|
||||||
|
|
||||||
|
if args.headless:
|
||||||
|
return _start_headless(
|
||||||
|
manifest, args, dry_run=dry_run, backend_name=backend_name
|
||||||
|
)
|
||||||
|
|
||||||
agent_name: str | None = args.name
|
agent_name: str | None = args.name
|
||||||
if agent_name is None:
|
if agent_name is None:
|
||||||
|
if not manifest.all_agent_names:
|
||||||
|
print(
|
||||||
|
"bot-bottle: no agents defined. "
|
||||||
|
"Add an agent to ~/.bot-bottle/agents/ or ./bot-bottle/agents/ to get started.",
|
||||||
|
file=sys.stderr,
|
||||||
|
)
|
||||||
|
return 1
|
||||||
agent_name = tui.filter_select(
|
agent_name = tui.filter_select(
|
||||||
manifest.all_agent_names,
|
manifest.all_agent_names,
|
||||||
title="Select agent",
|
title="Select agent",
|
||||||
@@ -71,8 +138,6 @@ def cmd_start(argv: list[str]) -> int:
|
|||||||
if agent_name is None:
|
if agent_name is None:
|
||||||
return 0
|
return 0
|
||||||
|
|
||||||
backend_name: str | None = args.backend
|
|
||||||
|
|
||||||
# Bottle multiselect: always show after agent selection so operators
|
# Bottle multiselect: always show after agent selection so operators
|
||||||
# can compose bottles at launch time without editing agent manifests.
|
# can compose bottles at launch time without editing agent manifests.
|
||||||
available_bottles = manifest.all_bottle_names
|
available_bottles = manifest.all_bottle_names
|
||||||
@@ -109,6 +174,84 @@ def cmd_start(argv: list[str]) -> int:
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# --- Headless launch -----------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
def _start_headless(
|
||||||
|
manifest: ManifestIndex,
|
||||||
|
args: argparse.Namespace,
|
||||||
|
*,
|
||||||
|
dry_run: bool,
|
||||||
|
backend_name: str | None,
|
||||||
|
) -> int:
|
||||||
|
"""Non-interactive launch path for orchestrators / CI / webhooks.
|
||||||
|
|
||||||
|
Resolves agent, bottles, label, and color from flags + manifest
|
||||||
|
defaults instead of the TUI selectors, and auto-confirms the
|
||||||
|
preflight. Otherwise runs the same launch core as the interactive
|
||||||
|
path, so the agent still execs on the inherited stdio/PTY — an
|
||||||
|
orchestrator allocates that PTY and relays it to its
|
||||||
|
desktop/mobile clients."""
|
||||||
|
agent_name = args.name
|
||||||
|
if not agent_name:
|
||||||
|
die("--headless requires an agent name: ./cli.py start <agent> --headless")
|
||||||
|
manifest.require_agent(agent_name) # raises ManifestError if unknown
|
||||||
|
|
||||||
|
prompt = args.prompt
|
||||||
|
if not prompt:
|
||||||
|
die(
|
||||||
|
"--headless requires --prompt: "
|
||||||
|
"./cli.py start <agent> --headless --prompt 'Do the thing'"
|
||||||
|
)
|
||||||
|
|
||||||
|
if args.bottle:
|
||||||
|
bottle_names: tuple[str, ...] = tuple(args.bottle)
|
||||||
|
else:
|
||||||
|
default_bottle = _peek_agent_bottle(manifest, agent_name)
|
||||||
|
if not default_bottle:
|
||||||
|
die(
|
||||||
|
f"--headless: agent '{agent_name}' has no default bottle; "
|
||||||
|
f"pass one or more --bottle NAME"
|
||||||
|
)
|
||||||
|
bottle_names = (default_bottle,)
|
||||||
|
|
||||||
|
label = _uniquify_label_headless(args.label or agent_name)
|
||||||
|
|
||||||
|
spec = BottleSpec(
|
||||||
|
manifest=manifest,
|
||||||
|
agent_name=agent_name,
|
||||||
|
copy_cwd=args.cwd,
|
||||||
|
user_cwd=USER_CWD,
|
||||||
|
label=label,
|
||||||
|
color=args.color or "",
|
||||||
|
bottle_names=bottle_names,
|
||||||
|
headless=True,
|
||||||
|
)
|
||||||
|
return _launch_bottle(
|
||||||
|
spec,
|
||||||
|
dry_run=dry_run,
|
||||||
|
backend_name=backend_name,
|
||||||
|
assume_yes=True,
|
||||||
|
headless_prompt_text=prompt,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _uniquify_label_headless(label: str) -> str:
|
||||||
|
"""Non-interactive analog of `_resolve_unique_label`: if the label's
|
||||||
|
slug collides with a running bottle, append -2, -3, … until free,
|
||||||
|
logging the chosen label. Orchestrators fire-and-forget many bottles,
|
||||||
|
so silently picking a free name beats erroring on every collision."""
|
||||||
|
active_slugs = {a.slug for a in enumerate_active_agents()}
|
||||||
|
if docker_mod.slugify(label) not in active_slugs:
|
||||||
|
return label
|
||||||
|
n = 2
|
||||||
|
while docker_mod.slugify(f"{label}-{n}") in active_slugs:
|
||||||
|
n += 1
|
||||||
|
chosen = f"{label}-{n}"
|
||||||
|
info(f"label '{label}' already in use; using '{chosen}'")
|
||||||
|
return chosen
|
||||||
|
|
||||||
|
|
||||||
# --- Launch helpers ------------------------------------------------------
|
# --- Launch helpers ------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
@@ -116,7 +259,7 @@ def prepare_with_preflight(
|
|||||||
spec: BottleSpec,
|
spec: BottleSpec,
|
||||||
*,
|
*,
|
||||||
stage_dir: Path,
|
stage_dir: Path,
|
||||||
render_preflight: Callable[[DockerBottlePlan], None],
|
render_preflight: Callable[[DockerBottlePlan, str], None],
|
||||||
prompt_yes: Callable[[], bool],
|
prompt_yes: Callable[[], bool],
|
||||||
dry_run: bool = False,
|
dry_run: bool = False,
|
||||||
backend_name: str | None = None,
|
backend_name: str | None = None,
|
||||||
@@ -137,7 +280,7 @@ def prepare_with_preflight(
|
|||||||
plan = backend.prepare(spec, stage_dir=stage_dir)
|
plan = backend.prepare(spec, stage_dir=stage_dir)
|
||||||
identity = _identity_from_plan(plan)
|
identity = _identity_from_plan(plan)
|
||||||
|
|
||||||
render_preflight(plan)
|
render_preflight(plan, backend.name)
|
||||||
|
|
||||||
if dry_run:
|
if dry_run:
|
||||||
info("dry-run requested; not starting container.")
|
info("dry-run requested; not starting container.")
|
||||||
@@ -264,8 +407,9 @@ def _text_prompt_yes() -> bool:
|
|||||||
|
|
||||||
|
|
||||||
def _text_render_preflight():
|
def _text_render_preflight():
|
||||||
def _render(plan: DockerBottlePlan) -> None:
|
def _render(plan: DockerBottlePlan, backend_name: str) -> None:
|
||||||
print(file=sys.stderr)
|
print(file=sys.stderr)
|
||||||
|
print(f"backend: {backend_name}", file=sys.stderr)
|
||||||
print(_manifest_to_yaml(plan.manifest), file=sys.stderr)
|
print(_manifest_to_yaml(plan.manifest), file=sys.stderr)
|
||||||
return _render
|
return _render
|
||||||
|
|
||||||
@@ -376,10 +520,19 @@ def _launch_bottle(
|
|||||||
*,
|
*,
|
||||||
dry_run: bool,
|
dry_run: bool,
|
||||||
backend_name: str | None = None,
|
backend_name: str | None = None,
|
||||||
|
assume_yes: bool = False,
|
||||||
|
headless_prompt_text: str = "",
|
||||||
) -> int:
|
) -> int:
|
||||||
"""Shared launch core for `start` and `resume`. Builds the plan,
|
"""Shared launch core for `start` and `resume`. Builds the plan,
|
||||||
prints / dry-runs / prompts as appropriate, brings the bottle up,
|
prints / dry-runs / prompts as appropriate, brings the bottle up,
|
||||||
attaches claude, and prints the resume hint on session end."""
|
attaches claude, and prints the resume hint on session end.
|
||||||
|
|
||||||
|
`assume_yes` skips the interactive y/N confirmation (headless /
|
||||||
|
orchestrator launches), where there is no human at the prompt.
|
||||||
|
|
||||||
|
`headless_prompt_text` is passed to the provider's `headless_prompt`
|
||||||
|
method and the resulting args are appended to startup_args so the
|
||||||
|
agent receives the initial task without interactive input."""
|
||||||
stage_dir = Path(tempfile.mkdtemp(prefix="bot-bottle-stage."))
|
stage_dir = Path(tempfile.mkdtemp(prefix="bot-bottle-stage."))
|
||||||
identity = ""
|
identity = ""
|
||||||
try:
|
try:
|
||||||
@@ -387,7 +540,7 @@ def _launch_bottle(
|
|||||||
spec,
|
spec,
|
||||||
stage_dir=stage_dir,
|
stage_dir=stage_dir,
|
||||||
render_preflight=_text_render_preflight(),
|
render_preflight=_text_render_preflight(),
|
||||||
prompt_yes=_text_prompt_yes,
|
prompt_yes=(lambda: True) if assume_yes else _text_prompt_yes,
|
||||||
dry_run=dry_run,
|
dry_run=dry_run,
|
||||||
backend_name=backend_name,
|
backend_name=backend_name,
|
||||||
)
|
)
|
||||||
@@ -397,10 +550,17 @@ def _launch_bottle(
|
|||||||
backend = get_bottle_backend(backend_name)
|
backend = get_bottle_backend(backend_name)
|
||||||
with backend.launch(plan) as bottle:
|
with backend.launch(plan) as bottle:
|
||||||
agent_provider_template = getattr(plan, "agent_provider_template", "claude")
|
agent_provider_template = getattr(plan, "agent_provider_template", "claude")
|
||||||
|
extra_args: tuple[str, ...] = ()
|
||||||
|
if headless_prompt_text:
|
||||||
|
extra_args = tuple(
|
||||||
|
get_provider(agent_provider_template).headless_prompt(
|
||||||
|
headless_prompt_text
|
||||||
|
)
|
||||||
|
)
|
||||||
exit_code = attach_agent(
|
exit_code = attach_agent(
|
||||||
bottle,
|
bottle,
|
||||||
agent_provider_template=agent_provider_template,
|
agent_provider_template=agent_provider_template,
|
||||||
startup_args=plan.agent_provision.startup_args,
|
startup_args=plan.agent_provision.startup_args + extra_args,
|
||||||
)
|
)
|
||||||
info(
|
info(
|
||||||
f"session ended (exit {exit_code}); "
|
f"session ended (exit {exit_code}); "
|
||||||
|
|||||||
+11
-23
@@ -19,7 +19,7 @@ from dataclasses import dataclass
|
|||||||
from datetime import datetime, timezone
|
from datetime import datetime, timezone
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
from .. import supervise as _supervise
|
from ..paths import bot_bottle_root
|
||||||
from ..bottle_state import read_metadata
|
from ..bottle_state import read_metadata
|
||||||
from ..backend.docker.egress_apply import (
|
from ..backend.docker.egress_apply import (
|
||||||
EgressApplyError,
|
EgressApplyError,
|
||||||
@@ -28,9 +28,6 @@ from ..backend.docker.egress_apply import (
|
|||||||
from ..backend.macos_container.egress_apply import (
|
from ..backend.macos_container.egress_apply import (
|
||||||
applicator as _macos_applicator,
|
applicator as _macos_applicator,
|
||||||
)
|
)
|
||||||
from ..backend.smolmachines.egress_apply import (
|
|
||||||
applicator as _smolmachines_applicator,
|
|
||||||
)
|
|
||||||
from ..log import Die, error, info
|
from ..log import Die, error, info
|
||||||
|
|
||||||
from ..supervise import (
|
from ..supervise import (
|
||||||
@@ -45,7 +42,7 @@ from ..supervise import (
|
|||||||
TOOL_EGRESS_BLOCK,
|
TOOL_EGRESS_BLOCK,
|
||||||
TOOL_GITLEAKS_ALLOW,
|
TOOL_GITLEAKS_ALLOW,
|
||||||
TOOL_EGRESS_TOKEN_ALLOW,
|
TOOL_EGRESS_TOKEN_ALLOW,
|
||||||
list_pending_proposals,
|
list_all_pending_proposals,
|
||||||
render_diff,
|
render_diff,
|
||||||
write_audit_entry,
|
write_audit_entry,
|
||||||
write_response,
|
write_response,
|
||||||
@@ -63,10 +60,9 @@ _REPORT_ONLY_TOOLS: tuple[str, ...] = (TOOL_GITLEAKS_ALLOW, TOOL_EGRESS_TOKEN_AL
|
|||||||
|
|
||||||
@dataclass(frozen=True)
|
@dataclass(frozen=True)
|
||||||
class QueuedProposal:
|
class QueuedProposal:
|
||||||
"""A pending proposal plus the queue dir it was found in."""
|
"""A pending proposal from the supervise queue."""
|
||||||
|
|
||||||
proposal: Proposal
|
proposal: Proposal
|
||||||
queue_dir: Path
|
|
||||||
|
|
||||||
|
|
||||||
# Errors any remediation engine may raise. Caught by the TUI key
|
# Errors any remediation engine may raise. Caught by the TUI key
|
||||||
@@ -80,22 +76,15 @@ def apply_routes_change(slug: str, content: str) -> tuple[str, str]:
|
|||||||
backend = meta.backend if meta is not None else ""
|
backend = meta.backend if meta is not None else ""
|
||||||
if backend == "macos-container":
|
if backend == "macos-container":
|
||||||
return _macos_applicator.apply_routes_change(slug, content)
|
return _macos_applicator.apply_routes_change(slug, content)
|
||||||
if backend == "smolmachines":
|
|
||||||
return _smolmachines_applicator.apply_routes_change(slug, content)
|
|
||||||
return _docker_applicator.apply_routes_change(slug, content)
|
return _docker_applicator.apply_routes_change(slug, content)
|
||||||
|
|
||||||
|
|
||||||
def discover_pending() -> list[QueuedProposal]:
|
def discover_pending() -> list[QueuedProposal]:
|
||||||
"""Walk ~/.bot-bottle/queue/* and collect pending proposals."""
|
"""Collect pending proposals across bottles."""
|
||||||
queue_root = _supervise.bot_bottle_root() / "queue"
|
out = [
|
||||||
if not queue_root.is_dir():
|
QueuedProposal(proposal=proposal)
|
||||||
return []
|
for proposal in list_all_pending_proposals()
|
||||||
out: list[QueuedProposal] = []
|
]
|
||||||
for slug_dir in sorted(queue_root.iterdir()):
|
|
||||||
if not slug_dir.is_dir():
|
|
||||||
continue
|
|
||||||
for proposal in list_pending_proposals(slug_dir):
|
|
||||||
out.append(QueuedProposal(proposal=proposal, queue_dir=slug_dir))
|
|
||||||
out.sort(key=lambda q: q.proposal.arrival_timestamp)
|
out.sort(key=lambda q: q.proposal.arrival_timestamp)
|
||||||
return out
|
return out
|
||||||
|
|
||||||
@@ -118,7 +107,6 @@ def _detail_lines(
|
|||||||
(f"tool: {p.tool}", 0),
|
(f"tool: {p.tool}", 0),
|
||||||
(f"id: {p.id}", 0),
|
(f"id: {p.id}", 0),
|
||||||
(f"arrived: {p.arrival_timestamp}", 0),
|
(f"arrived: {p.arrival_timestamp}", 0),
|
||||||
(f"queue: {qp.queue_dir}", 0),
|
|
||||||
("", 0),
|
("", 0),
|
||||||
("justification:", 0),
|
("justification:", 0),
|
||||||
]
|
]
|
||||||
@@ -165,7 +153,7 @@ def approve(
|
|||||||
notes=notes,
|
notes=notes,
|
||||||
final_file=final_file,
|
final_file=final_file,
|
||||||
)
|
)
|
||||||
write_response(qp.queue_dir, response)
|
write_response(qp.proposal.bottle_slug, response)
|
||||||
_write_audit(
|
_write_audit(
|
||||||
qp, action=status, notes=notes,
|
qp, action=status, notes=notes,
|
||||||
diff_before=diff_before, diff_after=diff_after,
|
diff_before=diff_before, diff_after=diff_after,
|
||||||
@@ -179,7 +167,7 @@ def reject(qp: QueuedProposal, *, reason: str) -> None:
|
|||||||
notes=reason,
|
notes=reason,
|
||||||
final_file=None,
|
final_file=None,
|
||||||
)
|
)
|
||||||
write_response(qp.queue_dir, response)
|
write_response(qp.proposal.bottle_slug, response)
|
||||||
_write_audit(qp, action=STATUS_REJECTED, notes=reason, diff_before="", diff_after="")
|
_write_audit(qp, action=STATUS_REJECTED, notes=reason, diff_before="", diff_after="")
|
||||||
|
|
||||||
|
|
||||||
@@ -288,7 +276,7 @@ def _write_crash_log(exc: BaseException) -> Path:
|
|||||||
)
|
)
|
||||||
entry = f"=== supervise crash {stamp} ===\n{body}\n"
|
entry = f"=== supervise crash {stamp} ===\n{body}\n"
|
||||||
try:
|
try:
|
||||||
log_dir = _supervise.bot_bottle_root() / "logs"
|
log_dir = bot_bottle_root() / "logs"
|
||||||
log_dir.mkdir(parents=True, exist_ok=True)
|
log_dir.mkdir(parents=True, exist_ok=True)
|
||||||
path = log_dir / "supervise-crash.log"
|
path = log_dir / "supervise-crash.log"
|
||||||
with path.open("a", encoding="utf-8") as fh:
|
with path.open("a", encoding="utf-8") as fh:
|
||||||
|
|||||||
@@ -21,7 +21,7 @@ FROM node:22-slim
|
|||||||
# to it) works against egress's bumped TLS without the agent needing
|
# to it) works against egress's bumped TLS without the agent needing
|
||||||
# local DNS.
|
# local DNS.
|
||||||
RUN apt-get update \
|
RUN apt-get update \
|
||||||
&& apt-get install -y --no-install-recommends git ca-certificates curl ripgrep \
|
&& apt-get install -y --no-install-recommends git ca-certificates curl ripgrep iproute2 dnsutils \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# App-specific deps. Python isn't required by claude-code itself
|
# App-specific deps. Python isn't required by claude-code itself
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ The Claude-specific behavior previously inlined under
|
|||||||
`agent_provider.agent_provision_plan` (claude.json trust marker,
|
`agent_provider.agent_provision_plan` (claude.json trust marker,
|
||||||
api.anthropic.com egress route, OAuth-token placeholder), plus
|
api.anthropic.com egress route, OAuth-token placeholder), plus
|
||||||
the `claude mcp add` invocation that registers the supervise
|
the `claude mcp add` invocation that registers the supervise
|
||||||
sidecar in claude-code's user config (PRD 0013)."""
|
gateway in claude-code's user config (PRD 0013)."""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
@@ -91,6 +91,7 @@ _RUNTIME = AgentProviderRuntime(
|
|||||||
prompt_mode="append_file",
|
prompt_mode="append_file",
|
||||||
bypass_args=("--dangerously-skip-permissions",),
|
bypass_args=("--dangerously-skip-permissions",),
|
||||||
resume_args=("--continue",),
|
resume_args=("--continue",),
|
||||||
|
smoke_test=("claude", "--version"),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@@ -217,7 +218,7 @@ class ClaudeAgentProvider(AgentProvider):
|
|||||||
if not agent.skills:
|
if not agent.skills:
|
||||||
return
|
return
|
||||||
skills_dir = _skills_dir(plan.guest_home)
|
skills_dir = _skills_dir(plan.guest_home)
|
||||||
bottle.exec(f"mkdir -p {skills_dir}", user="root")
|
bottle.exec(f"mkdir -p {shlex.quote(skills_dir)}", user="root")
|
||||||
for name in agent.skills:
|
for name in agent.skills:
|
||||||
src = host_skill_dir(name)
|
src = host_skill_dir(name)
|
||||||
if not os.path.isdir(src):
|
if not os.path.isdir(src):
|
||||||
@@ -227,9 +228,13 @@ class ClaudeAgentProvider(AgentProvider):
|
|||||||
)
|
)
|
||||||
dst = f"{skills_dir}/{name}"
|
dst = f"{skills_dir}/{name}"
|
||||||
info(f"copying skill {name} into {bottle.name}:{dst}")
|
info(f"copying skill {name} into {bottle.name}:{dst}")
|
||||||
bottle.exec(f"rm -rf {dst} && mkdir -p {dst}", user="root")
|
# Defense in depth: skill names are validated kebab-case at
|
||||||
|
# manifest load, but quote the path so a future unvalidated
|
||||||
|
# field can't inject shell metacharacters here either.
|
||||||
|
dst_q = shlex.quote(dst)
|
||||||
|
bottle.exec(f"rm -rf {dst_q} && mkdir -p {dst_q}", user="root")
|
||||||
bottle.cp_in(f"{src}/.", f"{dst}/")
|
bottle.cp_in(f"{src}/.", f"{dst}/")
|
||||||
bottle.exec(f"chown -R node:node {dst}", user="root")
|
bottle.exec(f"chown -R node:node {dst_q}", user="root")
|
||||||
|
|
||||||
def provision_prompt(self, plan: "BottlePlan", bottle: "Bottle") -> str | None:
|
def provision_prompt(self, plan: "BottlePlan", bottle: "Bottle") -> str | None:
|
||||||
"""Copy the prompt file into the guest, fix ownership/mode.
|
"""Copy the prompt file into the guest, fix ownership/mode.
|
||||||
@@ -289,7 +294,7 @@ class ClaudeAgentProvider(AgentProvider):
|
|||||||
supervise_url: str,
|
supervise_url: str,
|
||||||
) -> None:
|
) -> None:
|
||||||
"""Run `claude mcp add` inside the agent guest to register the
|
"""Run `claude mcp add` inside the agent guest to register the
|
||||||
supervise sidecar in claude-code's user config (~/.claude.json).
|
supervise daemon in claude-code's user config (~/.claude.json).
|
||||||
|
|
||||||
Failure is logged but not fatal — the bottle still works without
|
Failure is logged but not fatal — the bottle still works without
|
||||||
the entry; the operator can register it manually."""
|
the entry; the operator can register it manually."""
|
||||||
@@ -309,6 +314,9 @@ class ClaudeAgentProvider(AgentProvider):
|
|||||||
f"claude mcp add --scope user --transport http supervise {supervise_url}"
|
f"claude mcp add --scope user --transport http supervise {supervise_url}"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def headless_prompt(self, prompt: str) -> list[str]:
|
||||||
|
return ["-p", prompt]
|
||||||
|
|
||||||
|
|
||||||
def _exec(bottle: "Bottle", script: str, error: str) -> None:
|
def _exec(bottle: "Bottle", script: str, error: str) -> None:
|
||||||
result = bottle.exec(script, user="root")
|
result = bottle.exec(script, user="root")
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ The Codex-specific behavior previously inlined under
|
|||||||
`agent_provider.agent_provision_plan` (config.toml trust marker,
|
`agent_provider.agent_provision_plan` (config.toml trust marker,
|
||||||
chatgpt.com / api.openai.com egress routes, optional host-credential
|
chatgpt.com / api.openai.com egress routes, optional host-credential
|
||||||
forwarding with dummy-auth.json + verify), plus the `codex mcp add`
|
forwarding with dummy-auth.json + verify), plus the `codex mcp add`
|
||||||
invocation that registers the supervise sidecar in Codex's
|
invocation that registers the supervise daemon in Codex's
|
||||||
~/.codex/config.toml (PRD 0050)."""
|
~/.codex/config.toml (PRD 0050)."""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
@@ -34,6 +34,12 @@ if TYPE_CHECKING:
|
|||||||
|
|
||||||
|
|
||||||
_SUPERVISE_MCP_NAME = "supervise"
|
_SUPERVISE_MCP_NAME = "supervise"
|
||||||
|
_CODEX_CLI = "/home/node/.codex/packages/standalone/current/bin/codex"
|
||||||
|
_CODEX_CLI_PATH = (
|
||||||
|
"/home/node/.local/bin:"
|
||||||
|
"/home/node/.codex/packages/standalone/current/bin:"
|
||||||
|
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def _skills_dir(guest_home: str) -> str:
|
def _skills_dir(guest_home: str) -> str:
|
||||||
@@ -50,11 +56,12 @@ def _prompt_path(guest_home: str) -> str:
|
|||||||
|
|
||||||
_RUNTIME = AgentProviderRuntime(
|
_RUNTIME = AgentProviderRuntime(
|
||||||
template="codex",
|
template="codex",
|
||||||
command="codex",
|
command=_CODEX_CLI,
|
||||||
image="bot-bottle-codex:latest",
|
image="bot-bottle-codex:latest",
|
||||||
prompt_mode="read_prompt_file",
|
prompt_mode="read_prompt_file",
|
||||||
bypass_args=("--dangerously-bypass-approvals-and-sandbox",),
|
bypass_args=("--dangerously-bypass-approvals-and-sandbox",),
|
||||||
resume_args=("resume", "--last"),
|
resume_args=("resume", "--last"),
|
||||||
|
smoke_test=(_CODEX_CLI, "--version"),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@@ -145,7 +152,8 @@ class CodexAgentProvider(AgentProvider):
|
|||||||
"env",
|
"env",
|
||||||
f"HOME={guest_home}",
|
f"HOME={guest_home}",
|
||||||
f"CODEX_HOME={auth_dir}",
|
f"CODEX_HOME={auth_dir}",
|
||||||
"codex", "login", "status",
|
f"PATH={_CODEX_CLI_PATH}",
|
||||||
|
_CODEX_CLI, "login", "status",
|
||||||
), (
|
), (
|
||||||
"codex host credentials: dummy auth was copied into the "
|
"codex host credentials: dummy auth was copied into the "
|
||||||
"guest, but Codex did not accept it"
|
"guest, but Codex did not accept it"
|
||||||
@@ -183,7 +191,7 @@ class CodexAgentProvider(AgentProvider):
|
|||||||
if not agent.skills:
|
if not agent.skills:
|
||||||
return
|
return
|
||||||
skills_dir = _skills_dir(plan.guest_home)
|
skills_dir = _skills_dir(plan.guest_home)
|
||||||
bottle.exec(f"mkdir -p {skills_dir}", user="root")
|
bottle.exec(f"mkdir -p {shlex.quote(skills_dir)}", user="root")
|
||||||
for name in agent.skills:
|
for name in agent.skills:
|
||||||
src = host_skill_dir(name)
|
src = host_skill_dir(name)
|
||||||
if not os.path.isdir(src):
|
if not os.path.isdir(src):
|
||||||
@@ -193,9 +201,13 @@ class CodexAgentProvider(AgentProvider):
|
|||||||
)
|
)
|
||||||
dst = f"{skills_dir}/{name}"
|
dst = f"{skills_dir}/{name}"
|
||||||
info(f"copying skill {name} into {bottle.name}:{dst}")
|
info(f"copying skill {name} into {bottle.name}:{dst}")
|
||||||
bottle.exec(f"rm -rf {dst} && mkdir -p {dst}", user="root")
|
# Defense in depth: skill names are validated kebab-case at
|
||||||
|
# manifest load, but quote the path so a future unvalidated
|
||||||
|
# field can't inject shell metacharacters here either.
|
||||||
|
dst_q = shlex.quote(dst)
|
||||||
|
bottle.exec(f"rm -rf {dst_q} && mkdir -p {dst_q}", user="root")
|
||||||
bottle.cp_in(f"{src}/.", f"{dst}/")
|
bottle.cp_in(f"{src}/.", f"{dst}/")
|
||||||
bottle.exec(f"chown -R node:node {dst}", user="root")
|
bottle.exec(f"chown -R node:node {dst_q}", user="root")
|
||||||
|
|
||||||
def provision_prompt(self, plan: "BottlePlan", bottle: "Bottle") -> str | None:
|
def provision_prompt(self, plan: "BottlePlan", bottle: "Bottle") -> str | None:
|
||||||
"""Copy the prompt file into the guest, fix ownership/mode.
|
"""Copy the prompt file into the guest, fix ownership/mode.
|
||||||
@@ -255,7 +267,7 @@ class CodexAgentProvider(AgentProvider):
|
|||||||
supervise_url: str,
|
supervise_url: str,
|
||||||
) -> None:
|
) -> None:
|
||||||
"""Run `codex mcp add` inside the agent guest to register the
|
"""Run `codex mcp add` inside the agent guest to register the
|
||||||
supervise sidecar in Codex's user config (~/.codex/config.toml).
|
supervise daemon in Codex's user config (~/.codex/config.toml).
|
||||||
|
|
||||||
Mirrors the Claude provider's `claude mcp add` flow — failure
|
Mirrors the Claude provider's `claude mcp add` flow — failure
|
||||||
is logged but not fatal."""
|
is logged but not fatal."""
|
||||||
@@ -263,7 +275,7 @@ class CodexAgentProvider(AgentProvider):
|
|||||||
return
|
return
|
||||||
info(f"registering supervise MCP server in agent codex config → {supervise_url}")
|
info(f"registering supervise MCP server in agent codex config → {supervise_url}")
|
||||||
r = bottle.exec(
|
r = bottle.exec(
|
||||||
f"codex mcp add {_SUPERVISE_MCP_NAME} --url "
|
f"{shlex.quote(_CODEX_CLI)} mcp add {_SUPERVISE_MCP_NAME} --url "
|
||||||
f"{shlex.quote(supervise_url)}",
|
f"{shlex.quote(supervise_url)}",
|
||||||
user="node",
|
user="node",
|
||||||
)
|
)
|
||||||
@@ -275,6 +287,9 @@ class CodexAgentProvider(AgentProvider):
|
|||||||
f"codex mcp add supervise --url {shlex.quote(supervise_url)}"
|
f"codex mcp add supervise --url {shlex.quote(supervise_url)}"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def headless_prompt(self, prompt: str) -> list[str]:
|
||||||
|
return [prompt]
|
||||||
|
|
||||||
|
|
||||||
def _exec(bottle: "Bottle", script: str, error: str) -> None:
|
def _exec(bottle: "Bottle", script: str, error: str) -> None:
|
||||||
result = bottle.exec(script, user="root")
|
result = bottle.exec(script, user="root")
|
||||||
|
|||||||
@@ -238,7 +238,7 @@ class PiAgentProvider(AgentProvider):
|
|||||||
if not agent.skills:
|
if not agent.skills:
|
||||||
return
|
return
|
||||||
skills_dir = _skills_dir(plan.guest_home)
|
skills_dir = _skills_dir(plan.guest_home)
|
||||||
bottle.exec(f"mkdir -p {skills_dir}", user="root")
|
bottle.exec(f"mkdir -p {shlex.quote(skills_dir)}", user="root")
|
||||||
for name in agent.skills:
|
for name in agent.skills:
|
||||||
src = host_skill_dir(name)
|
src = host_skill_dir(name)
|
||||||
if not os.path.isdir(src):
|
if not os.path.isdir(src):
|
||||||
@@ -248,9 +248,13 @@ class PiAgentProvider(AgentProvider):
|
|||||||
)
|
)
|
||||||
dst = f"{skills_dir}/{name}"
|
dst = f"{skills_dir}/{name}"
|
||||||
info(f"copying skill {name} into {bottle.name}:{dst}")
|
info(f"copying skill {name} into {bottle.name}:{dst}")
|
||||||
bottle.exec(f"rm -rf {dst} && mkdir -p {dst}", user="root")
|
# Defense in depth: skill names are validated kebab-case at
|
||||||
|
# manifest load, but quote the path so a future unvalidated
|
||||||
|
# field can't inject shell metacharacters here either.
|
||||||
|
dst_q = shlex.quote(dst)
|
||||||
|
bottle.exec(f"rm -rf {dst_q} && mkdir -p {dst_q}", user="root")
|
||||||
bottle.cp_in(f"{src}/.", f"{dst}/")
|
bottle.cp_in(f"{src}/.", f"{dst}/")
|
||||||
bottle.exec(f"chown -R node:node {dst}", user="root")
|
bottle.exec(f"chown -R node:node {dst_q}", user="root")
|
||||||
|
|
||||||
def provision_prompt(self, plan: "BottlePlan", bottle: "Bottle") -> str | None:
|
def provision_prompt(self, plan: "BottlePlan", bottle: "Bottle") -> str | None:
|
||||||
prompt_path = _prompt_path(plan.guest_home)
|
prompt_path = _prompt_path(plan.guest_home)
|
||||||
@@ -311,6 +315,9 @@ class PiAgentProvider(AgentProvider):
|
|||||||
) -> None:
|
) -> None:
|
||||||
del plan, bottle, supervise_url
|
del plan, bottle, supervise_url
|
||||||
|
|
||||||
|
def headless_prompt(self, prompt: str) -> list[str]:
|
||||||
|
return ["-p", prompt]
|
||||||
|
|
||||||
|
|
||||||
def _exec(bottle: "Bottle", script: str, error: str) -> None:
|
def _exec(bottle: "Bottle", script: str, error: str) -> None:
|
||||||
result = bottle.exec(script, user="root")
|
result = bottle.exec(script, user="root")
|
||||||
|
|||||||
@@ -0,0 +1,59 @@
|
|||||||
|
"""Shared SQLite-backed store base class for bot-bottle (PRD 0013)."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import sqlite3
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
try:
|
||||||
|
from .migrations import TableMigrations
|
||||||
|
except ImportError:
|
||||||
|
from migrations import TableMigrations # type: ignore[import-not-found] # pylint: disable=import-error,no-name-in-module
|
||||||
|
|
||||||
|
|
||||||
|
class DbVersionError(Exception):
|
||||||
|
"""Raised when the on-disk schema is behind the current migration list."""
|
||||||
|
|
||||||
|
|
||||||
|
class DbStore:
|
||||||
|
"""Base for SQLite-backed stores. Subclasses resolve db_path then call super().__init__."""
|
||||||
|
|
||||||
|
def __init__(self, db_path: Path, migrations: TableMigrations) -> None:
|
||||||
|
self.db_path = db_path
|
||||||
|
self._migrations = migrations
|
||||||
|
self.db_path.parent.mkdir(parents=True, exist_ok=True)
|
||||||
|
|
||||||
|
def _connect(self) -> sqlite3.Connection:
|
||||||
|
conn = sqlite3.connect(self.db_path)
|
||||||
|
conn.row_factory = sqlite3.Row
|
||||||
|
return conn
|
||||||
|
|
||||||
|
def is_migrated(self) -> bool:
|
||||||
|
"""Return True if the DB is fully up-to-date, False if migration is needed."""
|
||||||
|
if not self.db_path.exists():
|
||||||
|
return False
|
||||||
|
try:
|
||||||
|
with self._connect() as conn:
|
||||||
|
row = conn.execute(
|
||||||
|
"SELECT version FROM schema_versions WHERE module = ?",
|
||||||
|
(self._migrations.schema_key,),
|
||||||
|
).fetchone()
|
||||||
|
except sqlite3.OperationalError:
|
||||||
|
return False
|
||||||
|
version = row[0] if row else 0
|
||||||
|
return version == len(self._migrations.migrations)
|
||||||
|
|
||||||
|
def migrate(self) -> None:
|
||||||
|
"""Apply any pending migrations and set permissions on the DB file."""
|
||||||
|
with self._connect() as conn:
|
||||||
|
self._migrations.apply(conn)
|
||||||
|
self._chmod()
|
||||||
|
|
||||||
|
def _chmod(self) -> None:
|
||||||
|
try:
|
||||||
|
self.db_path.chmod(0o600)
|
||||||
|
except OSError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = ["DbStore", "DbVersionError"]
|
||||||
+81
-20
@@ -3,7 +3,7 @@
|
|||||||
Pure Python, no mitmproxy dependency. Each detector is a module-level
|
Pure Python, no mitmproxy dependency. Each detector is a module-level
|
||||||
function returning `ScanResult | None`.
|
function returning `ScanResult | None`.
|
||||||
|
|
||||||
Ships flat into the sidecar bundle image alongside
|
Ships flat into the gateway image alongside
|
||||||
`egress_addon_core.py` — both this file and the package source use
|
`egress_addon_core.py` — both this file and the package source use
|
||||||
the same try/except import shim pattern.
|
the same try/except import shim pattern.
|
||||||
"""
|
"""
|
||||||
@@ -11,6 +11,7 @@ the same try/except import shim pattern.
|
|||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
|
import functools
|
||||||
import gzip
|
import gzip
|
||||||
import re
|
import re
|
||||||
import typing
|
import typing
|
||||||
@@ -126,8 +127,29 @@ def redact_tokens(
|
|||||||
# Known secrets detector
|
# Known secrets detector
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Encoded-variant cache. Provisioned secrets are stable for the life of the
|
||||||
|
# proxy, but `_encoded_variants` is on the per-request hot path — it runs for
|
||||||
|
# every secret on every redaction and known-secret scan (host, path, each
|
||||||
|
# header, body). Deriving the variant set is relatively expensive (gzip +
|
||||||
|
# nine encodings), so memoize it per distinct secret. The proxy process
|
||||||
|
# already holds these values in `os.environ`, so caching them here adds no
|
||||||
|
# new exposure. The cache is bounded (lru_cache maxsize) so a long-lived
|
||||||
|
# proxy that sees rotating secrets evicts the oldest rather than growing
|
||||||
|
# without limit; 256 comfortably covers the EGRESS_TOKEN_* set in practice.
|
||||||
|
_VARIANT_CACHE_MAXSIZE = 256
|
||||||
|
|
||||||
|
|
||||||
def _encoded_variants(secret: str) -> list[str]:
|
def _encoded_variants(secret: str) -> list[str]:
|
||||||
"""Return the secret plus common encoded variants for exfil detection."""
|
"""Return the secret plus common encoded variants for exfil detection.
|
||||||
|
|
||||||
|
The variant set is computed once per distinct secret and cached; callers
|
||||||
|
get a fresh list so they can't mutate the shared cached tuple."""
|
||||||
|
return list(_compute_encoded_variants(secret))
|
||||||
|
|
||||||
|
|
||||||
|
@functools.lru_cache(maxsize=_VARIANT_CACHE_MAXSIZE)
|
||||||
|
def _compute_encoded_variants(secret: str) -> tuple[str, ...]:
|
||||||
|
"""Derive the secret plus its encoded variants (memoized, bounded)."""
|
||||||
seen: set[str] = {secret}
|
seen: set[str] = {secret}
|
||||||
variants: list[str] = [secret]
|
variants: list[str] = [secret]
|
||||||
|
|
||||||
@@ -161,7 +183,7 @@ def _encoded_variants(secret: str) -> list[str]:
|
|||||||
# gzip + base64 (deterministic: mtime=0); recognisable by H4sI prefix
|
# gzip + base64 (deterministic: mtime=0); recognisable by H4sI prefix
|
||||||
_add(base64.b64encode(gzip.compress(secret_bytes, mtime=0)).decode("ascii"))
|
_add(base64.b64encode(gzip.compress(secret_bytes, mtime=0)).decode("ascii"))
|
||||||
|
|
||||||
return variants
|
return tuple(variants)
|
||||||
|
|
||||||
|
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
@@ -187,18 +209,24 @@ def _alnum_projection(text: str) -> str:
|
|||||||
|
|
||||||
|
|
||||||
def _find_partial_window(secret_alnum: str, text_alnum: str, min_len: int) -> int | None:
|
def _find_partial_window(secret_alnum: str, text_alnum: str, min_len: int) -> int | None:
|
||||||
"""Return the position in text_alnum where any min_len-char window of
|
"""Return the earliest position in text_alnum holding a min_len-char window
|
||||||
secret_alnum first appears, or None.
|
that also appears in secret_alnum, or None.
|
||||||
|
|
||||||
Slides a window of width min_len across secret_alnum and searches for
|
The secret's set of min_len-grams is small (bounded by the secret length),
|
||||||
each window in text_alnum. The first hit position is returned.
|
so building it once and sweeping the text a single time is O(len(text))
|
||||||
|
rather than the O(len(secret) * len(text)) of repeated substring searches —
|
||||||
|
which matters because this runs per provisioned secret on every request
|
||||||
|
body. Coverage is unchanged: a hit still means at least min_len consecutive
|
||||||
|
alphanumeric characters of the secret leaked into the text.
|
||||||
"""
|
"""
|
||||||
if len(secret_alnum) < min_len or len(text_alnum) < min_len:
|
if len(secret_alnum) < min_len or len(text_alnum) < min_len:
|
||||||
return None
|
return None
|
||||||
for i in range(len(secret_alnum) - min_len + 1):
|
secret_grams = {
|
||||||
window = secret_alnum[i:i + min_len]
|
secret_alnum[i:i + min_len]
|
||||||
pos = text_alnum.find(window)
|
for i in range(len(secret_alnum) - min_len + 1)
|
||||||
if pos >= 0:
|
}
|
||||||
|
for pos in range(len(text_alnum) - min_len + 1):
|
||||||
|
if text_alnum[pos:pos + min_len] in secret_grams:
|
||||||
return pos
|
return pos
|
||||||
return None
|
return None
|
||||||
|
|
||||||
@@ -364,19 +392,52 @@ JAILBREAK_PHRASES: tuple[re.Pattern[str], ...] = (
|
|||||||
PROXIMITY_CHARS = 500
|
PROXIMITY_CHARS = 500
|
||||||
|
|
||||||
|
|
||||||
|
def _match_gap(a: re.Match[str], b: re.Match[str]) -> int:
|
||||||
|
"""Character gap between two match spans; 0 when they overlap or touch."""
|
||||||
|
return max(0, max(a.start(), b.start()) - min(a.end(), b.end()))
|
||||||
|
|
||||||
|
|
||||||
def _closest_pair(
|
def _closest_pair(
|
||||||
a_matches: list[re.Match[str]],
|
a_matches: list[re.Match[str]],
|
||||||
b_matches: list[re.Match[str]],
|
b_matches: list[re.Match[str]],
|
||||||
|
*,
|
||||||
|
within: int | None = None,
|
||||||
) -> tuple[re.Match[str], re.Match[str]] | None:
|
) -> tuple[re.Match[str], re.Match[str]] | None:
|
||||||
"""Return the pair (a, b) with the smallest character gap, or None."""
|
"""Return the (a, b) pair with the smallest character gap, or None when
|
||||||
|
either list is empty.
|
||||||
|
|
||||||
|
Runs in O(n log n) sort + O(n) merge rather than the O(n*m) cross product:
|
||||||
|
both lists are sorted by start offset and swept with a two-pointer merge,
|
||||||
|
advancing whichever span ends first (it can only get farther from any
|
||||||
|
later span in the other list). This matters because the inputs are
|
||||||
|
attacker-controlled response-body matches that have already passed the
|
||||||
|
body-size cap, so the quadratic form is a latent DoS.
|
||||||
|
|
||||||
|
When `within` is set, returns as soon as a pair with gap <= within is
|
||||||
|
found: the only caller blocks on any pair inside the proximity threshold,
|
||||||
|
so the exact global minimum past that point doesn't change the decision.
|
||||||
|
"""
|
||||||
|
if not a_matches or not b_matches:
|
||||||
|
return None
|
||||||
|
a_sorted = sorted(a_matches, key=lambda m: m.start())
|
||||||
|
b_sorted = sorted(b_matches, key=lambda m: m.start())
|
||||||
|
i = j = 0
|
||||||
best: tuple[re.Match[str], re.Match[str]] | None = None
|
best: tuple[re.Match[str], re.Match[str]] | None = None
|
||||||
best_gap: int | None = None
|
best_gap: int | None = None
|
||||||
for a in a_matches:
|
while i < len(a_sorted) and j < len(b_sorted):
|
||||||
for b in b_matches:
|
a, b = a_sorted[i], b_sorted[j]
|
||||||
gap = max(0, max(a.start(), b.start()) - min(a.end(), b.end()))
|
gap = _match_gap(a, b)
|
||||||
if best_gap is None or gap < best_gap:
|
if best_gap is None or gap < best_gap:
|
||||||
best_gap = gap
|
best_gap = gap
|
||||||
best = (a, b)
|
best = (a, b)
|
||||||
|
if within is not None and gap <= within:
|
||||||
|
return best
|
||||||
|
# Advance the span that ends first; it cannot form a closer pair with
|
||||||
|
# any later (further-right) span from the other list.
|
||||||
|
if a.end() <= b.end():
|
||||||
|
i += 1
|
||||||
|
else:
|
||||||
|
j += 1
|
||||||
return best
|
return best
|
||||||
|
|
||||||
|
|
||||||
@@ -386,9 +447,9 @@ def scan_naive_injection(text: str) -> ScanResult | None:
|
|||||||
jailbreak_hits = [m for p in JAILBREAK_PHRASES for m in p.finditer(text)]
|
jailbreak_hits = [m for p in JAILBREAK_PHRASES for m in p.finditer(text)]
|
||||||
|
|
||||||
if disclosure_hits and jailbreak_hits:
|
if disclosure_hits and jailbreak_hits:
|
||||||
pair = _closest_pair(disclosure_hits, jailbreak_hits)
|
pair = _closest_pair(disclosure_hits, jailbreak_hits, within=PROXIMITY_CHARS)
|
||||||
if pair is not None:
|
if pair is not None:
|
||||||
dist = max(0, max(pair[0].start(), pair[1].start()) - min(pair[0].end(), pair[1].end()))
|
dist = _match_gap(pair[0], pair[1])
|
||||||
if dist <= PROXIMITY_CHARS:
|
if dist <= PROXIMITY_CHARS:
|
||||||
first = pair[0] if pair[0].start() <= pair[1].start() else pair[1]
|
first = pair[0] if pair[0].start() <= pair[1].start() else pair[1]
|
||||||
return ScanResult(
|
return ScanResult(
|
||||||
|
|||||||
@@ -0,0 +1,27 @@
|
|||||||
|
"""Lean, framework-free `docker` subprocess primitive.
|
||||||
|
|
||||||
|
Deliberately a top-level module with a single stdlib import so it can be
|
||||||
|
reused from anywhere without cost. It is intentionally *not* placed in
|
||||||
|
`backend.docker.util`: importing that module runs `backend/__init__.py`,
|
||||||
|
which eagerly loads all three bottle backends (docker + firecracker +
|
||||||
|
macos) plus the manifest/egress/git-gate/supervise framework — ~76 modules
|
||||||
|
— which would drag the whole backend layer into the deliberately-lean
|
||||||
|
orchestrator. This primitive stays free of that so both the orchestrator's
|
||||||
|
docker components and (in time) `backend.docker.util` can share it."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import subprocess
|
||||||
|
|
||||||
|
|
||||||
|
def run_docker(argv: list[str]) -> subprocess.CompletedProcess[str]:
|
||||||
|
"""Run a `docker` command, capturing stdout/stderr as text. Never raises
|
||||||
|
on a non-zero exit — callers inspect `returncode` / `stderr` so they can
|
||||||
|
stay fail-closed or tolerate idempotent no-ops (e.g. removing an
|
||||||
|
already-absent container)."""
|
||||||
|
return subprocess.run(
|
||||||
|
argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = ["run_docker"]
|
||||||
+13
-10
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
This module defines the abstract proxy (`Egress`), its plan
|
This module defines the abstract proxy (`Egress`), its plan
|
||||||
dataclass (`EgressPlan`), and the resolved per-route shape
|
dataclass (`EgressPlan`), and the resolved per-route shape
|
||||||
(`EgressRoute`). The sidecar's start/stop lifecycle is backend-
|
(`EgressRoute`). The gateway's start/stop lifecycle is backend-
|
||||||
specific and lives on concrete subclasses (see
|
specific and lives on concrete subclasses (see
|
||||||
`bot_bottle/backend/docker/egress.py`).
|
`bot_bottle/backend/docker/egress.py`).
|
||||||
"""
|
"""
|
||||||
@@ -23,6 +23,7 @@ from .egress_addon_core import (
|
|||||||
PathMatch as CorePathMatch,
|
PathMatch as CorePathMatch,
|
||||||
Route,
|
Route,
|
||||||
)
|
)
|
||||||
|
from .errors import MissingEnvVarError
|
||||||
from .log import die
|
from .log import die
|
||||||
|
|
||||||
if TYPE_CHECKING:
|
if TYPE_CHECKING:
|
||||||
@@ -62,8 +63,8 @@ def _random_canary_env() -> str:
|
|||||||
return f"{first}_{second}_SECRET"
|
return f"{first}_{second}_SECRET"
|
||||||
|
|
||||||
|
|
||||||
def egress_sidecar_env_entries(plan: "EgressPlan") -> tuple[str, ...]:
|
def egress_gateway_env_entries(plan: "EgressPlan") -> tuple[str, ...]:
|
||||||
"""Return sidecar env entries needed by egress across all backends."""
|
"""Return gateway env entries needed by egress across all backends."""
|
||||||
env: list[str] = []
|
env: list[str] = []
|
||||||
if plan.routes:
|
if plan.routes:
|
||||||
env.extend(sorted(plan.token_env_map.keys()))
|
env.extend(sorted(plan.token_env_map.keys()))
|
||||||
@@ -86,7 +87,7 @@ class EgressRoute(Route):
|
|||||||
|
|
||||||
Inherits `host`, `matches`, `auth_scheme`, and `token_env`
|
Inherits `host`, `matches`, `auth_scheme`, and `token_env`
|
||||||
from `egress_addon_core.Route` — those are the fields that cross the
|
from `egress_addon_core.Route` — those are the fields that cross the
|
||||||
YAML wire into the sidecar. The fields below are host-only and
|
YAML wire into the gateway. The fields below are host-only and
|
||||||
are never serialised to the addon.
|
are never serialised to the addon.
|
||||||
|
|
||||||
`token_ref` is the host env var the CLI reads at launch and forwards
|
`token_ref` is the host env var the CLI reads at launch and forwards
|
||||||
@@ -354,16 +355,18 @@ def egress_resolve_token_values(
|
|||||||
for token_env, token_ref in token_env_map.items():
|
for token_env, token_ref in token_env_map.items():
|
||||||
value = host_env.get(token_ref)
|
value = host_env.get(token_ref)
|
||||||
if value is None:
|
if value is None:
|
||||||
die(
|
raise MissingEnvVarError(
|
||||||
|
token_ref,
|
||||||
f"egress: host env var '{token_ref}' is unset. Set it "
|
f"egress: host env var '{token_ref}' is unset. Set it "
|
||||||
f"before launching, or remove the corresponding auth block "
|
f"before launching, or remove the corresponding auth block "
|
||||||
f"from bottle.egress.routes."
|
f"from bottle.egress.routes.",
|
||||||
)
|
)
|
||||||
if not value:
|
if not value:
|
||||||
die(
|
raise MissingEnvVarError(
|
||||||
|
token_ref,
|
||||||
f"egress: host env var '{token_ref}' is empty. The "
|
f"egress: host env var '{token_ref}' is empty. The "
|
||||||
f"egress will not inject an empty token; set it to "
|
f"egress will not inject an empty token; set it to "
|
||||||
f"the real value or remove the route's auth block."
|
f"the real value or remove the route's auth block.",
|
||||||
)
|
)
|
||||||
out[token_env] = value
|
out[token_env] = value
|
||||||
return out
|
return out
|
||||||
@@ -383,7 +386,7 @@ class Egress(ABC):
|
|||||||
routes_path.write_text(egress_render_routes(routes, log=log))
|
routes_path.write_text(egress_render_routes(routes, log=log))
|
||||||
routes_path.chmod(0o600)
|
routes_path.chmod(0o600)
|
||||||
# Generate a per-session fake secret under a plausible random env name.
|
# Generate a per-session fake secret under a plausible random env name.
|
||||||
# The sidecar marks that exact env name as sensitive for known-secret
|
# The gateway marks that exact env name as sensitive for known-secret
|
||||||
# scanning; the agent receives the same name/value as exfil bait.
|
# scanning; the agent receives the same name/value as exfil bait.
|
||||||
canary = secrets.token_urlsafe(32)
|
canary = secrets.token_urlsafe(32)
|
||||||
return EgressPlan(
|
return EgressPlan(
|
||||||
@@ -409,6 +412,6 @@ __all__ = [
|
|||||||
"egress_resolve_token_values",
|
"egress_resolve_token_values",
|
||||||
"egress_routes_for_bottle",
|
"egress_routes_for_bottle",
|
||||||
"egress_agent_env_entries",
|
"egress_agent_env_entries",
|
||||||
"egress_sidecar_env_entries",
|
"egress_gateway_env_entries",
|
||||||
"egress_token_env_map",
|
"egress_token_env_map",
|
||||||
]
|
]
|
||||||
|
|||||||
+119
-46
@@ -1,4 +1,4 @@
|
|||||||
"""mitmproxy addon entrypoint for the egress sidecar (PRD 0017, PRD 0053).
|
"""mitmproxy addon entrypoint for the egress gateway (PRD 0017, PRD 0053).
|
||||||
|
|
||||||
Loaded by `mitmdump -s /app/egress_addon.py` inside the
|
Loaded by `mitmdump -s /app/egress_addon.py` inside the
|
||||||
egress container."""
|
egress container."""
|
||||||
@@ -10,6 +10,7 @@ import json
|
|||||||
import os
|
import os
|
||||||
import signal
|
import signal
|
||||||
import sys
|
import sys
|
||||||
|
import typing
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
from mitmproxy import http # type: ignore[import-not-found] # pylint: disable=import-error
|
from mitmproxy import http # type: ignore[import-not-found] # pylint: disable=import-error
|
||||||
@@ -32,6 +33,7 @@ from egress_addon_core import ( # type: ignore[import-not-found] # pylint: dis
|
|||||||
is_git_push_request,
|
is_git_push_request,
|
||||||
load_config,
|
load_config,
|
||||||
match_route,
|
match_route,
|
||||||
|
resolve_client_context,
|
||||||
outbound_scan_headers,
|
outbound_scan_headers,
|
||||||
route_to_yaml_dict,
|
route_to_yaml_dict,
|
||||||
scan_inbound,
|
scan_inbound,
|
||||||
@@ -51,11 +53,26 @@ try:
|
|||||||
except ImportError: # pragma: no cover - host-side path
|
except ImportError: # pragma: no cover - host-side path
|
||||||
from bot_bottle import supervise as _sv # type: ignore[import-not-found]
|
from bot_bottle import supervise as _sv # type: ignore[import-not-found]
|
||||||
|
|
||||||
|
try:
|
||||||
|
from policy_resolver import PolicyResolver # type: ignore[import-not-found]
|
||||||
|
except ImportError: # pragma: no cover - host-side path
|
||||||
|
from bot_bottle.policy_resolver import PolicyResolver
|
||||||
|
|
||||||
|
|
||||||
DEFAULT_ROUTES_PATH = "/etc/egress/routes.yaml"
|
DEFAULT_ROUTES_PATH = "/etc/egress/routes.yaml"
|
||||||
|
|
||||||
INTROSPECT_HOST = "_egress.local"
|
INTROSPECT_HOST = "_egress.local"
|
||||||
|
|
||||||
|
# Consolidated (multi-tenant) mode: when this points at the per-host
|
||||||
|
# orchestrator's control plane, the addon resolves each client's Config by
|
||||||
|
# source IP per request instead of using a single static routes file. Unset
|
||||||
|
# → legacy per-bottle single-tenant mode (unchanged).
|
||||||
|
ORCHESTRATOR_URL_ENV = "BOT_BOTTLE_ORCHESTRATOR_URL"
|
||||||
|
|
||||||
|
# App-layer identity token (defense-in-depth over the source-IP invariant);
|
||||||
|
# the agent injects it, the addon strips it so it never leaks upstream.
|
||||||
|
IDENTITY_HEADER = "x-bot-bottle-identity"
|
||||||
|
|
||||||
# Seconds the egress proxy holds a token-blocked request open waiting for the
|
# Seconds the egress proxy holds a token-blocked request open waiting for the
|
||||||
# operator's supervisor decision (PRD 0062), overridable via env.
|
# operator's supervisor decision (PRD 0062), overridable via env.
|
||||||
DEFAULT_TOKEN_ALLOW_TIMEOUT_SECONDS = 300.0
|
DEFAULT_TOKEN_ALLOW_TIMEOUT_SECONDS = 300.0
|
||||||
@@ -72,21 +89,40 @@ _TOKEN_ALLOW_JUSTIFICATION = (
|
|||||||
|
|
||||||
|
|
||||||
class EgressAddon:
|
class EgressAddon:
|
||||||
|
# Class default so addons built via __new__ (e.g. in tests) default to
|
||||||
|
# single-tenant; __init__ sets the instance attribute for real runs.
|
||||||
|
_resolver: "PolicyResolver | None" = None
|
||||||
|
|
||||||
def __init__(self) -> None:
|
def __init__(self) -> None:
|
||||||
self.routes_path = os.environ.get("EGRESS_ROUTES", DEFAULT_ROUTES_PATH)
|
self.routes_path = os.environ.get("EGRESS_ROUTES", DEFAULT_ROUTES_PATH)
|
||||||
self.config: Config = Config(routes=())
|
self.config: Config = Config(routes=())
|
||||||
# Tokens the operator has approved this session (PRD 0062). In-memory
|
# Consolidated mode: resolve per-client Config from the orchestrator.
|
||||||
# only — a restart re-prompts. Mutated only from the asyncio loop that
|
# Absent → single-tenant (static routes file); behaviour unchanged.
|
||||||
# runs the addon hooks, so no lock is needed.
|
orch_url = os.environ.get(ORCHESTRATOR_URL_ENV, "").strip()
|
||||||
self.safe_tokens: set[str] = set()
|
self._resolver = PolicyResolver(orch_url) if orch_url else None
|
||||||
self._supervise_queue_dir = os.environ.get("SUPERVISE_QUEUE_DIR", "").strip()
|
# Tokens the operator has approved this session (PRD 0062), keyed by
|
||||||
|
# bottle so the shared gateway keeps each bottle's safelist separate —
|
||||||
|
# a global set would let bottle A's approved secret pass bottle B's DLP
|
||||||
|
# scan. In-memory only (a restart re-prompts); mutated only from the
|
||||||
|
# asyncio loop that runs the addon hooks, so no lock is needed.
|
||||||
|
self._safe_tokens: dict[str, set[str]] = {}
|
||||||
self._supervise_slug = os.environ.get("SUPERVISE_BOTTLE_SLUG", "").strip()
|
self._supervise_slug = os.environ.get("SUPERVISE_BOTTLE_SLUG", "").strip()
|
||||||
self._token_allow_timeout = _token_allow_timeout_from_env(os.environ)
|
self._token_allow_timeout = _token_allow_timeout_from_env(os.environ)
|
||||||
self._reload(initial=True)
|
self._reload(initial=True)
|
||||||
self._install_sighup()
|
self._install_sighup()
|
||||||
|
|
||||||
def _supervise_available(self) -> bool:
|
@staticmethod
|
||||||
return bool(self._supervise_queue_dir and self._supervise_slug)
|
def _supervise_available(slug: str) -> bool:
|
||||||
|
"""Supervise is reachable for this request iff we resolved a bottle to
|
||||||
|
attribute its proposals to (single-tenant env slug, or a source-IP
|
||||||
|
-attributed bottle id). Empty → fail closed (no queue to write to)."""
|
||||||
|
return bool(slug)
|
||||||
|
|
||||||
|
def _safe_tokens_for(self, slug: str) -> set[str]:
|
||||||
|
"""This bottle's operator-approved DLP safelist (PRD 0062), created on
|
||||||
|
first use. Keyed by bottle so the shared gateway never leaks one
|
||||||
|
bottle's approved token into another's scan."""
|
||||||
|
return self._safe_tokens.setdefault(slug, set())
|
||||||
|
|
||||||
def _reload(self, *, initial: bool = False) -> None:
|
def _reload(self, *, initial: bool = False) -> None:
|
||||||
try:
|
try:
|
||||||
@@ -195,6 +231,28 @@ class EgressAddon:
|
|||||||
+ "\n"
|
+ "\n"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def _resolve_flow(
|
||||||
|
self, flow: http.HTTPFlow,
|
||||||
|
) -> "tuple[Config, str, typing.Mapping[str, str]]":
|
||||||
|
"""The `(Config, supervise slug, env)` to apply to this request.
|
||||||
|
Single-tenant → the static `self.config`, the env slug, and the process
|
||||||
|
env. Consolidated → the calling bottle's Config + bottle id + auth
|
||||||
|
tokens, resolved by source IP in one round-trip (fail-closed to deny-all
|
||||||
|
+ empty slug if unattributed); `env` is the process env overlaid with
|
||||||
|
the bottle's tokens, so upstream-auth injection (and DLP) use *this*
|
||||||
|
bottle's credentials — exactly what the per-bottle gateway daemon's env did.
|
||||||
|
The identity token, if the agent injected one, is read then stripped so
|
||||||
|
it never leaks upstream."""
|
||||||
|
if self._resolver is None:
|
||||||
|
return self.config, self._supervise_slug, os.environ
|
||||||
|
conn = flow.client_conn
|
||||||
|
client_ip = conn.peername[0] if conn and conn.peername else ""
|
||||||
|
token = flow.request.headers.get(IDENTITY_HEADER, "")
|
||||||
|
flow.request.headers.pop(IDENTITY_HEADER, None)
|
||||||
|
config, slug, tokens = resolve_client_context(self._resolver, client_ip, token)
|
||||||
|
env = {**os.environ, **tokens} if tokens else os.environ
|
||||||
|
return config, slug, env
|
||||||
|
|
||||||
async def request(self, flow: http.HTTPFlow) -> None:
|
async def request(self, flow: http.HTTPFlow) -> None:
|
||||||
request_path, _, query = flow.request.path.partition("?")
|
request_path, _, query = flow.request.path.partition("?")
|
||||||
|
|
||||||
@@ -202,12 +260,14 @@ class EgressAddon:
|
|||||||
self._serve_introspection(flow, request_path)
|
self._serve_introspection(flow, request_path)
|
||||||
return
|
return
|
||||||
|
|
||||||
|
config, slug, env = self._resolve_flow(flow)
|
||||||
|
|
||||||
# DLP outbound scan BEFORE stripping auth — catches tokens the
|
# DLP outbound scan BEFORE stripping auth — catches tokens the
|
||||||
# agent tried to smuggle in any header, path, query param, or body.
|
# agent tried to smuggle in any header, path, query param, or body.
|
||||||
# Hostname is included to catch DNS-tunnelling exfiltration attempts.
|
# Hostname is included to catch DNS-tunnelling exfiltration attempts.
|
||||||
route = match_route(self.config.routes, flow.request.pretty_host)
|
route = match_route(config.routes, flow.request.pretty_host)
|
||||||
if route is not None:
|
if route is not None:
|
||||||
if not await self._handle_outbound_dlp(flow, route):
|
if not await self._handle_outbound_dlp(flow, route, slug, env):
|
||||||
return
|
return
|
||||||
# The redact policy may have rewritten the request line; recompute
|
# The redact policy may have rewritten the request line; recompute
|
||||||
# the path/query the git checks below rely on.
|
# the path/query the git checks below rely on.
|
||||||
@@ -225,7 +285,7 @@ class EgressAddon:
|
|||||||
|
|
||||||
if is_git_fetch_request(request_path, query):
|
if is_git_fetch_request(request_path, query):
|
||||||
git_decision = decide_git_fetch(
|
git_decision = decide_git_fetch(
|
||||||
self.config.routes, flow.request.pretty_host,
|
config.routes, flow.request.pretty_host,
|
||||||
)
|
)
|
||||||
if git_decision.action == "block":
|
if git_decision.action == "block":
|
||||||
self._block(
|
self._block(
|
||||||
@@ -236,17 +296,17 @@ class EgressAddon:
|
|||||||
return
|
return
|
||||||
|
|
||||||
# Strip agent-set Authorization after DLP scan so smuggled tokens
|
# Strip agent-set Authorization after DLP scan so smuggled tokens
|
||||||
# are caught above; the route may inject sidecar-owned auth below.
|
# are caught above; the route may inject gateway-owned auth below.
|
||||||
flow.request.headers.pop("authorization", None)
|
flow.request.headers.pop("authorization", None)
|
||||||
|
|
||||||
# Build headers mapping for match evaluation
|
# Build headers mapping for match evaluation
|
||||||
req_headers = {k.lower(): v for k, v in flow.request.headers.items()}
|
req_headers = {k.lower(): v for k, v in flow.request.headers.items()}
|
||||||
|
|
||||||
decision = decide(
|
decision = decide(
|
||||||
self.config.routes,
|
config.routes,
|
||||||
flow.request.pretty_host,
|
flow.request.pretty_host,
|
||||||
request_path,
|
request_path,
|
||||||
os.environ,
|
env,
|
||||||
request_method=flow.request.method,
|
request_method=flow.request.method,
|
||||||
request_headers=req_headers,
|
request_headers=req_headers,
|
||||||
)
|
)
|
||||||
@@ -258,7 +318,7 @@ class EgressAddon:
|
|||||||
if decision.inject_authorization is not None:
|
if decision.inject_authorization is not None:
|
||||||
flow.request.headers["authorization"] = decision.inject_authorization
|
flow.request.headers["authorization"] = decision.inject_authorization
|
||||||
|
|
||||||
if self.config.log >= LOG_FULL:
|
if config.log >= LOG_FULL:
|
||||||
self._log_request(flow)
|
self._log_request(flow)
|
||||||
|
|
||||||
def _block_dlp(self, flow: http.HTTPFlow, result: ScanResult) -> None:
|
def _block_dlp(self, flow: http.HTTPFlow, result: ScanResult) -> None:
|
||||||
@@ -271,10 +331,13 @@ class EgressAddon:
|
|||||||
self,
|
self,
|
||||||
flow: http.HTTPFlow,
|
flow: http.HTTPFlow,
|
||||||
route: Route,
|
route: Route,
|
||||||
|
slug: str,
|
||||||
|
env: "typing.Mapping[str, str]",
|
||||||
) -> bool:
|
) -> bool:
|
||||||
"""Scan the outbound request and apply the route's on-match policy
|
"""Scan the outbound request and apply the route's on-match policy
|
||||||
(PRD 0062). Returns True if the request may be forwarded, False if a
|
(PRD 0062). `env` is the per-bottle env overlay (process env + this
|
||||||
403 response has been written to `flow`.
|
bottle's tokens) used for DLP detection. Returns True if the request may
|
||||||
|
be forwarded, False if a 403 response has been written to `flow`.
|
||||||
|
|
||||||
Loops so the supervise policy can re-scan after each approval — a
|
Loops so the supervise policy can re-scan after each approval — a
|
||||||
second, un-approved token in the same request is still caught."""
|
second, un-approved token in the same request is still caught."""
|
||||||
@@ -291,8 +354,8 @@ class EgressAddon:
|
|||||||
flow.request.pretty_host, request_path, query, headers, "",
|
flow.request.pretty_host, request_path, query, headers, "",
|
||||||
)
|
)
|
||||||
result = scan_outbound(
|
result = scan_outbound(
|
||||||
route, scan_text, os.environ,
|
route, scan_text, env,
|
||||||
safe_tokens=self.safe_tokens, crlf_text=crlf_text,
|
safe_tokens=self._safe_tokens_for(slug), crlf_text=crlf_text,
|
||||||
)
|
)
|
||||||
if result is None or result.severity != "block":
|
if result is None or result.severity != "block":
|
||||||
return True
|
return True
|
||||||
@@ -302,7 +365,7 @@ class EgressAddon:
|
|||||||
# redact scrubs every detection (tokens and structural CRLF) and
|
# redact scrubs every detection (tokens and structural CRLF) and
|
||||||
# forwards; it fails closed only if a match survives the scrub.
|
# forwards; it fails closed only if a match survives the scrub.
|
||||||
if policy == ON_MATCH_REDACT:
|
if policy == ON_MATCH_REDACT:
|
||||||
if self._redact_outbound(flow, route):
|
if self._redact_outbound(flow, route, env):
|
||||||
if self.config.log >= LOG_BLOCKS:
|
if self.config.log >= LOG_BLOCKS:
|
||||||
sys.stderr.write(json.dumps({
|
sys.stderr.write(json.dumps({
|
||||||
"event": "egress_redacted",
|
"event": "egress_redacted",
|
||||||
@@ -327,32 +390,34 @@ class EgressAddon:
|
|||||||
|
|
||||||
# supervise (default): hold the request for operator approval.
|
# supervise (default): hold the request for operator approval.
|
||||||
# Fall back to a hard 403 when supervise isn't wired for the bottle.
|
# Fall back to a hard 403 when supervise isn't wired for the bottle.
|
||||||
if not self._supervise_available():
|
if not self._supervise_available(slug):
|
||||||
self._block_dlp(flow, result)
|
self._block_dlp(flow, result)
|
||||||
return False
|
return False
|
||||||
approved = await self._supervise_token_block(flow, request_path, result)
|
approved = await self._supervise_token_block(flow, request_path, result, slug, env)
|
||||||
if not approved:
|
if not approved:
|
||||||
return False # _supervise_token_block wrote the 403 response
|
return False # _supervise_token_block wrote the 403 response
|
||||||
# loop: the approved value is now in safe_tokens; re-scan.
|
# loop: the approved value is now in safe_tokens; re-scan.
|
||||||
|
|
||||||
def _redact_outbound(self, flow: http.HTTPFlow, route: Route) -> bool:
|
def _redact_outbound(
|
||||||
|
self, flow: http.HTTPFlow, route: Route, env: "typing.Mapping[str, str]",
|
||||||
|
) -> bool:
|
||||||
"""Scrub detected tokens (and CRLF injection sequences) from the mutable
|
"""Scrub detected tokens (and CRLF injection sequences) from the mutable
|
||||||
request surfaces (body, headers, path/query) and re-scan. Returns True
|
request surfaces (body, headers, path/query) and re-scan. `env` is the
|
||||||
if the request is now clean; False if a block-severity match remains on
|
per-bottle env overlay. Returns True if the request is now clean; False
|
||||||
a surface redaction cannot rewrite (the hostname) so the caller fails
|
if a block-severity match remains on a surface redaction cannot rewrite
|
||||||
closed."""
|
(the hostname) so the caller fails closed."""
|
||||||
body = flow.request.get_text(strict=False)
|
body = flow.request.get_text(strict=False)
|
||||||
if body:
|
if body:
|
||||||
redacted_body = redact_tokens(body, env=os.environ)
|
redacted_body = redact_tokens(body, env=env)
|
||||||
if redacted_body != body:
|
if redacted_body != body:
|
||||||
flow.request.text = redacted_body
|
flow.request.text = redacted_body
|
||||||
for name, value in list(flow.request.headers.items()):
|
for name, value in list(flow.request.headers.items()):
|
||||||
if name.lower() == "host":
|
if name.lower() == "host":
|
||||||
continue # routing-critical; never a legitimate token
|
continue # routing-critical; never a legitimate token
|
||||||
redacted = strip_crlf(redact_tokens(value, env=os.environ))
|
redacted = strip_crlf(redact_tokens(value, env=env))
|
||||||
if redacted != value:
|
if redacted != value:
|
||||||
flow.request.headers[name] = redacted
|
flow.request.headers[name] = redacted
|
||||||
redacted_path = strip_crlf(redact_tokens(flow.request.path, env=os.environ))
|
redacted_path = strip_crlf(redact_tokens(flow.request.path, env=env))
|
||||||
if redacted_path != flow.request.path:
|
if redacted_path != flow.request.path:
|
||||||
flow.request.path = redacted_path
|
flow.request.path = redacted_path
|
||||||
|
|
||||||
@@ -365,7 +430,7 @@ class EgressAddon:
|
|||||||
crlf_text = build_outbound_scan_text(
|
crlf_text = build_outbound_scan_text(
|
||||||
flow.request.pretty_host, request_path, query, headers, "",
|
flow.request.pretty_host, request_path, query, headers, "",
|
||||||
)
|
)
|
||||||
result = scan_outbound(route, scan_text, os.environ, crlf_text=crlf_text)
|
result = scan_outbound(route, scan_text, env, crlf_text=crlf_text)
|
||||||
return result is None or result.severity != "block"
|
return result is None or result.severity != "block"
|
||||||
|
|
||||||
async def _supervise_token_block(
|
async def _supervise_token_block(
|
||||||
@@ -373,29 +438,34 @@ class EgressAddon:
|
|||||||
flow: http.HTTPFlow,
|
flow: http.HTTPFlow,
|
||||||
request_path: str,
|
request_path: str,
|
||||||
result: ScanResult,
|
result: ScanResult,
|
||||||
|
slug: str,
|
||||||
|
env: "typing.Mapping[str, str]",
|
||||||
) -> bool:
|
) -> bool:
|
||||||
"""Route a token DLP block to the operator's supervisor queue and wait.
|
"""Route a token DLP block to the operator's supervisor queue and wait.
|
||||||
|
|
||||||
Returns True if the operator approved (the matched value is added to
|
`slug` attributes the proposal to the calling bottle (its own queue +
|
||||||
`self.safe_tokens` and the caller re-scans); False if the request must
|
safelist) — in the shared gateway this is what keeps one bottle's
|
||||||
be blocked (a 403 response has been written to `flow`)."""
|
approval from unblocking another's request. `env` is the per-bottle env
|
||||||
|
overlay used to redact secrets from the proposal text. Returns True if
|
||||||
|
the operator approved (the matched value is added to that bottle's
|
||||||
|
safelist and the caller re-scans); False if the request must be blocked
|
||||||
|
(a 403 response has been written to `flow`)."""
|
||||||
host = flow.request.pretty_host
|
host = flow.request.pretty_host
|
||||||
payload = build_token_allow_payload(
|
payload = build_token_allow_payload(
|
||||||
redact_tokens(host, env=os.environ),
|
redact_tokens(host, env=env),
|
||||||
flow.request.method,
|
flow.request.method,
|
||||||
redact_tokens(request_path, env=os.environ),
|
redact_tokens(request_path, env=env),
|
||||||
result,
|
result,
|
||||||
)
|
)
|
||||||
proposal = _sv.Proposal.new(
|
proposal = _sv.Proposal.new(
|
||||||
bottle_slug=self._supervise_slug,
|
bottle_slug=slug,
|
||||||
tool=_sv.TOOL_EGRESS_TOKEN_ALLOW,
|
tool=_sv.TOOL_EGRESS_TOKEN_ALLOW,
|
||||||
proposed_file=payload,
|
proposed_file=payload,
|
||||||
justification=_TOKEN_ALLOW_JUSTIFICATION,
|
justification=_TOKEN_ALLOW_JUSTIFICATION,
|
||||||
current_file_hash=_sv.sha256_hex(payload),
|
current_file_hash=_sv.sha256_hex(payload),
|
||||||
)
|
)
|
||||||
queue_dir = Path(self._supervise_queue_dir)
|
|
||||||
try:
|
try:
|
||||||
_sv.write_proposal(queue_dir, proposal)
|
_sv.write_proposal(proposal)
|
||||||
except OSError as e:
|
except OSError as e:
|
||||||
sys.stderr.write(
|
sys.stderr.write(
|
||||||
f"egress: could not queue token-allow proposal: {e}; "
|
f"egress: could not queue token-allow proposal: {e}; "
|
||||||
@@ -411,13 +481,13 @@ class EgressAddon:
|
|||||||
**self._req_ctx(flow),
|
**self._req_ctx(flow),
|
||||||
}) + "\n")
|
}) + "\n")
|
||||||
|
|
||||||
response = await self._await_token_response(queue_dir, proposal.id)
|
response = await self._await_token_response(proposal.id, slug)
|
||||||
_sv.archive_proposal(queue_dir, proposal.id)
|
_sv.archive_proposal(slug, proposal.id)
|
||||||
|
|
||||||
if response is not None and response.status in (
|
if response is not None and response.status in (
|
||||||
_sv.STATUS_APPROVED, _sv.STATUS_MODIFIED,
|
_sv.STATUS_APPROVED, _sv.STATUS_MODIFIED,
|
||||||
):
|
):
|
||||||
self.safe_tokens.add(result.matched)
|
self._safe_tokens_for(slug).add(result.matched)
|
||||||
if self.config.log >= LOG_BLOCKS:
|
if self.config.log >= LOG_BLOCKS:
|
||||||
sys.stderr.write(json.dumps({
|
sys.stderr.write(json.dumps({
|
||||||
"event": "egress_token_allowed",
|
"event": "egress_token_allowed",
|
||||||
@@ -439,16 +509,16 @@ class EgressAddon:
|
|||||||
|
|
||||||
async def _await_token_response(
|
async def _await_token_response(
|
||||||
self,
|
self,
|
||||||
queue_dir: Path,
|
|
||||||
proposal_id: str,
|
proposal_id: str,
|
||||||
|
slug: str,
|
||||||
) -> "_sv.Response | None":
|
) -> "_sv.Response | None":
|
||||||
"""Poll the queue dir for the operator's response without blocking the
|
"""Poll the DB for the operator's response without blocking the
|
||||||
proxy event loop. Returns the Response, or None on timeout."""
|
proxy event loop. Returns the Response, or None on timeout."""
|
||||||
loop = asyncio.get_running_loop()
|
loop = asyncio.get_running_loop()
|
||||||
deadline = loop.time() + self._token_allow_timeout
|
deadline = loop.time() + self._token_allow_timeout
|
||||||
while True:
|
while True:
|
||||||
try:
|
try:
|
||||||
return _sv.read_response(queue_dir, proposal_id)
|
return _sv.read_response(slug, proposal_id)
|
||||||
except (OSError, ValueError, KeyError):
|
except (OSError, ValueError, KeyError):
|
||||||
# Not written yet, or a partial/malformed write — retry until
|
# Not written yet, or a partial/malformed write — retry until
|
||||||
# the deadline, then fail closed.
|
# the deadline, then fail closed.
|
||||||
@@ -502,6 +572,9 @@ class EgressAddon:
|
|||||||
"""
|
"""
|
||||||
if flow.websocket is None: # type: ignore[union-attr]
|
if flow.websocket is None: # type: ignore[union-attr]
|
||||||
return
|
return
|
||||||
|
# WebSocket DLP runs against the static config only (single-tenant); in
|
||||||
|
# the consolidated gateway self.config has no routes, so this is inert
|
||||||
|
# until websocket routing is made source-IP-aware (a separate slice).
|
||||||
route = match_route(self.config.routes, flow.request.pretty_host)
|
route = match_route(self.config.routes, flow.request.pretty_host)
|
||||||
if route is None:
|
if route is None:
|
||||||
return
|
return
|
||||||
@@ -512,7 +585,7 @@ class EgressAddon:
|
|||||||
# not an injection vector here — scan only for credential leakage.
|
# not an injection vector here — scan only for credential leakage.
|
||||||
result = scan_outbound(
|
result = scan_outbound(
|
||||||
route, content, os.environ,
|
route, content, os.environ,
|
||||||
safe_tokens=self.safe_tokens, crlf_text="",
|
safe_tokens=self._safe_tokens_for(self._supervise_slug), crlf_text="",
|
||||||
)
|
)
|
||||||
if result is not None and result.severity == "block":
|
if result is not None and result.severity == "block":
|
||||||
sys.stderr.write(f"egress DLP: {result.reason}\n")
|
sys.stderr.write(f"egress DLP: {result.reason}\n")
|
||||||
|
|||||||
@@ -3,12 +3,12 @@
|
|||||||
Split out of `egress_addon.py` so the host's unit tests can
|
Split out of `egress_addon.py` so the host's unit tests can
|
||||||
exercise the parse + decision functions without depending on the
|
exercise the parse + decision functions without depending on the
|
||||||
`mitmproxy` package. The companion module wraps these with the
|
`mitmproxy` package. The companion module wraps these with the
|
||||||
`mitmproxy.http.HTTPFlow` API and is loaded inside the sidecar
|
`mitmproxy.http.HTTPFlow` API and is loaded inside the gateway
|
||||||
container.
|
container.
|
||||||
|
|
||||||
Imports: stdlib + `yaml_subset` (which is itself stdlib-only and
|
Imports: stdlib + `yaml_subset` (which is itself stdlib-only and
|
||||||
ships flat into the sidecar bundle image alongside this file —
|
ships flat into the gateway image alongside this file —
|
||||||
see `Dockerfile.sidecars`)."""
|
see `Dockerfile.gateway`)."""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
@@ -22,7 +22,7 @@ except ImportError: # pragma: no cover - host-side path
|
|||||||
from .yaml_subset import YamlSubsetError, parse_yaml_subset
|
from .yaml_subset import YamlSubsetError, parse_yaml_subset
|
||||||
|
|
||||||
# DLP detector-config parsing lives in a sibling module (also flat-bundled
|
# DLP detector-config parsing lives in a sibling module (also flat-bundled
|
||||||
# into the sidecar — see Dockerfile.sidecars). Re-exported below so existing
|
# into the gateway — see Dockerfile.gateway). Re-exported below so existing
|
||||||
# `from egress_addon_core import ON_MATCH_*` callers keep working.
|
# `from egress_addon_core import ON_MATCH_*` callers keep working.
|
||||||
try:
|
try:
|
||||||
from egress_dlp_config import ( # type: ignore[import-not-found]
|
from egress_dlp_config import ( # type: ignore[import-not-found]
|
||||||
@@ -120,7 +120,7 @@ class ScanResult:
|
|||||||
reason: str
|
reason: str
|
||||||
location: str = "" # where the match was found, e.g. "body", "authorization header"
|
location: str = "" # where the match was found, e.g. "body", "authorization header"
|
||||||
context: str = "" # surrounding text with the match replaced by REDACT
|
context: str = "" # surrounding text with the match replaced by REDACT
|
||||||
# Raw substring the detector matched. Used inside the sidecar to key the
|
# Raw substring the detector matched. Used inside the gateway to key the
|
||||||
# supervisor-approved "safe tokens" set (PRD 0062); never logged or written
|
# supervisor-approved "safe tokens" set (PRD 0062); never logged or written
|
||||||
# to a proposal file. Empty for structural detectors (CRLF) that carry no
|
# to a proposal file. Empty for structural detectors (CRLF) that carry no
|
||||||
# safelist-able value.
|
# safelist-able value.
|
||||||
@@ -413,6 +413,70 @@ def load_config(text: str) -> "Config":
|
|||||||
return parse_config(payload)
|
return parse_config(payload)
|
||||||
|
|
||||||
|
|
||||||
|
class PolicyResolverLike(typing.Protocol):
|
||||||
|
"""The bit of `policy_resolver.PolicyResolver` this module needs — kept a
|
||||||
|
Protocol so egress_addon_core stays free of that import."""
|
||||||
|
|
||||||
|
def resolve(self, source_ip: str, identity_token: str = ...) -> "str | None":
|
||||||
|
...
|
||||||
|
|
||||||
|
|
||||||
|
def _config_from_policy(policy: "str | None") -> "Config":
|
||||||
|
"""Parse a resolved policy blob into a Config, fail-closed: None / empty /
|
||||||
|
unparseable all become a deny-all Config (no routes → every request
|
||||||
|
blocked)."""
|
||||||
|
if not policy:
|
||||||
|
return Config(routes=()) # unattributed or empty → deny-all
|
||||||
|
try:
|
||||||
|
return load_config(policy)
|
||||||
|
except ValueError:
|
||||||
|
return Config(routes=()) # unparseable policy → deny
|
||||||
|
|
||||||
|
|
||||||
|
def resolve_client_config(
|
||||||
|
resolver: PolicyResolverLike, client_ip: str, identity_token: str = ""
|
||||||
|
) -> "Config":
|
||||||
|
"""The calling client's egress Config, resolved from the orchestrator via
|
||||||
|
`resolver` and parsed — **fail-closed**. An unattributed client (None), a
|
||||||
|
resolver error, or an unparseable policy all yield a deny-all Config (no
|
||||||
|
routes → every request blocked). A compromised, absent, or confused
|
||||||
|
orchestrator must never *widen* a bottle's egress."""
|
||||||
|
try:
|
||||||
|
policy = resolver.resolve(client_ip, identity_token)
|
||||||
|
except Exception: # noqa: BLE001 # pylint: disable=broad-exception-caught
|
||||||
|
return Config(routes=()) # orchestrator unreachable/errored → deny
|
||||||
|
return _config_from_policy(policy)
|
||||||
|
|
||||||
|
|
||||||
|
class ContextResolverLike(typing.Protocol):
|
||||||
|
"""The bit of `policy_resolver.PolicyResolver` `resolve_client_context`
|
||||||
|
needs — one round-trip returning policy, bottle id, and auth tokens."""
|
||||||
|
|
||||||
|
def resolve_policy_and_bottle_id(
|
||||||
|
self, source_ip: str, identity_token: str = ...,
|
||||||
|
) -> "tuple[str | None, str | None, dict[str, str]]":
|
||||||
|
...
|
||||||
|
|
||||||
|
|
||||||
|
def resolve_client_context(
|
||||||
|
resolver: ContextResolverLike, client_ip: str, identity_token: str = "",
|
||||||
|
) -> "tuple[Config, str, dict[str, str]]":
|
||||||
|
"""The calling client's `(Config, bottle_id, tokens)` in one round-trip —
|
||||||
|
**fail-closed**. The Config follows `resolve_client_config`'s deny-all
|
||||||
|
rules; the bottle id is `""` whenever unattributed or the orchestrator
|
||||||
|
errored (caller treats as "supervise unavailable", never another bottle's
|
||||||
|
queue); `tokens` are the per-bottle upstream auth values the addon injects.
|
||||||
|
One `/resolve` keys the egress policy, the supervise queue + safelist, and
|
||||||
|
auth injection."""
|
||||||
|
try:
|
||||||
|
policy, bottle_id, tokens = resolver.resolve_policy_and_bottle_id(
|
||||||
|
client_ip, identity_token,
|
||||||
|
)
|
||||||
|
except Exception: # noqa: BLE001 # pylint: disable=broad-exception-caught
|
||||||
|
return Config(routes=()), "", {} # orchestrator unreachable/errored → deny
|
||||||
|
return _config_from_policy(policy), (bottle_id or ""), tokens
|
||||||
|
|
||||||
|
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
# Match evaluation
|
# Match evaluation
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
@@ -613,7 +677,7 @@ def outbound_scan_headers(
|
|||||||
) -> dict[str, str]:
|
) -> dict[str, str]:
|
||||||
"""Return request headers that should be included in outbound DLP.
|
"""Return request headers that should be included in outbound DLP.
|
||||||
|
|
||||||
Routes that inject sidecar-owned auth always strip the agent's
|
Routes that inject gateway-owned auth always strip the agent's
|
||||||
Authorization header before forwarding. Scanning that header first
|
Authorization header before forwarding. Scanning that header first
|
||||||
creates false positives for provider clients that insist on sending
|
creates false positives for provider clients that insist on sending
|
||||||
their own bearer-shaped placeholder, while still not changing what
|
their own bearer-shaped placeholder, while still not changing what
|
||||||
@@ -664,7 +728,7 @@ def scan_outbound(
|
|||||||
crlf_text: str | None = None,
|
crlf_text: str | None = None,
|
||||||
) -> ScanResult | None:
|
) -> ScanResult | None:
|
||||||
# Lazy import to avoid circular deps and keep dlp_detectors optional
|
# Lazy import to avoid circular deps and keep dlp_detectors optional
|
||||||
# at import time (the sidecar copies it flat alongside this file).
|
# at import time (the gateway copies it flat alongside this file).
|
||||||
try:
|
try:
|
||||||
from dlp_detectors import ( # type: ignore[import-not-found]
|
from dlp_detectors import ( # type: ignore[import-not-found]
|
||||||
scan_crlf_injection,
|
scan_crlf_injection,
|
||||||
@@ -804,6 +868,10 @@ __all__ = [
|
|||||||
"is_git_push_request",
|
"is_git_push_request",
|
||||||
"is_git_fetch_request",
|
"is_git_fetch_request",
|
||||||
"load_config",
|
"load_config",
|
||||||
|
"resolve_client_config",
|
||||||
|
"resolve_client_context",
|
||||||
|
"PolicyResolverLike",
|
||||||
|
"ContextResolverLike",
|
||||||
"match_route",
|
"match_route",
|
||||||
"outbound_scan_headers",
|
"outbound_scan_headers",
|
||||||
"parse_config",
|
"parse_config",
|
||||||
|
|||||||
@@ -6,8 +6,8 @@ and what the proxy does when an outbound detector matches a token
|
|||||||
kept apart from the request-time scan/decision flow in `egress_addon_core`
|
kept apart from the request-time scan/decision flow in `egress_addon_core`
|
||||||
so each half reads top-to-bottom without scrolling past the other.
|
so each half reads top-to-bottom without scrolling past the other.
|
||||||
|
|
||||||
Stdlib-only; ships flat into the sidecar bundle image alongside
|
Stdlib-only; ships flat into the gateway image alongside
|
||||||
`egress_addon_core.py` — see `Dockerfile.sidecars`."""
|
`egress_addon_core.py` — see `Dockerfile.gateway`."""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# Egress daemon entrypoint inside the sidecar bundle (PRD 0024).
|
# Egress daemon entrypoint inside the gateway (PRD 0024).
|
||||||
#
|
#
|
||||||
# Extracted verbatim from Dockerfile.egress's prior inline `sh -c`
|
# Extracted verbatim from Dockerfile.egress's prior inline `sh -c`
|
||||||
# ENTRYPOINT so the supervisor in bot_bottle/sidecar_init.py can
|
# ENTRYPOINT so the supervisor in bot_bottle/gateway_init.py can
|
||||||
# call it as a normal child. Behavior is unchanged:
|
# call it as a normal child. Behavior is unchanged:
|
||||||
#
|
#
|
||||||
# * Upstream proxy: when EGRESS_UPSTREAM_PROXY is set, switch
|
# * Upstream proxy: when EGRESS_UPSTREAM_PROXY is set, switch
|
||||||
@@ -22,7 +22,7 @@ set -e
|
|||||||
|
|
||||||
# Pin mitmproxy's config dir to the bind-mount location of its CA
|
# Pin mitmproxy's config dir to the bind-mount location of its CA
|
||||||
# regardless of which user mitmdump runs as. In the legacy
|
# regardless of which user mitmdump runs as. In the legacy
|
||||||
# four-sidecar setup (Dockerfile.egress, USER mitmproxy) this
|
# four-daemon setup (Dockerfile.egress, USER mitmproxy) this
|
||||||
# resolved naturally to `~mitmproxy/.mitmproxy`. In the PRD 0024
|
# resolved naturally to `~mitmproxy/.mitmproxy`. In the PRD 0024
|
||||||
# bundle (USER root) `~root/.mitmproxy` is empty, so without this
|
# bundle (USER root) `~root/.mitmproxy` is empty, so without this
|
||||||
# flag mitmdump would generate a fresh CA on the wrong path and
|
# flag mitmdump would generate a fresh CA on the wrong path and
|
||||||
@@ -37,8 +37,8 @@ if [ -n "$EGRESS_UPSTREAM_PROXY" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Bind address. Docker backend wants `0.0.0.0` (agent dials egress
|
# Bind address. Docker backend wants `0.0.0.0` (agent dials egress
|
||||||
# directly via the docker network alias). Smolmachines backend
|
# directly via the docker network alias). A VM backend uses
|
||||||
# uses EGRESS_LISTEN_HOST when a non-default binding is needed.
|
# EGRESS_LISTEN_HOST when a non-default binding is needed.
|
||||||
LISTEN_HOST_FLAG=""
|
LISTEN_HOST_FLAG=""
|
||||||
if [ -n "$EGRESS_LISTEN_HOST" ]; then
|
if [ -n "$EGRESS_LISTEN_HOST" ]; then
|
||||||
LISTEN_HOST_FLAG="--listen-host $EGRESS_LISTEN_HOST"
|
LISTEN_HOST_FLAG="--listen-host $EGRESS_LISTEN_HOST"
|
||||||
|
|||||||
+4
-2
@@ -35,6 +35,7 @@ import re
|
|||||||
import sys
|
import sys
|
||||||
from dataclasses import dataclass, field
|
from dataclasses import dataclass, field
|
||||||
|
|
||||||
|
from .errors import MissingEnvVarError
|
||||||
from .log import die
|
from .log import die
|
||||||
from .manifest import Manifest
|
from .manifest import Manifest
|
||||||
|
|
||||||
@@ -136,9 +137,10 @@ def resolve_env(manifest: Manifest) -> ResolvedEnv:
|
|||||||
host_var = env_entry_interpolated_from(raw)
|
host_var = env_entry_interpolated_from(raw)
|
||||||
host_value = os.environ.get(host_var, "")
|
host_value = os.environ.get(host_var, "")
|
||||||
if not host_value:
|
if not host_value:
|
||||||
die(
|
raise MissingEnvVarError(
|
||||||
|
host_var,
|
||||||
f"env entry {name} is interpolated from ${host_var}, "
|
f"env entry {name} is interpolated from ${host_var}, "
|
||||||
f"but ${host_var} is unset or empty in the host environment."
|
f"but ${host_var} is unset or empty in the host environment.",
|
||||||
)
|
)
|
||||||
forwarded[name] = host_value
|
forwarded[name] = host_value
|
||||||
else: # literal
|
else: # literal
|
||||||
|
|||||||
@@ -0,0 +1,18 @@
|
|||||||
|
"""bot-bottle application-level exception hierarchy.
|
||||||
|
|
||||||
|
Exceptions here are caught by the CLI dispatcher (``cli/__init__.py``)
|
||||||
|
and rendered as ``bot-bottle: error: …`` lines — same UX as ``die()``,
|
||||||
|
but without coupling library code to stderr output."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
|
||||||
|
class MissingEnvVarError(Exception):
|
||||||
|
"""Raised when a required host environment variable is unset or empty.
|
||||||
|
|
||||||
|
``var_name`` is the exact name of the missing variable so callers
|
||||||
|
can display it without re-parsing the message string."""
|
||||||
|
|
||||||
|
def __init__(self, var_name: str, message: str) -> None:
|
||||||
|
self.var_name = var_name
|
||||||
|
super().__init__(message)
|
||||||
@@ -1,26 +1,26 @@
|
|||||||
"""Per-bottle sidecar supervisor (PRD 0024 chunk 1).
|
"""Gateway data-plane supervisor (PRD 0070; PRD 0024 bundle shape).
|
||||||
|
|
||||||
PID 1 inside the `bot-bottle-sidecars` bundle image. Spawns
|
PID 1 inside the `bot-bottle-gateway` data-plane image. Spawns
|
||||||
the configured daemons (egress, git-gate, supervise),
|
the configured daemons (egress, git-gate, supervise),
|
||||||
forwards SIGTERM/SIGINT to each child, and propagates per-daemon
|
forwards SIGTERM/SIGINT to each child, and propagates per-daemon
|
||||||
stdout+stderr to the container log with a `[name] ` prefix.
|
stdout+stderr to the container log with a `[name] ` prefix.
|
||||||
|
|
||||||
Failure policy (interim): when a child dies unexpectedly, the
|
Failure policy (interim): when a child dies unexpectedly, the
|
||||||
supervisor logs the death and leaves the surviving children
|
supervisor logs the death and leaves the surviving children
|
||||||
running. The bundle stays up; whatever the dead daemon served
|
running. The gateway stays up; whatever the dead daemon served
|
||||||
will start failing, surfacing in the agent's own error path.
|
will start failing, surfacing in the agent's own error path.
|
||||||
The supervisor itself exits only when (a) the operator/compose
|
The supervisor itself exits only when (a) the operator sends
|
||||||
sends SIGTERM/SIGINT, or (b) every child has died.
|
SIGTERM/SIGINT, or (b) every child has died.
|
||||||
|
|
||||||
Failure policy (eventual): on unexpected death, the supervisor
|
Failure policy (eventual): on unexpected death, the supervisor
|
||||||
restarts the daemon and emits a notification to the supervise
|
restarts the daemon and emits a notification to the supervise
|
||||||
sidecar so the operator sees the event. That lands in a later
|
daemon so the operator sees the event. That lands in a later
|
||||||
PR; the interim policy is "don't take the bundle down for one
|
PR; the interim policy is "don't take the gateway down for one
|
||||||
sick daemon."
|
sick daemon."
|
||||||
|
|
||||||
Daemon subset is env-driven. The compose renderer narrows it via
|
Daemon subset is env-driven via `BOT_BOTTLE_GATEWAY_DAEMONS=egress`
|
||||||
`BOT_BOTTLE_SIDECAR_DAEMONS=egress` for bottles that
|
for callers that don't use git-gate or supervise. Default: all
|
||||||
don't use git-gate or supervise. Default: all daemons.
|
daemons.
|
||||||
|
|
||||||
Stdlib-only by design — adding supervisord/s6/runit for four
|
Stdlib-only by design — adding supervisord/s6/runit for four
|
||||||
daemons is heavier than this script.
|
daemons is heavier than this script.
|
||||||
@@ -103,8 +103,8 @@ def _selected_daemons(
|
|||||||
env: dict[str, str],
|
env: dict[str, str],
|
||||||
all_daemons: Sequence[_DaemonSpec] | None = None,
|
all_daemons: Sequence[_DaemonSpec] | None = None,
|
||||||
) -> tuple[_DaemonSpec, ...]:
|
) -> tuple[_DaemonSpec, ...]:
|
||||||
"""Filter the daemon set by the BOT_BOTTLE_SIDECAR_DAEMONS env
|
"""Filter the daemon set by the BOT_BOTTLE_GATEWAY_DAEMONS env
|
||||||
var. Unknown names in the list are ignored — the renderer is the
|
var. Unknown names in the list are ignored — the caller is the
|
||||||
source of truth for which daemons are wired.
|
source of truth for which daemons are wired.
|
||||||
|
|
||||||
`all_daemons` defaults to `_DAEMONS` resolved at call time (not
|
`all_daemons` defaults to `_DAEMONS` resolved at call time (not
|
||||||
@@ -112,7 +112,7 @@ def _selected_daemons(
|
|||||||
`_DAEMONS` and have the new value take effect."""
|
`_DAEMONS` and have the new value take effect."""
|
||||||
if all_daemons is None:
|
if all_daemons is None:
|
||||||
all_daemons = _DAEMONS
|
all_daemons = _DAEMONS
|
||||||
raw = env.get("BOT_BOTTLE_SIDECAR_DAEMONS", "").strip()
|
raw = env.get("BOT_BOTTLE_GATEWAY_DAEMONS", "").strip()
|
||||||
if not raw:
|
if not raw:
|
||||||
return tuple(all_daemons)
|
return tuple(all_daemons)
|
||||||
wanted = {n.strip() for n in raw.split(",") if n.strip()}
|
wanted = {n.strip() for n in raw.split(",") if n.strip()}
|
||||||
@@ -120,7 +120,7 @@ def _selected_daemons(
|
|||||||
|
|
||||||
|
|
||||||
def _log(msg: str) -> None:
|
def _log(msg: str) -> None:
|
||||||
sys.stdout.write(f"sidecar-init: {msg}\n")
|
sys.stdout.write(f"gateway-init: {msg}\n")
|
||||||
sys.stdout.flush()
|
sys.stdout.flush()
|
||||||
|
|
||||||
|
|
||||||
+13
-15
@@ -1,6 +1,6 @@
|
|||||||
"""Per-agent git-gate (PRD 0008).
|
"""Per-agent git-gate (PRD 0008).
|
||||||
|
|
||||||
A third per-agent sidecar that fronts the bottle's declared git
|
A third per-agent daemon that fronts the bottle's declared git
|
||||||
upstreams as a transparent mirror. Each `bottle.git` entry maps to
|
upstreams as a transparent mirror. Each `bottle.git` entry maps to
|
||||||
a bare repo on the gate; `git daemon` serves the bare repos over
|
a bare repo on the gate; `git daemon` serves the bare repos over
|
||||||
`git://<gate>/<name>.git`. Two hooks make the mirror bidirectional:
|
`git://<gate>/<name>.git`. Two hooks make the mirror bidirectional:
|
||||||
@@ -15,7 +15,7 @@ a bare repo on the gate; `git daemon` serves the bare repos over
|
|||||||
|
|
||||||
The agent never sees the upstream credential under either path.
|
The agent never sees the upstream credential under either path.
|
||||||
|
|
||||||
Why a separate sidecar (not folded into egress or ssh-gate): the
|
Why a separate daemon (not folded into egress or ssh-gate): the
|
||||||
gate is the only one of the three that holds upstream push
|
gate is the only one of the three that holds upstream push
|
||||||
credentials. Mixing it with egress would put push creds in the
|
credentials. Mixing it with egress would put push creds in the
|
||||||
same blast radius as internet-facing TLS interception; mixing it
|
same blast radius as internet-facing TLS interception; mixing it
|
||||||
@@ -23,14 +23,13 @@ with ssh-gate would force ssh-gate above L4 and into git-protocol
|
|||||||
land. See `docs/prds/0008-git-gate.md`.
|
land. See `docs/prds/0008-git-gate.md`.
|
||||||
|
|
||||||
This module defines the abstract gate (`GitGate`) and its plan
|
This module defines the abstract gate (`GitGate`) and its plan
|
||||||
dataclass (`GitGatePlan`). The sidecar's start/stop lifecycle is
|
dataclass (`GitGatePlan`). The gateway's start/stop lifecycle is
|
||||||
backend-specific and lives on concrete subclasses (see
|
backend-specific and lives on concrete subclasses (see
|
||||||
`bot_bottle/backend/docker/git_gate.py`)."""
|
`bot_bottle/backend/docker/git_gate.py`)."""
|
||||||
|
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import dataclasses
|
|
||||||
from abc import ABC
|
from abc import ABC
|
||||||
from dataclasses import dataclass
|
from dataclasses import dataclass
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
@@ -47,12 +46,14 @@ from .git_gate_render import (
|
|||||||
git_gate_known_hosts_line,
|
git_gate_known_hosts_line,
|
||||||
git_gate_render_access_hook,
|
git_gate_render_access_hook,
|
||||||
git_gate_render_entrypoint,
|
git_gate_render_entrypoint,
|
||||||
|
git_gate_render_provision,
|
||||||
git_gate_render_gitconfig,
|
git_gate_render_gitconfig,
|
||||||
git_gate_render_hook,
|
git_gate_render_hook,
|
||||||
git_gate_upstreams_for_bottle,
|
git_gate_upstreams_for_bottle,
|
||||||
_gitconfig_validate_value,
|
_gitconfig_validate_value,
|
||||||
)
|
)
|
||||||
from .git_gate_provision import (
|
from .git_gate_provision import (
|
||||||
|
provision_git_gate_dynamic_keys,
|
||||||
revoke_git_gate_provisioned_keys,
|
revoke_git_gate_provisioned_keys,
|
||||||
_provision_dynamic_key,
|
_provision_dynamic_key,
|
||||||
_resolve_identity_file,
|
_resolve_identity_file,
|
||||||
@@ -82,9 +83,10 @@ class GitGatePlan:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class GitGate(ABC):
|
class GitGate(ABC):
|
||||||
"""The per-agent git-gate. Encapsulates the host-side prepare
|
"""The per-agent git-gate. Encapsulates the host-side prepare
|
||||||
(upstream lift + entrypoint/hook render); the sidecar's
|
(upstream lift + entrypoint/hook render); the gateway's
|
||||||
start/stop lifecycle is backend-specific and lives on concrete
|
start/stop lifecycle is backend-specific and lives on concrete
|
||||||
subclasses."""
|
subclasses."""
|
||||||
|
|
||||||
@@ -93,20 +95,14 @@ class GitGate(ABC):
|
|||||||
entrypoint, pre-receive hook, and access-hook scripts (mode
|
entrypoint, pre-receive hook, and access-hook scripts (mode
|
||||||
600) under `stage_dir`. Pure host-side, no docker subprocess.
|
600) under `stage_dir`. Pure host-side, no docker subprocess.
|
||||||
|
|
||||||
For `gitea` key entries, also generates and registers
|
For `gitea` key entries, the returned upstream intentionally
|
||||||
a fresh deploy key via the forge API and writes the private key
|
has an empty identity file. Backend launch fills that in after
|
||||||
+ key ID to `stage_dir`.
|
the operator confirms the preflight.
|
||||||
|
|
||||||
Returned plan is incomplete: the launch step must fill
|
Returned plan is incomplete: the launch step must fill
|
||||||
`internal_network` / `egress_network` via `dataclasses.replace`
|
`internal_network` / `egress_network` via `dataclasses.replace`
|
||||||
before passing the plan to `.start`."""
|
before passing the plan to `.start`."""
|
||||||
upstreams_list = list(git_gate_upstreams_for_bottle(bottle))
|
upstreams = git_gate_upstreams_for_bottle(bottle)
|
||||||
for i, entry in enumerate(bottle.git):
|
|
||||||
upstreams_list[i] = dataclasses.replace(
|
|
||||||
upstreams_list[i],
|
|
||||||
identity_file=_resolve_identity_file(entry, slug, stage_dir),
|
|
||||||
)
|
|
||||||
upstreams = tuple(upstreams_list)
|
|
||||||
entrypoint = stage_dir / "git_gate_entrypoint.sh"
|
entrypoint = stage_dir / "git_gate_entrypoint.sh"
|
||||||
entrypoint.write_text(git_gate_render_entrypoint(upstreams))
|
entrypoint.write_text(git_gate_render_entrypoint(upstreams))
|
||||||
entrypoint.chmod(0o600)
|
entrypoint.chmod(0o600)
|
||||||
@@ -160,8 +156,10 @@ __all__ = [
|
|||||||
"git_gate_render_gitconfig",
|
"git_gate_render_gitconfig",
|
||||||
"git_gate_known_hosts_line",
|
"git_gate_known_hosts_line",
|
||||||
"git_gate_render_entrypoint",
|
"git_gate_render_entrypoint",
|
||||||
|
"git_gate_render_provision",
|
||||||
"git_gate_render_hook",
|
"git_gate_render_hook",
|
||||||
"git_gate_render_access_hook",
|
"git_gate_render_access_hook",
|
||||||
|
"provision_git_gate_dynamic_keys",
|
||||||
"revoke_git_gate_provisioned_keys",
|
"revoke_git_gate_provisioned_keys",
|
||||||
"_gitconfig_validate_value",
|
"_gitconfig_validate_value",
|
||||||
"_provision_dynamic_key",
|
"_provision_dynamic_key",
|
||||||
|
|||||||
@@ -0,0 +1,268 @@
|
|||||||
|
"""Preflight host-key population for git-gate upstreams (issue #333).
|
||||||
|
|
||||||
|
When a git-gate repo entry lacks a `host_key`, this module either:
|
||||||
|
- headless: dies with a clear config error.
|
||||||
|
- interactive: fetches the key via ssh-keyscan, prompts the operator to
|
||||||
|
confirm, and optionally persists it to the bottle config file on disk.
|
||||||
|
|
||||||
|
Public entry point: `preflight_host_keys(manifest, headless=..., home_md=...)`.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import dataclasses
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
from pathlib import Path
|
||||||
|
from typing import cast
|
||||||
|
|
||||||
|
from .log import die, info
|
||||||
|
from .manifest import Manifest
|
||||||
|
from .yaml_subset import YamlSubsetError, parse_frontmatter, serialize_yaml_subset
|
||||||
|
|
||||||
|
|
||||||
|
# Preferred key types, most secure first.
|
||||||
|
_KEY_TYPE_PREFERENCE = (
|
||||||
|
"ssh-ed25519",
|
||||||
|
"ecdsa-sha2-nistp256",
|
||||||
|
"ecdsa-sha2-nistp384",
|
||||||
|
"ecdsa-sha2-nistp521",
|
||||||
|
"ssh-rsa",
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def fetch_host_key(host: str, port: str) -> str:
|
||||||
|
"""Return an SSH public key for `host`:`port` via ssh-keyscan.
|
||||||
|
|
||||||
|
Returns the key in `<type> <base64-data>` format (the host prefix is
|
||||||
|
stripped so the result can be stored in `host_key` and later formatted
|
||||||
|
into a known_hosts line by `git_gate_known_hosts_line`).
|
||||||
|
|
||||||
|
Prefers ed25519 > ecdsa > rsa; falls back to the first key type
|
||||||
|
returned if none of the preferred types are present.
|
||||||
|
|
||||||
|
Raises `RuntimeError` on subprocess failure, timeout, or no result.
|
||||||
|
Uses only the Python stdlib (subprocess)."""
|
||||||
|
args = ["ssh-keyscan"]
|
||||||
|
if port and port != "22":
|
||||||
|
args += ["-p", port]
|
||||||
|
args.append(host)
|
||||||
|
try:
|
||||||
|
result = subprocess.run(
|
||||||
|
args, capture_output=True, text=True, timeout=15, check=False,
|
||||||
|
)
|
||||||
|
except OSError as e:
|
||||||
|
raise RuntimeError(
|
||||||
|
f"ssh-keyscan: could not launch for {host}:{port}: {e}"
|
||||||
|
) from e
|
||||||
|
except subprocess.TimeoutExpired as e:
|
||||||
|
raise RuntimeError(f"ssh-keyscan timed out for {host}:{port}") from e
|
||||||
|
|
||||||
|
# known_hosts format: "[host]:port type data" or "host type data"
|
||||||
|
# Strip the host/port prefix; collect "type -> type data" by type.
|
||||||
|
found: dict[str, str] = {}
|
||||||
|
for line in result.stdout.splitlines():
|
||||||
|
line = line.strip()
|
||||||
|
if not line or line.startswith("#"):
|
||||||
|
continue
|
||||||
|
parts = line.split(None, 2)
|
||||||
|
if len(parts) == 3 and parts[1] not in found:
|
||||||
|
found[parts[1]] = f"{parts[1]} {parts[2]}"
|
||||||
|
|
||||||
|
for preferred in _KEY_TYPE_PREFERENCE:
|
||||||
|
if preferred in found:
|
||||||
|
return found[preferred]
|
||||||
|
if found:
|
||||||
|
return next(iter(found.values()))
|
||||||
|
|
||||||
|
raise RuntimeError(
|
||||||
|
f"ssh-keyscan returned no host key for {host}:{port}."
|
||||||
|
+ (f" stderr: {result.stderr.strip()!r}" if result.stderr.strip() else "")
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
# Frontmatter editing
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
def add_host_key_to_frontmatter(file_text: str, repo_name: str, host_key: str) -> str:
|
||||||
|
"""Return an updated copy of `file_text` with `host_key` set on the
|
||||||
|
named repo entry in the YAML frontmatter.
|
||||||
|
|
||||||
|
Parses the frontmatter into a dict, sets the key, and re-serializes.
|
||||||
|
Returns the original text unchanged when: the file has no frontmatter,
|
||||||
|
the git-gate.repos.<repo_name> entry is absent or already has a
|
||||||
|
host_key, or the frontmatter cannot be parsed."""
|
||||||
|
try:
|
||||||
|
fm, body = parse_frontmatter(file_text)
|
||||||
|
except YamlSubsetError:
|
||||||
|
return file_text
|
||||||
|
|
||||||
|
git_gate = fm.get("git-gate")
|
||||||
|
if not isinstance(git_gate, dict):
|
||||||
|
return file_text
|
||||||
|
repos = git_gate.get("repos")
|
||||||
|
if not isinstance(repos, dict):
|
||||||
|
return file_text
|
||||||
|
repo = repos.get(repo_name)
|
||||||
|
if not isinstance(repo, dict):
|
||||||
|
return file_text
|
||||||
|
if repo.get("host_key"):
|
||||||
|
return file_text
|
||||||
|
|
||||||
|
cast(dict[str, object], repo)["host_key"] = host_key
|
||||||
|
return f"---\n{serialize_yaml_subset(fm)}---\n{body}"
|
||||||
|
|
||||||
|
|
||||||
|
def find_repo_bottle_file(bottles_dir: Path, repo_name: str) -> Path | None:
|
||||||
|
"""Return the first `bottles_dir/*.md` that declares `repo_name` without
|
||||||
|
a `host_key`, without modifying anything. Returns None if not found."""
|
||||||
|
if not bottles_dir.is_dir():
|
||||||
|
return None
|
||||||
|
for path in sorted(bottles_dir.glob("*.md")):
|
||||||
|
try:
|
||||||
|
text = path.read_text(encoding="utf-8")
|
||||||
|
fm, _ = parse_frontmatter(text)
|
||||||
|
except (OSError, UnicodeDecodeError, YamlSubsetError):
|
||||||
|
continue
|
||||||
|
git_gate = fm.get("git-gate")
|
||||||
|
if not isinstance(git_gate, dict):
|
||||||
|
continue
|
||||||
|
repos = git_gate.get("repos")
|
||||||
|
if not isinstance(repos, dict):
|
||||||
|
continue
|
||||||
|
repo = repos.get(repo_name)
|
||||||
|
if not isinstance(repo, dict) or repo.get("host_key"):
|
||||||
|
continue
|
||||||
|
return path
|
||||||
|
return None
|
||||||
|
|
||||||
|
|
||||||
|
def find_and_update_bottle_file(
|
||||||
|
bottles_dir: Path, repo_name: str, host_key: str,
|
||||||
|
) -> bool:
|
||||||
|
"""Write `host_key` into the bottle file returned by `find_repo_bottle_file`.
|
||||||
|
|
||||||
|
Returns True on success, False when no suitable file is found or the
|
||||||
|
write fails."""
|
||||||
|
path = find_repo_bottle_file(bottles_dir, repo_name)
|
||||||
|
if path is None:
|
||||||
|
return False
|
||||||
|
try:
|
||||||
|
text = path.read_text(encoding="utf-8")
|
||||||
|
except (OSError, UnicodeDecodeError):
|
||||||
|
return False
|
||||||
|
updated = add_host_key_to_frontmatter(text, repo_name, host_key)
|
||||||
|
if updated == text:
|
||||||
|
return False
|
||||||
|
path.write_text(updated, encoding="utf-8")
|
||||||
|
info(f"wrote host_key for {repo_name!r} to {path}")
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
# Interactive prompt helper
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
def prompt_tty(message: str) -> str:
|
||||||
|
"""Write `message` to stderr and read a line from /dev/tty (or stdin)."""
|
||||||
|
sys.stderr.write(message)
|
||||||
|
sys.stderr.flush()
|
||||||
|
try:
|
||||||
|
with open("/dev/tty", "r", encoding="utf-8") as tty:
|
||||||
|
return tty.readline().rstrip("\n")
|
||||||
|
except OSError:
|
||||||
|
return sys.stdin.readline().rstrip("\n")
|
||||||
|
|
||||||
|
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
# Public API
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
def preflight_host_keys(
|
||||||
|
manifest: Manifest,
|
||||||
|
*,
|
||||||
|
headless: bool,
|
||||||
|
home_md: Path | None,
|
||||||
|
) -> Manifest:
|
||||||
|
"""Ensure every git-gate repo entry has a `host_key` configured.
|
||||||
|
|
||||||
|
For entries whose `KnownHostKey` is empty:
|
||||||
|
- headless: calls `die()` with a clear message naming the repos.
|
||||||
|
- interactive: fetches the key via ssh-keyscan, shows it to the
|
||||||
|
operator, and requests confirmation. If accepted, optionally
|
||||||
|
persists it to the bottle config file on disk; the key is always
|
||||||
|
applied in memory for this launch regardless of the persistence
|
||||||
|
choice. Aborted confirmation calls `die()`.
|
||||||
|
|
||||||
|
Returns a (possibly updated) Manifest. If all entries already have
|
||||||
|
host keys the original manifest is returned unchanged."""
|
||||||
|
bottle = manifest.bottle
|
||||||
|
missing = [e for e in bottle.git if not e.KnownHostKey]
|
||||||
|
if not missing:
|
||||||
|
return manifest
|
||||||
|
|
||||||
|
if headless:
|
||||||
|
names = ", ".join(repr(e.Name) for e in missing)
|
||||||
|
die(
|
||||||
|
f"git-gate: no host_key configured for repo(s) {names}. "
|
||||||
|
f"Add host_key to each bottle git-gate.repos entry, or run "
|
||||||
|
f"interactively once to have it fetched and saved automatically."
|
||||||
|
)
|
||||||
|
|
||||||
|
bottles_dir = (home_md / "bottles") if home_md is not None else None
|
||||||
|
updated_entries = list(bottle.git)
|
||||||
|
|
||||||
|
for entry in missing:
|
||||||
|
host = entry.UpstreamHost
|
||||||
|
port = entry.UpstreamPort
|
||||||
|
label = f"git-gate.repos[{entry.Name!r}]"
|
||||||
|
|
||||||
|
info(f"{label}: no host_key configured; fetching from {host}:{port}")
|
||||||
|
try:
|
||||||
|
key = fetch_host_key(host, port)
|
||||||
|
except RuntimeError as e:
|
||||||
|
die(f"git-gate: {label}: {e}")
|
||||||
|
|
||||||
|
sys.stderr.write(f"\ngit-gate: host key for {label}:\n {key}\n\n")
|
||||||
|
confirm = prompt_tty("Is this host key correct? [y/N] ")
|
||||||
|
if confirm.strip().lower() not in ("y", "yes"):
|
||||||
|
die(f"git-gate: {label}: host key not confirmed; aborting launch")
|
||||||
|
|
||||||
|
if bottles_dir is not None:
|
||||||
|
target_file = find_repo_bottle_file(bottles_dir, entry.Name)
|
||||||
|
if target_file is not None:
|
||||||
|
save = prompt_tty(
|
||||||
|
f"Save host_key for {entry.Name!r} to {target_file}? [y/N] "
|
||||||
|
)
|
||||||
|
if save.strip().lower() in ("y", "yes"):
|
||||||
|
ok = find_and_update_bottle_file(bottles_dir, entry.Name, key)
|
||||||
|
if not ok:
|
||||||
|
sys.stderr.write(
|
||||||
|
f"git-gate: {label}: could not write to {target_file}; "
|
||||||
|
f"host_key kept in memory for this session only\n"
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
sys.stderr.write(
|
||||||
|
f"git-gate: {label}: no bottle config file found for "
|
||||||
|
f"{entry.Name!r}; host_key kept in memory for this session only\n"
|
||||||
|
)
|
||||||
|
|
||||||
|
idx = next(i for i, e in enumerate(updated_entries) if e.Name == entry.Name)
|
||||||
|
updated_entries[idx] = dataclasses.replace(entry, KnownHostKey=key)
|
||||||
|
|
||||||
|
updated_bottle = dataclasses.replace(bottle, git=tuple(updated_entries))
|
||||||
|
return dataclasses.replace(manifest, bottle=updated_bottle)
|
||||||
|
|
||||||
|
|
||||||
|
__all__ = [
|
||||||
|
"fetch_host_key",
|
||||||
|
"preflight_host_keys",
|
||||||
|
"add_host_key_to_frontmatter",
|
||||||
|
"find_repo_bottle_file",
|
||||||
|
"find_and_update_bottle_file",
|
||||||
|
"prompt_tty",
|
||||||
|
]
|
||||||
@@ -9,10 +9,17 @@ imported (`deploy_key_provisioner`) to keep its cost off the host path.
|
|||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
import dataclasses
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
from typing import TYPE_CHECKING
|
||||||
|
|
||||||
|
from .errors import MissingEnvVarError
|
||||||
from .log import info
|
from .log import info
|
||||||
from .manifest import ManifestBottle, ManifestGitEntry
|
from .manifest import ManifestBottle, ManifestGitEntry
|
||||||
|
from .git_gate_render import GitGateUpstream
|
||||||
|
|
||||||
|
if TYPE_CHECKING:
|
||||||
|
from .git_gate import GitGatePlan
|
||||||
|
|
||||||
def _provision_dynamic_key(
|
def _provision_dynamic_key(
|
||||||
entry: ManifestGitEntry,
|
entry: ManifestGitEntry,
|
||||||
@@ -28,9 +35,10 @@ def _provision_dynamic_key(
|
|||||||
pk = entry.Key
|
pk = entry.Key
|
||||||
token = os.environ.get(pk.forge_token_env)
|
token = os.environ.get(pk.forge_token_env)
|
||||||
if token is None:
|
if token is None:
|
||||||
raise RuntimeError(
|
raise MissingEnvVarError(
|
||||||
|
pk.forge_token_env,
|
||||||
f"git-gate.repos[{entry.Name!r}] key.forge_token_env"
|
f"git-gate.repos[{entry.Name!r}] key.forge_token_env"
|
||||||
f" = {pk.forge_token_env!r}: env var is not set"
|
f" = {pk.forge_token_env!r}: env var is not set",
|
||||||
)
|
)
|
||||||
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
||||||
provisioner = get_provisioner(pk.provider, token, api_url)
|
provisioner = get_provisioner(pk.provider, token, api_url)
|
||||||
@@ -72,10 +80,11 @@ def revoke_git_gate_provisioned_keys(bottle: ManifestBottle, stage_dir: Path) ->
|
|||||||
key_id = id_file.read_text().strip()
|
key_id = id_file.read_text().strip()
|
||||||
token = os.environ.get(pk.forge_token_env)
|
token = os.environ.get(pk.forge_token_env)
|
||||||
if token is None:
|
if token is None:
|
||||||
raise RuntimeError(
|
raise MissingEnvVarError(
|
||||||
|
pk.forge_token_env,
|
||||||
f"git-gate.repos[{entry.Name!r}] key.forge_token_env"
|
f"git-gate.repos[{entry.Name!r}] key.forge_token_env"
|
||||||
f" = {pk.forge_token_env!r}: env var is not set;"
|
f" = {pk.forge_token_env!r}: env var is not set;"
|
||||||
f" cannot revoke deploy key {key_id}"
|
f" cannot revoke deploy key {key_id}",
|
||||||
)
|
)
|
||||||
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
api_url = pk.api_url or f"https://{entry.UpstreamHost}"
|
||||||
provisioner = get_provisioner(pk.provider, token, api_url)
|
provisioner = get_provisioner(pk.provider, token, api_url)
|
||||||
@@ -95,8 +104,45 @@ def _resolve_identity_file(entry: ManifestGitEntry, slug: str, stage_dir: Path)
|
|||||||
return entry.IdentityFile
|
return entry.IdentityFile
|
||||||
|
|
||||||
|
|
||||||
|
def provision_git_gate_dynamic_keys(
|
||||||
|
bottle: ManifestBottle,
|
||||||
|
plan: "GitGatePlan",
|
||||||
|
stage_dir: Path,
|
||||||
|
) -> "GitGatePlan":
|
||||||
|
"""Provision dynamic git-gate keys and return an updated plan.
|
||||||
|
|
||||||
|
This runs during backend launch, after the operator confirms the
|
||||||
|
preflight. Plan preparation intentionally stays side-effect-light:
|
||||||
|
dry-runs and aborted launches must not create remote deploy keys.
|
||||||
|
"""
|
||||||
|
if not plan.upstreams:
|
||||||
|
return plan
|
||||||
|
|
||||||
|
upstreams_by_name: dict[str, GitGateUpstream] = {
|
||||||
|
upstream.name: upstream for upstream in plan.upstreams
|
||||||
|
}
|
||||||
|
updated: list[GitGateUpstream] = []
|
||||||
|
for entry in bottle.git:
|
||||||
|
upstream = upstreams_by_name.get(entry.Name)
|
||||||
|
if upstream is None:
|
||||||
|
continue
|
||||||
|
if entry.Key.provider == "gitea":
|
||||||
|
identity_file = _provision_dynamic_key(entry, plan.slug, stage_dir)
|
||||||
|
upstream = dataclasses.replace(upstream, identity_file=identity_file)
|
||||||
|
updated.append(upstream)
|
||||||
|
|
||||||
|
if len(updated) != len(plan.upstreams):
|
||||||
|
updated_names = {u.name for u in updated}
|
||||||
|
for upstream in plan.upstreams:
|
||||||
|
if upstream.name not in updated_names:
|
||||||
|
updated.append(upstream)
|
||||||
|
|
||||||
|
return dataclasses.replace(plan, upstreams=tuple(updated))
|
||||||
|
|
||||||
|
|
||||||
__all__ = [
|
__all__ = [
|
||||||
"revoke_git_gate_provisioned_keys",
|
"revoke_git_gate_provisioned_keys",
|
||||||
|
"provision_git_gate_dynamic_keys",
|
||||||
"_provision_dynamic_key",
|
"_provision_dynamic_key",
|
||||||
"_resolve_identity_file",
|
"_resolve_identity_file",
|
||||||
]
|
]
|
||||||
|
|||||||
+111
-71
@@ -1,7 +1,7 @@
|
|||||||
"""Pure host-side rendering for the per-agent git-gate (PRD 0008).
|
"""Pure host-side rendering for the per-agent git-gate (PRD 0008).
|
||||||
|
|
||||||
Builds the agent's `.gitconfig` insteadOf rewrites, the known_hosts
|
Builds the agent's `.gitconfig` insteadOf rewrites, the known_hosts
|
||||||
line, and the entrypoint / pre-receive / access-hook scripts the sidecar
|
line, and the entrypoint / pre-receive / access-hook scripts the gateway
|
||||||
runs. No docker or forge calls — exposed for tests and reuse across
|
runs. No docker or forge calls — exposed for tests and reuse across
|
||||||
backends. Split out of `git_gate.py` so the control surface (`GitGate`)
|
backends. Split out of `git_gate.py` so the control surface (`GitGate`)
|
||||||
and the deploy-key lifecycle (`git_gate_provision`) each read on their
|
and the deploy-key lifecycle (`git_gate_provision`) each read on their
|
||||||
@@ -9,13 +9,14 @@ own; `git_gate` re-exports these names for API stability."""
|
|||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import re
|
||||||
import shlex
|
import shlex
|
||||||
from dataclasses import dataclass
|
from dataclasses import dataclass
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
from .manifest import ManifestBottle, ManifestGitEntry
|
from .manifest import ManifestBottle, ManifestGitEntry
|
||||||
|
|
||||||
# Short network alias for git-gate inside the sidecar bundle. The
|
# Short network alias for git-gate inside the gateway. The
|
||||||
# agent's `.gitconfig` insteadOf rewrites resolve through this name.
|
# agent's `.gitconfig` insteadOf rewrites resolve through this name.
|
||||||
GIT_GATE_HOSTNAME = "git-gate"
|
GIT_GATE_HOSTNAME = "git-gate"
|
||||||
# Shared timeout (seconds) for all git-gate subprocess and CGI calls:
|
# Shared timeout (seconds) for all git-gate subprocess and CGI calls:
|
||||||
@@ -37,7 +38,7 @@ class GitGateUpstream:
|
|||||||
KnownHostKey string from the manifest; the gate's start step
|
KnownHostKey string from the manifest; the gate's start step
|
||||||
materialises it into a known_hosts file if non-empty.
|
materialises it into a known_hosts file if non-empty.
|
||||||
|
|
||||||
the gate credential paths inside the running sidecar."""
|
the gate credential paths inside the running gateway."""
|
||||||
|
|
||||||
name: str
|
name: str
|
||||||
upstream_url: str
|
upstream_url: str
|
||||||
@@ -76,14 +77,14 @@ def git_gate_render_gitconfig(
|
|||||||
entries: tuple[ManifestGitEntry, ...], gate_host: str, *, scheme: str = "git",
|
entries: tuple[ManifestGitEntry, ...], gate_host: str, *, scheme: str = "git",
|
||||||
) -> str:
|
) -> str:
|
||||||
"""Render the agent's ~/.gitconfig content for git-gate
|
"""Render the agent's ~/.gitconfig content for git-gate
|
||||||
`insteadOf` rewrites. Pure host-side, no docker / smolvm;
|
`insteadOf` rewrites. Pure host-side, no docker / VM;
|
||||||
exposed for tests + reuse across backends.
|
exposed for tests + reuse across backends.
|
||||||
|
|
||||||
`gate_host` is the part of the URL between `<scheme>://` and the
|
`gate_host` is the part of the URL between `<scheme>://` and the
|
||||||
repo path — backends differ here:
|
repo path — backends differ here:
|
||||||
- docker: `git-gate` (the short network alias)
|
- docker: `git-gate` (the short network alias)
|
||||||
- smolmachines: `<bundle_ip>:<port>` (no DNS in the
|
- firecracker: `<bundle_ip>:<port>` (no DNS on the
|
||||||
TSI-allowlisted guest)
|
point-to-point TAP link)
|
||||||
|
|
||||||
Empty `entries` returns an empty string so callers can no-op
|
Empty `entries` returns an empty string so callers can no-op
|
||||||
cleanly without conditional formatting at the call site."""
|
cleanly without conditional formatting at the call site."""
|
||||||
@@ -125,22 +126,18 @@ def git_gate_known_hosts_line(host: str, port: str, key: str) -> str:
|
|||||||
return f"{target} {key}\n"
|
return f"{target} {key}\n"
|
||||||
|
|
||||||
|
|
||||||
def git_gate_render_entrypoint(upstreams: tuple[GitGateUpstream, ...]) -> str:
|
def _git_gate_init_repo_fn(repo_root: str, creds_dir: str) -> list[str]:
|
||||||
"""Posix-sh entrypoint. One `init_repo` call per upstream, then
|
"""The `init_repo` shell function, parameterized by the bare-repo root
|
||||||
`exec git daemon`. The function reads
|
and the per-bottle creds dir. Single source of the credential-wiring
|
||||||
`/git-gate/creds/<name>-{key,known_hosts}` (bind-mounted into
|
logic, shared by the single-tenant daemon entrypoint (`/git`,
|
||||||
the bundle by the renderer) and wires them into each bare repo's
|
`/git-gate/creds`) and the consolidated per-bottle provisioning
|
||||||
config; the access-hook + pre-receive hook pick those paths up
|
(`/git/<bottle_id>`, `/git-gate/creds/<bottle_id>`)."""
|
||||||
at fetch / push time."""
|
return [
|
||||||
lines = [
|
|
||||||
"#!/bin/sh",
|
|
||||||
"set -eu",
|
|
||||||
"",
|
|
||||||
"init_repo() {",
|
"init_repo() {",
|
||||||
" name=$1",
|
" name=$1",
|
||||||
" upstream_url=$2",
|
" upstream_url=$2",
|
||||||
" keyfile=/git-gate/creds/${name}-key",
|
f" keyfile={creds_dir}/${{name}}-key",
|
||||||
" hostsfile=/git-gate/creds/${name}-known_hosts",
|
f" hostsfile={creds_dir}/${{name}}-known_hosts",
|
||||||
"",
|
"",
|
||||||
# `|| true`: PRD 0018 chunk 3+ bind-mounts these RO from the
|
# `|| true`: PRD 0018 chunk 3+ bind-mounts these RO from the
|
||||||
# host, so chmod-syscalls fail with EROFS. The files already
|
# host, so chmod-syscalls fail with EROFS. The files already
|
||||||
@@ -153,14 +150,14 @@ def git_gate_render_entrypoint(upstreams: tuple[GitGateUpstream, ...]) -> str:
|
|||||||
" chmod 600 \"$hostsfile\" 2>/dev/null || true",
|
" chmod 600 \"$hostsfile\" 2>/dev/null || true",
|
||||||
" fi",
|
" fi",
|
||||||
"",
|
"",
|
||||||
" repo=/git/${name}.git",
|
f" repo={repo_root}/${{name}}.git",
|
||||||
" if [ ! -d \"$repo\" ]; then",
|
" if [ ! -d \"$repo\" ]; then",
|
||||||
" git init --bare \"$repo\" >/dev/null",
|
" git init --bare \"$repo\" >/dev/null",
|
||||||
# --mirror=fetch sets remote.origin.fetch = +refs/*:refs/* so",
|
# --mirror=fetch sets remote.origin.fetch = +refs/*:refs/* so a later
|
||||||
# a later `git fetch origin` mirrors the upstream's full ref",
|
# `git fetch origin` mirrors the upstream's full ref graph (heads,
|
||||||
# graph (heads, tags, notes) into the bare repo at canonical",
|
# tags, notes) into the bare repo at canonical paths. It does NOT set
|
||||||
# paths. It does NOT set remote.origin.mirror=true, so an",
|
# remote.origin.mirror=true, so an explicit `git push origin
|
||||||
# explicit `git push origin <ref>:<ref>` still pushes one ref.",
|
# <ref>:<ref>` still pushes one ref.
|
||||||
" git -C \"$repo\" remote add --mirror=fetch origin \"$upstream_url\"",
|
" git -C \"$repo\" remote add --mirror=fetch origin \"$upstream_url\"",
|
||||||
" fi",
|
" fi",
|
||||||
" git -C \"$repo\" config git-gate.identityFile \"$keyfile\"",
|
" git -C \"$repo\" config git-gate.identityFile \"$keyfile\"",
|
||||||
@@ -170,9 +167,19 @@ def git_gate_render_entrypoint(upstreams: tuple[GitGateUpstream, ...]) -> str:
|
|||||||
" git -C \"$repo\" config http.receivepack true",
|
" git -C \"$repo\" config http.receivepack true",
|
||||||
" install -m 755 /etc/git-gate/pre-receive \"$repo/hooks/pre-receive\"",
|
" install -m 755 /etc/git-gate/pre-receive \"$repo/hooks/pre-receive\"",
|
||||||
"}",
|
"}",
|
||||||
"",
|
|
||||||
"mkdir -p /git",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def git_gate_render_entrypoint(upstreams: tuple[GitGateUpstream, ...]) -> str:
|
||||||
|
"""Posix-sh entrypoint. One `init_repo` call per upstream, then
|
||||||
|
`exec git daemon`. The function reads
|
||||||
|
`/git-gate/creds/<name>-{key,known_hosts}` (bind-mounted into
|
||||||
|
the bundle by the renderer) and wires them into each bare repo's
|
||||||
|
config; the access-hook + pre-receive hook pick those paths up
|
||||||
|
at fetch / push time."""
|
||||||
|
lines = ["#!/bin/sh", "set -eu", ""]
|
||||||
|
lines += _git_gate_init_repo_fn("/git", "/git-gate/creds")
|
||||||
|
lines += ["", "mkdir -p /git"]
|
||||||
for u in upstreams:
|
for u in upstreams:
|
||||||
lines.append(f"init_repo {shlex.quote(u.name)} {shlex.quote(u.upstream_url)}")
|
lines.append(f"init_repo {shlex.quote(u.name)} {shlex.quote(u.upstream_url)}")
|
||||||
lines.extend([
|
lines.extend([
|
||||||
@@ -190,6 +197,35 @@ def git_gate_render_entrypoint(upstreams: tuple[GitGateUpstream, ...]) -> str:
|
|||||||
return "\n".join(lines) + "\n"
|
return "\n".join(lines) + "\n"
|
||||||
|
|
||||||
|
|
||||||
|
# A bottle id namespaces the consolidated gateway's repo + creds dirs; it is
|
||||||
|
# embedded unquoted in the provisioning script, so restrict it to a shell- and
|
||||||
|
# path-safe alphabet (registry ids are token_hex — this is defense in depth).
|
||||||
|
_SAFE_BOTTLE_ID = re.compile(r"[A-Za-z0-9_-]+")
|
||||||
|
|
||||||
|
|
||||||
|
def git_gate_render_provision(
|
||||||
|
bottle_id: str, upstreams: tuple[GitGateUpstream, ...],
|
||||||
|
) -> str:
|
||||||
|
"""Posix-sh script that provisions ONE bottle's bare repos into the
|
||||||
|
consolidated gateway (PRD 0070), under `/git/<bottle_id>/` with creds
|
||||||
|
read from `/git-gate/creds/<bottle_id>/`. Init-only — no `git daemon`,
|
||||||
|
since the shared gateway already serves every bottle; run inside the
|
||||||
|
running gateway when the bottle is registered.
|
||||||
|
|
||||||
|
Isolating each bottle's repo root and creds dir by id is what keeps one
|
||||||
|
bottle's push credentials out of another's repos on the shared gateway."""
|
||||||
|
if not _SAFE_BOTTLE_ID.fullmatch(bottle_id):
|
||||||
|
raise ValueError(f"git-gate: unsafe bottle id {bottle_id!r}")
|
||||||
|
repo_root = f"/git/{bottle_id}"
|
||||||
|
creds_dir = f"/git-gate/creds/{bottle_id}"
|
||||||
|
lines = ["#!/bin/sh", "set -eu", ""]
|
||||||
|
lines += _git_gate_init_repo_fn(repo_root, creds_dir)
|
||||||
|
lines += ["", f"mkdir -p {shlex.quote(repo_root)}"]
|
||||||
|
for u in upstreams:
|
||||||
|
lines.append(f"init_repo {shlex.quote(u.name)} {shlex.quote(u.upstream_url)}")
|
||||||
|
return "\n".join(lines) + "\n"
|
||||||
|
|
||||||
|
|
||||||
def git_gate_render_hook() -> str:
|
def git_gate_render_hook() -> str:
|
||||||
"""The shared pre-receive hook: gitleaks-scan all incoming refs,
|
"""The shared pre-receive hook: gitleaks-scan all incoming refs,
|
||||||
then forward each accepted ref to the real upstream (`origin`)
|
then forward each accepted ref to the real upstream (`origin`)
|
||||||
@@ -228,19 +264,22 @@ supervise_gitleaks_allow() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
proposal_id=$(
|
proposal_id=$(
|
||||||
GITLEAKS_ALLOW_REF="$ref" python3 - "$report_file" <<'PY'
|
PYTHONPATH="/app${PYTHONPATH:+:$PYTHONPATH}" GITLEAKS_ALLOW_REF="$ref" python3 - "$report_file" <<'PY'
|
||||||
import datetime
|
import datetime
|
||||||
import hashlib
|
import hashlib
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
import sys
|
import sys
|
||||||
import uuid
|
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
|
try:
|
||||||
|
import supervise as _sv
|
||||||
|
except ImportError:
|
||||||
|
from bot_bottle import supervise as _sv
|
||||||
|
|
||||||
report_path = Path(sys.argv[1])
|
report_path = Path(sys.argv[1])
|
||||||
queue_dir = os.environ.get("SUPERVISE_QUEUE_DIR", "")
|
|
||||||
slug = os.environ.get("SUPERVISE_BOTTLE_SLUG", "")
|
slug = os.environ.get("SUPERVISE_BOTTLE_SLUG", "")
|
||||||
if not queue_dir or not slug:
|
if not slug:
|
||||||
sys.exit(2)
|
sys.exit(2)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
@@ -277,31 +316,19 @@ for i, finding in enumerate(raw, 1):
|
|||||||
])
|
])
|
||||||
|
|
||||||
payload = "\n".join(lines).rstrip() + "\n"
|
payload = "\n".join(lines).rstrip() + "\n"
|
||||||
proposal_id = str(uuid.uuid4())
|
proposal = _sv.Proposal.new(
|
||||||
proposal = {
|
bottle_slug=slug,
|
||||||
"id": proposal_id,
|
tool=_sv.TOOL_GITLEAKS_ALLOW,
|
||||||
"bottle_slug": slug,
|
proposed_file=payload,
|
||||||
"tool": "gitleaks-allow",
|
justification=(
|
||||||
"proposed_file": payload,
|
|
||||||
"justification": (
|
|
||||||
"git-gate found gitleaks findings hidden by # gitleaks:allow; "
|
"git-gate found gitleaks findings hidden by # gitleaks:allow; "
|
||||||
"approve only for dummy test fixtures or confirmed false positives"
|
"approve only for dummy test fixtures or confirmed false positives"
|
||||||
),
|
),
|
||||||
"arrival_timestamp": datetime.datetime.now(
|
current_file_hash=hashlib.sha256(payload.encode("utf-8")).hexdigest(),
|
||||||
datetime.timezone.utc
|
now=datetime.datetime.now(datetime.timezone.utc),
|
||||||
).isoformat(),
|
)
|
||||||
"current_file_hash": hashlib.sha256(payload.encode("utf-8")).hexdigest(),
|
_sv.write_proposal(proposal)
|
||||||
}
|
print(proposal.id)
|
||||||
queue = Path(queue_dir)
|
|
||||||
queue.mkdir(parents=True, exist_ok=True)
|
|
||||||
path = queue / f"{proposal_id}.proposal.json"
|
|
||||||
tmp = path.with_suffix(path.suffix + ".tmp")
|
|
||||||
with tmp.open("w", encoding="utf-8") as f:
|
|
||||||
json.dump(proposal, f, indent=2)
|
|
||||||
f.write("\n")
|
|
||||||
os.chmod(tmp, 0o600)
|
|
||||||
os.replace(tmp, path)
|
|
||||||
print(proposal_id)
|
|
||||||
PY
|
PY
|
||||||
)
|
)
|
||||||
rc=$?
|
rc=$?
|
||||||
@@ -314,8 +341,7 @@ PY
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
queue_dir=${SUPERVISE_QUEUE_DIR:-}
|
slug=${SUPERVISE_BOTTLE_SLUG:-}
|
||||||
response_file="$queue_dir/${proposal_id}.response.json"
|
|
||||||
timeout=${SUPERVISE_GITLEAKS_ALLOW_TIMEOUT_SECONDS:-300}
|
timeout=${SUPERVISE_GITLEAKS_ALLOW_TIMEOUT_SECONDS:-300}
|
||||||
case "$timeout" in
|
case "$timeout" in
|
||||||
''|*[!0-9]*)
|
''|*[!0-9]*)
|
||||||
@@ -327,26 +353,41 @@ PY
|
|||||||
echo "git-gate: approve with './cli.py supervise' to continue this push" >&2
|
echo "git-gate: approve with './cli.py supervise' to continue this push" >&2
|
||||||
waited=0
|
waited=0
|
||||||
while [ "$waited" -lt "$timeout" ]; do
|
while [ "$waited" -lt "$timeout" ]; do
|
||||||
if [ -f "$response_file" ]; then
|
status=$(PYTHONPATH="/app${PYTHONPATH:+:$PYTHONPATH}" python3 - "$slug" "$proposal_id" <<'PY'
|
||||||
status=$(python3 - "$response_file" <<'PY'
|
|
||||||
import json
|
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
try:
|
try:
|
||||||
with open(sys.argv[1], encoding="utf-8") as f:
|
import supervise as _sv
|
||||||
raw = json.load(f)
|
except ImportError:
|
||||||
except (OSError, json.JSONDecodeError):
|
from bot_bottle import supervise as _sv
|
||||||
sys.exit(1)
|
|
||||||
status = raw.get("status")
|
slug = sys.argv[1]
|
||||||
if not isinstance(status, str):
|
try:
|
||||||
sys.exit(1)
|
response = _sv.read_response(slug, sys.argv[2])
|
||||||
print(status)
|
except FileNotFoundError:
|
||||||
|
sys.exit(2)
|
||||||
|
print(response.status)
|
||||||
PY
|
PY
|
||||||
) || status=""
|
)
|
||||||
|
rc=$?
|
||||||
|
if [ "$rc" -eq 2 ]; then
|
||||||
|
status=""
|
||||||
|
elif [ "$rc" -ne 0 ]; then
|
||||||
|
status="invalid"
|
||||||
|
fi
|
||||||
|
if [ -n "$status" ]; then
|
||||||
case "$status" in
|
case "$status" in
|
||||||
approved|modified)
|
approved|modified)
|
||||||
mkdir -p "$queue_dir/processed"
|
PYTHONPATH="/app${PYTHONPATH:+:$PYTHONPATH}" python3 - "$slug" "$proposal_id" <<'PY' || true
|
||||||
mv -f "$queue_dir/${proposal_id}.proposal.json" "$queue_dir/processed/" 2>/dev/null || true
|
import sys
|
||||||
mv -f "$queue_dir/${proposal_id}.response.json" "$queue_dir/processed/" 2>/dev/null || true
|
|
||||||
|
try:
|
||||||
|
import supervise as _sv
|
||||||
|
except ImportError:
|
||||||
|
from bot_bottle import supervise as _sv
|
||||||
|
|
||||||
|
_sv.archive_proposal(sys.argv[1], sys.argv[2])
|
||||||
|
PY
|
||||||
echo "git-gate: supervisor approved # gitleaks:allow for $ref" >&2
|
echo "git-gate: supervisor approved # gitleaks:allow for $ref" >&2
|
||||||
return 0
|
return 0
|
||||||
;;
|
;;
|
||||||
@@ -499,4 +540,3 @@ if ! git -C "$repo_dir" rev-parse --verify HEAD >/dev/null 2>&1; then
|
|||||||
fi
|
fi
|
||||||
exit 0
|
exit 0
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|||||||
@@ -1,10 +1,20 @@
|
|||||||
"""Tiny smart-HTTP wrapper for git-gate repos.
|
"""Tiny smart-HTTP wrapper for git-gate repos.
|
||||||
|
|
||||||
Used by the smolmachines backend where `git://` push traffic over the
|
Used where `git://` push traffic over a host-published Docker port can
|
||||||
host-published Docker port can hang before receive-pack reaches hooks.
|
hang before receive-pack reaches hooks (e.g. the firecracker backend,
|
||||||
The wrapper serves the same `/git/*.git` bare repos through
|
where the guest reaches the gateway over the point-to-point TAP). The
|
||||||
|
wrapper serves the same `/git/*.git` bare repos through
|
||||||
`git http-backend`, so pre-receive and upstream forwarding remain the
|
`git http-backend`, so pre-receive and upstream forwarding remain the
|
||||||
git-gate enforcement point.
|
git-gate enforcement point.
|
||||||
|
|
||||||
|
Consolidated (PRD 0070): when `BOT_BOTTLE_ORCHESTRATOR_URL` is set, one
|
||||||
|
shared gateway serves every bottle, and each request is served from the
|
||||||
|
calling bottle's repo namespace (`<root>/<bottle_id>`), attributed from
|
||||||
|
the unspoofable source IP via the orchestrator. Per-repo credentials +
|
||||||
|
hooks scope by repo directory, so isolating the *root* per bottle isolates
|
||||||
|
its creds too. Unattributed clients fail closed (404). Unset → the legacy
|
||||||
|
per-bottle single-tenant flat root, unchanged — a transitional path that
|
||||||
|
gets stripped out once every backend runs the consolidated gateway.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
@@ -12,15 +22,93 @@ from __future__ import annotations
|
|||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
|
import typing
|
||||||
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
|
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from urllib.parse import urlsplit
|
from urllib.parse import urlsplit
|
||||||
|
|
||||||
from .git_gate import GIT_GATE_TIMEOUT_SECS
|
# policy_resolver ships flat alongside this file in the gateway
|
||||||
|
# image (see Dockerfile.gateway); the bot_bottle.* fallback is the
|
||||||
|
# host-side / test path. Mirrors egress_addon's import shape.
|
||||||
|
try:
|
||||||
|
from policy_resolver import ( # type: ignore[import-not-found]
|
||||||
|
PolicyResolveError,
|
||||||
|
PolicyResolver,
|
||||||
|
)
|
||||||
|
except ImportError: # pragma: no cover - host-side path
|
||||||
|
from bot_bottle.policy_resolver import PolicyResolveError, PolicyResolver
|
||||||
|
|
||||||
|
|
||||||
DEFAULT_PORT = 9420
|
DEFAULT_PORT = 9420
|
||||||
|
|
||||||
|
# Consolidated (multi-tenant) mode: when this points at the per-host
|
||||||
|
# orchestrator's control plane, the backend serves each request from the
|
||||||
|
# *calling* bottle's repo namespace, selected by source IP, instead of a
|
||||||
|
# single flat repo root. Unset → legacy per-bottle single-tenant mode
|
||||||
|
# (unchanged). Same env the egress addon reads, so one orchestrator setting
|
||||||
|
# flips the whole shared gateway multi-tenant.
|
||||||
|
ORCHESTRATOR_URL_ENV = "BOT_BOTTLE_ORCHESTRATOR_URL"
|
||||||
|
|
||||||
|
# App-layer identity token (defense-in-depth over the source-IP invariant);
|
||||||
|
# the agent injects it, the backend reads it for attribution and never
|
||||||
|
# forwards it to `git http-backend`. Mirrors egress_addon.IDENTITY_HEADER
|
||||||
|
# (duplicated, not imported: egress_addon pulls in mitmproxy).
|
||||||
|
IDENTITY_HEADER = "x-bot-bottle-identity"
|
||||||
|
|
||||||
|
# Default flat repo root (single-tenant, and the base under which
|
||||||
|
# consolidated mode nests each sandbox's namespace).
|
||||||
|
DEFAULT_REPO_ROOT = "/git"
|
||||||
|
|
||||||
|
|
||||||
|
class ResolverLike(typing.Protocol):
|
||||||
|
"""Structural type for the resolver `resolve_sandbox_root` needs — just
|
||||||
|
`resolve_bottle_id`. A Protocol so tests can pass a fake without
|
||||||
|
importing PolicyResolver (mirrors egress_addon_core.PolicyResolverLike)."""
|
||||||
|
|
||||||
|
def resolve_bottle_id(
|
||||||
|
self, source_ip: str, identity_token: str = ...,
|
||||||
|
) -> "str | None": ...
|
||||||
|
|
||||||
|
|
||||||
|
def resolve_sandbox_root(
|
||||||
|
resolver: "ResolverLike | None",
|
||||||
|
base_root: Path,
|
||||||
|
source_ip: str,
|
||||||
|
identity_token: str = "",
|
||||||
|
) -> Path | None:
|
||||||
|
"""The per-sandbox repo root to serve this request from, or None to
|
||||||
|
deny (404).
|
||||||
|
|
||||||
|
Single-tenant (`resolver is None`): the flat `base_root`, unchanged.
|
||||||
|
NOTE: this legacy per-bottle single-tenant path is transitional — it
|
||||||
|
will be stripped out once every backend runs the consolidated gateway
|
||||||
|
(PRD 0070), leaving only the source-IP-attributed path below.
|
||||||
|
|
||||||
|
Consolidated: `base_root/<bottle_id>`, where the sandbox is attributed
|
||||||
|
from the source IP via the orchestrator. Fail-closed — an unattributed
|
||||||
|
client, a resolver error, or a namespace that would escape `base_root`
|
||||||
|
all deny, so one sandbox can never reach another's repos."""
|
||||||
|
if resolver is None:
|
||||||
|
return base_root
|
||||||
|
try:
|
||||||
|
bottle_id = resolver.resolve_bottle_id(source_ip, identity_token)
|
||||||
|
except PolicyResolveError:
|
||||||
|
return None # orchestrator unreachable/errored → deny
|
||||||
|
if not bottle_id:
|
||||||
|
return None # unattributed → deny
|
||||||
|
base = base_root.resolve()
|
||||||
|
namespace = (base / bottle_id).resolve()
|
||||||
|
if base not in namespace.parents:
|
||||||
|
return None # bottle_id tried to escape the root → deny
|
||||||
|
return namespace
|
||||||
|
|
||||||
|
# Mirrors git_gate_render.GIT_GATE_TIMEOUT_SECS. Duplicated rather than
|
||||||
|
# imported: this module ships as a flat top-level sibling in the gateway
|
||||||
|
# bundle image (see Dockerfile.gateway), not as part of the bot_bottle
|
||||||
|
# package, so `bot_bottle.git_gate` and its dependency chain aren't
|
||||||
|
# available at runtime.
|
||||||
|
GIT_GATE_TIMEOUT_SECS = 15
|
||||||
|
|
||||||
# Bound memory use while still allowing ordinary git push packfiles.
|
# Bound memory use while still allowing ordinary git push packfiles.
|
||||||
MAX_BODY_BYTES = 100 * 1024 * 1024
|
MAX_BODY_BYTES = 100 * 1024 * 1024
|
||||||
|
|
||||||
@@ -34,10 +122,25 @@ class GitHttpHandler(BaseHTTPRequestHandler):
|
|||||||
def do_POST(self) -> None:
|
def do_POST(self) -> None:
|
||||||
self._run_backend()
|
self._run_backend()
|
||||||
|
|
||||||
|
def _sandbox_root(self) -> Path | None:
|
||||||
|
"""This request's per-sandbox repo root, or None to deny. Single-tenant
|
||||||
|
unless the server was started with a resolver (consolidated mode), in
|
||||||
|
which case the root is the calling sandbox's source-IP-selected
|
||||||
|
namespace. `GIT_PROJECT_ROOT` keeps git's own env-var name."""
|
||||||
|
base = Path(os.environ.get("GIT_PROJECT_ROOT", DEFAULT_REPO_ROOT))
|
||||||
|
resolver = getattr(self.server, "policy_resolver", None)
|
||||||
|
token = self.headers.get(IDENTITY_HEADER, "")
|
||||||
|
return resolve_sandbox_root(resolver, base, self.client_address[0], token)
|
||||||
|
|
||||||
def _run_backend(self) -> None:
|
def _run_backend(self) -> None:
|
||||||
|
sandbox_root = self._sandbox_root()
|
||||||
|
if sandbox_root is None:
|
||||||
|
# Unattributed / resolver error: deny before touching any repo.
|
||||||
|
self.send_error(404)
|
||||||
|
return
|
||||||
parsed = urlsplit(self.path)
|
parsed = urlsplit(self.path)
|
||||||
if self._is_upload_pack(parsed.path, parsed.query):
|
if self._is_upload_pack(parsed.path, parsed.query):
|
||||||
repo_dir = self._repo_dir(parsed.path)
|
repo_dir = self._repo_dir(sandbox_root, parsed.path)
|
||||||
if repo_dir is None:
|
if repo_dir is None:
|
||||||
self.send_error(404)
|
self.send_error(404)
|
||||||
return
|
return
|
||||||
@@ -71,7 +174,7 @@ class GitHttpHandler(BaseHTTPRequestHandler):
|
|||||||
return
|
return
|
||||||
env = os.environ.copy()
|
env = os.environ.copy()
|
||||||
env.update({
|
env.update({
|
||||||
"GIT_PROJECT_ROOT": os.environ.get("GIT_PROJECT_ROOT", "/git"),
|
"GIT_PROJECT_ROOT": str(sandbox_root),
|
||||||
"GIT_HTTP_EXPORT_ALL": "1",
|
"GIT_HTTP_EXPORT_ALL": "1",
|
||||||
"REQUEST_METHOD": self.command,
|
"REQUEST_METHOD": self.command,
|
||||||
"PATH_INFO": parsed.path,
|
"PATH_INFO": parsed.path,
|
||||||
@@ -85,6 +188,14 @@ class GitHttpHandler(BaseHTTPRequestHandler):
|
|||||||
"SERVER_PORT": str(self.server.server_port), # type: ignore
|
"SERVER_PORT": str(self.server.server_port), # type: ignore
|
||||||
"SERVER_PROTOCOL": self.request_version,
|
"SERVER_PROTOCOL": self.request_version,
|
||||||
})
|
})
|
||||||
|
# Consolidated mode: attribute the gitleaks-allow supervise proposal
|
||||||
|
# (written by receive-pack's pre-receive hook, a child of the CGI we
|
||||||
|
# spawn below) to the calling bottle. The namespaced root is
|
||||||
|
# `<base>/<bottle_id>`, so its final component is the bottle id — the
|
||||||
|
# same per-bottle key egress uses. Single-tenant leaves the hook's
|
||||||
|
# container-stamped SUPERVISE_BOTTLE_SLUG untouched.
|
||||||
|
if getattr(self.server, "policy_resolver", None) is not None:
|
||||||
|
env["SUPERVISE_BOTTLE_SLUG"] = sandbox_root.name
|
||||||
for header, variable in (
|
for header, variable in (
|
||||||
("accept", "HTTP_ACCEPT"),
|
("accept", "HTTP_ACCEPT"),
|
||||||
("content-encoding", "HTTP_CONTENT_ENCODING"),
|
("content-encoding", "HTTP_CONTENT_ENCODING"),
|
||||||
@@ -117,8 +228,8 @@ class GitHttpHandler(BaseHTTPRequestHandler):
|
|||||||
)
|
)
|
||||||
self._write_cgi_response(proc.stdout)
|
self._write_cgi_response(proc.stdout)
|
||||||
|
|
||||||
def _repo_dir(self, path: str) -> Path | None:
|
def _repo_dir(self, sandbox_root: Path, path: str) -> Path | None:
|
||||||
root = Path(os.environ.get("GIT_PROJECT_ROOT", "/git")).resolve()
|
root = sandbox_root.resolve()
|
||||||
relative = path.lstrip("/").split(".git", 1)[0] + ".git"
|
relative = path.lstrip("/").split(".git", 1)[0] + ".git"
|
||||||
candidate = (root / relative).resolve()
|
candidate = (root / relative).resolve()
|
||||||
if root not in (candidate, *candidate.parents):
|
if root not in (candidate, *candidate.parents):
|
||||||
@@ -175,7 +286,13 @@ class GitHttpHandler(BaseHTTPRequestHandler):
|
|||||||
def main() -> int:
|
def main() -> int:
|
||||||
port = int(os.environ.get("GIT_HTTP_PORT", str(DEFAULT_PORT)))
|
port = int(os.environ.get("GIT_HTTP_PORT", str(DEFAULT_PORT)))
|
||||||
server = ThreadingHTTPServer(("0.0.0.0", port), GitHttpHandler)
|
server = ThreadingHTTPServer(("0.0.0.0", port), GitHttpHandler)
|
||||||
sys.stdout.write(f"git-http listening on 0.0.0.0:{port}\n")
|
orch_url = os.environ.get(ORCHESTRATOR_URL_ENV, "").strip()
|
||||||
|
# Consolidated mode: resolve each request's sandbox namespace by source
|
||||||
|
# IP. Absent → single-tenant (flat repo root); behaviour unchanged.
|
||||||
|
resolver = PolicyResolver(orch_url) if orch_url else None
|
||||||
|
server.policy_resolver = resolver # type: ignore[attr-defined]
|
||||||
|
mode = "multi-tenant" if orch_url else "single-tenant"
|
||||||
|
sys.stdout.write(f"git-http listening on 0.0.0.0:{port} ({mode})\n")
|
||||||
sys.stdout.flush()
|
sys.stdout.flush()
|
||||||
server.serve_forever()
|
server.serve_forever()
|
||||||
return 0
|
return 0
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user