d4b27ebf1f
Codex review: the /31 TAP doesn't make source IP unspoofable, and the app-layer token was returned by launch but never delivered or enforced, so a spoofed source could select a victim bottle's policy/tokens. Make the token mandatory and deliver it on each attributed plane (anti-spoof landed separately as the network boundary). Enforcement (control plane): - `Orchestrator.resolve` now requires a matching (source_ip, identity_token) pair (constant-time) — no source-IP-only fallback. `/resolve` fail-closes (403) on a missing/empty/mismatched token. Delivery, per plane (the token is `token_urlsafe`, safe in a URL): - egress: proxy credentials (`HTTPS_PROXY=http://bottle:<token>@gw`). The addon reads `Proxy-Authorization` — from the request (HTTP) or captured at the CONNECT for HTTPS tunnels (keyed by client conn, cleared on disconnect) — validates, and strips it (+ the legacy header) before upstream. - git-http: a URL-scoped `http.<gate>/.extraHeader: x-bot-bottle-identity` in the agent's git config (only over the http transport). - supervise: `mcp add --header x-bot-bottle-identity: <token>` (claude + codex); the server reads the header and passes it to resolve. Wiring: thread `ctx.identity_token` onto the firecracker + docker plans and into the agent env/config at launch. Verified on a KVM host: egress with the correct proxy-cred token returns 200 (HTTP and HTTPS/CONNECT), and no-token / wrong-token return 403; a real `cli.py start --backend=firecracker` launch provisions git config + the supervise MCP header and reaches the agent session, all under mandatory enforcement. Fixed a `claude mcp add` arg-order bug (--header must follow the positional name/url) found by that launch. Transparent proxy for tools that ignore proxy env is deferred to a follow-up (see thread); anti-spoof + host firewall remain the fail-closed boundary. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01WBMWTEtQdJ4W5UrWuLHCck
85 lines
3.4 KiB
Python
85 lines
3.4 KiB
Python
"""Agent-only compose for the consolidated docker backend (PRD 0070).
|
|
|
|
The per-bottle model rendered a compose project with the agent *and* a
|
|
gateway on two per-bottle networks. In the consolidated model the
|
|
per-bottle companion containers are gone — one shared gateway serves every bottle — so this renders
|
|
just the agent, attached to the **external shared gateway network** with the
|
|
pinned source IP the orchestrator allocated, and pointed at the gateway's
|
|
address for egress (and, around the proxy, for git-http / supervise).
|
|
|
|
Pure: it takes the launch-time `LaunchContext` values (gateway address,
|
|
source IP, network) and the prepared plan, and returns a compose dict — no
|
|
docker, so it's testable in isolation.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from typing import Any
|
|
|
|
from ...egress import egress_agent_env_entries
|
|
from ..util import AGENT_CA_BUNDLE, AGENT_CA_PATH
|
|
from .bottle_plan import DockerBottlePlan
|
|
from .egress import EGRESS_PORT
|
|
|
|
|
|
def consolidated_agent_compose(
|
|
plan: DockerBottlePlan,
|
|
*,
|
|
gateway_ip: str,
|
|
source_ip: str,
|
|
network: str,
|
|
) -> dict[str, Any]:
|
|
"""A compose spec with only the agent service, on the external gateway
|
|
network at `source_ip`, proxying egress through `gateway_ip`."""
|
|
# Deliver the identity token as egress proxy credentials — the gateway
|
|
# reads Proxy-Authorization, validates the (source_ip, token) pair, and
|
|
# strips it before upstream. git-http/supervise get it via their own
|
|
# headers (git config extraHeader / MCP header).
|
|
token = getattr(plan, "identity_token", "")
|
|
cred = f"bottle:{token}@" if token else ""
|
|
proxy_url = f"http://{cred}{gateway_ip}:{EGRESS_PORT}"
|
|
# git-http + supervise live on the gateway too and must NOT go through the
|
|
# egress proxy — the agent reaches them directly by the gateway address.
|
|
no_proxy = f"localhost,127.0.0.1,{gateway_ip}"
|
|
env: list[str] = [
|
|
f"HTTPS_PROXY={proxy_url}",
|
|
f"HTTP_PROXY={proxy_url}",
|
|
f"https_proxy={proxy_url}",
|
|
f"http_proxy={proxy_url}",
|
|
f"NO_PROXY={no_proxy}",
|
|
f"no_proxy={no_proxy}",
|
|
f"NODE_EXTRA_CA_CERTS={AGENT_CA_PATH}",
|
|
f"SSL_CERT_FILE={AGENT_CA_BUNDLE}",
|
|
f"REQUESTS_CA_BUNDLE={AGENT_CA_BUNDLE}",
|
|
]
|
|
for name, value in sorted(plan.agent_provision.guest_env.items()):
|
|
env.append(f"{name}={value}")
|
|
# Forwarded vars: bare name → inherits from the compose-up process env so
|
|
# the secret value never lands on argv or in the compose file.
|
|
for name in sorted(plan.forwarded_env.keys()):
|
|
env.append(name)
|
|
env.extend(egress_agent_env_entries(plan.egress_plan))
|
|
|
|
service: dict[str, Any] = {
|
|
"image": plan.image,
|
|
"container_name": plan.container_name,
|
|
"command": ["sleep", "infinity"],
|
|
# Pinned address on the shared gateway network — the orchestrator
|
|
# registered this IP, and the gateway attributes the bottle by it.
|
|
"networks": {network: {"ipv4_address": source_ip}},
|
|
"environment": env,
|
|
}
|
|
if plan.use_runsc:
|
|
service["runtime"] = "runsc"
|
|
|
|
return {
|
|
"name": f"bot-bottle-{plan.slug}",
|
|
"services": {"agent": service},
|
|
# The gateway network is created + owned by the orchestrator; compose
|
|
# attaches to it (external) and must not create or destroy it.
|
|
"networks": {network: {"external": True}},
|
|
}
|
|
|
|
|
|
__all__ = ["consolidated_agent_compose"]
|