diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml index 76b0d317..90251610 100644 --- a/.github/workflows/release-canary.yml +++ b/.github/workflows/release-canary.yml @@ -91,6 +91,10 @@ jobs: fi - name: Start gateway + env: + # Use OPENSHELL_GATEWAY_HOST when supported (CLI >= next release), + # fall back to the explicit --gateway-host flag for older CLIs. + OPENSHELL_GATEWAY_HOST: host.docker.internal run: openshell gateway start --gateway-host host.docker.internal - name: Run canary test diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml index ff51540e..61a545d5 100644 --- a/.github/workflows/release-dev.yml +++ b/.github/workflows/release-dev.yml @@ -70,7 +70,7 @@ jobs: tag-ghcr-dev: name: Tag GHCR Images as Dev - needs: [build-gateway, build-cluster, e2e] + needs: [build-gateway, build-cluster] runs-on: build-amd64 timeout-minutes: 10 steps: diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index cda74d1e..84a66818 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -177,7 +177,7 @@ jobs: publish-python: name: Publish Python - needs: [build-python-wheels] + needs: [build-python-wheels, e2e] runs-on: [self-hosted, nv] timeout-minutes: 10 env: diff --git a/crates/openshell-bootstrap/src/lib.rs b/crates/openshell-bootstrap/src/lib.rs index bf6599b4..2da77f47 100644 --- a/crates/openshell-bootstrap/src/lib.rs +++ b/crates/openshell-bootstrap/src/lib.rs @@ -92,8 +92,8 @@ pub struct DeployOptions { /// Override the gateway host advertised in cluster metadata and passed to /// the server. When set, the metadata will use this host instead of /// `127.0.0.1` and the container will receive `SSH_GATEWAY_HOST`. - /// Useful in CI where `127.0.0.1` is not reachable from the test runner - /// (e.g., `host.docker.internal`). + /// Needed whenever the client cannot reach the Docker host at 127.0.0.1 + /// — CI containers, WSL, remote Docker hosts, etc. pub gateway_host: Option, /// Disable TLS entirely — the server listens on plaintext HTTP. pub disable_tls: bool, diff --git a/crates/openshell-cli/src/bootstrap.rs b/crates/openshell-cli/src/bootstrap.rs index ca81404f..294995f1 100644 --- a/crates/openshell-cli/src/bootstrap.rs +++ b/crates/openshell-cli/src/bootstrap.rs @@ -162,6 +162,16 @@ pub async fn run_bootstrap( { options = options.with_registry_token(token); } + // Read gateway host override from environment. Needed whenever the + // client cannot reach the Docker host at 127.0.0.1 — CI containers, + // WSL, remote Docker hosts, etc. The explicit `--gateway-host` flag + // is only on `gateway start`; this env var covers the auto-bootstrap + // path triggered by `sandbox create`. + if let Ok(host) = std::env::var("OPENSHELL_GATEWAY_HOST") + && !host.trim().is_empty() + { + options = options.with_gateway_host(host); + } options = options.with_gpu(gpu); let handle = deploy_gateway_with_panel(options, &gateway_name, location).await?; diff --git a/crates/openshell-cli/src/main.rs b/crates/openshell-cli/src/main.rs index 7c379c2b..0099e477 100644 --- a/crates/openshell-cli/src/main.rs +++ b/crates/openshell-cli/src/main.rs @@ -731,10 +731,11 @@ enum GatewayCommands { /// Override the gateway host written into cluster metadata. /// - /// By default, local clusters advertise 127.0.0.1. In environments - /// where the test runner cannot reach 127.0.0.1 on the Docker host - /// (e.g., CI containers), set this to a reachable hostname such as - /// `host.docker.internal`. + /// By default, local clusters advertise 127.0.0.1. Set this when + /// the client cannot reach the Docker host at 127.0.0.1 — for + /// example in CI containers, WSL, or when Docker runs on a + /// remote host. Common values: `host.docker.internal`, a LAN IP, + /// or a hostname. #[arg(long)] gateway_host: Option, diff --git a/examples/policy-advisor/README.md b/examples/policy-advisor/README.md index 9dbfcb0b..a90f0a72 100644 --- a/examples/policy-advisor/README.md +++ b/examples/policy-advisor/README.md @@ -47,7 +47,7 @@ the script progresses through each gate. | 4 | The Oracle | `api.github.com:443` | Concurrent with 5 and 6 | | 5 | The Jester | `icanhazdadjoke.com:443` | Concurrent with 4 and 6 | | 6 | The Sphinx | `catfact.ninja:443` | Concurrent with 4 and 5 | -| 7 | The Vault | `gitlab-master.nvidia.com:443` | Internal IP -- mapper adds `allowed_ips` | +| 7 | The Vault | `internal.corp.example.com:443` | Internal IP -- mapper adds `allowed_ips` | Gates 1-3 run sequentially so you can observe the single-approval flow. Gate 3 uses `curl` to hit `ifconfig.me:80` -- a different endpoint that only @@ -123,7 +123,7 @@ Gate 3 uses `curl` to reach `ifconfig.me:80`. You'll see a new rule for When Gates 4-6 start, all three denials arrive together. Press `A` to approve all pending recommendations at once. -Gate 7 requires `allowed_ips` because `gitlab-master.nvidia.com` resolves to a +Gate 7 requires `allowed_ips` because `internal.corp.example.com` resolves to a private IP. The mapper detects this automatically and includes the resolved IPs in the proposed rule. diff --git a/examples/policy-advisor/ctf.py b/examples/policy-advisor/ctf.py index d62c4504..5974268f 100644 --- a/examples/policy-advisor/ctf.py +++ b/examples/policy-advisor/ctf.py @@ -155,9 +155,9 @@ def log(level: str, msg: str, **kv: object) -> None: { "num": 7, "name": "The Vault", - "host": "gitlab-master.nvidia.com", + "host": "internal.corp.example.com", "port": 443, - "url": "https://gitlab-master.nvidia.com/", + "url": "https://internal.corp.example.com/", "method": "GET", "headers": {"User-Agent": "openshell-ctf"}, "body": None,