Containerise agent-server and apps#4
Merged
Merged
Conversation
appx now creates, supervises, and routes to the agent-server outer container itself (container mode), so a fresh boot brings the whole stack up with no manual `docker run`. - internal/containerruntime: Supervisor interface + docker-CLI impl + fake CommandRunner. EnsureRunning (absent->create / stopped->start / running-> noop, then poll GET / until healthy); Recreate is explicit-only; spec drift never auto-recreates. ContainerSpec.RunArgs transcribes the proven run-outer.sh flag set verbatim (no --privileged/--cap-add/--fuse/ no-new-privileges; loopback-only publishes). BuildSpec, LoadOrCreateToken (0600), DetectBin, BridgeGateway. - cmd/appx/main.go: APPX_AGENT_CONTAINER wiring; EnsureRunning before reconcile with per-class remediation; token mandatory + persisted 0600 + injected into container env and proxy clients; --recreate-agent-container; egress bound on the docker bridge gateway with HTTPS_PROXY/NODE_USE_ENV_ PROXY/--add-host; container-mode NO_PROXY bypasses image registries; APPX_AGENT_ENV_PASSTHROUGH forwards extra secrets by name. - internal/egress: configurable bind addr for the CONNECT proxy + internal listener; scoped DNS-wildcard allowlist matching; bedrock-runtime.*. amazonaws.com:443 in DefaultAllowlist. - deploy: container-mode branches in system-setup.sh/tools-install.sh/ bootstrap.sh (skip appx-agent user + agent-server.service, install seccomp to /etc/appx, build/pull pinned outer image, docker access); ship the seccomp profile under deploy/builder-container/. - scripts/smoke-deploy.sh: deterministic NO-LLM cross-service gate exercising the appx proxy (38/38 green). - docs/plans/phase_9_plan.md: Stage 3 results + deviations; staging renumbered (Stage 4 productionize, Stage 5 hardening). Findings recorded: HTTPS_PROXY is honoured by podman (registry pulls needed a NO_PROXY bypass); appRunning TCP-dial false-positives after outer restart via docker-proxy; Bedrock Settings-UI key is an upstream Pi apiKey->bearerToken gap (env-var workaround via passthrough + bedrock-runtime allowlist).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Switch from systemd to containerised approach for hosting appx on a remote server
See
docs/plans/phase_9_plan.mdfor details