|
|
8d789524e8
|
feat: container backend — ephemeral right-sized shell containers
Third session backend: per-session ephemeral containers.
SSH session → container spawns → operator works → disconnect → destroyed.
Container runtime abstraction:
Docker, Podman, Nerdctl via CLI execution (auto-detect)
No libdocker dependency — any OCI-compliant runtime
Container config ([container] section):
image, pull_policy, mounts, env, memory/cpu limits
ephemeral (destroy on exit), hardened (drop caps)
read_only_rootfs, network mode, user override
Handler: SessionBackend enum now has three variants:
Local(PtyBridge) — spawn local shell
Proxy(UpstreamSession) — forward to remote SSH host
Container(ContainerSession) — spawn ephemeral container
Priority: proxy > container > local PTY
Curated base images (images/):
minimal — bash, coreutils, curl, jq, ssh (~50MB)
k8s-ops — + kubectl, helm (~120MB)
net-ops — + nmap, dig, traceroute, tcpdump (~90MB)
dev — + git, make, gcc, python3 (~250MB)
The container IS the access boundary:
if it's not in the image, the operator can't run it.
SessionHandler hooks fire in all three modes.
6.5MB binary, 0 substrate deps, 1197 lines bascule-core.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
2026-04-04 23:23:39 -04:00 |
|
