Third session backend: per-session ephemeral containers.

SSH session → container spawns → operator works → disconnect → destroyed.

Container runtime abstraction: Docker, Podman, Nerdctl via CLI execution (auto-detect).
No libdocker dependency — any OCI-compliant runtime.

Container config ([container] section): image, pull_policy, mounts, env, memory/cpu limits,
ephemeral (destroy on exit), hardened (drop caps), read_only_rootfs, network mode, user override.

Handler: SessionBackend enum now has three variants:
  Local(PtyBridge) — spawn local shell
  Proxy(UpstreamSession) — forward to remote SSH host
  Container(ContainerSession) — spawn ephemeral container
Priority: proxy > container > local PTY

Curated base images (images/):
  minimal — bash, coreutils, curl, jq, ssh (~50MB)
  k8s-ops — + kubectl, helm (~120MB)
  net-ops — + nmap, dig, traceroute, tcpdump (~90MB)
  dev — + git, make, gcc, python3 (~250MB)

The container IS the access boundary: if it's not in the image, the operator can't run it.
SessionHandler hooks fire in all three modes.

6.5MB binary, 0 substrate deps, 1197 lines bascule-core.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
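The commit message lists the `[container]` options (ephemeral, hardened, read_only_rootfs, network mode, user override, limits) and a runtime abstraction that shells out to Docker, Podman or nerdctl. The following is an added example, not bascule's own code, of how such a section can be turned into concrete `run` flags so that each option maps to an enforceable runtime restriction. `Runtime`, `ContainerConfig`, `sample_config` and the field names are assumptions; the sample mount, env and image tag are constructed, and `detect` takes a constructed list instead of probing `$PATH` so it runs offline.

```rust
// Added example (not bascule's own code): map a [container] section onto
// `run` flags shared by docker, podman and nerdctl. Names are assumptions.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Runtime { Docker, Podman, Nerdctl }

impl Runtime {
    pub fn binary(self) -> &'static str {
        match self {
            Runtime::Docker => "docker",
            Runtime::Podman => "podman",
            Runtime::Nerdctl => "nerdctl",
        }
    }
    /// Auto-detect in fixed preference order. `available` stands in for a
    /// PATH probe so the example runs offline.
    pub fn detect(available: &[&str]) -> Option<Runtime> {
        [Runtime::Docker, Runtime::Podman, Runtime::Nerdctl]
            .iter()
            .copied()
            .find(|r| available.contains(&r.binary()))
    }
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum PullPolicy { Always, Missing, Never }

/// One `[container]` section. Mounts are (host_path, container_path, read_only).
#[derive(Debug, Clone)]
pub struct ContainerConfig {
    pub image: String,
    pub pull_policy: PullPolicy,
    pub mounts: Vec<(String, String, bool)>,
    pub env: Vec<(String, String)>,
    pub memory: Option<String>,
    pub cpus: Option<f32>,
    pub ephemeral: bool,
    pub hardened: bool,
    pub read_only_rootfs: bool,
    pub network: String,
    pub user: Option<String>,
}

impl ContainerConfig {
    /// Arguments after the runtime binary (`<runtime> run ...`). Rejects
    /// configs that would silently widen the access boundary.
    pub fn run_args(&self) -> Result<Vec<String>, String> {
        if self.image.is_empty() {
            return Err("container.image must be set".to_string());
        }
        let mut a: Vec<String> = vec!["run".into(), "-it".into()];
        if self.ephemeral { a.push("--rm".into()); }            // destroyed on exit
        if self.hardened {                                       // drop caps, no setuid escalation
            a.push("--cap-drop=ALL".into());
            a.push("--security-opt=no-new-privileges".into());
        }
        if self.read_only_rootfs { a.push("--read-only".into()); }
        a.push(format!("--network={}", self.network));
        let pull = match self.pull_policy {
            PullPolicy::Always => "always",
            PullPolicy::Missing => "missing",
            PullPolicy::Never => "never",
        };
        a.push(format!("--pull={pull}"));
        if let Some(m) = &self.memory { a.push(format!("--memory={m}")); }
        if let Some(c) = self.cpus { a.push(format!("--cpus={c}")); }
        if let Some(u) = &self.user { a.push(format!("--user={u}")); }
        for (host, dst, ro) in &self.mounts {
            // Relative host paths resolve against the runtime's cwd; insist on absolute ones.
            if !host.starts_with('/') || !dst.starts_with('/') {
                return Err(format!("mount {host}:{dst} must use absolute paths"));
            }
            a.push("-v".into());
            a.push(format!("{host}:{dst}{}", if *ro { ":ro" } else { "" }));
        }
        for (k, v) in &self.env {
            a.push("-e".into());
            a.push(format!("{k}={v}"));
        }
        a.push(self.image.clone());
        Ok(a)
    }

    pub fn command_line(&self, rt: Runtime) -> Result<String, String> {
        let mut parts = vec![rt.binary().to_string()];
        parts.extend(self.run_args()?);
        Ok(parts.join(" "))
    }
}

/// Constructed sample: a hardened, ephemeral session on the minimal image.
pub fn sample_config() -> ContainerConfig {
    ContainerConfig {
        image: "bascule-shell:minimal".into(),
        pull_policy: PullPolicy::Never,
        mounts: vec![("/srv/bascule/scripts".into(), "/opt/scripts".into(), true)],
        env: vec![("TERM".into(), "xterm-256color".into())],
        memory: Some("512m".into()),
        cpus: Some(1.0),
        ephemeral: true,
        hardened: true,
        read_only_rootfs: true,
        network: "bridge".into(),
        user: Some("operator".into()),
    }
}

fn main() {
    let rt = Runtime::detect(&["podman"]).expect("no container runtime found");
    println!("{}", sample_config().command_line(rt).unwrap());
}
```

With `read_only_rootfs` on, tools that expect a writable `/tmp` need an explicit tmpfs mount; the example leaves that to the mounts list rather than adding one implicitly, so the config stays the single statement of what the operator can touch.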
12 lines
350 B
Docker
FROM bascule-shell:minimal

USER root

RUN curl -fsSLo /usr/local/bin/kubectl \
    "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
    && chmod +x /usr/local/bin/kubectl

RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

USER operator

CMD ["/bin/bash"]
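Review bot: both RUN lines install unpinned, unverified binaries as root, which undercuts the "the container IS the access boundary" claim in the commit message: the kubectl version is whatever `https://dl.k8s.io/release/stable.txt` resolves to at build time, and `curl -fsSL .../helm/main/scripts/get-helm-3 | bash` executes a script from the `main` branch with no checksum, so two builds of this image can contain different code and a compromised or tampered download lands in every operator session. Suggest pinning a kubectl version (for example `ARG KUBECTL_VERSION=v<pinned>` and downloading `.../release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl`), verifying it against the published `kubectl.sha256` before `chmod +x`, and fetching `get-helm-3` from a tagged release (or vendoring it into `images/`) and checking its hash, rather than piping a branch HEAD into bash.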