Preserve interception for offline Docker agents #1841

Open
xeophon wants to merge 4 commits into main from docker-interception-only

Conversation

@xeophon commented Jun 23, 2026 (Member)

Overview

Makes Docker's existing network_access = false setting preserve the interception channel automatically. Trusted setup retains ordinary network access; agent execution can reach only the rollout's host-side interception port.

Details

  • Uses the existing boolean network_access setting rather than introducing a separate interception mode.
  • Introduces a setup-to-execution network sealing boundary shared through the runtime interface.
  • Targets rootful Docker Engine on Linux with host iptables and nsenter access.
  • Exposes the interception server on loopback and Docker's bridge gateway, then rewrites the harness endpoint to host.docker.internal.
  • Installs an immutable OUTPUT allowlist inside the agent's network namespace: the exact interception address and port plus local loopback are accepted, Docker DNS and all other traffic are rejected, IPv6 is disabled, and NET_ADMIN/NET_RAW are dropped.
  • Avoids a public tunnel, relay container, and global host-firewall state; the policy disappears with the container's network namespace.
  • Rejects unsupported MCP tool servers and colocated user simulators before agent execution.
  • Documents the offline Docker behavior and Linux host requirements.

Note

Preserve interception for offline Docker agents running with network_access=false

  • Adds network_access: bool = True to DockerConfig; when false, the container runs on the Docker bridge network with NET_ADMIN/NET_RAW capabilities dropped and IPv6 disabled.
  • Introduces DockerRuntime.seal_agent_network() which installs a VF-AGENT iptables chain inside the container's network namespace, restricting agent egress to the interception server only; the endpoint is rewritten to http://host.docker.internal:<port>.
  • Updates InterceptionServer to bind on multiple host addresses (loopback + Docker bridge gateway) so offline agents can reach it via the bridge.
  • Adds early ValueError failures in Rollout.run when offline Docker mode is combined with MCP tool servers or a colocated user simulator.
  • Risk: requires Linux root, iptables, and nsenter on the host when network_access=false; IPv4-only firewall rules mean IPv6 egress is disabled entirely.

Macroscope summarized 83c11a6.
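
As an added illustration of the allowlist described above (not code from this pull request): the sketch below builds an ordered rule list for the `VF-AGENT` chain, renders it as `nsenter`/`iptables` commands, and models first-match evaluation to show why the Docker DNS reject has to come before the loopback accept. The rule ordering, the function names, and the sample gateway, port and PID are assumptions made for this example.

```python
import ipaddress

CHAIN = "VF-AGENT"         # chain name from the PR summary
DOCKER_DNS = "127.0.0.11"  # Docker's embedded DNS resolver address

def build_rules(gateway, port):
    """Ordered, first-match rule list (the ordering is this example's assumption)."""
    ipaddress.IPv4Address(gateway)  # IPv4 only; raises on anything else
    if not 0 < port < 65536:
        raise ValueError(f"bad port: {port}")
    return [
        # Must precede the loopback accept: the resolver is itself a 127/8 address.
        {"dst": f"{DOCKER_DNS}/32", "target": "REJECT"},
        {"out_if": "lo", "dst": "127.0.0.0/8", "target": "ACCEPT"},
        {"dst": f"{gateway}/32", "proto": "tcp", "dport": port, "target": "ACCEPT"},
        {"target": "REJECT"},  # everything else, including other bridge hosts
    ]

def render(rules, container_pid):
    """Commands run from the host inside the container's network namespace."""
    ns = f"nsenter -t {container_pid} -n iptables"
    cmds = [f"{ns} -N {CHAIN}"]
    for r in rules:
        parts = [f"-A {CHAIN}"]
        if "out_if" in r:
            parts.append(f"-o {r['out_if']}")
        if "dst" in r:
            parts.append(f"-d {r['dst']}")
        if "proto" in r:
            parts.append(f"-p {r['proto']} --dport {r['dport']}")
        parts.append(f"-j {r['target']}")
        cmds.append(f"{ns} {' '.join(parts)}")
    # Hook the chain into OUTPUT last, once it is fully populated.
    cmds.append(f"{ns} -A OUTPUT -j {CHAIN}")
    return cmds

def decide(rules, dst, proto, dport):
    """Model of first-match evaluation for one outbound packet."""
    addr = ipaddress.IPv4Address(dst)
    for r in rules:
        if "dst" in r and addr not in ipaddress.ip_network(r["dst"]):
            continue
        if "proto" in r and (r["proto"], r["dport"]) != (proto, dport):
            continue
        return r["target"]
    return "ACCEPT"  # fell through the chain to OUTPUT's default policy

if __name__ == "__main__":
    # Constructed sample values: bridge gateway, interception port, container PID.
    print("\n".join(render(build_rules("172.17.0.1", 8765), 4242)))
```
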

@xeophon xeophon marked this pull request as draft June 23, 2026 14:07

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 07e5e51513

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread verifiers/v1/runtimes/docker.py Outdated
@macroscopeapp

macroscopeapp Bot commented Jun 23, 2026

Approvability

Verdict: Needs human review

This PR introduces a new feature (offline Docker agents) with network namespace manipulation, iptables firewall rules, and root privilege requirements. New capabilities with security/isolation implications warrant human review.

You can customize Macroscope's approvability policy. Learn more.

@xeophon xeophon changed the title from "Add interception-only Docker networking" to "Preserve interception for offline Docker agents" Jun 25, 2026
Comment thread verifiers/v1/runtimes/docker.py Outdated
@xeophon xeophon marked this pull request as ready for review June 25, 2026 17:35