Preserve interception for offline Docker agents #1841
Open
xeophon wants to merge 4 commits into
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 07e5e51513
Approvability
Verdict: Needs human review
This PR introduces a new feature (offline Docker agents) with network namespace manipulation, iptables firewall rules, and root privilege requirements. New capabilities with security/isolation implications warrant human review.
Overview
Makes Docker's existing `network_access = false` setting preserve the interception channel automatically. Trusted setup retains ordinary network access; agent execution can reach only the rollout's host-side interception port.
Details
- `network_access` setting rather than introducing a separate interception mode.
- `iptables` and `nsenter` access.
- `host.docker.internal`.
- `OUTPUT` allowlist inside the agent's network namespace: the exact interception address and port plus local loopback are accepted, Docker DNS and all other traffic are rejected, IPv6 is disabled, and `NET_ADMIN`/`NET_RAW` are dropped.
Note
Preserve interception for offline Docker agents running with `network_access=false`
- `network_access: bool = True` to `DockerConfig`; when false, the container runs on the Docker bridge network with `NET_ADMIN`/`NET_RAW` capabilities dropped and IPv6 disabled.
- `DockerRuntime.seal_agent_network()` which installs a `VF-AGENT` iptables chain inside the container's network namespace, restricting agent egress to the interception server only; the endpoint is rewritten to `http://host.docker.internal:<port>`.
- `InterceptionServer` to bind on multiple host addresses (loopback + Docker bridge gateway) so offline agents can reach it via the bridge.
- `ValueError` failures in `Rollout.run` when offline Docker mode is combined with MCP tool servers or a colocated user simulator.
- `iptables`, and `nsenter` on the host when `network_access=false`; IPv4-only firewall rules mean IPv6 egress is disabled entirely.
Macroscope summarized 83c11a6.
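The allowlist described above accepts loopback but rejects Docker DNS, and Docker's embedded resolver sits at 127.0.0.11, itself a loopback address, so rule order decides the outcome. The following is an added example, not code from this PR, that models first-match evaluation to show it. The rule layout, the `Rule`/`agent_allowlist`/`verdict`/`pkt` names, and the sample gateway 172.17.0.1 and port 8765 are assumptions; only the `VF-AGENT` chain name comes from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

CHAIN = "VF-AGENT"          # chain name taken from the PR summary
DOCKER_DNS = "127.0.0.11"   # Docker's embedded resolver address inside a container

@dataclass(frozen=True)
class Rule:                 # hypothetical model of one iptables rule
    verdict: str                     # "ACCEPT" or "REJECT"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    out_if: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"])
                and self.out_if in (None, pkt["out_if"]))

    def argv(self) -> list:
        args = ["iptables", "-A", CHAIN, "-d", self.dst]
        if self.out_if:
            args += ["-o", self.out_if]
        if self.proto:
            args += ["-p", self.proto]
        if self.dport:
            args += ["--dport", str(self.dport)]
        return args + ["-j", self.verdict]

def agent_allowlist(host_ip: str, port: int) -> list:
    """Ordered rules (assumed layout): first match wins, as in iptables."""
    return [
        Rule("REJECT", dst=DOCKER_DNS + "/32"),   # must precede the loopback accept
        Rule("ACCEPT", out_if="lo"),
        Rule("ACCEPT", dst=host_ip + "/32", proto="tcp", dport=port),
        Rule("REJECT"),                           # everything else
    ]

def verdict(rules: list, pkt: dict) -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.verdict
    return "RETURN"  # fell off the chain; control goes back to the caller

def pkt(dst, proto, dport, out_if="eth0"):       # constructed sample packet
    return {"dst": dst, "proto": proto, "dport": dport, "out_if": out_if}

if __name__ == "__main__":
    for r in agent_allowlist("172.17.0.1", 8765):  # constructed sample values
        print(" ".join(r.argv()))
```

Swapping the first two rules makes the DNS packet match the loopback accept, which is the regression a test of the sealed namespace should catch.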