Add docker support #2

Open
pnc wants to merge 7 commits into main from add-docker-support

Conversation

@pnc
Member

@pnc pnc commented Apr 13, 2026

Also fix some issues around memory usage from mitmdump!

pnc and others added 7 commits April 13, 2026 14:42
The Docker daemon needs its own proxy config (systemd service
override) to pull images through the mitmproxy allowlist.  The
override is written during cloud-init's write_files stage so it
is already in place when the docker.io package starts the daemon
for the first time.

Also adds Docker Hub endpoints (registry, auth, R2 blob storage)
to the default allowlist.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Verifies that the Docker daemon proxy config and Docker Hub
allowlist rules work end-to-end: pulls and runs hello-world
inside the VM through mitmproxy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cloud.debian.org serves checksums directly but 302-redirects large
files (qcow2) to offloader hosts at Umea University (*.ftp.acc.umu.se).
Add all four known offloaders (commented out by default) so nested
VM image downloads work through the proxy when uncommented.

Also note in CLAUDE.md that HACKING.md prerequisites must be
installed before running the e2e tests, and cross-reference the
allowlist rules from HACKING.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker.io and its dependencies add significant install time under
TCG emulation — 300s was not enough.  The vm user is already in
the docker group via usermod in runcmd, so sudo is unnecessary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Eliminates the dual-source antipattern where network access was
governed by both TRUSTED_DOMAINS in filter.py and rules in
allowlist.txt.  All access is now controlled by a single file.

Expands domain wildcards (e.g. .*\.debian\.org) into specific
hostnames since allowlist.txt doesn't support domain wildcards.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add vm user to docker and kvm groups via cloud-init user definition
  instead of runcmd usermod (cleaner, runs at user creation time)
- Add releases.astral.sh to allowlist (uv binary downloads moved
  from GitHub release assets to Astral's own CDN)
- KVM group membership enables hardware acceleration for nested VMs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add vm user to docker and kvm groups via cloud-init (removes
  redundant usermod in runcmd; enables KVM acceleration in nested VMs)
- Set stream_large_bodies=1m on mitmdump to prevent OOM when proxying
  large downloads (e.g. 223MB Claude Code binary)
- Add releases.astral.sh to allowlist (uv now downloads binaries
  from there instead of directly from GitHub releases)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
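The Docker daemon proxy override and cloud-init user setup that the commits above describe, written out as an added illustration rather than code taken from this PR: the proxy address 10.0.2.2:8080, the drop-in path and the `vm` user name are assumptions, and the guest is assumed to already trust the mitmproxy CA so that registry TLS can be intercepted.

```yaml
#cloud-config
# Added example, not the PR's own files. Assumed: the mitmproxy allowlist
# proxy is reachable from the guest at 10.0.2.2:8080 and its CA is trusted.

write_files:
  # write_files runs in cloud-init's init stage, before package install,
  # so the drop-in exists when docker.io starts dockerd for the first time.
  - path: /etc/systemd/system/docker.service.d/proxy.conf
    permissions: "0644"
    content: |
      [Service]
      # dockerd uses these for registry pulls; containers do not inherit them.
      Environment="HTTP_PROXY=http://10.0.2.2:8080"
      Environment="HTTPS_PROXY=http://10.0.2.2:8080"
      # Keep loopback traffic off the proxy.
      Environment="NO_PROXY=localhost,127.0.0.1"

users:
  # Group membership set at user creation, replacing a runcmd usermod.
  - name: vm
    groups: [docker, kvm]

packages:
  - docker.io

runcmd:
  # Check that the drop-in was picked up, then exercise the allowlist
  # end-to-end with a pull that must traverse the proxy.
  - systemctl show docker --property=Environment
  - docker run --rm hello-world
```

If the pull hangs or fails with a TLS error, the usual causes are a registry or auth host missing from the allowlist, or the mitmproxy CA not being trusted by the guest; `journalctl -u docker` shows which request dockerd was making.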
@pnc pnc requested a review from brandondean April 13, 2026 19:03