dave/storkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 8 Wiki Activity

storkit: done 360_story_run_storkit_container_under_gvisor_runsc_runtime

Browse Source
This commit is contained in:
dave
2026-03-23 11:45:47 +00:00
parent edf47601c4
commit 86102f8ad6
1 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
.storkit/work/1_backlog/360_story_run_storkit_container_under_gvisor_runsc_runtime.md
View File

@@ -1,21 +0,0 @@
---
name: "Run storkit container under gVisor (runsc) runtime"
---
# Story 360: Run storkit container under gVisor (runsc) runtime
## User Story
As a storkit operator, I want the container to run under gVisor so that even if a malicious codebase escapes the container's process namespace, it cannot make raw syscalls to the host kernel.
## Acceptance Criteria
- [ ] docker-compose.yml specifies runtime: runsc
- [ ] PTY-based agent spawning (Claude Code via PTY) works correctly under runsc
- [ ] rebuild_and_restart (exec() replacement) works correctly under runsc
- [ ] Rust compilation inside the container completes successfully under runsc
- [ ] Document host setup requirement: runsc must be installed and registered in /etc/docker/daemon.json
## Out of Scope
- TBD