feat: Distribute bssh-server binary alongside bssh via import workflow#11136
feat: Distribute bssh-server binary alongside bssh via import workflow#11136
Conversation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Extends the automated bssh import workflow to also vendor bssh-server release artifacts, and updates the agent’s session container mounts so the new server binary (and manpage) can be made available inside containers once imported.
Changes:
- Update
.github/workflows/import-bssh.ymlto download/move bothbsshandbssh-serverbinaries foraarch64/x86_64, and to includebssh-server.1when present. - Update
src/ai/backend/agent/agent.pyto mountbssh-server.{arch}.bininto session containers at/opt/kernel/bssh-server(andbssh-server.1into the manpage directory) withskip_missing=True.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/ai/backend/agent/agent.py |
Adds mounts for bssh-server binary/manpage into session containers. |
.github/workflows/import-bssh.yml |
Generalizes the import workflow to fetch/commit both bssh and bssh-server artifacts. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| mount_static_binary("all-smi.1", "/usr/local/share/man/man1/all-smi.1", skip_missing=True) | ||
| mount_static_binary(f"bssh.{arch}.bin", "/usr/local/bin/bssh") | ||
| mount_static_binary("bssh.1", "/usr/local/share/man/man1/bssh.1", skip_missing=True) | ||
| mount_static_binary( | ||
| f"bssh-server.{arch}.bin", "/opt/kernel/bssh-server", skip_missing=True | ||
| ) | ||
| mount_static_binary( | ||
| "bssh-server.1", "/usr/local/share/man/man1/bssh-server.1", skip_missing=True | ||
| ) |
There was a problem hiding this comment.
skip_missing=True in mount_static_binary() currently only suppresses the FileNotFoundError, but it still appends a bind mount even when the source path does not exist. For Docker/K8s agents this will still fail container startup when bssh-server.{arch}.bin is absent, which defeats the backward-compat intent mentioned in the PR description. Consider changing mount_static_binary() to return early (no mount) when skip_missing is set and resolved_path does not exist, or otherwise ensure the mount source is created as a placeholder before mounting.
| mount_static_binary("all-smi.1", "/usr/local/share/man/man1/all-smi.1", skip_missing=True) | |
| mount_static_binary(f"bssh.{arch}.bin", "/usr/local/bin/bssh") | |
| mount_static_binary("bssh.1", "/usr/local/share/man/man1/bssh.1", skip_missing=True) | |
| mount_static_binary( | |
| f"bssh-server.{arch}.bin", "/opt/kernel/bssh-server", skip_missing=True | |
| ) | |
| mount_static_binary( | |
| "bssh-server.1", "/usr/local/share/man/man1/bssh-server.1", skip_missing=True | |
| ) | |
| if self.resolve_krunner_filepath("runner/all-smi.1").exists(): | |
| mount_static_binary("all-smi.1", "/usr/local/share/man/man1/all-smi.1", skip_missing=True) | |
| mount_static_binary(f"bssh.{arch}.bin", "/usr/local/bin/bssh") | |
| if self.resolve_krunner_filepath("runner/bssh.1").exists(): | |
| mount_static_binary("bssh.1", "/usr/local/share/man/man1/bssh.1", skip_missing=True) | |
| if self.resolve_krunner_filepath(f"runner/bssh-server.{arch}.bin").exists(): | |
| mount_static_binary( | |
| f"bssh-server.{arch}.bin", "/opt/kernel/bssh-server", skip_missing=True | |
| ) | |
| if self.resolve_krunner_filepath("runner/bssh-server.1").exists(): | |
| mount_static_binary( | |
| "bssh-server.1", "/usr/local/share/man/man1/bssh-server.1", skip_missing=True | |
| ) |
| ls -la "${TARGET_DIR}/${TOOL}.${ARCH}.bin" | ||
| done | ||
| done | ||
| # Move manpages (only bssh currently ships a manpage) |
There was a problem hiding this comment.
The comment says “only bssh currently ships a manpage”, but the loop now also handles bssh-server.1. Consider updating the comment to reflect the actual behavior (e.g., move manpages if present) to avoid future confusion.
| # Move manpages (only bssh currently ships a manpage) | |
| # Move manpages if present |
- Extend `.github/workflows/import-bssh.yml` to also download, extract,
and commit `bssh-server-linux-{aarch64,x86_64}-musl` binaries so that
the newly released bssh v2.0.x server component is available under
`src/ai/backend/runner/` whenever bssh client updates land.
- Mount the bssh-server binary into session containers at
`/opt/kernel/bssh-server` (and the manpage under
`/usr/local/share/man/man1/`) so that it can be exercised for
stability/performance testing. dropbear remains the default SSH server
used by krunner; switching over is a separate follow-up.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pants-pinned ruff 0.14.0 collapses the mount line since it fits within the 100-char limit, while ruff 0.14.6 (local install) kept it wrapped. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eda8bc4 to
0c6cdbc
Compare
Summary
.github/workflows/import-bssh.ymlso that the automated bssh import workflow also downloads and commitsbssh-server-linux-{aarch64,x86_64}-muslbinaries whenever a new bssh release is cut. The existing bssh client flow is preserved; a single loop now handles both tools.src/ai/backend/agent/agent.pyso the agent mountsbssh-server.{arch}.bininto session containers at/opt/kernel/bssh-server(and the manpage at/usr/local/share/man/man1/) withskip_missing=True, so that the binary becomes accessible inside sessions once the import workflow imports it without breaking existing agents that don't have it yet.Rationale
The
bsshupstream project released v2.0.x with a newbssh-server— a Rust-based SSH server for containers supporting SFTP/SCP, PTY/shell, password/pubkey auth, and audit logging. We want to make it available in session containers alongside the existing dropbear-based SSH server for stability and performance evaluation before any decision to replace dropbear is made.As documented in recent upload-performance measurements (
dogbowl, 2026-04-16), dropbear is a single-threaded SSH server that caps SFTP throughput at ~75 MB/s (CPU-bound on 1 core), while OpenSSH on the same container setup reaches ~95 MB/s.bssh-serverbuilt withrusshis expected to close this gap while keeping the lightweight image footprint. Landing the binary first lets us benchmark it empirically before touching krunner'sintrinsic.py.Test plan
import-bsshworkflow run (manual dispatch) downloads bothbsshandbssh-serverarchives foraarch64andx86_64, extracts the binaries, and creates a PR withbssh.{arch}.bin,bssh-server.{arch}.binundersrc/ai/backend/runner/./opt/kernel/bssh-server(viadocker exec ... ls -la /opt/kernel/).Follow-ups (not in this PR)
bssh-serverintosrc/ai/backend/kernel/intrinsic.pyas an alternative (flag-driven) SSH server, once it has been manually validated.bssh-serveror OpenSSH depending on empirical measurements.🤖 Generated with Claude Code