feat: Distribute bssh-server binary alongside bssh via import workflow#11136
Open
feat: Distribute bssh-server binary alongside bssh via import workflow#11136
Conversation
github-actions
bot
added
size:M
Yaminyam
added a commit
that referenced
this pull request
Apr 16, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Extends the automated bssh import workflow to also vendor bssh-server release artifacts, and updates the agent’s session container mounts so the new server binary (and manpage) can be made available inside containers once imported.
Changes:
- Update
.github/workflows/import-bssh.ymlto download/move bothbsshandbssh-serverbinaries foraarch64/x86_64, and to includebssh-server.1when present. - Update
src/ai/backend/agent/agent.pyto mountbssh-server.{arch}.bininto session containers at/opt/kernel/bssh-server(andbssh-server.1into the manpage directory) withskip_missing=True.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/ai/backend/agent/agent.py |
Adds mounts for bssh-server binary/manpage into session containers. |
.github/workflows/import-bssh.yml |
Generalizes the import workflow to fetch/commit both bssh and bssh-server artifacts. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
641
to
+649
| mount_static_binary("all-smi.1", "/usr/local/share/man/man1/all-smi.1", skip_missing=True) | ||
| mount_static_binary(f"bssh.{arch}.bin", "/usr/local/bin/bssh") | ||
| mount_static_binary("bssh.1", "/usr/local/share/man/man1/bssh.1", skip_missing=True) | ||
| mount_static_binary( | ||
| f"bssh-server.{arch}.bin", "/opt/kernel/bssh-server", skip_missing=True | ||
| ) | ||
| mount_static_binary( | ||
| "bssh-server.1", "/usr/local/share/man/man1/bssh-server.1", skip_missing=True | ||
| ) |
There was a problem hiding this comment.
skip_missing=True in mount_static_binary() currently only suppresses the FileNotFoundError, but it still appends a bind mount even when the source path does not exist. For Docker/K8s agents this will still fail container startup when bssh-server.{arch}.bin is absent, which defeats the backward-compat intent mentioned in the PR description. Consider changing mount_static_binary() to return early (no mount) when skip_missing is set and resolved_path does not exist, or otherwise ensure the mount source is created as a placeholder before mounting.
Suggested change
| mount_static_binary("all-smi.1", "/usr/local/share/man/man1/all-smi.1", skip_missing=True) | |
| mount_static_binary(f"bssh.{arch}.bin", "/usr/local/bin/bssh") | |
| mount_static_binary("bssh.1", "/usr/local/share/man/man1/bssh.1", skip_missing=True) | |
| mount_static_binary( | |
| f"bssh-server.{arch}.bin", "/opt/kernel/bssh-server", skip_missing=True | |
| ) | |
| mount_static_binary( | |
| "bssh-server.1", "/usr/local/share/man/man1/bssh-server.1", skip_missing=True | |
| ) | |
| if self.resolve_krunner_filepath("runner/all-smi.1").exists(): | |
| mount_static_binary("all-smi.1", "/usr/local/share/man/man1/all-smi.1", skip_missing=True) | |
| mount_static_binary(f"bssh.{arch}.bin", "/usr/local/bin/bssh") | |
| if self.resolve_krunner_filepath("runner/bssh.1").exists(): | |
| mount_static_binary("bssh.1", "/usr/local/share/man/man1/bssh.1", skip_missing=True) | |
| if self.resolve_krunner_filepath(f"runner/bssh-server.{arch}.bin").exists(): | |
| mount_static_binary( | |
| f"bssh-server.{arch}.bin", "/opt/kernel/bssh-server", skip_missing=True | |
| ) | |
| if self.resolve_krunner_filepath("runner/bssh-server.1").exists(): | |
| mount_static_binary( | |
| "bssh-server.1", "/usr/local/share/man/man1/bssh-server.1", skip_missing=True | |
| ) |
| ls -la "${TARGET_DIR}/${TOOL}.${ARCH}.bin" | ||
| done | ||
| done | ||
| # Move manpages (only bssh currently ships a manpage) |
There was a problem hiding this comment.
The comment says “only bssh currently ships a manpage”, but the loop now also handles bssh-server.1. Consider updating the comment to reflect the actual behavior (e.g., move manpages if present) to avoid future confusion.
Suggested change
| # Move manpages (only bssh currently ships a manpage) | |
| # Move manpages if present |
- Extend `.github/workflows/import-bssh.yml` to also download, extract,
and commit `bssh-server-linux-{aarch64,x86_64}-musl` binaries so that
the newly released bssh v2.0.x server component is available under
`src/ai/backend/runner/` whenever bssh client updates land.
- Mount the bssh-server binary into session containers at
`/opt/kernel/bssh-server` (and the manpage under
`/usr/local/share/man/man1/`) so that it can be exercised for
stability/performance testing. dropbear remains the default SSH server
used by krunner; switching over is a separate follow-up.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pants-pinned ruff 0.14.0 collapses the mount line since it fits within the 100-char limit, while ruff 0.14.6 (local install) kept it wrapped. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Yaminyam
force-pushed
the
deps/add-bssh-server-binary
branch
from
eda8bc4 to
0c6cdbc
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.github/workflows/import-bssh.ymlso that the automated bssh import workflow also downloads and commitsbssh-server-linux-{aarch64,x86_64}-muslbinaries whenever a new bssh release is cut. The existing bssh client flow is preserved; a single loop now handles both tools.src/ai/backend/agent/agent.pyso the agent mountsbssh-server.{arch}.bininto session containers at/opt/kernel/bssh-server(and the manpage at/usr/local/share/man/man1/) withskip_missing=True, so that the binary becomes accessible inside sessions once the import workflow imports it without breaking existing agents that don't have it yet.Rationale
The
bsshupstream project released v2.0.x with a newbssh-server— a Rust-based SSH server for containers supporting SFTP/SCP, PTY/shell, password/pubkey auth, and audit logging. We want to make it available in session containers alongside the existing dropbear-based SSH server for stability and performance evaluation before any decision to replace dropbear is made.As documented in recent upload-performance measurements (
dogbowl, 2026-04-16), dropbear is a single-threaded SSH server that caps SFTP throughput at ~75 MB/s (CPU-bound on 1 core), while OpenSSH on the same container setup reaches ~95 MB/s.bssh-serverbuilt withrusshis expected to close this gap while keeping the lightweight image footprint. Landing the binary first lets us benchmark it empirically before touching krunner'sintrinsic.py.Test plan
import-bsshworkflow run (manual dispatch) downloads bothbsshandbssh-serverarchives foraarch64andx86_64, extracts the binaries, and creates a PR withbssh.{arch}.bin,bssh-server.{arch}.binundersrc/ai/backend/runner/./opt/kernel/bssh-server(viadocker exec ... ls -la /opt/kernel/).Follow-ups (not in this PR)
bssh-serverintosrc/ai/backend/kernel/intrinsic.pyas an alternative (flag-driven) SSH server, once it has been manually validated.bssh-serveror OpenSSH depending on empirical measurements.🤖 Generated with Claude Code