Skip to content

perf(harbor): pre-bake claude-code into the main image#15

Open
shehabyasser-scale wants to merge 2 commits into
harbor-3-compiler-fixesfrom
harbor-3-compiler-prebake-claude
Open

perf(harbor): pre-bake claude-code into the main image#15
shehabyasser-scale wants to merge 2 commits into
harbor-3-compiler-fixesfrom
harbor-3-compiler-prebake-claude

Conversation

@shehabyasser-scale

@shehabyasser-scale shehabyasser-scale commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Stacked on #9. Kills an infra failure class found running live optimization trials on local docker: harbor installs claude-code at trial start via the bootstrap as the agent user, and on slow container networks that download runs ~10-17 min, blowing the default 360s agent-setup budget (observed: 1 AgentSetupTimeoutError, then 8 NonZeroAgentExitCodeError from concurrent-download resets in one 10-trial job; the failures cost no tokens but killed 8/10 trials).

Measured, not assumed (2026-07-03, three container experiments):

Scenario Bootstrap time
Cold install (today's behavior) 625-1043s
Pre-baked as root, re-run as agent 1043s (no help; per-user install)
Pre-baked as agent, re-run as agent 253s (fits the 360s default budget)

So the layer installs as the agent user (the one harbor execs the installer as). Honest trade-offs, documented in the template comment: not a no-op (delta update); a stale image (newer claude-code release) degrades gracefully to the full download; || true keeps offline compiles working; other optimizer agents ignore the layer.

Render test added. 9 pass.

🤖 Generated with Claude Code

Greptile Summary

Pre-bakes the claude-code CLI into the main Harbor Docker image as the agent user, reducing per-trial bootstrap time from ~625–1043 s to ~250 s and reliably fitting within the default 360 s agent-setup budget. A matching test verifies the key assertions in the rendered Dockerfile.

  • Dockerfile.main.j2: adds a single RUN su - agent -c "curl -fsSL … | bash -s --" || true layer so the install lands in the agent user's home directory (matching what harbor's bootstrap does at trial time); || true keeps offline image builds non-fatal and is explicitly documented.
  • test_harbor_build.py: adds test_main_dockerfile_prebakes_claude_code which reads the compiled Dockerfile and asserts the host domain, script name, user switch, and silent-failure guard are all present.

Confidence Score: 5/5

Safe to merge — the change is additive, the fallback path is explicitly handled with || true, and the test suite covers all four key properties of the new Dockerfile layer.

The Dockerfile change is a single, well-scoped RUN layer that installs claude-code as the correct user, fails gracefully in offline environments, and degrades to the existing full-download behavior when the pre-baked install is absent or stale. The new test reads the compiled output and asserts on the host domain, script name, user switch, and silent-failure guard. No logic in the existing build path is altered.

No files require special attention.

Important Files Changed

Filename Overview
vero/src/vero/harbor/build/templates/Dockerfile.main.j2 Adds a pre-bake RUN layer that installs claude-code as the agent user via the official bootstrap script; `
vero/tests/test_harbor_build.py New test reads the compiled Dockerfile and asserts on the official host, script name, agent user switch, and silent-failure guard — all four key properties of the new layer.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant CI as CI Build
    participant Docker as Docker Build
    participant Img as Main Image
    participant Harbor as Harbor Runtime
    participant BS as Bootstrap Script

    CI->>Docker: docker build
    Docker->>Docker: apt-get install curl git ca-certificates
    Docker->>Docker: pip install vero[harbor]
    Docker->>Docker: useradd -m agent
    Docker->>BS: "su - agent -c curl bootstrap.sh | bash"
    alt network available
        BS-->>Img: claude-code in /home/agent (~250s)
    else error or offline
        BS-->>Img: "skip via || true, no claude-code"
    end
    CI-->>Img: image ready

    Harbor->>Img: start trial
    Img->>BS: re-run bootstrap as agent user
    alt claude-code pre-baked
        BS-->>Harbor: fast delta update ~250s fits 360s budget
    else not pre-baked
        BS-->>Harbor: full download ~625-1043s may exceed budget
    end
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant CI as CI Build
    participant Docker as Docker Build
    participant Img as Main Image
    participant Harbor as Harbor Runtime
    participant BS as Bootstrap Script

    CI->>Docker: docker build
    Docker->>Docker: apt-get install curl git ca-certificates
    Docker->>Docker: pip install vero[harbor]
    Docker->>Docker: useradd -m agent
    Docker->>BS: "su - agent -c curl bootstrap.sh | bash"
    alt network available
        BS-->>Img: claude-code in /home/agent (~250s)
    else error or offline
        BS-->>Img: "skip via || true, no claude-code"
    end
    CI-->>Img: image ready

    Harbor->>Img: start trial
    Img->>BS: re-run bootstrap as agent user
    alt claude-code pre-baked
        BS-->>Harbor: fast delta update ~250s fits 360s budget
    else not pre-baked
        BS-->>Harbor: full download ~625-1043s may exceed budget
    end
Loading

Reviews (2): Last reviewed commit: "test(harbor): pin the claude-code bootst..." | Re-trigger Greptile

Harbor installs the optimizer agent at trial start by piping the
claude-code bootstrap as the de-privileged agent user; on slow container
networks that download takes ~10-17 min, blowing the default 360s
agent-setup budget (observed live: 1 AgentSetupTimeoutError, then 8
NonZeroAgentExitCodeError from concurrent-download resets across a
10-trial job).

Pre-installing for the agent user at image build time makes the
per-trial bootstrap re-run a delta update: measured 253s vs 625s cold
(2026-07-03), inside the default setup budget. Trade-offs, measured and
documented in the template comment:

- Not a no-op: the bootstrap still verifies/re-downloads a delta; a
  stale image (newer claude-code release) degrades gracefully to the
  full download.
- Build-time network failure skips the layer (|| true) so offline
  compiles keep working.
- The layer is claude-code-specific; other optimizer agents simply
  ignore it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread vero/tests/test_harbor_build.py
Greptile on #15: asserting only 'bootstrap.sh' would not catch an
accidental domain change; pin downloads.claude.ai.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant