Skip to content

feat(docker): trace an app in another container via a phantom sidecar#10

Merged
epli2 merged 1 commit into
mainfrom
claude/php-5-3-compat-c9xr6h
Jul 14, 2026
Merged

feat(docker): trace an app in another container via a phantom sidecar#10
epli2 merged 1 commit into
mainfrom
claude/php-5-3-compat-c9xr6h

Conversation

@epli2

@epli2 epli2 commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Summary

  • Add --bind <ADDR> to phantom run (default 127.0.0.1, unchanged behavior). --bind 0.0.0.0 makes the MITM proxy reachable from other Docker containers on the same network, so phantom can trace an app it doesn't spawn — the target container just needs HTTP_PROXY/HTTPS_PROXY pointing at the phantom sidecar service. Same "manual" proxy-configuration mode phantom already supported on a single host, now crossing a Docker network boundary. phantom mcp sessions are unaffected — they keep binding loopback only.
  • The MITM CA certificate is now written to <data_dir>/ca.pem on every phantom run (previously only ever written to a PID-scoped temp file, and only when phantom spawned a PHP child for curl.cainfo injection), so it can be bind-mounted into the target container's trust store for HTTPS capture.
  • New examples/docker-sidecar/ with a runnable compose.yaml and a README covering the per-client/language CA-trust mechanics (there's no single env var every HTTP client honors).
  • New tests/proxy_bind_integration.rs verifying --bind 0.0.0.0 still proxies correctly and ca.pem gets exported.

Scope: HTTP_PROXY-sidecar only. Transparent iptables/eBPF interception and cross-container ldpreload tracing are both out of scope — possible future work.

Not verified end-to-end: no Docker daemon was available in the environment this was authored in, so examples/docker-sidecar/compose.yaml was only checked with docker compose config (no daemon required). Please confirm docker compose up --build works end-to-end before relying on it.

Test plan

  • cargo fmt --all -- --check
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo build --workspace --all-targets --all-features
  • cargo test --workspace --all-targets --all-features (all green, including the new proxy_bind_integration test and the full pre-existing suite)
  • docker compose up --build in examples/docker-sidecar/ — needs a real Docker daemon, not verified here

🤖 Generated with Claude Code


Generated by Claude Code

…om sidecar

Add --bind <ADDR> (default 127.0.0.1, unchanged behavior) so the MITM
proxy can also listen on 0.0.0.0, making it reachable from other Docker
containers on the same network. phantom itself never spawns the target
process in this mode — a separately-managed app container is configured
with HTTP_PROXY/HTTPS_PROXY pointing at the phantom sidecar service, the
same "manual" pattern phantom already supported on a single host, now
crossing a Docker network boundary. Applies to `phantom run` only; `phantom
mcp` sessions keep binding loopback only.

The MITM CA certificate is now written to <data_dir>/ca.pem on every
`phantom run` (previously only ever written to a PID-scoped temp file,
and only when phantom spawned a PHP child for curl.cainfo injection) so
it can be bind-mounted into another container's trust store for HTTPS
capture.

Add examples/docker-sidecar/ with a runnable compose.yaml and a README
covering the per-client/language CA-trust mechanics (there's no single
env var every HTTP client honors) — explicitly flagged as unverified
end-to-end in this environment (no Docker daemon available here);
`docker compose config` confirmed the compose file's structure only.

Rebuilt against the subcommand-based CLI restructuring (`phantom run`/
`list`/`get`/.../`mcp`) so this now targets src/cli.rs's RunArgs and
src/commands/run.rs instead of the old flat main.rs.

Scope: HTTP_PROXY-sidecar only, agreed with the user up front — transparent
iptables/eBPF interception and cross-container ldpreload tracing are both
out of scope, left as possible future work.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GbCUVmJxDEWtgJpE9drzga
@epli2
epli2 merged commit 0ec91b3 into main Jul 14, 2026
3 checks passed
@epli2
epli2 deleted the claude/php-5-3-compat-c9xr6h branch July 14, 2026 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants