rmoff/harbor-vertex-patch

Harbor + Vertex AI: Setup Guide

Vanilla Harbor has no Vertex AI support. This patch adds it.

What it does

Replaces claude_code.py in the installed Harbor package and patches docker-compose-base.yaml:

  • Vertex AI env var passthrough: CLAUDE_CODE_USE_VERTEX, ANTHROPIC_VERTEX_PROJECT_ID, CLOUD_ML_REGION
  • ADC credential upload: Automatically copies your local Google Cloud credentials into the Docker container
  • iptables REJECT rule: Blocks connections to the GCP metadata server (169.254.169.254) so the native binary's auth probes fail instantly instead of timing out for ~300s per API call
  • NET_ADMIN capability: Added to docker-compose-base.yaml (required for iptables)
  • --dangerously-skip-permissions: Replaces --permission-mode=bypassPermissions

Quick start

1. Install Harbor

uv tool install harbor

2. Apply the Vertex AI patch

cd ~/work/harbor
bash vertex-patch/apply.sh

3. Set up Google Cloud credentials

# Authenticate (creates ~/.config/gcloud/application_default_credentials.json)
gcloud auth application-default login

# Or point to an existing service account key:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credentials.json

4. Set environment variables

export CLAUDE_CODE_USE_VERTEX=1
export ANTHROPIC_VERTEX_PROJECT_ID=your-gcp-project
export CLOUD_ML_REGION=us-east5  # or "global"

5. Run

harbor run \
    -a claude-code \
    -m "claude-sonnet-4-6" \
    -p "tasks/your-task" \
    -n 1 \
    --force-build

Use --force-build the first time (or after upgrading Harbor) to rebuild Docker images.

Re-applying after Harbor upgrades

uv tool upgrade harbor overwrites the patched files. Re-run the script:

uv tool upgrade harbor
bash vertex-patch/apply.sh

What changes vs vanilla Harbor

| Aspect | Vanilla | Patched |
|---|---|---|
| Claude Code install | Native binary (Bun) | Native binary + iptables REJECT |
| Metadata server probe | Times out (~300s/call) | Rejected instantly (0s) |
| Vertex AI support | None | Full (env vars, ADC upload, model name) |
| Bedrock support | Yes | Yes (unchanged) |
| Docker capabilities | Default | NET_ADMIN added |
| Permissions flag | --permission-mode=bypassPermissions | --dangerously-skip-permissions |
| FORCE_AUTO_BACKGROUND_TASKS | Set to 1 | Removed |
| ENABLE_BACKGROUND_TASKS | Set to 1 | Removed |

How the iptables fix works

The native Claude Code binary bundles the Bun runtime, which has a ~75s socket connect timeout. When running in Docker, the Google/AWS/Azure auth libraries probe the GCP metadata server (169.254.169.254:80) on every API call. This endpoint doesn't exist in Docker, so each probe times out. With 4 retries, that's ~300s of dead time per API call.

The iptables rule (iptables -A OUTPUT -d 169.254.169.254 -j REJECT) makes these connections fail instantly with ECONNREFUSED instead of timing out. The auth libraries then fall through to the ADC credentials file without delay.

This is safe: 169.254.169.254 only exists on GCP VMs. In Docker, it's unreachable anyway -- this just makes the failure instant instead of slow.
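
A post-patch check for the rule described above, as an added example that is not part of this repository's code: it reads the output of `iptables -S OUTPUT` and reports whether the first rule naming the metadata address is REJECT (instant failure), DROP (which still waits out the connect timeout), or missing. The function names, the `--live` switch and the sample rule listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the patch: classify how the OUTPUT chain treats
# the metadata address. Input on stdin is the text of `iptables -S OUTPUT`.
METADATA_IP="169.254.169.254"

# Prints the lowercased target of the first OUTPUT rule whose -d is the
# metadata address (e.g. reject, drop, accept), or "missing" if none names it.
# iptables is first-match-wins, so only that first rule decides the outcome.
# Assumption: rules that match only by port or interface are not considered.
classify_metadata_rule() {
    awk -v ip="$METADATA_IP" '
        $1 == "-A" && $2 == "OUTPUT" {
            dst = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (dst == ip || dst == (ip "/32")) {
                print tolower(target); found = 1; exit
            }
        }
        END { if (!found) print "missing" }
    '
}

# Succeeds only for REJECT. DROP discards packets silently, so the client
# still waits for its connect timeout, the delay the patch is meant to remove.
metadata_fails_fast() {
    [ "$(classify_metadata_rule)" = "reject" ]
}

# Constructed samples of `iptables -S OUTPUT` output (not captured from Harbor).
SAMPLE_PATCHED='-P OUTPUT ACCEPT
-A OUTPUT -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_DROP='-P OUTPUT ACCEPT
-A OUTPUT -d 169.254.169.254/32 -j DROP'
SAMPLE_VANILLA='-P OUTPUT ACCEPT'

# Live use inside the task container (needs root): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    iptables -S OUTPUT | classify_metadata_rule
fi
```

Because the container holds NET_ADMIN, a root process inside it can also delete or reorder the rule, so run the check at the point where the agent actually starts rather than only at image build time.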

Tested with

  • Harbor 0.3.0
  • Claude Code 2.1.96 (native binary)
  • Vertex AI, region global, project claude-code-prod
  • macOS host (Darwin 24.6.0)
  • Task: a-minimal-no-skills (ubuntu:24.04 base) -- 2:03 wall time, 12 steps, max gap 16s, zero metadata server delays

About

Vertex AI support patch for Harbor's Claude Code agent
