[awf] ARC/DinD: agent entrypoint clobbers HOME/USER/LOGNAME and rejects Alpine chroot hosts

[lpcox]

Problem

On ARC/DinD (Kubernetes) runners, AWF v0.75.4 requires six distinct workflow-level workarounds to run Copilot in chroot mode. Key AWF-specific failures: (1) chroot rejects Alpine/musl DinD hosts — capsh not found and /bin/sh: No such file or directory because AWF assumes glibc; (2) entrypoint.sh clobbers HOME/USER/LOGNAME to AWF container values after capsh, ignoring engine.env overrides, causing Copilot to fail writing ~/.copilot/state; (3) runner-installed binaries (copilot) are invisible in chroot because AWF bind-mounts the DinD daemon's /usr, not the runner's /usr.

Context

Source issue: github/gh-aw#34896

Reproduction: ARC EKS scale-set, docker:dind (Alpine), DOCKER_HOST=(localhost/redacted) sandbox.agent.id: awf`, chroot mode.

Root Cause

containers/agent/entrypoint.sh applies the identity triple (HOME/USER/LOGNAME) from the AWF container environment before capsh's user-switch, so engine.env values are overridden. Chroot probe assumes glibc host and does not fall back for musl/Alpine DinD images.

Proposed Solution

• Fix containers/agent/entrypoint.sh: apply HOME/USER/LOGNAME from engine.env AFTER capsh user-switch, not before.
• Publish a glibc-based companion DinD image (ghcr.io/github/gh-aw-firewall/dind-ubuntu:latest) with docker-ce, libcap2-bin, and Node.js pre-installed; document as the recommended ARC DinD base.
• Add an awf.chroot.binaries_source_path option to src/docker-manager.ts so runner-side binaries (copilot) can be overlaid alongside the daemon-side /usr mount without a pre-run copy step.

Generated by Firewall Issue Dispatcher · sonnet46 2.5M · ◷

[github-actions]

👋 Hello! I noticed this issue may be closely related to a recently closed issue:

• [awf] ARC/DinD: remaining workarounds needed for zero-config chroot mode on Kubernetes runners #4399 — [awf] ARC/DinD: remaining workarounds needed for zero-config chroot mode on Kubernetes runners (closed as completed on June 5, 2026)

Why they appear similar:

Both issues reference the same upstream source (gh-aw#34896) and describe the same three core problems:

1. HOME/USER/LOGNAME clobbering — [awf] ARC/DinD: remaining workarounds needed for zero-config chroot mode on Kubernetes runners #4399 Gap 1 tracks the exact same entrypoint.sh identity override issue
2. Runner binaries not visible in chroot — [awf] ARC/DinD: remaining workarounds needed for zero-config chroot mode on Kubernetes runners #4399 Gap 3 describes the same DinD /usr mount problem
3. The Alpine/musl + capsh not found failure appears related to the broader ARC/DinD compatibility gaps tracked in [awf] ARC/DinD: remaining workarounds needed for zero-config chroot mode on Kubernetes runners #4399

Since #4399 was closed just 4 days ago as "completed," this new issue may be reporting:

• A regression introduced during those fixes
• Problems that were only partially resolved in [awf] ARC/DinD: remaining workarounds needed for zero-config chroot mode on Kubernetes runners #4399

It might be worth cross-referencing the PRs listed in #4399 (#2839, #2843, #3218, #3554, #3852, #3914, #4026) to determine whether the Alpine/glibc gap and the identity override fix were included in those changes.

This is an automated message from the issue duplication detector.

Generated by Issue Duplication Detector for issue #4567 · sonnet46 881.2K · ◷