Skip to content

Bug: --enable-chroot ignores --agent-image preset and fails with packaged binary #458

Closed
#459
Closed
Bug: --enable-chroot ignores --agent-image preset and fails with packaged binary#458
#459
@Mossaka

Description

@Mossaka
Mossaka
opened on Feb 2, 2026

Summary

When using --enable-chroot with --agent-image act, AWF v0.13.0 fails with:

unable to prepare context: path "/snapshot/gh-aw-firewall/containers/agent" not found

Root Cause

In docker-manager.ts, the agent image selection logic prioritizes chroot mode over GHCR preset images:

if (config.enableChroot) {
    // BUG: ALWAYS builds locally, ignoring --agent-image act
    agentService.build = {
      context: path.join(projectRoot, 'containers/agent'),
      dockerfile: 'Dockerfile.minimal',
      ...
    };
} else if (useGHCR && isPreset) {
    // NEVER REACHED when enableChroot is true
    agentService.image = \`\${registry}/\${imageName}:\${tag}\`;
}

When --enable-chroot is specified, the code always tries to build locally from Dockerfile.minimal, completely ignoring the --agent-image act preset. This fails because:

  1. The AWF binary is packaged with pkg (creates /snapshot/... paths)
  2. The containers/agent/ directory doesn't exist in the packaged binary
  3. Docker can't find the build context

Expected Behavior

When using preset images (default or act) with --enable-chroot, AWF should use the pre-built GHCR images since they already include the necessary minimal setup for chroot mode.

Reproduction

# Download v0.13.0 release binary
# Run with --enable-chroot and --agent-image act
sudo -E awf --enable-chroot --agent-image act --allow-domains github.com -- echo "test"
# Error: unable to prepare context: path "/snapshot/gh-aw-firewall/containers/agent" not found

Proposed Fix

Change the logic to prioritize GHCR preset images:

const agentImage = config.agentImage || 'default';
const isPreset = agentImage === 'default' || agentImage === 'act';

if (useGHCR && isPreset) {
    // Use pre-built GHCR image for preset images (works in chroot mode too)
    const imageName = agentImage === 'act' ? 'agent-act' : 'agent';
    agentService.image = \`\${registry}/\${imageName}:\${tag}\`;
} else if (config.buildLocal || config.enableChroot) {
    // Build locally when --build-local OR --enable-chroot with custom image
    agentService.build = {
      context: path.join(projectRoot, 'containers/agent'),
      dockerfile: config.enableChroot ? 'Dockerfile.minimal' : 'Dockerfile',
      ...
    };
} else {
    // Custom image specified
    agentService.image = agentImage;
}

Environment

  • AWF version: v0.13.0
  • gh-aw version: v0.37.0
  • Platform: Linux (GitHub Actions runner)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions