Skip to content

fix: skip /etc bind mounts when sysroot-stage is active (arc-dind)#5732

Merged
lpcox merged 2 commits into
mainfrom
fix/skip-etc-mounts-with-sysroot
Jun 30, 2026
Merged

fix: skip /etc bind mounts when sysroot-stage is active (arc-dind)#5732
lpcox merged 2 commits into
mainfrom
fix/skip-etc-mounts-with-sysroot

Conversation

@lpcox

@lpcox lpcox commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Problem

On ARC/DinD runners with split filesystem, the agent container fails to start with OCI runtime mount errors. The Docker daemon cannot see the runner's filesystem paths, so bind mounts sourced from the runner fail.

Three categories of broken mounts were identified:

  1. /etc file mounts (e.g., /etc/ld.so.cache:/host/etc/ld.so.cache:ro) — daemon can't find these on its Alpine-based root
  2. Chroot hosts file (/tmp/awf-*/chroot-*/hosts:/host/etc/hosts:ro) — written to runner's /tmp which daemon can't see
  3. All workDir-based and home-based mounts (initSignalDir, agentLogsPath, sessionStatePath, chroot-home, ~/.cache, etc.) — sourced from runner's unshared /tmp/awf-* or /home/runner/

Fix

When isSysrootEnabled(config) is true (i.e., runner.topology: arc-dind), the sysroot named volume at /host already provides a complete glibc filesystem from the build-tools image. These fixes skip or filter mounts the daemon cannot resolve:

  1. buildEtcMounts() returns [] — sysroot volume has /etc
  2. generateHostsFileMount() is skipped — sysroot volume has /etc/hosts; domains resolve via DNS at runtime
  3. Compose generator filters bind mounts whose source starts with config.workDir or whose source starts with effectiveHome targeting /host/home/... — the sysroot volume provides writable home directories

Mounts that are kept:

  • /tmp:/tmp:rw (daemon's own /tmp)
  • Workspace (${GITHUB_WORKSPACE}:...) — ARC shares workspace with daemon
  • Kernel VFS (/sys, /dev)
  • /dev/null credential-hiding overlays
  • Custom --mount flags (typically under shared /tmp/gh-aw/)
  • sysroot:/host:rw named volume

Testing

  • All 3387 tests pass
  • Added tests for sysroot gating in etc-mounts.test.ts and compose-generator.test.ts
  • TypeScript compiles cleanly

Context

Iterative fix discovered during ARC/DinD canary testing. Each run revealed the next mount failure after the previous was fixed:

  • Run 28472890469: /etc/ld.so.cache mount error
  • Run 28476477775: /tmp/awf-*/chroot-*/hosts mount error
  • Next expected: initSignalDir, agentLogsPath, home mounts (addressed proactively)

When runnerTopology is 'arc-dind', the sysroot-stage container already
provides a complete /etc from the build-tools image. Bind-mounting the
host's /etc files on top fails on split-fs because the Docker daemon
cannot resolve runner filesystem paths (e.g., /etc/ld.so.cache doesn't
exist on the Alpine-based DinD daemon).

Return an empty array from buildEtcMounts() when isSysrootEnabled() is
true, since the sysroot volume already has all needed /etc content.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 20:30
@github-actions

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.64% 98.68% 📈 +0.04%
Statements 98.56% 98.60% 📈 +0.04%
Functions 99.55% 99.55% ➡️ +0.00%
Branches 94.52% 94.53% 📈 +0.01%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/services/agent-volumes/etc-mounts.ts 98.2% → 98.3% (+0.09%) 98.2% → 98.3% (+0.09%)
src/workdir-setup.ts 92.7% → 94.5% (+1.82%) 92.7% → 94.5% (+1.82%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes ARC/DinD (split filesystem) agent startup failures by preventing AWF from attempting host /etc bind mounts when the sysroot-stage mechanism is active, since the sysroot volume already contains a complete /etc and split-fs daemons can’t reliably bind the runner’s /etc paths.

Changes:

  • Skip /etc bind mounts entirely when runnerTopology enables sysroot-stage (arc-dind).
  • Add unit tests covering arc-dind, standard, and undefined topology behavior for buildEtcMounts().
Show a summary per file
File Description
src/services/agent-volumes/etc-mounts.ts Returns [] from buildEtcMounts() when sysroot-stage is enabled to avoid broken /etc overlays on ARC/DinD split-fs.
src/services/agent-volumes/etc-mounts.test.ts Adds test coverage validating that only arc-dind produces an empty mount list, while other topologies keep existing /etc mounts.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread src/services/agent-volumes/etc-mounts.test.ts Outdated
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

Contribution guidelines review complete for PR #5732: the PR includes tests for the code change, has a clear description with related context, keeps files in the appropriate src/ service/test locations, and does not appear to need documentation updates.

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API status ✅ PASS
GH check ✅ PASS
File status ✅ PASS

Overall result: PASS

Generated by Smoke Claude for #5732 · 52.3 AIC · ⊞ 6.1K ·
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

Test Result
GitHub MCP ✅ Connected (listed PRs successfully)
HTTP Connectivity ❌ Pre-step data unavailable (template not resolved)
File Write/Read ❌ Pre-step data unavailable (template not resolved)

PR: fix: skip /etc bind mounts when sysroot-stage is active (arc-dind)
Author: @lpcox

Overall: FAIL — MCP connectivity confirmed, but pre-computed step outputs (SMOKE_HTTP_CODE, SMOKE_FILE_PATH, SMOKE_FILE_CONTENT) were not resolved before agent execution.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

@lpcox
MCP PRs:

  • fix: skip /etc bind mounts when sysroot-stage is active (arc-dind): ✅
  • fix: correctly recover runner tool on PATH (after sudo w/ secure_path). remove incorrect reading from GITHUB_PATH: ✅
    GitHub.com connectivity: ✅
    File I/O test: ✅
    BYOK inference test: ✅
    Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
    ✅ PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

@lpcox
GitHub MCP Testing: ✅
GitHub.com Connectivity: ✅
File Write/Read: ✅
BYOK Inference: ✅
Running direct BYOK mode (OIDC→Entra) via api-proxy→Foundry (o4-mini-aw)
PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Gemini Smoke Test Results: PASS. Titles: 1. fix: escape $d as $$d in sysroot-stage compose command, 2. fix: pass host-gateway IP to iptables-init container for NAT bypass. Connectivity: OK. File: OK.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK Test Results

MCP Test: ✅ Last 2 merged PRs retrieved
GitHub.com: ✅ HTTP 200
File I/O: ✅ Write/read test passed
BYOK Inference: ✅ Direct BYOK mode active

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com. PASS

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Chroot Smoke Test Results

Runtime Host Version Chroot Version Match?
Python 3.12.13 3.12.3 ❌ NO
Node.js v24.18.0 v22.23.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Overall: ❌ NOT all tests passed — Python and Node.js versions differ between host and chroot environments. Go matches correctly.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Status Detail
Module Loading otel.js loads cleanly; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
Test Suite 59 passed, 0 failed (2 suites: otel.test.js, otel-fanout.test.js)
Env Var Forwarding api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
Token Tracker Integration onUsage callback present in token-tracker-http.js (lines 283, 324)
OTEL Diagnostics No container running (unit-test context); fallback path writes to /var/log/api-proxy/otel.jsonl when no OTLP endpoint is set — expected behavior

All scenarios pass. OTEL tracing integration is healthy.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔥 Smoke Test Results — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

Overall: PASS@lpcox

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Merged PRs:

  • fix: escape $d as $$d in sysroot-stage compose command
  • docs: sync schemas and specs with source changes

Checks:

  • PR list review: ❌ (required safeinputs-gh wrapper missing; gh auth unavailable)
  • Playwright GitHub title: ✅
  • File write/read: ✅
  • Discussion comment: ✅
  • Build (npm ci && npm run build): ✅

Overall: FAIL

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

Check Result
Redis PING ❌ Timeout — host.docker.internal unreachable
PostgreSQL pg_isready ❌ No response on port 5432
PostgreSQL SELECT 1 ❌ Timeout — connection failed

Overall: FAIL

host.docker.internal is not resolvable/reachable from this runner (not running inside a Docker container).

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5732 · 52.5 AIC · ⊞ 7.8K ·
Add label ready-for-aw to run again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants