fix: skip /etc bind mounts when sysroot-stage is active (arc-dind)#5732
Conversation
When runnerTopology is 'arc-dind', the sysroot-stage container already provides a complete /etc from the build-tools image. Bind-mounting the host's /etc files on top fails on split-fs because the Docker daemon cannot resolve runner filesystem paths (e.g., /etc/ld.so.cache doesn't exist on the Alpine-based DinD daemon). Return an empty array from buildEtcMounts() when isSysrootEnabled() is true, since the sysroot volume already has all needed /etc content. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (2 files)
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
This pull request fixes ARC/DinD (split filesystem) agent startup failures by preventing AWF from attempting host /etc bind mounts when the sysroot-stage mechanism is active, since the sysroot volume already contains a complete /etc and split-fs daemons can’t reliably bind the runner’s /etc paths.
Changes:
- Skip
/etcbind mounts entirely whenrunnerTopologyenables sysroot-stage (arc-dind). - Add unit tests covering
arc-dind,standard, andundefinedtopology behavior forbuildEtcMounts().
Show a summary per file
| File | Description |
|---|---|
src/services/agent-volumes/etc-mounts.ts |
Returns [] from buildEtcMounts() when sysroot-stage is enabled to avoid broken /etc overlays on ARC/DinD split-fs. |
src/services/agent-volumes/etc-mounts.test.ts |
Adds test coverage validating that only arc-dind produces an empty mount list, while other topologies keep existing /etc mounts. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
- Review effort level: Low
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
✅ Copilot review passed with no inline comments. @lpcox Add the |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✅ Contribution Check completed successfully! Contribution guidelines review complete for PR #5732: the PR includes tests for the code change, has a clear description with related context, keeps files in the appropriate src/ service/test locations, and does not appear to need documentation updates. |
|
🚀 Security Guard has started processing this pull request |
|
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓 |
|
✅ Smoke Claude passed |
|
✅ Build Test Suite completed successfully! |
|
🔌 Smoke Services — All services reachable! ✅ |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
Smoke Test: Claude Engine Validation
Overall result: PASS
|
🔬 Smoke Test Results
PR: fix: skip /etc bind mounts when sysroot-stage is active (arc-dind) Overall: FAIL — MCP connectivity confirmed, but pre-computed step outputs (
|
|
@lpcox
|
|
@lpcox
|
|
Gemini Smoke Test Results: PASS. Titles: 1. fix: escape Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
|
✅ Smoke Copilot BYOK Test Results MCP Test: ✅ Last 2 merged PRs retrieved Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com. PASS ✓
|
🔍 Chroot Smoke Test Results
Overall: ❌ NOT all tests passed — Python and Node.js versions differ between host and chroot environments. Go matches correctly.
|
🔥 Smoke Test: API Proxy OpenTelemetry Tracing
All scenarios pass. OTEL tracing integration is healthy.
|
🔥 Smoke Test Results — Auth mode: PAT (COPILOT_GITHUB_TOKEN)
Overall: PASS — @lpcox
|
|
Merged PRs:
Checks:
Overall: FAIL
|
Smoke Test: Services Connectivity
Overall: FAIL
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Problem
On ARC/DinD runners with split filesystem, the agent container fails to start with OCI runtime mount errors. The Docker daemon cannot see the runner's filesystem paths, so bind mounts sourced from the runner fail.
Three categories of broken mounts were identified:
/etcfile mounts (e.g.,/etc/ld.so.cache:/host/etc/ld.so.cache:ro) — daemon can't find these on its Alpine-based root/tmp/awf-*/chroot-*/hosts:/host/etc/hosts:ro) — written to runner's/tmpwhich daemon can't seeinitSignalDir,agentLogsPath,sessionStatePath,chroot-home,~/.cache, etc.) — sourced from runner's unshared/tmp/awf-*or/home/runner/Fix
When
isSysrootEnabled(config)is true (i.e.,runner.topology: arc-dind), the sysroot named volume at/hostalready provides a complete glibc filesystem from the build-tools image. These fixes skip or filter mounts the daemon cannot resolve:buildEtcMounts()returns[]— sysroot volume has/etcgenerateHostsFileMount()is skipped — sysroot volume has/etc/hosts; domains resolve via DNS at runtimeconfig.workDiror whose source starts witheffectiveHometargeting/host/home/...— the sysroot volume provides writable home directoriesMounts that are kept:
/tmp:/tmp:rw(daemon's own/tmp)${GITHUB_WORKSPACE}:...) — ARC shares workspace with daemon/sys,/dev)/dev/nullcredential-hiding overlays--mountflags (typically under shared/tmp/gh-aw/)sysroot:/host:rwnamed volumeTesting
etc-mounts.test.tsandcompose-generator.test.tsContext
Iterative fix discovered during ARC/DinD canary testing. Each run revealed the next mount failure after the previous was fixed:
/etc/ld.so.cachemount error/tmp/awf-*/chroot-*/hostsmount errorinitSignalDir,agentLogsPath, home mounts (addressed proactively)