Skip to content

fix: chmod squid logs inside container before compose down#5817

Merged
lpcox merged 3 commits into
mainfrom
copilot/fix-artifact-permission-repair
Jul 2, 2026
Merged

fix: chmod squid logs inside container before compose down#5817
lpcox merged 3 commits into
mainfrom
copilot/fix-artifact-permission-repair

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

On ARC/DinD runners, squid log files are written as UID 13 (proxy user). After docker compose down, the runner user (UID 1001) can't chmod them from the host, and the docker-based rootless repair (fixArtifactPermissionsForRootless) also fails — the path-prefix translation isn't applied to its bind-mount, and the squid image may be unavailable after --pull never. Result: awf logs summary returns EACCES and firewall logs are silently dropped from artifacts.

Changes

  • src/container-stop.ts: Add fixSquidLogPermissionsBeforeShutdown() — runs docker exec --user root awf-squid chmod -R a+rX /var/log/squid immediately before runComposeDown(). Executing as root inside the still-running container bypasses all host-side permission constraints and is independent of path translation or image availability. Fully tolerant: swallows errors if the container isn't running.

  • src/container-stop.test.ts: Update existing stopContainers tests to account for the chmod call being first in the sequence; add dedicated tests for fixSquidLogPermissionsBeforeShutdown covering both success and container-unavailable cases.

stopContainers(workDir, keepContainers=false):
  1. docker exec --user root awf-squid chmod -R a+rX /var/log/squid  ← new
  2. docker compose down -v -t 1

Copilot AI changed the title [WIP] Fix rootless artifact permission repair failure on ARC/DinD topology fix: chmod squid logs inside container before compose down Jul 2, 2026
Copilot finished work on behalf of lpcox July 2, 2026 14:46
Copilot AI requested a review from lpcox July 2, 2026 14:46
@lpcox lpcox marked this pull request as ready for review July 2, 2026 14:48
Copilot AI review requested due to automatic review settings July 2, 2026 14:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses an ARC/DinD rootless-runner failure mode where Squid’s bind-mounted log files are left owned by UID 13 (proxy) after shutdown, causing awf logs summary (and artifact collection) to hit EACCES and drop firewall logs.

Changes:

  • Add a pre-shutdown step that docker execs into the running Squid container as root to chmod -R a+rX /var/log/squid before docker compose down.
  • Wire the new chmod step into stopContainers() so it runs before shutdown when --keep-containers is not set.
  • Update and extend unit tests to account for the new call ordering and to cover success/failure tolerance of the chmod helper.
Show a summary per file
File Description
src/container-stop.ts Adds fixSquidLogPermissionsBeforeShutdown() and calls it before runComposeDown() to ensure Squid logs remain readable after shutdown.
src/container-stop.test.ts Updates stopContainers tests for the new pre-shutdown chmod call and adds focused tests for the new helper.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines +21 to 26
it('should run pre-shutdown chmod and docker compose down when keepContainers is false', async () => {
// 1. docker exec --user root awf-squid chmod (pre-shutdown)
mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any);
// 2. docker compose down
mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any);

Comment thread src/container-stop.ts Outdated
Comment on lines +41 to +45
await execa(
'docker',
['exec', '--user', 'root', SQUID_CONTAINER_NAME, 'chmod', '-R', 'a+rX', '/var/log/squid'],
{ env: getLocalDockerEnv(), reject: false },
);
…hmod

- Add beforeEach(jest.clearAllMocks()) to stopContainers describe block
  for proper test isolation between cases
- Check result.exitCode in fixSquidLogPermissionsBeforeShutdown and log
  at debug level when non-zero, making failures diagnosable without
  changing the tolerant behavior

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.64% 98.66% 📈 +0.02%
Statements 98.53% 98.55% 📈 +0.02%
Functions 99.56% 99.56% ➡️ +0.00%
Branches 94.51% 94.42% 📉 -0.09%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/container-stop.ts 100.0% → 95.7% (-4.35%) 100.0% → 95.7% (-4.35%)
src/workdir-setup.ts 93.0% → 94.8% (+1.74%) 93.0% → 94.8% (+1.74%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode

✅ BYOK Inference: Working (agent processing prompt)
✅ API-Proxy Sidecar: Connected to api.githubcopilot.com
✅ Credential Isolation: Placeholder injected in agent

Status: PASS
Mode: Direct BYOK via COPILOT_PROVIDER_API_KEY
Route: agent → api-proxy → api.githubcopilot.com

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

✅ GitHub MCP connectivity (pre-fetched)
✅ github.com connectivity
✅ File write/read test
✅ BYOK inference path
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

@lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: GitHub Actions Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@lpcox

Smoke Test - Copilot BYOK (Direct) Mode:

  • GitHub MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File I/O test: ✅
  • BYOK inference test: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5817 · 54.4 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

PR: fix: add test isolation and log non-zero exit codes in pre-shutdown chmod
Author: @lpcox

Test Result
GitHub.com connectivity (HTTP) ✅ 200 OK
GitHub MCP connectivity ✅ safeoutputs bridge reachable
Pre-computed file write/read ❌ template vars unresolved
Pre-fetched PR data ❌ template vars unresolved

Overall: FAIL — smoke-data step outputs were not injected (template variables unresolved).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth

Test Result
MCP Connectivity ❌ (MCP tools unavailable in agent context)
GitHub.com HTTP ✅ 200
File Write/Read ❌ (pre-step template vars not expanded)

Overall: FAIL
CC @lpcox
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions github-actions Bot mentioned this pull request Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • fix(ci): postprocess install-step swap must tolerate trailing --rootless flag ✅
  • fix: detect and expose system CA bundle for RHEL/Amazon Linux in chroot ✅
  • GitHub PR query ✅
  • Playwright title check ✅
  • File write/read ✅
  • Discussion lookup/comment ✅
  • npm ci && npm run build ✅
    Overall status: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5817 · 48.4 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • GitHub MCP Testing: ❌ (No MCP tools in declaration)
  • GitHub.com Connectivity: ❌ (HTTP 000)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
1. Module Loading ✅ Pass otel.js loads successfully, isEnabled: true. Exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + test helpers.
2. Test Suite ✅ Pass 59/59 tests passed across otel.test.js and otel-fanout.test.js (2 suites).
3. Env Var Forwarding ⚠️ Pending src/services/api-proxy-service.ts does not yet forward OTEL_EXPORTER_OTLP_ENDPOINT / GITHUB_AW_OTEL_TRACE_ID — expected during development.
4. Token Tracker Integration ✅ Pass token-tracker-http.js has onUsage callback — OTEL hook point confirmed present.
5. OTEL Diagnostics ⚠️ Expected No otel.jsonl span file produced during this validation run — spans require an active api-proxy inference session to emit.

Overall: All pass or expected-pending. Core OTEL infrastructure (otel.js, exporters, serialization, 59 tests) is solid. Env var forwarding from host service config to container is the one remaining gap (Scenario 3), consistent with active development.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: rootless artifact permission repair fails on ARC/DinD topology

3 participants