fix: chmod squid logs inside container before compose down#5817
Conversation
There was a problem hiding this comment.
Pull request overview
This PR addresses an ARC/DinD rootless-runner failure mode where Squid’s bind-mounted log files are left owned by UID 13 (proxy) after shutdown, causing awf logs summary (and artifact collection) to hit EACCES and drop firewall logs.
Changes:
- Add a pre-shutdown step that
docker execs into the running Squid container as root tochmod -R a+rX /var/log/squidbeforedocker compose down. - Wire the new chmod step into
stopContainers()so it runs before shutdown when--keep-containersis not set. - Update and extend unit tests to account for the new call ordering and to cover success/failure tolerance of the chmod helper.
Show a summary per file
| File | Description |
|---|---|
| src/container-stop.ts | Adds fixSquidLogPermissionsBeforeShutdown() and calls it before runComposeDown() to ensure Squid logs remain readable after shutdown. |
| src/container-stop.test.ts | Updates stopContainers tests for the new pre-shutdown chmod call and adds focused tests for the new helper. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 2
- Review effort level: Low
| it('should run pre-shutdown chmod and docker compose down when keepContainers is false', async () => { | ||
| // 1. docker exec --user root awf-squid chmod (pre-shutdown) | ||
| mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any); | ||
| // 2. docker compose down | ||
| mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any); | ||
|
|
| await execa( | ||
| 'docker', | ||
| ['exec', '--user', 'root', SQUID_CONTAINER_NAME, 'chmod', '-R', 'a+rX', '/var/log/squid'], | ||
| { env: getLocalDockerEnv(), reject: false }, | ||
| ); |
…hmod - Add beforeEach(jest.clearAllMocks()) to stopContainers describe block for proper test isolation between cases - Check result.exitCode in fixSquidLogPermissionsBeforeShutdown and log at debug level when non-zero, making failures diagnosable without changing the tolerant behavior Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
✅ Copilot review passed with no inline comments. @copilot Add the |
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 98.64% | 98.66% | 📈 +0.02% |
| Statements | 98.53% | 98.55% | 📈 +0.02% |
| Functions | 99.56% | 99.56% | ➡️ +0.00% |
| Branches | 94.51% | 94.42% | 📉 -0.09% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/container-stop.ts |
100.0% → 95.7% (-4.35%) | 100.0% → 95.7% (-4.35%) |
src/workdir-setup.ts |
93.0% → 94.8% (+1.74%) | 93.0% → 94.8% (+1.74%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
🔌 Smoke Services — All services reachable! ✅ |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
✅ Build Test Suite completed successfully! |
|
🚀 Security Guard has started processing this pull request |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓 |
|
Chroot tests failed Smoke Chroot failed - See logs for details. |
|
✅ Smoke Claude passed |
Smoke Test: Copilot BYOK (Direct) Mode✅ BYOK Inference: Working (agent processing prompt) Status: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
✅ GitHub MCP connectivity (pre-fetched) Overall: PASS
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: GitHub Actions Services Connectivity
Overall: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
Smoke Test - Copilot BYOK (Direct) Mode:
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) Overall: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Claude Engine Validation
Overall Result: PASS ✅ Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔬 Smoke Test ResultsPR: fix: add test isolation and log non-zero exit codes in pre-shutdown chmod
Overall: FAIL — smoke-data step outputs were not injected (template variables unresolved). Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot PAT Auth
Overall: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
Smoke Test Results
Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test Results
Overall status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
📡 Smoke Test: API Proxy OpenTelemetry Tracing
Overall: All pass or expected-pending. Core OTEL infrastructure ( Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
On ARC/DinD runners, squid log files are written as UID 13 (
proxyuser). Afterdocker compose down, the runner user (UID 1001) can'tchmodthem from the host, and the docker-based rootless repair (fixArtifactPermissionsForRootless) also fails — the path-prefix translation isn't applied to its bind-mount, and the squid image may be unavailable after--pull never. Result:awf logs summaryreturns EACCES and firewall logs are silently dropped from artifacts.Changes
src/container-stop.ts: AddfixSquidLogPermissionsBeforeShutdown()— runsdocker exec --user root awf-squid chmod -R a+rX /var/log/squidimmediately beforerunComposeDown(). Executing as root inside the still-running container bypasses all host-side permission constraints and is independent of path translation or image availability. Fully tolerant: swallows errors if the container isn't running.src/container-stop.test.ts: Update existingstopContainerstests to account for the chmod call being first in the sequence; add dedicated tests forfixSquidLogPermissionsBeforeShutdowncovering both success and container-unavailable cases.