fix: filter split-fs-invisible mounts when sysroot-stage is active (arc-dind)#5734
The generated /etc/hosts file (chroot-*/hosts) is written to the runner's /tmp which the Docker daemon cannot see on split-fs ARC/DinD. Skip this mount when sysroot is active since the volume already provides /etc/hosts. DNS pre-resolution is traded off; domains resolve at runtime. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
On ARC/DinD with split filesystem, the Docker daemon cannot see:
- Paths under AWF's workDir (/tmp/awf-*) on the runner's /tmp
- Runner home directory paths mounted to /host/home/...
These bind mounts fail with OCI runtime errors. When sysroot-stage is active, drop them at compose generation time:
- workDir-based mounts (initSignalDir, logs, session state, chroot-home)
- Home directory mounts targeting /host (sysroot volume provides these)
The agent still gets:
- /tmp:/tmp:rw (daemon's own /tmp)
- Workspace (shared between runner and daemon on ARC)
- Kernel VFS (/sys, /dev)
- Credential-hiding /dev/null overlays
- The sysroot named volume at /host with full glibc filesystem
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 98.64% | 98.68% | 📈 +0.04% |
| Statements | 98.56% | 98.58% | 📈 +0.02% |
| Functions | 99.55% | 99.55% | ➡️ +0.00% |
| Branches | 94.53% | 94.51% | 📉 -0.02% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/compose-generator.ts | 99.0% → 99.0% (+0.07%) | 99.0% → 98.1% (-0.83%) |
| src/workdir-setup.ts | 92.7% → 94.5% (+1.82%) | 92.7% → 94.5% (+1.82%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
Pull request overview
This PR is a follow-up ARC/DinD (“split filesystem”) fix that adjusts how AWF composes bind mounts when runnerTopology: 'arc-dind' (sysroot-stage active), aiming to avoid Docker daemon mount failures caused by runner-only paths.
Changes:
- Skip generating and bind-mounting a chroot `/etc/hosts` file when sysroot-stage is active.
- Filter agent bind mounts in sysroot-stage mode to drop mounts likely sourced from runner-only paths (workDir and home).
- Add a unit test asserting workDir/home bind mounts are filtered while core mounts remain.
| File | Description |
|---|---|
| src/services/agent-volumes/volume-builder.ts | Skips generateHostsFileMount() when sysroot-stage is active. |
| src/compose-generator.ts | Adds sysroot-mode filtering logic for agent volumes entries. |
| src/compose-generator.test.ts | Adds a test covering the new sysroot-mode filtering behavior. |
Review details
- Files reviewed: 3/3 changed files
- Comments generated: 2
- Review effort level: Low
Add parts.length < 2 check to avoid undefined target when a volume mount string lacks the expected ':' separator. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
✅ Copilot review passed with no inline comments. @lpcox Add the
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓
✅ Build Test Suite completed successfully!
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅
🔌 Smoke Services — All services reachable! ✅
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.
✅ Smoke Claude passed
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
🔑 Smoke Copilot PAT: PAT auth validated. All systems operational. ✅
✅ Contribution Check completed successfully! Contribution guidelines review complete: PR #5734 follows the applicable CONTRIBUTING.md guidance. It includes a clear description, relevant context/reference, tests for the code change, and changes are organized under src/ with the test alongside existing coverage.
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓
🚀 Security Guard has started processing this pull request
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 98.64% | 98.68% | 📈 +0.04% |
| Statements | 98.56% | 98.57% | ➡️ +0.01% |
| Functions | 99.55% | 99.55% | ➡️ +0.00% |
| Branches | 94.53% | 94.48% | 📉 -0.05% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/compose-generator.ts | 99.0% → 99.0% (+0.08%) | 99.0% → 97.2% (-1.72%) |
| src/workdir-setup.ts | 92.7% → 94.5% (+1.82%) | 92.7% → 94.5% (+1.82%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
✅ Smoke Gemini completed. All facets verified. 💎
Smoke Test: Claude Engine Validation
Overall result: PASS
🔥 Smoke Test: PAT Auth — PASS
Overall: PASS (connectivity tests verified independently; pre-step template outputs were unresolved) CC @lpcox — Auth mode: PAT (COPILOT_GITHUB_TOKEN)
@lpcox Smoke Test Results:
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
Overall: PASS
Smoke Test: Copilot BYOK (Direct) Mode ✅
✅ GitHub MCP connectivity verified
Status: PASS — Running in direct BYOK mode via api-proxy sidecar
🤖 Smoke Test Results
Overall: PASS /cc @lpcox
Merged PRs:
Checks:
Overall: PASS
Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```
See Network Configuration for more information.
Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.
🔬 Smoke Test: API Proxy OpenTelemetry Tracing
All scenarios pass. OTEL tracing integration is correctly implemented: module initializes, spans are created with GenAI semconv attributes, token usage flows via
fix: filter split-fs-invisible mounts when sysroot-stage is active (arc-dind)
✅ GitHub MCP connectivity
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (o4-mini-aw)
PASS
Smoke Test: GitHub Actions Services Connectivity
Overall: FAIL
Smoke Test Results: Gemini Engine
Last 2 merged PRs:
Overall status: PASS (with fallback)
Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "localhost"
```
See Network Configuration for more information.
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
Problem
Follow-up to #5732. On ARC/DinD runners with split filesystem, additional bind mounts fail after the `/etc` mounts fix:
- Chroot hosts mount (`/tmp/awf-*/chroot-*/hosts:/host/etc/hosts:ro`) — written to runner's `/tmp` which the Docker daemon can't see
- workDir-based mounts (`initSignalDir`, `agentLogsPath`, `sessionStatePath`, `chroot-home`) — sourced from runner's unshared `/tmp/awf-*`
- Home directory mounts (`~/.cache`, `~/.config`, etc. targeting `/host/home/...`) — runner's home isn't visible to the daemon
Fix
Two commits:
1. Skip chroot hosts mount when sysroot active (`volume-builder.ts`): the sysroot volume already provides `/etc/hosts`
2. Filter workDir-based and home-based mounts in compose generator (`compose-generator.ts`)
   - Drop mounts sourced from `config.workDir` (runner's `/tmp/awf-*`)
   - Drop mounts targeting `/host${effectiveHome}/...` (sysroot provides writable home)
   - Keep `/tmp:/tmp` (daemon's own), workspace (ARC-shared), kernel VFS, `/dev/null` overlays, custom `--mount` flags
What remains after filtering
- `/tmp:/tmp:rw` — daemon has its own `/tmp`
- `${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw` — shared between runner and daemon on ARC
- `/sys:/host/sys:ro`, `/dev:/host/dev:ro` — kernel VFS
- `/dev/null:...` credential-hiding overlays
- `--mount` flags (typically under shared `/tmp/gh-aw/`)
- `sysroot:/host:rw` named volume (provides full glibc filesystem)
Testing
Context
Discovered during ARC/DinD canary testing (bbq-beets-four-nines/agentic-workflows-canary):
- `/tmp/awf-*/chroot-*/hosts` mount error (after fix: skip /etc bind mounts when sysroot-stage is active (arc-dind) #5732 fixed `/etc` mounts)
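The mount filtering the PR description lays out (drop runner-only workDir and home mounts, keep the daemon's `/tmp`, the workspace, kernel VFS, `/dev/null` overlays and the sysroot named volume) together with the `parts.length < 2` guard from the follow-up commit, as a stand-alone added example. This is not code from the PR or from the project: `filterSysrootVolumes`, `parseVolume`, `isUnder`, the `workDir`/`effectiveHome` context and all sample volume specs are hypothetical names and constructed values, and the exact drop predicate (source under workDir, or runner-home source mounted to `/host${effectiveHome}/...`) is an assumption modelled on the description rather than the project's actual check.

```typescript
// Added example, not code from the PR or the project. Filters compose-style
// "source:target[:mode]" volume specs the way the PR description sketches for
// sysroot-stage (ARC/DinD split-filesystem) mode. All names and sample values
// below are hypothetical / constructed.

interface SysrootFilterContext {
  workDir: string;       // runner-side AWF work dir, e.g. /tmp/awf-<id> (constructed)
  effectiveHome: string; // runner's home directory, e.g. /home/runner (constructed)
}

interface ParsedVolume {
  source: string;
  target: string;
  mode: string | undefined;
}

/**
 * Parse a "source:target[:mode]" spec. Returns null when the spec has no ':'
 * separator (so target would be undefined) or an empty source/target, instead
 * of letting a malformed entry reach the daemon or crash the generator.
 */
function parseVolume(spec: string): ParsedVolume | null {
  const parts = spec.split(':');
  if (parts.length < 2) return null; // the guard the follow-up commit adds
  const source = parts[0];
  const target = parts[1];
  if (source === '' || target === '') return null;
  return { source, target, mode: parts.length > 2 ? parts[2] : undefined };
}

/** True when `p` equals `base` or lies below it, matching only on '/' boundaries. */
function isUnder(p: string, base: string): boolean {
  const b = base.replace(/\/+$/, '');
  return p === b || p.startsWith(b + '/');
}

/**
 * Split specs into those the daemon can still use and those to drop.
 * Assumed predicate (modelled on the PR text, not the project's real check):
 *  - drop when the source lives under the runner's workDir (/tmp/awf-*)
 *  - drop when a runner-home path is mounted to /host${effectiveHome}/...
 *  - drop malformed specs rather than emitting them
 * Daemon /tmp, the workspace, kernel VFS, /dev/null overlays and named
 * volumes such as sysroot:/host fall through none of these and are kept.
 */
function filterSysrootVolumes(
  volumes: string[],
  ctx: SysrootFilterContext,
): { kept: string[]; dropped: string[] } {
  const kept: string[] = [];
  const dropped: string[] = [];
  const hostHome = '/host' + ctx.effectiveHome;
  for (const spec of volumes) {
    const v = parseVolume(spec);
    if (v === null) {
      dropped.push(spec);
      continue;
    }
    const workDirSource = isUnder(v.source, ctx.workDir);
    const homeMount = isUnder(v.source, ctx.effectiveHome) && isUnder(v.target, hostHome);
    (workDirSource || homeMount ? dropped : kept).push(spec);
  }
  return { kept, dropped };
}

// Constructed sample input modelled on the mount list in the PR description.
const SAMPLE_CONTEXT: SysrootFilterContext = { workDir: '/tmp/awf-abc123', effectiveHome: '/home/runner' };
const SAMPLE_VOLUMES: string[] = [
  '/tmp:/tmp:rw',                                                 // daemon's own /tmp: kept
  '/home/runner/_work/repo/repo:/home/runner/_work/repo/repo:rw', // workspace, shared on ARC: kept
  '/sys:/host/sys:ro',                                            // kernel VFS: kept
  '/dev:/host/dev:ro',                                            // kernel VFS: kept
  '/dev/null:/host/home/runner/.git-credentials:ro',              // credential-hiding overlay: kept
  'sysroot:/host:rw',                                             // named volume: kept
  '/tmp/awf-abc123/init-signal:/tmp/awf-init:rw',                 // workDir-based: dropped
  '/tmp/awf-abc123/chroot-1/hosts:/host/etc/hosts:ro',            // chroot hosts file: dropped
  '/home/runner/.cache:/host/home/runner/.cache:rw',              // runner home to /host home: dropped
  'no-separator-here',                                            // malformed: dropped, no crash
];

const SAMPLE_RESULT = filterSysrootVolumes(SAMPLE_VOLUMES, SAMPLE_CONTEXT);
console.log('kept:', SAMPLE_RESULT.kept);
console.log('dropped:', SAMPLE_RESULT.dropped);
```

The overlay case is why the home rule checks both ends of the spec: a `/dev/null` overlay targets a path under `/host${effectiveHome}` but its source is not a runner-home path, so it survives, while `~/.cache` mounted to the same prefix is dropped because the daemon cannot read the runner's home. Malformed specs are reported in `dropped` rather than silently skipped so a bad entry is visible in the generated output.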