feat: add sandbox.agent.runtime: gvisor for gVisor container runtime support#44796
Conversation
… AWF config emission Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
… log message Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds compiler support for running AWF agent containers with gVisor.
Changes:
- Adds
sandbox.agent.runtime: gvisorparsing, schema, and validation. - Installs and registers runsc before AWF execution.
- Passes the selected runtime through AWF configuration.
Show a summary per file
| File | Description |
|---|---|
.changeset/minor-gvisor-runtime-support.md |
Documents the feature. |
pkg/parser/schemas/main_workflow_schema.json |
Defines the runtime field. |
pkg/workflow/awf_config.go |
Emits the AWF runtime configuration. |
pkg/workflow/copilot_engine_installation.go |
Generates the gVisor installation step. |
pkg/workflow/firewall.go |
Adds runtime helpers. |
pkg/workflow/frontmatter_extraction_security.go |
Extracts runtime frontmatter. |
pkg/workflow/gvisor_test.go |
Tests compilation and validation behavior. |
pkg/workflow/nodejs.go |
Inserts gVisor setup into npm-engine workflows. |
pkg/workflow/sandbox.go |
Models agent runtime configuration. |
pkg/workflow/sandbox_validation.go |
Validates runtime combinations. |
pkg/workflow/strict_mode_sandbox_validation.go |
Adjusts strict-mode sudo handling. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 11/11 changed files
- Comments generated: 5
- Review effort level: Medium
| // gVisor installation requires root access (sudo install, sudo runsc install, | ||
| // sudo systemctl restart docker). It cannot be combined with sudo: false. | ||
| if agentConfig.NetworkIsolation { |
| if agent.SudoExplicitlyEnabled { | ||
| // Exception: sandbox.agent.runtime: gvisor requires root access for installation, | ||
| // so sudo: true is implicitly required and the deprecation warning is suppressed. | ||
| if agent.SudoExplicitlyEnabled && agent.Runtime != AgentRuntimeGVisor { |
| // gVisor must be installed and registered BEFORE AWF starts the agent container. | ||
| if isGVisorRuntime(workflowData) { | ||
| steps = append(steps, generateGVisorInstallStep()) | ||
| } |
| ` URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"`, | ||
| ` echo "Downloading runsc for ${ARCH}..."`, | ||
| ` curl -fsSL "${URL}/runsc" -o /tmp/runsc`, | ||
| ` curl -fsSL "${URL}/containerd-shim-runsc-v1" -o /tmp/containerd-shim-runsc-v1`, | ||
| ` sudo install -m 755 /tmp/runsc /usr/local/bin/runsc`, |
| agentRuntime := getAgentContainerRuntime(config.WorkflowData) | ||
| if awfImageTag != "" || isArcDindTopology(config.WorkflowData) || agentRuntime != "" { | ||
| container := &AWFContainerConfig{ | ||
| ImageTag: awfImageTag, | ||
| ImageTag: awfImageTag, | ||
| ContainerRuntime: agentRuntime, |
|
@copilot run pr-finisher skill |
|
✅ Test Quality Sentinel completed test quality analysis. |
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. |
There was a problem hiding this comment.
Review: sandbox.agent.runtime: gvisor
The overall structure is solid — the compilation flow, validation, and test coverage are well thought out. Three issues need attention before merging:
Blocking:
- No binary integrity verification (line 355) —
runscandcontainerd-shim-runsc-v1are installed as root without SHA-512 checksum verification. The official GCS bucket publishes.sha512files alongside the binaries. This is a supply-chain risk.
Non-blocking but important:
2. Unpinned latest URL (line 352) — non-reproducible; a new gVisor release could silently break the workflow or introduce incompatibilities.
3. docker pull hello-world in verification (line 373) — makes an outbound Docker Hub call that may fail in environments with restricted network policies. Use a pre-cached image instead.
🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 40.8 AIC · ⌖ 4.84 AIC · ⊞ 4.8K
| ` URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"`, | ||
| ` echo "Downloading runsc for ${ARCH}..."`, | ||
| ` curl -fsSL "${URL}/runsc" -o /tmp/runsc`, | ||
| ` curl -fsSL "${URL}/containerd-shim-runsc-v1" -o /tmp/containerd-shim-runsc-v1`, |
There was a problem hiding this comment.
Security: No integrity verification of downloaded binaries
The runsc and containerd-shim-runsc-v1 binaries are downloaded from storage.googleapis.com and immediately installed as root (sudo install -m 755) without verifying their authenticity. The official gVisor release page publishes SHA-512 checksums (runsc.sha512, containerd-shim-runsc-v1.sha512) at the same URL prefix.
This is a supply-chain risk: a MITM or compromised GCS bucket could deliver a malicious binary that runs as root inside the agent container.
Suggested fix:
curl -fsSL "${URL}/runsc" -o /tmp/runsc
curl -fsSL "${URL}/runsc.sha512" -o /tmp/runsc.sha512
sha512sum -c /tmp/runsc.sha512
curl -fsSL "${URL}/containerd-shim-runsc-v1" -o /tmp/containerd-shim-runsc-v1
curl -fsSL "${URL}/containerd-shim-runsc-v1.sha512" -o /tmp/containerd-shim-runsc-v1.sha512
sha512sum -c /tmp/containerd-shim-runsc-v1.sha512@copilot please address this.
| "", | ||
| ` echo "::group::Install gVisor (runsc)"`, | ||
| ` ARCH=$(uname -m)`, | ||
| ` URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"`, |
There was a problem hiding this comment.
Reliability: Unpinned latest release URL causes non-reproducible builds
releases/release/latest resolves to whatever is current at workflow run time. A new gVisor release could break the workflow silently (e.g., behavioural changes, removed flags, incompatible runtime version with the installed Docker/containerd).
Consider pinning to a specific release (e.g., release/20240101.0) or, at minimum, documenting the implicit policy here and testing against it in CI.
@copilot please address this.
| ` echo "::endgroup::"`, | ||
| "", | ||
| ` echo "::group::Verify gVisor works"`, | ||
| ` docker pull hello-world`, |
There was a problem hiding this comment.
Reliability: Verification step pulls from Docker Hub, which may be blocked by sandbox network policy
When sandbox.agent.runtime: gvisor is used with a restricted network (network.allowed not including registry-1.docker.io), docker pull hello-world will fail during the install step — before AWF even starts, so the AWF network isolation hasn't taken effect yet. But if the runner is already restricted at the host firewall level, this pulls from an unconfigured external endpoint.
Consider using docker run --rm --runtime=runsc busybox true (or any image guaranteed to be already present on GitHub-hosted runners) instead of pulling hello-world at verification time.
@copilot please address this.
🧪 Test Quality Sentinel Report
📊 Metrics (10 tests)
Test Classification
✅ Strengths
Verdict✅ PASSED. 0% implementation tests (threshold: ≤30%). No coding violations. Note on inflation ratio (6.5:1): The high line ratio is justified for this new feature because (1) comprehensive E2E compilation test with setup/teardown, (2) multiple validation scenarios (arc-dind, sudo constraints), and (3) all production lines are behavioral, not boilerplate. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
There was a problem hiding this comment.
REQUEST_CHANGES — 3 blocking issues in addition to those already flagged
The existing review comments already called out: unpinned latest download URL (supply chain risk), gVisor-only step injection via the npm path (CodexEngine uncovered), the open/blocked upstream dependency, and the sudo-scope confusion.
This pass adds three more that must be fixed before merge:
Critical / High:
systemctl restart dockeron GH-hosted runners — GitHub-hostedubuntu-*runners do not use systemd; this command will fail with a hard error, making the feature completely broken on the primary target environment. (line 367)- DockerHub pull in install step —
docker pull hello-worldis a live network call that will hit the 100-pull/6h anonymous quota on shared runners. Replace with a localrunsc --versioncheck. (line 374) - Unvalidated runtime string forwarded downstream — the YAML value is cast to
AgentRuntimeand emitted as-is into AWF config JSON with no allowlist check. Infrontmatter_extraction_security.goof all places, this should be aswitchagainst known constants. (line 272)
Lower-priority observations (non-blocking)
- Ignored
sudoparameter:generateGVisorInstallStepno longer accepts a parameter (correctly), but the test ingvisor_test.gowas written when it did — worth confirming tests still compile cleanly. - No docker-ready wait after restart: even with a portable restart command, a
until docker info; do sleep 1; doneloop is needed beforedocker info --formator anydocker runto avoid a race.
🔎 Code quality review by PR Code Quality Reviewer · 49.4 AIC · ⌖ 4.76 AIC · ⊞ 5.4K
Comment /review to run again
| ` # Docker's SIGHUP reload does NOT call setHostGatewayIP(), so`, | ||
| ` # --add-host host.docker.internal:host-gateway breaks for any`, | ||
| ` # container started after a reload-only config change.`, | ||
| ` sudo systemctl restart docker`, |
There was a problem hiding this comment.
systemctl restart docker will fail on GitHub-hosted runners: these runners do not use systemd, so this command errors with System has not been booted with systemd — making this feature non-functional on its primary target environment.
💡 Suggested fix
Use a portable restart + readiness wait:
# Portable full restart (not SIGHUP/reload) on both systemd and non-systemd runners
sudo service docker restart 2>/dev/null || sudo systemctl restart docker
# Wait for daemon to be ready
timeout 30 bash -c 'until docker info &>/dev/null; do sleep 1; done'service docker restart triggers a full daemon restart (not a SIGHUP reload), so the setHostGatewayIP() concern from the PR description still applies correctly here. The readiness loop also addresses the race condition where docker run immediately follows a restart.
| "", | ||
| ` echo "::group::Verify gVisor works"`, | ||
| ` docker pull hello-world`, | ||
| ` docker run --rm --runtime=runsc hello-world`, |
There was a problem hiding this comment.
docker pull hello-world / docker run hello-world in the install step will hit DockerHub rate limits or fail in air-gapped environments, breaking every gVisor-enabled workflow on shared runners that exhaust the anonymous pull quota (100 pulls/6 h per IP).
💡 Suggested fix
Verify gVisor using only local tools — no image pull needed:
# Confirm runsc binary is functional — no network required
runsc --version
runsc --help &>/dev/null && echo "runsc OK"If a container smoke-test is truly needed, use the Docker daemon's built-in hello-world-equivalent with a scratch image that can be baked into the runner, or skip it and rely on runsc --version + docker info --format '{{.Runtimes}}' to confirm registration.
| // Extract runtime (container runtime for the agent container) | ||
| if runtimeVal, hasRuntime := agentObj["runtime"]; hasRuntime { | ||
| if runtimeStr, ok := runtimeVal.(string); ok { | ||
| agentConfig.Runtime = AgentRuntime(runtimeStr) |
There was a problem hiding this comment.
Unvalidated runtime string is passed downstream without allowlist check: any arbitrary string from the workflow YAML is cast directly to AgentRuntime and forwarded as containerRuntime in the AWF config JSON. If AWF passes this value to Docker as --runtime=<value>, this is an injection vector.
💡 Suggested fix
Validate against the allowlist of known AgentRuntime constants before accepting the value:
if runtimeStr, ok := runtimeVal.(string); ok {
rt := AgentRuntime(runtimeStr)
switch rt {
case AgentRuntimeGVisor:
agentConfig.Runtime = rt
frontmatterExtractionSecurityLog.Printf("Extracted sandbox.agent.runtime: %s", runtimeStr)
default:
// Return a parse/validation error — unknown runtime
return nil, fmt.Errorf("sandbox.agent.runtime: unsupported value %q (supported: gvisor)", runtimeStr)
}
}This is particularly important in a file named frontmatter_extraction_security.go.
Design Decision Gate — ADR RequiredThis PR makes significant changes to core business logic (470 new lines in Draft ADR committed:
What to do next
Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision. Why ADRs MatterADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you. Michael Nygard ADR Format ReferenceAn ADR must contain these four sections to be considered complete:
All ADRs are stored in
|
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /tdd and /codebase-design — requesting changes on security and correctness issues.
📋 Key Themes & Highlights
Key Issues
- Supply-chain gap: The gVisor binaries are downloaded with
curl -fsSLbut no checksum verification, unlike the AWF install step which explicitly cites SHA256 verification as a supply-chain defence. This is the highest-priority issue since runsc runs undersudo. - Unpinned
latestversion: Usingrelease/latest/makes compiled workflows non-reproducible and fragile across gVisor releases. Should pin like AWF does. - Silent unknown runtime: An invalid
runtime: sometypois silently ignored (schema catches it, but the Go extractor doesn't). A defensive check at extraction time would make the system more robust. systemctlassumption: No validation that the runner has systemd. Thearc-dindguard is good, but generic self-hosted runners without systemd would hit an opaque mid-job failure.
Positive Highlights
- ✅ Excellent test coverage (329 lines) — install step content, step ordering, AWF config JSON emission, validation errors, end-to-end compilation all covered.
- ✅ The
systemctl restartvsreloaddistinction is well-documented with an explicit comment explaining thesetHostGatewayIP()breakage. - ✅ Clean separation:
isGVisorRuntime()helper keeps all callers from duplicating nil/disabled checks. - ✅ Suppressing the
sudo: truedeprecation warning for gVisor is the right UX call — documented clearly in the PR body and code. - ✅ Compile-time validation for arc-dind and sudo:false is exactly the right approach for safety.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 73 AIC · ⌖ 5.05 AIC · ⊞ 6.6K
Comment /matt to run again
| ` ARCH=$(uname -m)`, | ||
| ` URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"`, | ||
| ` echo "Downloading runsc for ${ARCH}..."`, | ||
| ` curl -fsSL "${URL}/runsc" -o /tmp/runsc`, |
There was a problem hiding this comment.
[/tdd] No checksum verification for downloaded binaries — a compromised or MITM-replaced runsc would execute with sudo.
The AWF install step explicitly calls out SHA256 verification as a supply-chain protection. The gVisor curl downloads have no equivalent check.
💡 Suggested fix
gVisor publishes signed checksums at ${URL}/runsc.sha512. Add verification before the sudo install:
curl -fsSL "${URL}/runsc" -o /tmp/runsc
curl -fsSL "${URL}/runsc.sha512" -o /tmp/runsc.sha512
sha512sum -c /tmp/runsc.sha512
curl -fsSL "${URL}/containerd-shim-runsc-v1" -o /tmp/containerd-shim-runsc-v1
curl -fsSL "${URL}/containerd-shim-runsc-v1.sha512" -o /tmp/containerd-shim-runsc-v1.sha512
sha512sum -c /tmp/containerd-shim-runsc-v1.sha512This mirrors the supply-chain protection described in generateAWFInstallationStep.
@copilot please address this.
| // Extract runtime (container runtime for the agent container) | ||
| if runtimeVal, hasRuntime := agentObj["runtime"]; hasRuntime { | ||
| if runtimeStr, ok := runtimeVal.(string); ok { | ||
| agentConfig.Runtime = AgentRuntime(runtimeStr) |
There was a problem hiding this comment.
[/codebase-design] Unknown runtime values are silently accepted — an invalid runtime: sometypo will produce no error and silently have no effect at runtime.
The JSON schema rejects unknown values via the enum, but the extraction layer performs no parallel check, so workflows bypassing schema validation (e.g., tests) could pass an invalid runtime undetected.
💡 Suggested fix
Add a check after extracting the value:
switch agentConfig.Runtime {
case AgentRuntimeGVisor, "":
// valid
default:
return nil, fmt.Errorf("sandbox.agent.runtime: unknown value %q; valid values: gvisor", runtimeStr)
}This makes the Go layer the authoritative validator rather than relying solely on the JSON schema.
@copilot please address this.
| ` # Docker's SIGHUP reload does NOT call setHostGatewayIP(), so`, | ||
| ` # --add-host host.docker.internal:host-gateway breaks for any`, | ||
| ` # container started after a reload-only config change.`, | ||
| ` sudo systemctl restart docker`, |
There was a problem hiding this comment.
[/tdd] systemctl restart docker will fail in workflows that don't run on systemd-based GitHub-hosted runners (e.g., container jobs, self-hosted runners without systemd). There's no test or validation guard for this runner requirement.
A failed Docker restart leaves the runner in a broken state mid-job rather than surfacing a clear compile-time or early-runtime error.
💡 Options
- Compile-time check: Add a
runner.os: linux(or similar) guard insandbox_validation.go, parallel to thearc-dindcheck. - Runtime fallback: Wrap the restart in a check:
if command -v systemctl &>/dev/null && systemctl is-system-running &>/dev/null; then sudo systemctl restart docker else echo "::error::gVisor requires systemd to restart Docker. Use a GitHub-hosted Linux runner." exit 1 fi
Option 1 is preferred — fail fast at compile time with a clear message.
@copilot please address this.
| "", | ||
| ` echo "::group::Install gVisor (runsc)"`, | ||
| ` ARCH=$(uname -m)`, | ||
| ` URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"`, |
There was a problem hiding this comment.
[/tdd] Downloading from latest rather than a pinned version makes this step non-reproducible and prone to silent breakage when gVisor releases incompatible changes.
Pinning to a specific release version (stored as a constant next to DefaultFirewallVersion) makes builds reproducible and avoids unexpected failures after upstream releases.
💡 Suggested approach
const defaultGVisorVersion = "20240520" // update as needed
// in sandbox.go or constants
const DefaultGVisorVersion = defaultGVisorVersionThen in the install step:
URL="(storage.googleapis.com/redacted)with GVISOR_VERSION injected at compile time from the constant, similar to how AWF version is handled.
@copilot please address this.
| engine: copilot | ||
| strict: false | ||
| network: | ||
| allowed: |
There was a problem hiding this comment.
[/tdd] TestGVisorStrictModeSudoTrueSuppressed asserts no new warnings are added but uses GetWarningCount() without verifying the method is not a stub returning 0. If GetWarningCount always returns 0, this test passes vacuously.
Consider also asserting that sudo:true WITHOUT runtime:gvisor does increment the warning count — this negative case makes the suppression logic meaningful rather than just checking the happy path.
💡 Suggested addition
// Baseline: sudo:true without gvisor should produce a warning
sandboxConfigWithoutGVisor := &SandboxConfig{
Agent: &AgentSandboxConfig{
ID: "awf",
SudoExplicitlyEnabled: true,
},
}
compilerBaseline := NewCompiler()
compilerBaseline.strictMode = false
_ = compilerBaseline.validateStrictSandboxCustomization(sandboxConfigWithoutGVisor)
assert.Greater(t, compilerBaseline.GetWarningCount(), 0, "sudo:true without gvisor must emit a warning")@copilot please address this.
…or path, gate containerRuntime by version Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
…false, no deprecation suppression Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Done. Four review threads addressed in commit
ADR also updated to reflect all of the above. |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
❌ Smoke Copilot Small failed. Please review the logs for details. |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke test
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "proxy.golang.org"See Network Configuration for more information.
|
|
Smoke Test Results (Gemini):
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
🧪 Smoke Test: Claude — Run 29116481336Core #1-12: 1️⃣✅ 2️⃣✅ 3️⃣✅ 4️⃣✅ 5️⃣✅ 6️⃣✅ 7️⃣✅ 8️⃣✅ 9️⃣✅ 🔟✅ 1️⃣1️⃣✅ 1️⃣2️⃣✅ PR Review #13-19: 13✅ 14✅ 15✅ 16✅ 17✅ 18 Overall: PARTIAL — all executed tests passed; #18 & #19 skipped. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 78.6 AIC · ⌖ 31.5 AIC · ⊞ 8.4K
Comment /smoke-claude to run again
| @@ -0,0 +1,52 @@ | |||
| # ADR-44796: Use gVisor (runsc) as an Optional Container Runtime for Agent Containers | |||
|
|
|||
| **Date**: 2026-07-10 | |||
There was a problem hiding this comment.
Smoke-test review: consider linking the referenced issue gh-aw-firewall#6093 for traceability once it lands.
|
|
||
| ### Context | ||
|
|
||
| Agent containers in gh-aw run under a standard Docker runtime backed by Linux cgroups and namespaces. This provides process-level isolation but leaves the host kernel's system call surface fully accessible to agent code. Any vulnerability in a system call handler can be exploited to escape the container. For higher-assurance workloads, operators need a runtime that interposes on all syscalls and runs them through a user-space kernel, substantially reducing the kernel attack surface exposed to untrusted agent code. The AWF daemon already supports `container.containerRuntime: "gvisor"` in its stdin config (gh-aw-firewall#6093), but the compiler had no way to emit that setting or install the runtime on the runner. This PR wires up the missing compiler side: a new `sandbox.agent.runtime` frontmatter field, an auto-generated pre-agent gVisor install step, and the AWF config JSON plumbing that passes `containerRuntime: "gvisor"` to AWF. |
There was a problem hiding this comment.
Smoke-test review: the AWFContainerRuntimeMinVersion placeholder (v0.28.0) should be tracked so it is updated when the firewall release ships.
|
PR: feat: add sandbox.agent.runtime: gvisor for gVisor container runtime support Warning Firewall blocked 5 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 5 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Smoke validation ran successfully; inline notes are informational only.
Warning
Firewall blocked 5 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · 91.6 AIC · ⌖ 4.67 AIC · ⊞ 19.8K
Comment /smoke-copilot to run again
Add label smoke to run again
|
@copilot please run the
|
AWF already supports
container.containerRuntime: "gvisor"in its stdin config (gh-aw-firewall#6093). This wires up the compiler side: a newsandbox.agent.runtimefrontmatter field, a pre-agent gVisor install step, and the AWF config JSON plumbing.New frontmatter field
Compiler changes
sandbox.go— NewAgentRuntimetype +Runtime AgentRuntimefield onAgentSandboxConfigfrontmatter_extraction_security.go— Extractssandbox.agent.runtimefrom YAMLawf_config.go— NewContainerRuntime stringonAWFContainerConfig; emitted as"containerRuntime":"gvisor"in the AWF stdin JSON when setfirewall.go—getAgentContainerRuntime()/isGVisorRuntime()helperscopilot_engine_installation.go—generateGVisorInstallStep(): downloadsrunsc+containerd-shim-runsc-v1fromstorage.googleapis.com/gvisor, installs to/usr/local/bin, runssudo runsc install, restarts Docker withsystemctl restart(notreload— the reload path skipssetHostGatewayIP()), verifies withdocker run --rm --runtime=runscnodejs.go— Injects gVisor step before the AWF install step inBuildNpmEngineInstallStepsWithAWFmain_workflow_schema.json— Addsruntimeenum field tosandbox.agentschemaCompile-time validation
Two incompatible combinations are rejected at compile time:
runtime: gvisor+runner.topology: arc-dindruntime: gvisor+sudo: false(default)sudo: truesudo: true's deprecation warning/error is suppressed whenruntime: gvisoris set — gVisor fundamentally requires root so the warning would be misleading.✨ PR Review Safe Output Test - Run 29116481336
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.