Skip to content

fix: drop workDir-adjacent chroot-home mount on split-fs sysroot#5857

Merged
lpcox merged 2 commits into
mainfrom
fix/split-fs-chroot-home-mount-filter
Jul 3, 2026
Merged

fix: drop workDir-adjacent chroot-home mount on split-fs sysroot#5857
lpcox merged 2 commits into
mainfrom
fix/split-fs-chroot-home-mount-filter

Conversation

@lpcox

@lpcox lpcox commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Problem

npm test is failing on main (Test Coverage workflow, Linux) in src/compose-generator.test.ts:

● generateDockerCompose › sysroot-stage service (runner.topology = arc-dind) › filters out workDir and home dot-directory bind mounts on split-fs
  Expected: false
  Received: true

Root cause

The sysroot bind-mount filter (filterAgentVolumesForSysroot in src/services/optional-services.ts) drops mounts sourced from the AWF workDir so the DinD daemon isn't handed paths it can't resolve on a split filesystem. But it only matched sources equal to workDir or under workDir/.

The empty-home mount is sourced from the sibling path ${workDir}-chroot-home (see src/services/agent-volumes/home-strategy.ts:18). That leading dash means it never matched workDir/, so it slipped through — leaving a bind mount (/tmp/awf-<ts>-chroot-home:/host<home>) the daemon cannot see. This is platform-independent and reproduces in CI.

Fix

Broaden the filter to drop any source starting with the workDir prefix. workDir is a unique /tmp/awf-<timestamp> path, so a prefix match safely covers the workDir itself, paths under it, and the -chroot-home sibling without risking unrelated mounts.

Verification

  • Added a regression test asserting the -chroot-home sibling is dropped.
  • npm test: 3434 passed (was 1 failing on main).
  • npm run build clean.

The sysroot bind-mount filter for arc-dind/split-fs only dropped sources equal
to workDir or under workDir/. The empty-home mount is sourced from the sibling
path ${workDir}-chroot-home, which slipped through and left a bind mount the
DinD daemon cannot resolve. Broaden the filter to drop any source with the
unique /tmp/awf-<ts> workDir prefix, covering the chroot-home sibling.

Fixes the failing compose-generator unit test 'filters out workDir and home
dot-directory bind mounts on split-fs'.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 04:21
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.59% 98.63% 📈 +0.04%
Statements 98.52% 98.55% 📈 +0.03%
Functions 99.43% 99.43% ➡️ +0.00%
Branches 94.32% 94.33% 📈 +0.01%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 93.0% → 94.8% (+1.74%) 93.0% → 94.8% (+1.74%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a regression in ARC/DinD split-filesystem mode where the sysroot-stage volume filtering failed to drop the empty-home bind mount sourced from the workDir-adjacent ${workDir}-chroot-home directory, causing generateDockerCompose tests to fail on main.

Changes:

  • Broadened the sysroot bind-mount source filtering logic to catch workDir-adjacent paths (like -chroot-home) in addition to workDir/… children.
  • Added a regression test covering the ${workDir}-chroot-home sibling bind mount being filtered out in split-fs mode.
Show a summary per file
File Description
src/services/optional-services.ts Adjusts sysroot-stage bind-mount filtering to drop workDir-adjacent sources that the DinD daemon can’t resolve on split filesystems.
src/compose-generator.test.ts Adds a regression test asserting the -chroot-home sibling bind mount is removed for runnerTopology: arc-dind.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +73 to 80
// Drop mounts sourced from AWF workDir (runner's unshared /tmp/awf-*).
// This includes the workDir itself, paths under it, and workDir-adjacent
// sibling paths such as the empty-home dir (`${workDir}-chroot-home`) — all
// are created by AWF under the runner's /tmp and are invisible to the daemon.
// workDir is a unique `/tmp/awf-<timestamp>` path, so a prefix match is safe.
if (source.startsWith(normalizedWorkDirPrefix)) {
return false;
}
@lpcox

lpcox commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot address review feedback

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@copilot address review feedback

Done in 9cf1028. Replaced the broad startsWith(normalizedWorkDirPrefix) with three explicit conditions: exact match (source === normalizedWorkDirPrefix), children under workDir/, and the known sibling pattern workDir- (for -chroot-home). This avoids inadvertently dropping unrelated mounts when --work-dir is set to a short or non-unique prefix.

Copilot finished work on behalf of lpcox July 3, 2026 05:14
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR follows the applicable CONTRIBUTING.md guidelines: clear description, regression test included, no documentation update needed for this internal bug fix, and files are organized under src/.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 2/2 changed files
  • Comments generated: 0 new
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5857 · 35.5 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Copilot BYOK Smoke Test ✅ PASS

  • ✅ GitHub.com connectivity (HTTP 200)
  • ✅ File write/read test
  • ✅ BYOK inference path (agent → api-proxy → api.githubcopilot.com)
  • ✅ Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY)

All tests passed. Agent successfully routed through api-proxy sidecar with credential injection.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • MCP connectivity: ✅
  • github.com connectivity: ✅
  • file write/read: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@lpcox
Smoke Test Results:

  • GitHub MCP Testing (pre-fetched):
${{ steps.smoke-data.outputs.SMOKE_PR_DATA }}
```✅
- GitHub Connectivity: ✅
- File I/O: ✅
- BYOK Inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: GitHub Actions Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this environment. Service containers are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth PASS

Test Result
GitHub MCP (PR #5832 fetched)
GitHub.com HTTP (pre-step passed)
File Write/Read (smoke-test-copilot-pat-28641478188.txt verified)

Overall: PASS - Auth mode: PAT (COPILOT_GITHUB_TOKEN)
PR author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

OTEL Smoke Test Results

Scenario Result Notes
Module Loading ✅ Pass otel.js loads; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + test helpers
Test Suite ✅ Pass 59 tests passed, 0 failed (suites: otel.test.js, otel-fanout.test.js)
Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID
Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js (lines 283/324) as the OTEL hook point
OTEL Diagnostics ✅ Expected No live api-proxy container in this validation run; file fallback (/var/log/api-proxy/otel.jsonl) activates when no OTLP endpoint configured — no unexpected errors

All 5 scenarios pass or are in expected-pending state for this development smoke test.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

Test Status
GitHub MCP ⚠️ Unverified (template vars unresolved)
GitHub.com Connectivity ✅ HTTP 200
File Write/Read ⚠️ Unverified (template vars unresolved)

Overall: PARTIAL — connectivity confirmed; pre-step outputs were not injected (template literals unreplaced).

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results: Gemini

  • GitHub MCP Testing: ❌ (Missing tools/Shallow history)
  • GitHub.com Connectivity: ❌ (Network unreachable)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

PR Titles Found:

  1. Update runner doctor catalog with ARC/DinD modes A14 and A15 (Update runner doctor catalog with ARC/DinD modes A14 and A15 #5832)

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

PRs reviewed:

  • Add host/sidecar parity guard for API proxy provider env constants
  • Deduplicate provider auth header construction across runtime, validation, and model fetch paths
    Results:
  • GitHub reads: ✅
  • GH CLI queries: ✅
  • Playwright title check: ❌
  • File write/cat: ✅
  • Discussion comment: ✅
  • Build AWF: ✅
    Overall: FAIL

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color ok ✅ PASS
Go env ok ✅ PASS
Go uuid ok ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5857 · 32.8 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit 3fe7c0a into main Jul 3, 2026
88 of 89 checks passed
@lpcox lpcox deleted the fix/split-fs-chroot-home-mount-filter branch July 3, 2026 12:21
@github-actions github-actions Bot mentioned this pull request Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants