feat: gVisor runtime support#6093
Conversation
Recompiles the gVisor smoke workflow so it can be triggered via the test-gvisor label on this PR branch. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
🚀 Security Guard has started processing this pull request |
|
🦎 Smoke gVisor reports failed. gVisor compatibility issue detected. |
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 99.19% | 99.18% | ➡️ -0.01% |
| Statements | 99.15% | 99.14% | 📉 -0.01% |
| Functions | 99.45% | 99.45% | ➡️ +0.00% |
| Branches | 96.00% | 95.87% | 📉 -0.13% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/cli-workflow.ts |
100.0% → 93.9% (-6.13%) | 100.0% → 93.9% (-6.13%) |
src/log-directory-setup.ts |
96.2% → 100.0% (+3.78%) | 96.3% → 100.0% (+3.71%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
There was a problem hiding this comment.
Pull request overview
This PR updates the generated gVisor smoke test workflow lockfile to align with the current smoke-gvisor workflow content, specifically refining how the post-run verification searches agent logs for a gVisor indicator.
Changes:
- Regenerates
smoke-gvisor.lock.yml(updated gh-aw metadata hashes). - Updates the “Verify gVisor runtime was used” step to search within the downloaded agent artifact’s nested log directory and to match a more specific gVisor kernel/version indicator.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/smoke-gvisor.lock.yml |
Regenerated lockfile; adjusts the gVisor verification step to grep within /tmp/gh-aw-agent/sandbox/agent/logs and updates the fallback message. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 0
- Review effort level: Low
The gVisor release URL expects the raw architecture string from uname -m (e.g., x86_64) not the remapped form (amd64). Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
✅ Copilot review passed with no inline comments. @lpcox Add the |
|
🚀 Security Guard has started processing this pull request |
|
🦎 Smoke gVisor reports failed. gVisor compatibility issue detected. |
Docker's SIGHUP reload handler does NOT call setHostGatewayIP(), so the HostGatewayIPs config field remains empty after a reload-only config change. This causes --add-host host.docker.internal:host-gateway to fail with 'could not parse extra host IP invalid IP' for any container started after the reload (including the MCP Gateway). A full restart runs initNetworkController() which calls setHostGatewayIP() to populate the bridge gateway IP. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
🚀 Security Guard has started processing this pull request |
|
🦎 Smoke gVisor completed. gVisor smoke test passed. ✅ |
This comment has been minimized.
This comment has been minimized.
Adds end-to-end support for running the agent container under an alternative OCI runtime (e.g. gVisor's runsc, Kata Containers): - Added runtime?: string to DockerService interface (types/docker.ts) - Added containerRuntime?: string to ContainerImageOptions - Added --container-runtime CLI flag - Added config file support (container.containerRuntime in awf.json) - Thread runtime through agent-service.ts → docker-compose.yml - Only agent container uses the custom runtime; infra containers (squid, api-proxy) always use the default runtime - Updated smoke-gvisor workflow: - Fixed gVisor download URL (raw uname -m, no arch remap) - Fixed systemctl restart (not reload) after runsc install - Postprocess injects --container-runtime runsc into AWF command - Verify step checks docker-compose.yml for runtime: runsc - Added 3 unit tests for runtime plumbing - All 3649 tests pass Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
🚀 Security Guard has started processing this pull request |
|
🦎 Smoke gVisor reports failed. gVisor compatibility issue detected. |
gVisor's userspace netstack has an isolated sandbox loopback that cannot reach Docker's embedded DNS server at 127.0.0.11, causing container name resolution to fail with EAI_AGAIN (google/gvisor#7469, open since 2022). When containerRuntime is set (e.g., runsc for gVisor), AWF now: 1. Inspects topology-attached container IPs after connecting them to awf-net 2. Patches docker-compose.yml with extra_hosts entries for the agent 3. The agent resolves topology peers via /etc/hosts, bypassing DNS This runs between phase 2 (topology connect) and phase 3 (full compose up), so the agent picks up the entries before starting. Non-gVisor runs are unaffected — the patch only activates when containerRuntime is set. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
🔥 Smoke Test Results
Overall: PASS (core connectivity verified) cc @lpcox Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
Smoke Test: Copilot BYOK (Direct) Mode ✅ GitHub.com HTTP: 200 Status: PASS — Direct BYOK mode working correctly. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Claude Engine Validation
Overall Result: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot PAT Auth — PASS
Overall: PASS · Auth mode: PAT (COPILOT_GITHUB_TOKEN) cc @lpcox Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Services Connectivity
Overall: FAIL — Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
@lpcox
Overall: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
✅ GitHub MCP (pre-fetched PR data validated) Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) @lpcox PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
OTEL Smoke Test Results
Overall: ✅ All scenarios pass. OTEL integration is fully wired end-to-end. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test\n- feat: gVisor runtime support\n- chore: recompile workflows after #6087\n- ✅ GitHub PR query\n- ✅ File write/read\n- ✅ Discussion lookup\n- ✅ Playwright title check\n- ✅ Build\n- Overall status: PASSWarning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Smoke Test: Gemini Engine Validation
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Chroot Version Comparison
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
- Update D1: gVisor resolved in #6093; Kata Containers still open - Add B11: silent repair failure causes exit 1, fixed in #6072 - Add B11 error-string lookup entry in all three catalog files - Update Known unresolved items: narrow D1 to Kata only - Update symptom mapping and known-gaps step in both doctor files - Update CI test assertions for D1 and B11 Closes #6103
…nt repair exit-1 (#6118) * Initial plan * docs: update runner doctor catalog - D1 gVisor resolved, add B11 - Update D1: gVisor resolved in #6093; Kata Containers still open - Add B11: silent repair failure causes exit 1, fixed in #6072 - Add B11 error-string lookup entry in all three catalog files - Update Known unresolved items: narrow D1 to Kata only - Update symptom mapping and known-gaps step in both doctor files - Update CI test assertions for D1 and B11 Closes #6103 * docs: align runner-doctor B11 and D1 wording with implementation --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Summary
Add gVisor (
runsc) container runtime support to AWF. This PR recompiles the gVisor smoke workflow on a branch so it can be tested via thetest-gvisorlabel.Testing
Apply the
test-gvisorlabel to this PR to trigger the gVisor smoke test workflow.Related: #3264, #6092