Skip to content

feat: gVisor runtime support#6093

Merged
lpcox merged 16 commits into
mainfrom
feat/gvisor-runtime-support
Jul 10, 2026
Merged

feat: gVisor runtime support#6093
lpcox merged 16 commits into
mainfrom
feat/gvisor-runtime-support

Conversation

@lpcox

@lpcox lpcox commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Summary

Add gVisor (runsc) container runtime support to AWF. This PR recompiles the gVisor smoke workflow on a branch so it can be tested via the test-gvisor label.

Testing

Apply the test-gvisor label to this PR to trigger the gVisor smoke test workflow.

Related: #3264, #6092

Recompiles the gVisor smoke workflow so it can be triggered via the
test-gvisor label on this PR branch.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 12:45
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦎 Smoke gVisor reports failed. gVisor compatibility issue detected.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 99.19% 99.18% ➡️ -0.01%
Statements 99.15% 99.14% 📉 -0.01%
Functions 99.45% 99.45% ➡️ +0.00%
Branches 96.00% 95.87% 📉 -0.13%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/cli-workflow.ts 100.0% → 93.9% (-6.13%) 100.0% → 93.9% (-6.13%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the generated gVisor smoke test workflow lockfile to align with the current smoke-gvisor workflow content, specifically refining how the post-run verification searches agent logs for a gVisor indicator.

Changes:

  • Regenerates smoke-gvisor.lock.yml (updated gh-aw metadata hashes).
  • Updates the “Verify gVisor runtime was used” step to search within the downloaded agent artifact’s nested log directory and to match a more specific gVisor kernel/version indicator.
Show a summary per file
File Description
.github/workflows/smoke-gvisor.lock.yml Regenerated lockfile; adjusts the gVisor verification step to grep within /tmp/gh-aw-agent/sandbox/agent/logs and updates the fallback message.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

The gVisor release URL expects the raw architecture string from
uname -m (e.g., x86_64) not the remapped form (amd64).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦎 Smoke gVisor reports failed. gVisor compatibility issue detected.

Docker's SIGHUP reload handler does NOT call setHostGatewayIP(), so
the HostGatewayIPs config field remains empty after a reload-only
config change. This causes --add-host host.docker.internal:host-gateway
to fail with 'could not parse extra host IP invalid IP' for any
container started after the reload (including the MCP Gateway).

A full restart runs initNetworkController() which calls
setHostGatewayIP() to populate the bridge gateway IP.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦎 Smoke gVisor completed. gVisor smoke test passed. ✅

@github-actions

This comment has been minimized.

Adds end-to-end support for running the agent container under an
alternative OCI runtime (e.g. gVisor's runsc, Kata Containers):

- Added runtime?: string to DockerService interface (types/docker.ts)
- Added containerRuntime?: string to ContainerImageOptions
- Added --container-runtime CLI flag
- Added config file support (container.containerRuntime in awf.json)
- Thread runtime through agent-service.ts → docker-compose.yml
- Only agent container uses the custom runtime; infra containers
  (squid, api-proxy) always use the default runtime
- Updated smoke-gvisor workflow:
  - Fixed gVisor download URL (raw uname -m, no arch remap)
  - Fixed systemctl restart (not reload) after runsc install
  - Postprocess injects --container-runtime runsc into AWF command
  - Verify step checks docker-compose.yml for runtime: runsc
- Added 3 unit tests for runtime plumbing
- All 3649 tests pass

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦎 Smoke gVisor reports failed. gVisor compatibility issue detected.

@lpcox lpcox removed the test-gvisor label Jul 10, 2026
gVisor's userspace netstack has an isolated sandbox loopback that cannot
reach Docker's embedded DNS server at 127.0.0.11, causing container name
resolution to fail with EAI_AGAIN (google/gvisor#7469, open since 2022).

When containerRuntime is set (e.g., runsc for gVisor), AWF now:
1. Inspects topology-attached container IPs after connecting them to awf-net
2. Patches docker-compose.yml with extra_hosts entries for the agent
3. The agent resolves topology peers via /etc/hosts, bypassing DNS

This runs between phase 2 (topology connect) and phase 3 (full compose up),
so the agent picks up the entries before starting. Non-gVisor runs are
unaffected — the patch only activates when containerRuntime is set.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

🔥 Smoke Test Results

Test Status
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read ⚠️ Template vars unresolved in workflow

Overall: PASS (core connectivity verified)

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode

✅ GitHub.com HTTP: 200
✅ MCP Connectivity: OK
✅ BYOK Mode: Active (COPILOT_DUMMY_BYOK)
✅ Inference: api-proxy → api.githubcopilot.com

Status: PASS — Direct BYOK mode working correctly.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #6093 · 55.2 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP
File write/read

Overall: PASS · Auth mode: PAT (COPILOT_GITHUB_TOKEN)

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is not reachable. Service containers may not be configured for this workflow.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

@lpcox
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

  • GitHub MCP Testing: ✅
  • GitHub.com Connectivity: ✅
  • File Write/Read Test: ✅
  • BYOK Inference Test: ✅

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

✅ GitHub MCP (pre-fetched PR data validated)
✅ GitHub.com connectivity
✅ File I/O test
✅ BYOK inference test

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

@lpcox PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

OTEL Smoke Test Results

Scenario Result Notes
S1: Module Loading ✅ Pass otel.js loads cleanly; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
S2: Test Suite ✅ Pass 59/59 tests passed across otel.test.js + otel-fanout.test.js
S3: Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards all 6 OTEL vars: GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
S4: Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js (line 285, invoked at line 343) as the OTEL hook point
S5: OTEL Diagnostics i️ N/A No live containers during static smoke test; file-based fallback exporter (/var/log/api-proxy/otel.jsonl) is configured when no OTEL endpoint is set

Overall: ✅ All scenarios pass. OTEL integration is fully wired end-to-end.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test\n- feat: gVisor runtime support\n- chore: recompile workflows after #6087\n- ✅ GitHub PR query\n- ✅ File write/read\n- ✅ Discussion lookup\n- ✅ Playwright title check\n- ✅ Build\n- Overall status: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Gemini Engine Validation

  • GitHub MCP Testing: ❌ (Tools not found)
  • GitHub.com Connectivity: ❌ (Failed to connect/resolve)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Chroot Version Comparison

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.18.0 v22.23.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

⚠️ Not all versions match — ALL_TESTS_PASSED=false

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions github-actions Bot mentioned this pull request Jul 10, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): Maven could not create local repository at ~/.m2/repository (owned by root). Worked around by using -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo. All tests passed successfully.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #6093 · 32.6 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit b3e37f5 into main Jul 10, 2026
95 of 96 checks passed
@lpcox lpcox deleted the feat/gvisor-runtime-support branch July 10, 2026 18:49
Copilot AI added a commit that referenced this pull request Jul 11, 2026
- Update D1: gVisor resolved in #6093; Kata Containers still open
- Add B11: silent repair failure causes exit 1, fixed in #6072
- Add B11 error-string lookup entry in all three catalog files
- Update Known unresolved items: narrow D1 to Kata only
- Update symptom mapping and known-gaps step in both doctor files
- Update CI test assertions for D1 and B11

Closes #6103
lpcox pushed a commit that referenced this pull request Jul 11, 2026
…nt repair exit-1 (#6118)

* Initial plan

* docs: update runner doctor catalog - D1 gVisor resolved, add B11

- Update D1: gVisor resolved in #6093; Kata Containers still open
- Add B11: silent repair failure causes exit 1, fixed in #6072
- Add B11 error-string lookup entry in all three catalog files
- Update Known unresolved items: narrow D1 to Kata only
- Update symptom mapping and known-gaps step in both doctor files
- Update CI test assertions for D1 and B11

Closes #6103

* docs: align runner-doctor B11 and D1 wording with implementation

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants