Problem
AWF chroot mode assumes runner-visible paths are also visible to the Docker daemon. On ARC runners using Docker-in-Docker (DinD), the runner container and DinD daemon sidecar have separate root filesystems, so AWF bind mounts resolve against the daemon filesystem rather than the runner filesystem. Users must manually stage dozens of files into daemon-visible paths before AWF starts.
Context
Original report: github/gh-aw#30838
Required manual staging included: /bin, /usr/local/bin, /etc/passwd, /etc/group, /etc/hosts, writable $HOME/XDG state dirs, Copilot CLI, Node.js, capsh, shell, and core utilities — all routed through the DinD daemon.
Root Cause
src/docker-manager.ts generates bind mount paths using host environment paths at compile time. There is no mechanism to detect or translate paths when the Docker daemon context differs from the runner context (ARC DinD split-filesystem scenario).
Proposed Solution
Add a --docker-host-path-prefix CLI flag in src/cli.ts that remaps runner-side paths to daemon-visible equivalents before bind mounts are generated in src/docker-manager.ts. When ARC DinD is detected (e.g., via DOCKER_HOST env var pointing to a TCP address), emit a warning and apply the prefix automatically. Add integration tests covering the path translation logic.
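One way the remap could be implemented, as an added example and not AWF's own code: a prefix-based translation applied to bind-mount sources before the Docker command is built, plus the DOCKER_HOST TCP heuristic the proposal mentions. The function names, the BindMount shape and the /runner-rootfs default prefix are assumptions.

```typescript
// Added example (not from AWF's src/docker-manager.ts or src/cli.ts).
// Models the issue's proposal: remap runner-side bind-mount sources to
// daemon-visible paths when the Docker daemon is a DinD sidecar.

interface BindMount { source: string; target: string; readonly?: boolean; }
type Env = Record<string, string | undefined>;

/** Heuristic from the issue: DOCKER_HOST pointing at a TCP address suggests a DinD sidecar. */
function isLikelyDindDaemon(env: Env): boolean {
  return /^tcp:\/\//i.test(env.DOCKER_HOST ?? "");
}

/** Remap one runner-side absolute path to its daemon-visible equivalent. */
function translateHostPath(runnerPath: string, prefix: string | undefined): string {
  if (!prefix) return runnerPath;
  if (!runnerPath.startsWith("/")) {
    throw new Error(`bind mount source must be absolute: ${runnerPath}`);
  }
  const normalizedPrefix = prefix.replace(/\/+$/, ""); // drop trailing slashes
  // Do not double-prefix a path that was already staged under the prefix.
  if (runnerPath === normalizedPrefix || runnerPath.startsWith(normalizedPrefix + "/")) {
    return runnerPath;
  }
  return normalizedPrefix + runnerPath;
}

function translateBindMounts(mounts: BindMount[], prefix: string | undefined): BindMount[] {
  return mounts.map((m) => ({ ...m, source: translateHostPath(m.source, prefix) }));
}

/** Explicit flag wins; otherwise warn and auto-apply a prefix when DinD is detected. */
function resolveHostPathPrefix(
  flagValue: string | undefined,
  env: Env,
  warn: (msg: string) => void,
  autoPrefix = "/runner-rootfs", // hypothetical: where the sidecar sees the runner rootfs
): string | undefined {
  if (flagValue) return flagValue;
  if (isLikelyDindDaemon(env)) {
    warn(`DOCKER_HOST=${env.DOCKER_HOST} looks like a DinD sidecar; applying path prefix ${autoPrefix}`);
    return autoPrefix;
  }
  return undefined;
}

/** Render as docker CLI arguments so the effect on the generated command is visible. */
function toDockerArgs(mounts: BindMount[]): string[] {
  return mounts.flatMap((m) => ["-v", `${m.source}:${m.target}${m.readonly ? ":ro" : ""}`]);
}
```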
Generated by Firewall Issue Dispatcher