[awf] Docker Manager: Workflow-wide DinD configuration (DOCKER_HOST) breaks AWF container startup #1930

@lpcox

Description

Problem

When a workflow enables Docker-in-Docker (DinD) at the workflow scope (via services: dind: + DOCKER_HOST: tcp://localhost:2375), the compiled gh aw workflow fails during AWF startup with:

[INFO] Set DOCKER_API_VERSION=1.54 (server current)
Error:  Port 80 is not exposed from the container
Error:  Add port mapping: -p <host_port>:80

Agentic workflows that need to build or run Docker images as part of their task cannot use this pattern.

Context

Root Cause

When DOCKER_HOST is set to a remote TCP socket (DinD daemon), the AWF docker compose commands are routed to the DinD daemon instead of the local Docker socket. The DinD daemon does not have the host port bindings that AWF relies on for the Squid proxy (ports: ["3128:3128"] in the compose config). The DinD daemon interprets "expose port" as requiring a host-level port mapping that doesn't exist in the DinD network context, causing the startup failure.

The root issue is in src/docker-manager.ts: AWF unconditionally uses DOCKER_HOST from the environment when spawning docker compose commands via execa. When DOCKER_HOST points to a DinD TCP socket, the host-side filesystem bind mounts also fail because the DinD daemon cannot access the runner host's filesystem.

Proposed Solution

  1. src/docker-manager.ts, getDockerComposeEnv() or similar helper: When DOCKER_HOST is set to a TCP address (DinD), spawn docker compose with DOCKER_HOST explicitly unset (using the local socket instead), so AWF always manages its own containers via the local daemon. Add a --docker-host CLI flag to allow explicit override.

  2. src/cli.ts: Add a warning when DOCKER_HOST is detected in the environment, informing the user that AWF manages its own containers via the local socket, and that the DinD daemon remains available inside the agent container (agent inherits the Docker socket mount).

  3. Agent container: Ensure the DinD DOCKER_HOST value is still forwarded into the agent container's environment (via env passthrough), so the agent's workload can use DinD as intended — only the AWF orchestration layer should use the local socket.

  4. Docs: Add a section in docs/environment.md explaining the DinD interaction model.

Generated by Firewall Issue Dispatcher
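The following is an added example sketching how the helper proposed in steps 1 to 3 above could look. It is not AWF's code and not from the issue author; the helper name getDockerComposeEnv comes from the proposal, while the signature, the DockerEnvDecision shape, the composeInvocation wrapper, the warning wording, and the decision to also drop DOCKER_TLS_VERIFY and DOCKER_CERT_PATH (which describe the remote endpoint, not the local socket) are assumptions. The sample environment is constructed.

```typescript
// Added example (not AWF's code): a sketch of the getDockerComposeEnv() helper
// proposed in the issue. Names, signatures and the warning text are assumptions.

export interface DockerEnvDecision {
  /** Environment used when spawning `docker compose` for AWF's own containers. */
  composeEnv: Record<string, string>;
  /** Variables to pass through into the agent container so its workload can reach DinD. */
  agentEnv: Record<string, string>;
  /** Warning the CLI should print when an inherited DOCKER_HOST was set aside. */
  warning?: string;
}

/** True when DOCKER_HOST names a daemon reached over the network (DinD's tcp://, or ssh://)
 *  rather than the runner's local socket (unset, unix://, npipe://). */
export function isRemoteDockerHost(value: string | undefined): boolean {
  if (!value) return false;
  let url: URL;
  try {
    url = new URL(value);
  } catch {
    return false; // unparsable value: leave it alone and let the Docker CLI report it
  }
  return url.protocol === "tcp:" || url.protocol === "ssh:";
}

/**
 * Compute the environment for AWF's `docker compose` invocations.
 * - If a --docker-host override was given, use it verbatim.
 * - Otherwise, if the inherited DOCKER_HOST is remote, strip it (plus the TLS
 *   settings that belong to that endpoint; an assumption beyond the proposal) so
 *   compose talks to the local socket, and forward the original value to the
 *   agent container instead.
 */
export function getDockerComposeEnv(
  env: Record<string, string | undefined>,
  dockerHostOverride?: string,
): DockerEnvDecision {
  const composeEnv: Record<string, string> = {};
  for (const [k, v] of Object.entries(env)) {
    if (v !== undefined) composeEnv[k] = v;
  }
  const agentEnv: Record<string, string> = {};
  let warning: string | undefined;
  const inherited = env.DOCKER_HOST;

  if (dockerHostOverride) {
    composeEnv.DOCKER_HOST = dockerHostOverride;
  } else if (isRemoteDockerHost(inherited)) {
    delete composeEnv.DOCKER_HOST;
    delete composeEnv.DOCKER_TLS_VERIFY;
    delete composeEnv.DOCKER_CERT_PATH;
    agentEnv.DOCKER_HOST = inherited as string;
    warning =
      `DOCKER_HOST=${inherited} is set; AWF will manage its own containers via the ` +
      `local Docker socket. The remote daemon is still available inside the agent ` +
      `container as DOCKER_HOST.`;
  }
  return { composeEnv, agentEnv, warning };
}

/** Build the file/args/env an execa-style spawn would receive for `docker compose <args>`. */
export function composeInvocation(
  decision: DockerEnvDecision,
  composeArgs: string[],
): { file: string; args: string[]; env: Record<string, string> } {
  return { file: "docker", args: ["compose", ...composeArgs], env: decision.composeEnv };
}

// Stand-alone demonstration with a constructed DinD-style environment.
const demo = getDockerComposeEnv({ DOCKER_HOST: "tcp://localhost:2375", PATH: "/usr/bin" });
if (demo.composeEnv.DOCKER_HOST !== undefined) throw new Error("DOCKER_HOST should be stripped");
console.log(demo.warning);
console.log(composeInvocation(demo, ["up", "-d"]));
```

The split into composeEnv and agentEnv is what keeps the two layers apart: the orchestration layer's compose calls never see the DinD socket, while the agent workload still receives the original DOCKER_HOST through env passthrough.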
