fix: mount /etc/hosts in chroot mode and handle missing resolv.conf #522
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
Chroot tests failed Smoke Chroot failed - See logs for details. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
✅ Coverage Check Passed
Overall Coverage
Coverage comparison generated by |
Build Test: Java - FAILED ❌
Test Environment Issue: Maven is not properly installed or configured in the GitHub Actions runner. Error:
Overall: FAIL Root Cause: Maven executable at Action Required: The workflow runner environment needs Maven properly installed with a working Java runtime.
Pull request overview
This PR fixes hostname resolution issues in chroot mode by mounting /etc/hosts and improving /etc/resolv.conf handling. The changes address getaddrinfo EAI_AGAIN localhost errors encountered when tools like JSDOM/Vitest attempt to resolve localhost inside the chroot environment.
Changes:
- Added /etc/hosts read-only mount to provide localhost resolution inside chroot
- Enhanced entrypoint.sh to create /etc/resolv.conf when missing instead of silently skipping
- Implemented cleanup logic to remove created DNS configuration files on exit
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/docker-manager.ts | Added /etc/hosts:/host/etc/hosts:ro mount for chroot mode to enable localhost resolution |
| src/docker-manager.test.ts | Added test assertion to verify /etc/hosts mount in chroot mode (duplicate of existing test on line 560) |
| containers/agent/entrypoint.sh | Enhanced resolv.conf handling to create file when missing and clean up created files on exit |
| const volumes = agent.volumes as string[]; | ||
|
|
||
| // These are needed for getent/user lookup inside chroot | ||
| expect(volumes).toContain('/etc/passwd:/host/etc/passwd:ro'); | ||
| expect(volumes).toContain('/etc/group:/host/etc/group:ro'); | ||
| expect(volumes).toContain('/etc/nsswitch.conf:/host/etc/nsswitch.conf:ro'); | ||
| }); | ||
|
|
||
| it('should mount /etc/hosts for hostname resolution in chroot mode', () => { | ||
| const configWithChroot = { | ||
| ...mockConfig, | ||
| enableChroot: true |
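Review bot: The new `should mount /etc/hosts for hostname resolution in chroot mode` case should assert the complete mount string, `:ro` suffix included, the way the `/etc/passwd`, `/etc/group` and `/etc/nsswitch.conf` assertions above it do. An exact `toContain('/etc/hosts:/host/etc/hosts:ro')` fails if the mount ever loses its read-only flag, which is the property that keeps a process in the chroot from editing the host's hosts file.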
This test is redundant with the existing test on line 560 in the 'should use selective mounts when enableChroot is true' test case. The /etc/hosts mount is already being verified there. Consider removing this duplicate test or enhancing it to test a different aspect (e.g., verifying that localhost can be resolved when using the mount).
| if cp /etc/resolv.conf /host/etc/resolv.conf 2>/dev/null; then | ||
| RESOLV_CREATED=true | ||
| echo "[entrypoint] DNS configuration created in chroot (/host/etc/resolv.conf)" |
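Review bot: `2>/dev/null` on the `cp` in the first line throws away the reason for a failed copy, and this excerpt shows no branch for that failure. Keep stderr, or log an `[entrypoint][WARN]` line when the copy fails, so a chroot that starts without `/host/etc/resolv.conf` can be diagnosed from the logs. Setting `RESOLV_CREATED=true` only inside the success branch is the right order.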
For consistency with the existing code pattern (lines 169-170), consider using an atomic write approach when creating the resolv.conf file. The current code uses a temporary file (.awf suffix) and mv for existing file replacement to avoid corruption. While less critical for file creation, using the same pattern would provide protection against race conditions and maintain code consistency. Suggested change: use 'cp /etc/resolv.conf /host/etc/resolv.conf.awf' followed by 'mv /host/etc/resolv.conf.awf /host/etc/resolv.conf' instead of a direct cp.
| if cp /etc/resolv.conf /host/etc/resolv.conf 2>/dev/null; then | |
| RESOLV_CREATED=true | |
| echo "[entrypoint] DNS configuration created in chroot (/host/etc/resolv.conf)" | |
| if cp /etc/resolv.conf /host/etc/resolv.conf.awf 2>/dev/null; then | |
| if mv /host/etc/resolv.conf.awf /host/etc/resolv.conf 2>/dev/null; then | |
| RESOLV_CREATED=true | |
| echo "[entrypoint] DNS configuration created in chroot (/host/etc/resolv.conf)" | |
| else | |
| echo "[entrypoint][WARN] Could not move DNS configuration into place in chroot" | |
| fi |
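Review bot: In the suggested replacement, the `else` branch after a failed `mv` leaves `/host/etc/resolv.conf.awf` on the host: `RESOLV_CREATED` is not set on that path and nothing in these lines removes the temporary file. Add `rm -f /host/etc/resolv.conf.awf` to that branch, and give the outer `if cp ... resolv.conf.awf` its own warning for the case where the copy itself fails.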
| fi | ||
| else | ||
| echo "[entrypoint][WARN] Could not backup host resolv.conf, skipping DNS override" | ||
| # File doesn't exist: create it (selective /etc mounts don't include resolv.conf) |
The comment is somewhat confusing. Since we're already inside the chroot mode block (line 150), saying "e.g. chroot mode where /host/etc/resolv.conf is not mounted" is redundant and unclear. Consider revising to be more precise about the scenario, such as: "File doesn't exist: create it (e.g., host system without /etc/resolv.conf)" or "File doesn't exist on host: create it to ensure DNS resolution works inside chroot".
| # File doesn't exist: create it (selective /etc mounts don't include resolv.conf) | |
| # File doesn't exist on host: create it to ensure DNS resolution works inside chroot |
C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.
|
Node.js Build Test Results
Overall: PASS ✅ All Node.js projects built and tested successfully.
|
Deno Build Test Results
Overall: ✅ PASS All Deno tests completed successfully.
|
Smoke Test Results (Claude) ✅
Last 2 Merged PRs:
Test Results:
Overall Status: PASS
|
Go Build Test Results
Overall: PASS ✅ All Go projects built and tested successfully.
|
✅ Smoke Test Results
GitHub MCP: ✅ PR #520, #521 reviewed
Status: PASS
cc @Mossaka
|
Build Test: Java - FAILED ❌
Status: ENVIRONMENT ERROR
Unable to execute Java build tests due to critical system misconfiguration.
Error Details
The GitHub Actions runner environment has a broken Java/Maven toolchain:
Attempted Projects
Overall: FAIL (Environment broken) Recommendations
|
❌ Bun Build Test - FAILED
Environment Incompatibility Detected
Overall: FAILED
Error Details
Bun runtime crashed in the container environment:
Environment Info
Recommendation
Run Bun tests in a standard VM or container with full
|
❌ Build Test: Rust - INFRASTRUCTURE FAILURE
Status: Unable to execute tests due to GitHub Actions runner environment issue.
Issue Description
All command execution in the runner is being hijacked to output
Evidence
Even though
Next Steps
This appears to be a platform-level issue that requires investigation by the GitHub Actions team. The test cannot proceed without the ability to execute binaries normally.
Test Requirements:
|
|
📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident... |
|
Chroot tests failed Smoke Chroot failed - See logs for details. |
C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.
|
Node.js Build Test Results
Overall: PASS ✅ All projects installed successfully and passed their test suites.
|
Build Test: Java - ❌ FAILED
Status: Environment Error
Unable to execute Java build tests due to Maven installation failure.
Error Details
Test Results
Overall: FAILED (Environment Error)
Required Action
The GitHub Actions runner's Maven installation is corrupted. This needs to be fixed before Java build tests can run.
|
Copilot Smoke Test Results
Last 2 merged PRs:
Test Results:
Status: PASS cc @Mossaka
|
Build Test: Bun - FAILED ❌
Error: Bun installation succeeded but
Results
Overall: FAIL
Error Details
All attempts to run
Root Cause: Bun v1.3.8 appears incompatible with this GitHub Actions runner environment. Next Steps: Investigation needed for Bun compatibility with GitHub Actions infrastructure.
|
Smoke Test Results - Claude Engine
Last 2 Merged PRs:
Test Results:
Status: PASS
|
2c3cf49 to 23e51ba
|
Heads up — main has had 3 PRs merged since this branch diverged:
You'll need to rebase onto Key things to know when rebasing:
|
Mount /etc/hosts read-only inside the chroot so hostname resolution (e.g. localhost) works correctly for language runtimes. Handle the case where /host/etc/resolv.conf doesn't exist (which happens with selective /etc mounts): create the file instead of failing, and clean it up on exit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove the HTTP_PROXY env var from the agent container. Since commit 183e451 added iptables DNAT (intercept mode), HTTP traffic on port 80 is already redirected to Squid's intercept port. Setting HTTP_PROXY caused curl to forward-proxy through port 3128, where Squid's 403 error page is a valid HTTP response (exit code 0), breaking the "block HTTP" integration test. Fix the HTTP blocking test to check the HTTP status code (not exit code) since Squid returns a 403 HTML page for blocked HTTP requests in intercept mode. HTTPS_PROXY is retained because HTTPS needs the explicit CONNECT method through Squid's forward-proxy port (3128). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Create the .copilot directory with correct ownership before installing the Copilot CLI to prevent permission errors when running as the runner user. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
23e51ba to a8d0821
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
Chroot tests failed Smoke Chroot failed - See logs for details. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
Deno Build Test Results ✅
Overall: ✅ PASS All Deno tests completed successfully.
|
C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.
|
Smoke Test Results (Copilot) ✅
Last 2 merged PRs:
Tests:
Status: PASS cc @Mossaka (author)
|
Node.js Build Test Results
Overall: PASS ✅ All Node.js projects successfully installed dependencies and passed their test suites.
|
Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed tests.
|
|
Smoke Test Results (Claude) Last 2 merged PRs:
✅ GitHub MCP - Fetched PRs successfully Status: PASS
|
Bun Build Test Results
Summary
Overall: FAIL
Details
Both test projects failed with the same error:
Environment:
Issue: Bun test runner is crashing with a core dump in this container environment. This appears to be a Bun compatibility issue with the execution environment, not a project-specific problem. Test files examined:
Both projects have minimal package.json files with no dependencies, so
|
Build Test: Rust - FAILED ❌
Status: INFRASTRUCTURE FAILURE
Unable to execute Rust build tests due to toolchain malfunction.
Error Details
The Rust toolchain (rustup/cargo) is not functioning correctly in the test environment:
Projects Status
Overall: FAIL (Infrastructure issue - Rust toolchain unavailable)
Next Steps
This appears to be a system-level issue with the test environment. Recommend:
|
Reverts the following PRs which introduced unnecessary complexity:
- #520: fix: enable Squid intercept mode for NAT-redirected traffic
- v0.13.5 release: chore(release): bump version to 0.13.5
- #524: fix: remove HTTP_PROXY/HTTPS_PROXY env vars from agent container
- #526: chore: recompile workflow lock files for AWF v0.13.5
- #527: fix: recompile lock files with release action mode
- #522: fix: mount /etc/hosts in chroot and fix HTTP blocking test
- #530: fix: restore HTTPS_PROXY, fix chroot hosts/permissions, fix Bun crash
- v0.13.6 release: chore(release): bump version to 0.13.6

The intercept mode (#520) was introduced to fix Codex failing with HTTP_PROXY, but the simpler fix is to just not set HTTP_PROXY for Codex. The intercept mode introduced a cascade of breakage:
- HTTPS can't be transparently intercepted (needs CONNECT method)
- Image version bumps required lock file recompilation
- host.docker.internal traffic crashed Squid under load
- Multiple PRs needed to fix each regression

This reverts to the pre-#520 explicit proxy mode (HTTP_PROXY/HTTPS_PROXY pointing to Squid port 3128) which worked for all engines.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- /etc/hosts read-only into /host/etc/hosts in chroot mode, fixing getaddrinfo EAI_AGAIN localhost errors for tools like JSDOM/Vitest
- /host/etc/resolv.conf by creating the file instead of silently skipping DNS override
- resolv.conf on exit to leave no trace on the host

Evidence: https://github.com/danielmeppiel/corporate-website/actions/runs/21707539888
Test plan
- npm test — 731 unit tests pass (including 2 new assertions)
- npm run test:integration — integration tests pass
- sudo awf --enable-chroot --allow-domains example.com -- getent hosts localhost resolves correctly

🤖 Generated with Claude Code
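The resolv.conf handling this PR describes (create /host/etc/resolv.conf when it is missing, write it through the .awf temporary file and mv as the review suggests, and undo on exit only what was changed), as an added shell example that is not the project's entrypoint.sh. The function names, the host-root argument standing in for /host, the .awf-backup suffix and the symlink refusal are assumptions.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. The function names, the
# host-root argument (stands in for /host), the .awf-backup suffix and the
# symlink check are assumptions; the .awf temp suffix is from the review.
RESOLV_CREATED=false   # true only when this script created the file
RESOLV_BACKUP=""       # set only when an existing file was replaced

# install_resolv_conf SRC HOST_ROOT: put SRC at HOST_ROOT/etc/resolv.conf
install_resolv_conf() {
    src=$1
    dst=$2/etc/resolv.conf
    tmp=$dst.awf
    bak=$dst.awf-backup
    existed=false
    # A copy or rename must not act on whatever a symlink points to.
    if [ -L "$dst" ]; then
        echo "[example][WARN] $dst is a symlink, skipping DNS override" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        existed=true
        cp -p "$dst" "$bak" || { rm -f "$bak"; return 1; }
    fi
    # Write beside the target, then rename: readers never see a partial file.
    if ! { cp "$src" "$tmp" && mv "$tmp" "$dst"; }; then
        rm -f "$tmp" "$bak"   # leave nothing behind on failure
        echo "[example][WARN] could not install $dst" >&2
        return 1
    fi
    if [ "$existed" = true ]; then
        RESOLV_BACKUP=$bak
    else
        RESOLV_CREATED=true
    fi
}

# cleanup_resolv_conf HOST_ROOT: undo exactly what install_resolv_conf did
cleanup_resolv_conf() {
    dst=$1/etc/resolv.conf
    if [ "$RESOLV_CREATED" = true ]; then
        rm -f "$dst"                  # we created it, so remove it
    elif [ -n "$RESOLV_BACKUP" ]; then
        mv "$RESOLV_BACKUP" "$dst"    # we replaced it, so restore it
    fi
    RESOLV_CREATED=false
    RESOLV_BACKUP=""
}
```

In an entrypoint the cleanup would be registered with `trap 'cleanup_resolv_conf /host' EXIT` before the install call, so the host file is restored or removed on every exit path.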