Skip to content

[aw-failures] Smoke CI hard-fails at config generation — EACCES writing chroot 'hosts' file (awf-bundle writeConfigs), on main + [Content truncated due to length] #44827

Description

@github-actions

Fix the rootless permission on the per-run chroot dir — the AWF bundle cannot write hosts into /tmp/awf-<ts>/chroot-XXXX/ and hard-fails Smoke CI at config generation, on main and PR branches.

Problem statement

Smoke CI aborts at the Execute GitHub Copilot CLI step during [INFO] Generating configuration files..., before any agent turn runs:

[ERROR] Fatal error: Error: EACCES: permission denied, open '/tmp/awf-1783709757445/chroot-Tdqr8K/hosts'
    at Object.openSync (node:fs:560:18)
    at Object.writeFileSync (node:fs:2444:35)
    at Object.JL [as writeConfigs] (/home/runner/.local/lib/awf/awf-bundle.js:794:3010)
  errno: -13, code: 'EACCES', syscall: 'open',
  path: '/tmp/awf-1783709757445/chroot-Tdqr8K/hosts'

The run fails closed with exit code 1 and produces no safe output. It reproduces on both main and PR branches, so this is a committed/runtime regression, not a branch artifact.

Affected workflows and run IDs

Workflow Run Branch / ref Signature
Smoke CI §29116138962 PR copilot/feat-add-gvisor-install-script (44796/merge) EACCES chroot hosts
Smoke CI §29116066895 main EACCES chroot hosts

Correlated signal across the same window: multiple runs also log [WARN] Rootless artifact permission repair failed for ... (exit 1) (e.g. Smoke Copilot Small §29116716332, PR Triage Agent §29115410581), pointing at the same rootless UID/permission handling.

Probable root cause

Under --network-isolation (rootless Docker, no host iptables/sudo), writeConfigs in awf-bundle.js creates the per-run chroot directory /tmp/awf-<ts>/chroot-XXXX/ but the node process UID lacks write permission to drop the generated /etc/hosts there — the directory (or its hosts entry) is created with ownership the AWF process cannot write. The recurring Rootless artifact permission repair failed warnings indicate the rootless UID-mapping / permission-repair path is broken in the current AWF bundle.

Proposed remediation

  1. In the config-generation path, mkdir the chroot dir with a mode/owner writable by the AWF process UID before writeConfigs, or write hosts with the effective UID (avoid inheriting root-owned mounts under rootless).
  2. Fix or gate the Rootless artifact permission repair step so chroot/artifact dirs are chown/chmod'd to the runtime UID prior to write.
  3. Add a fast pre-flight assertion (writable temp probe in the chroot) that surfaces a clear error instead of a mid-run EACCES fatal.

Success criteria / verification

  • Smoke CI passes on main with no EACCES ... chroot-*/hosts in the Execute GitHub Copilot CLI step.
  • No Rootless artifact permission repair failed warnings on green Smoke CI runs.
  • Config generation completes and at least one agent turn executes.

Parent: #44735. Analyzed runs: 29116138962, 29116066895 (last 6h).
Related to #44735

Generated by 🔍 [aw] Failure Investigator (6h) · 100 AIC · ⌖ 35.6 AIC · ⊞ 6.2K ·

  • expires on Jul 17, 2026, 11:21 AM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions