Fix the rootless permission on the per-run chroot dir — the AWF bundle cannot write hosts into /tmp/awf-<ts>/chroot-XXXX/ and hard-fails Smoke CI at config generation, on main and PR branches.
Problem statement
Smoke CI aborts at the Execute GitHub Copilot CLI step during [INFO] Generating configuration files..., before any agent turn runs:
[ERROR] Fatal error: Error: EACCES: permission denied, open '/tmp/awf-1783709757445/chroot-Tdqr8K/hosts'
at Object.openSync (node:fs:560:18)
at Object.writeFileSync (node:fs:2444:35)
at Object.JL [as writeConfigs] (/home/runner/.local/lib/awf/awf-bundle.js:794:3010)
errno: -13, code: 'EACCES', syscall: 'open',
path: '/tmp/awf-1783709757445/chroot-Tdqr8K/hosts'
The run fails closed with exit code 1 and produces no safe output. It reproduces on both main and PR branches, so this is a committed/runtime regression, not a branch artifact.
Affected workflows and run IDs
| Workflow |
Run |
Branch / ref |
Signature |
| Smoke CI |
§29116138962 |
PR copilot/feat-add-gvisor-install-script (44796/merge) |
EACCES chroot hosts |
| Smoke CI |
§29116066895 |
main |
EACCES chroot hosts |
Correlated signal across the same window: multiple runs also log [WARN] Rootless artifact permission repair failed for ... (exit 1) (e.g. Smoke Copilot Small §29116716332, PR Triage Agent §29115410581), pointing at the same rootless UID/permission handling.
Probable root cause
Under --network-isolation (rootless Docker, no host iptables/sudo), writeConfigs in awf-bundle.js creates the per-run chroot directory /tmp/awf-<ts>/chroot-XXXX/ but the node process UID lacks write permission to drop the generated /etc/hosts there — the directory (or its hosts entry) is created with ownership the AWF process cannot write. The recurring Rootless artifact permission repair failed warnings indicate the rootless UID-mapping / permission-repair path is broken in the current AWF bundle.
Proposed remediation
- In the config-generation path,
mkdir the chroot dir with a mode/owner writable by the AWF process UID before writeConfigs, or write hosts with the effective UID (avoid inheriting root-owned mounts under rootless).
- Fix or gate the
Rootless artifact permission repair step so chroot/artifact dirs are chown/chmod'd to the runtime UID prior to write.
- Add a fast pre-flight assertion (writable temp probe in the chroot) that surfaces a clear error instead of a mid-run
EACCES fatal.
Success criteria / verification
- Smoke CI passes on
main with no EACCES ... chroot-*/hosts in the Execute GitHub Copilot CLI step.
- No
Rootless artifact permission repair failed warnings on green Smoke CI runs.
- Config generation completes and at least one agent turn executes.
Parent: #44735. Analyzed runs: 29116138962, 29116066895 (last 6h).
Related to #44735
Generated by 🔍 [aw] Failure Investigator (6h) · 100 AIC · ⌖ 35.6 AIC · ⊞ 6.2K · ◷
Fix the rootless permission on the per-run chroot dir — the AWF bundle cannot write
hostsinto/tmp/awf-<ts>/chroot-XXXX/and hard-fails Smoke CI at config generation, onmainand PR branches.Problem statement
Smoke CI aborts at the Execute GitHub Copilot CLI step during
[INFO] Generating configuration files..., before any agent turn runs:The run fails closed with exit code 1 and produces no safe output. It reproduces on both
mainand PR branches, so this is a committed/runtime regression, not a branch artifact.Affected workflows and run IDs
copilot/feat-add-gvisor-install-script(44796/merge)hostsmainhostsCorrelated signal across the same window: multiple runs also log
[WARN] Rootless artifact permission repair failed for ... (exit 1)(e.g. Smoke Copilot Small §29116716332, PR Triage Agent §29115410581), pointing at the same rootless UID/permission handling.Probable root cause
Under
--network-isolation(rootless Docker, no host iptables/sudo),writeConfigsinawf-bundle.jscreates the per-run chroot directory/tmp/awf-<ts>/chroot-XXXX/but the node process UID lacks write permission to drop the generated/etc/hoststhere — the directory (or itshostsentry) is created with ownership the AWF process cannot write. The recurringRootless artifact permission repair failedwarnings indicate the rootless UID-mapping / permission-repair path is broken in the current AWF bundle.Proposed remediation
mkdirthe chroot dir with a mode/owner writable by the AWF process UID beforewriteConfigs, or writehostswith the effective UID (avoid inheriting root-owned mounts under rootless).Rootless artifact permission repairstep so chroot/artifact dirs are chown/chmod'd to the runtime UID prior to write.EACCESfatal.Success criteria / verification
mainwith noEACCES ... chroot-*/hostsin the Execute GitHub Copilot CLI step.Rootless artifact permission repair failedwarnings on green Smoke CI runs.Parent: #44735. Analyzed runs: 29116138962, 29116066895 (last 6h).
Related to #44735