fix: create resolv.conf in chroot when not mounted #549
When using selective /etc mounts in chroot mode, /etc/resolv.conf is not included in the mount list. This causes DNS queries inside the chroot to fall back to the host's systemd-resolved (127.0.0.53), which is blocked by iptables (only 8.8.8.8, 8.8.4.4, 127.0.0.11 are allowed). As a result, agents like Codex cannot resolve domains like api.openai.com.

Fix: when /host/etc/resolv.conf doesn't exist, create it from the container's /etc/resolv.conf (which already has the correct AWF DNS config). Clean up on exit by removing the created file.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@copilot review this PR please

Chroot tests failed
Smoke Chroot failed - See logs for details.

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 82.11% | 82.10% | 📉 -0.01% |
| Statements | 82.15% | 82.14% | 📉 -0.01% |
| Functions | 81.95% | 81.95% | ➡️ +0.00% |
| Branches | 75.44% | 75.44% | ➡️ +0.00% |
📁 Per-file Coverage Changes (1 file)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/docker-manager.ts | 83.0% → 83.0% (-0.04%) | 82.3% → 82.3% (-0.04%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
C++ Build Test Results
Overall: PASS All C++ projects built successfully.

Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed tests.

Deno Build Test Results
Overall: ✅ PASS All Deno tests completed successfully.

Smoke Test Results
Last 2 Merged PRs:
Test Results:
Status: PASS cc @Mossaka

Build Test: Node.js - Results
All Node.js projects tested successfully! ✅
Overall: ✅ PASS All 3 projects installed dependencies and passed their test suites.

❌ Build Test: Java - Environment Error
Status: FAILED Unable to execute Java build tests due to a runner environment issue.
Error Details
All Java and Maven commands return bash version output instead of executing properly, indicating a corrupted or misconfigured runner environment.
Expected vs Actual
Expected: This prevents compilation and testing of both
Action Required
This workflow needs investigation - the runner environment appears to have a fundamental issue with Java execution.

Smoke Test Results (Claude)
Last 2 PRs (open):
✅ GitHub MCP: Retrieved PR data Status: PASS

Bun Build Test Results
Overall: FAIL ❌ Environment Issue
Bun runtime installation succeeded but cannot execute in this GitHub Actions environment due to missing
Error Details
Root Cause: Bun requires access to
Recommendation: This test requires either:

Pull request overview
This pull request fixes DNS resolution failures in chroot mode when /etc/resolv.conf is not included in the selective /etc mounts introduced in PR #545. The issue occurred because DNS queries would fall back to the host's systemd-resolved stub at 127.0.0.53, which is not in the iptables allowed DNS list, causing all DNS queries to be blocked.
Changes:
- Add logic to create `/etc/resolv.conf` from the container's DNS configuration when the file doesn't exist in chroot mode
- Implement proper cleanup to remove the created file on exit, leaving no trace
- Maintain existing backup/restore logic for cases where the file already exists
Build Test: Rust - FAILED ❌
Status: Environment Error
Issue
Unable to execute Rust toolchain commands. All binary executions (cargo, rustup, ps) are returning bash version information instead of executing properly.
Diagnostic Information
Environment Details
Error Example
```
$ /home/runner/.cargo/bin/rustup --version
GNU bash, version 5.2.21(1)-release (x86_64-pc-linux-gnu)
...
```
This suggests a critical GitHub Actions runner environment issue rather than a project-specific problem. Further investigation is needed to determine if this is a runner configuration issue, security restriction, or other system-level problem.

The test used `curl -s`, which silently receives Squid's 403 error page (a valid HTTP response, exit 0). Use `curl -f` instead, which returns non-zero for HTTP 4xx/5xx responses. This matches the pattern used in the non-chroot integration tests (protocol-support.test.ts).

Previously this test only passed because DNS was broken in chroot mode, causing curl to fail at DNS resolution rather than actually testing HTTP blocking behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

Chroot tests passed!
Smoke Chroot - All security and functionality tests succeeded.

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.

Deno Build Test Results
Overall: ✅ PASS All Deno tests completed successfully.

Build Test: Node.js - Results
All Node.js projects tested successfully! ✅
Overall: PASS ✅ All installations and tests completed successfully.

Smoke Test Results (Run #21735908743)
Last 2 Merged PRs:
Test Results:
Overall Status: PASS (3/4 core tests passed, GitHub API alternative method succeeded) cc @Mossaka

Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed tests.

Smoke Test: Claude Engine - PASS ✅
GitHub MCP: Retrieved last 2 merged PRs (#548, #543)

❌ Java Build Test Failed
Status: UNABLE TO EXECUTE
Issue
The Java build tests could not be executed because Java JDK and Maven are not available in the AWF agent container environment.
Technical Details
Required Actions
To enable Java build testing, one of the following must be implemented:
Test Results
Overall: FAILED (Environment missing required tools)

Build Test: Bun - FAILED ❌
Status: FAILED - Bun runtime incompatible with current environment
Test Results
Overall: FAIL
Error Details
Bun 1.3.8 installation succeeded, but runtime operations fail:
This indicates Bun is incompatible with the current execution environment (likely Docker container limitations or missing kernel features).
Recommendation
This test requires a different CI environment with full system support for Bun runtime, or testing should be performed locally.

Chroot Version Comparison Test Results
Overall Result: ❌ FAILED - Not all runtime versions match between host and chroot environment.
Details
The chroot environment successfully accessed host binaries, but version mismatches indicate the host binaries are not being used for Python and Node.js.

Build Test: Rust - FAILED ❌
Status: Cannot execute tests - toolchain environment issue
Error Summary
The Rust toolchain is installed but cannot be executed. All attempts to run
Symptoms:
Attempted:
Diagnostic Output
This suggests a fundamental environment or shell configuration issue preventing Rust toolchain execution. Manual investigation required.

Summary
`/etc/resolv.conf` is not included in selective `/etc` mounts

Root Cause
In chroot mode with selective `/etc` mounts (PR #545 mounted `/etc/hosts` but not `/etc/resolv.conf`), DNS queries fall back to the host's `systemd-resolved` stub at `127.0.0.53`. Since `127.0.0.53` is not in the iptables allowed DNS list, all DNS queries are blocked. This causes agents like Codex to fail with `error sending request for url (https://api.openai.com/v1/responses)` because they can't resolve any domains.

Evidence from smoke-codex logs
- `[entrypoint][WARN] Could not backup host resolv.conf, skipping DNS override` — confirms `/host/etc/resolv.conf` didn't exist
- `Request failed...error sending request` — Codex can't reach `api.openai.com`
- `host.docker.internal`) worked fine — confirms the firewall bypass is working, only DNS is broken

Changes
- `containers/agent/entrypoint.sh`:
  - `RESOLV_CREATED` flag alongside existing `RESOLV_MODIFIED`
  - `/host/etc/resolv.conf` exists before attempting backup
  - `/etc/resolv.conf`

Test plan
- `npm test` — 732 tests)

🤖 Generated with Claude Code
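The entrypoint behaviour described in the PR (create the file when it is missing, remember that with a flag, remove it on exit, and keep the backup/restore path for a file that already exists), as an added shell example that is not the project's `containers/agent/entrypoint.sh`. The function names, the root and source path arguments (the project uses `/host` and the container's own `/etc/resolv.conf`) and the backup suffix are assumptions.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh: supply a resolv.conf to a
# chroot whose /etc is only selectively mounted, and undo it on exit. Function
# names and the root/source arguments are assumptions (project uses /host).
set -eu

RESOLV_CREATED=0    # we created the file: remove it on exit
RESOLV_MODIFIED=0   # file already existed: back it up, restore it on exit

# Put $src in place as $root/etc/resolv.conf, remembering how to undo it.
setup_chroot_resolv() {
  root="$1"; src="$2"; dst="$1/etc/resolv.conf"
  if [ ! -e "$dst" ]; then
    # The PR's case: selective /etc mounts left resolv.conf out, so lookups
    # would fall back to the host stub (127.0.0.53), which the iptables DNS
    # allow-list blocks. Create the file from the container's config instead.
    mkdir -p "$root/etc"
    cp "$src" "$dst"
    RESOLV_CREATED=1
  else
    # Existing behaviour: file is present, back it up (suffix assumed) first.
    cp "$dst" "$dst.awf-backup"
    cp "$src" "$dst"
    RESOLV_MODIFIED=1
  fi
}

# Reverse whatever setup_chroot_resolv did, leaving no trace in the chroot.
cleanup_chroot_resolv() {
  dst="$1/etc/resolv.conf"
  if [ "$RESOLV_CREATED" = 1 ]; then
    rm -f "$dst"
    RESOLV_CREATED=0
  elif [ "$RESOLV_MODIFIED" = 1 ]; then
    mv -f "$dst.awf-backup" "$dst"
    RESOLV_MODIFIED=0
  fi
}

# Demo on a constructed tree: /etc exists (hosts is mounted), resolv.conf is not.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/host/etc"
printf 'nameserver 127.0.0.11\n' > "$demo_root/container-resolv.conf"  # constructed
(
  trap 'cleanup_chroot_resolv "$demo_root/host"' EXIT  # runs when the subshell exits
  setup_chroot_resolv "$demo_root/host" "$demo_root/container-resolv.conf"
  echo "chroot resolv.conf now: $(cat "$demo_root/host/etc/resolv.conf")"
)
[ -e "$demo_root/host/etc/resolv.conf" ] && echo "leftover file" || echo "cleaned up"
rm -rf "$demo_root"
```

The subshell `trap ... EXIT` stands in for the entrypoint's exit handler: in the created case the file is removed, in the pre-existing case the backup is moved back, so the chroot ends up as it was found.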