Fix the rootless chroot hosts-file write in awf sandbox config generation — it fatally EACCES-crashes every network-isolated agent run
Parent: #46170
Problem statement
In network-isolation mode, awf config generation (writeConfigs, awf-bundle.js:805) aborts with a fatal EACCES while writing the chroot hosts file, killing the agent job before any work runs (token usage 0). This is 100% reproducible on GitHub-hosted rootless runners and is currently failing all Smoke CI agent jobs.
Affected workflows & run IDs
Probable root cause
- Uid-remap permission mismatch: chroot dirs are created
mode=0600/0700 owned by uid=1001, but under the rootless container remap the effective writer's uid differs from the owner, so the 0700 dir is not traversable/writable → the initial EACCES warning.
- Broken fallback: the fallback is supposed to write into
hostsRootDir (/tmp/awf-<id>) but instead targets a different, never-created path /tmp/awf-chroot-<y>/hosts — so the "recovery" write is guaranteed to fail fatally.
Proposed remediation
- Create the chroot hosts directory with group/other-traversable perms appropriate for the rootless remap (e.g.
0711 on parents, 0644 on the hosts file) instead of 0700/0600, or create it under the uid that actually performs the write.
- Fix the fallback to write into the actual
hostsRootDir it just logged, not a newly-constructed /tmp/awf-chroot-* path; reuse the existing verified directory handle.
- Make the fallback non-fatal: on
EACCES, retry via the already-created writable dir and only abort if all candidates fail, with a diagnostic listing attempted paths + stat perms.
- Add a rootless-runner regression test that exercises
writeConfigs under a remapped uid.
Success criteria / verification
Generated by 🔍 [aw] Failure Investigator (6h) · 129.8 AIC · ⌖ 40.7 AIC · ⊞ 5.2K · ◷
Fix the rootless chroot hosts-file write in
awfsandbox config generation — it fatallyEACCES-crashes every network-isolated agent runParent: #46170
Problem statement
In network-isolation mode,
awfconfig generation (writeConfigs,awf-bundle.js:805) aborts with a fatalEACCESwhile writing the chroothostsfile, killing the agent job before any work runs (token usage0). This is 100% reproducible on GitHub-hosted rootless runners and is currently failing all Smoke CI agent jobs.Affected workflows & run IDs
.github/workflows/smoke-ci.lock.yml) — dominant, majority of 31 failed runs in the 6h window.Probable root cause
mode=0600/0700owned byuid=1001, but under the rootless container remap the effective writer's uid differs from the owner, so the0700dir is not traversable/writable → the initialEACCESwarning.hostsRootDir(/tmp/awf-<id>) but instead targets a different, never-created path/tmp/awf-chroot-<y>/hosts— so the "recovery" write is guaranteed to fail fatally.Proposed remediation
0711on parents,0644on thehostsfile) instead of0700/0600, or create it under the uid that actually performs the write.hostsRootDirit just logged, not a newly-constructed/tmp/awf-chroot-*path; reuse the existing verified directory handle.EACCES, retry via the already-created writable dir and only abort if all candidates fail, with a diagnostic listing attempted paths +statperms.writeConfigsunder a remapped uid.Success criteria / verification
Execute GitHub Copilot CLIstep.EACCES ... /hostsfatal inwriteConfigsacross 10 consecutive Smoke CI runs.Related to [aw-failures] P0: Smoke CI sandbox crash — EACCES writing chroot hosts file blocks all PR agent runs (last 6h) #46170