Skip to content

fix: rootless artifact permission repair fails on ARC/DinD topology #5816

Description

@lpcox

Problem

On ARC/DinD runners (runner.topology: arc-dind), the rootless artifact permission repair fails for squid log files (access.log, cache.log, audit.jsonl). This prevents awf logs summary from reading logs and blocks artifact upload of firewall logs.

Error output

[WARN] Could not fix squid log permissions: Error: Command failed with exit code 1: chmod -R a+rX /home/runner/_work/_temp/gh-aw/sandbox/firewall/logs
chmod: changing permissions of '/home/runner/_work/_temp/gh-aw/sandbox/firewall/logs': Operation not permitted
chmod: changing permissions of '/home/runner/_work/_temp/gh-aw/sandbox/firewall/logs/access.log': Operation not permitted

[WARN] Rootless artifact permission repair failed for /home/runner/_work/_temp/gh-aw/sandbox/firewall/logs (exit 1)
[WARN] Rootless artifact permission repair failed for /home/runner/_work/_temp/gh-aw/sandbox/firewall/audit (exit 1)

##[warning]Failed to process file .../access.log: EACCES: permission denied, open '...'

Root cause

  1. Squid writes log files as its internal user (e.g., UID 13) inside the container
  2. After docker compose down, files on the host are owned by that UID
  3. The direct chmod on the host fails because runner user (UID 1001) doesn't own the files and has no sudo
  4. The docker-based repair (fixArtifactPermissionsForRootless) also fails — likely because:
    • The --docker-host-path-prefix translation isn't applied to the repair step's bind mount
    • Or the squid image is no longer available after docker compose down -v with --pull never

Impact

  • Non-blocking: the agent run itself succeeds
  • awf logs summary returns "Failed to load logs: EACCES"
  • Firewall logs are not included in uploaded artifacts
  • Audit trail is incomplete

Observed in

Suggested fixes

  1. Fix permissions BEFORE docker compose down — Run chmod -R a+rX inside the squid container (where the process is root) before stopping, while the container still has access to the log volume
  2. Run squid with matching UID — Configure squid to write logs as the runner's UID (passed via AWF_HOST_UID env var) so no repair is needed
  3. Fix docker-based repair for ARC/DinD — Apply dockerHostPathPrefix translation to the bind mount in fixArtifactPermissionsForRootless() so the daemon can resolve the path

Option 1 seems most robust since it doesn't depend on path translation or image availability after shutdown.

Related

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions