Problem
On ARC/DinD runners (runner.topology: arc-dind), the rootless artifact permission repair fails for squid log files (access.log, cache.log, audit.jsonl). This prevents awf logs summary from reading logs and blocks artifact upload of firewall logs.
Error output
[WARN] Could not fix squid log permissions: Error: Command failed with exit code 1: chmod -R a+rX /home/runner/_work/_temp/gh-aw/sandbox/firewall/logs
chmod: changing permissions of '/home/runner/_work/_temp/gh-aw/sandbox/firewall/logs': Operation not permitted
chmod: changing permissions of '/home/runner/_work/_temp/gh-aw/sandbox/firewall/logs/access.log': Operation not permitted
[WARN] Rootless artifact permission repair failed for /home/runner/_work/_temp/gh-aw/sandbox/firewall/logs (exit 1)
[WARN] Rootless artifact permission repair failed for /home/runner/_work/_temp/gh-aw/sandbox/firewall/audit (exit 1)
##[warning]Failed to process file .../access.log: EACCES: permission denied, open '...'
Root cause
- Squid writes log files as its internal user (e.g., UID 13) inside the container
- After
docker compose down, files on the host are owned by that UID
- The direct chmod on the host fails because runner user (UID 1001) doesn't own the files and has no sudo
- The docker-based repair (
fixArtifactPermissionsForRootless) also fails — likely because:
- The
--docker-host-path-prefix translation isn't applied to the repair step's bind mount
- Or the squid image is no longer available after
docker compose down -v with --pull never
Impact
- Non-blocking: the agent run itself succeeds
awf logs summary returns "Failed to load logs: EACCES"
- Firewall logs are not included in uploaded artifacts
- Audit trail is incomplete
Observed in
Suggested fixes
- Fix permissions BEFORE
docker compose down — Run chmod -R a+rX inside the squid container (where the process is root) before stopping, while the container still has access to the log volume
- Run squid with matching UID — Configure squid to write logs as the runner's UID (passed via
AWF_HOST_UID env var) so no repair is needed
- Fix docker-based repair for ARC/DinD — Apply
dockerHostPathPrefix translation to the bind mount in fixArtifactPermissionsForRootless() so the daemon can resolve the path
Option 1 seems most robust since it doesn't depend on path translation or image availability after shutdown.
Related
Problem
On ARC/DinD runners (
runner.topology: arc-dind), the rootless artifact permission repair fails for squid log files (access.log,cache.log,audit.jsonl). This preventsawf logs summaryfrom reading logs and blocks artifact upload of firewall logs.Error output
Root cause
docker compose down, files on the host are owned by that UIDfixArtifactPermissionsForRootless) also fails — likely because:--docker-host-path-prefixtranslation isn't applied to the repair step's bind mountdocker compose down -vwith--pull neverImpact
awf logs summaryreturns "Failed to load logs: EACCES"Observed in
Suggested fixes
docker compose down— Runchmod -R a+rXinside the squid container (where the process is root) before stopping, while the container still has access to the log volumeAWF_HOST_UIDenv var) so no repair is neededdockerHostPathPrefixtranslation to the bind mount infixArtifactPermissionsForRootless()so the daemon can resolve the pathOption 1 seems most robust since it doesn't depend on path translation or image availability after shutdown.
Related
fix: ensure chmod runs even when chown fails(helps standard rootless, but not ARC/DinD)fix: add write permission in rootless artifact permission repairFix rootless firewall artifact permissions to prevent EACCES on upload