
[awf] DIFC proxy: containers run as root causing permission denied on shared rpc-messages.jsonl #3869

@lpcox

Problem

When DIFC proxy is active, start_difc_proxy.sh and start_cli_proxy.sh launch their containers without a --user flag, defaulting to root (UID 0). The MCP Gateway runs with --user "$(id -u):$(id -g)" (UID 1001) and cannot write to the root-owned rpc-messages.jsonl in the shared /tmp/gh-aw/mcp-logs/ volume. The agent job succeeds but the "Parse MCP Gateway logs" post-step calls core.setFailed() on the zero-byte file.

Context

Original report: github/gh-aw#33892

Regression introduced in #22563 (DIFC proxy added without --user); became a hard failure in #33358 (zero-byte file now fatal).

Root Cause

actions/setup/sh/start_difc_proxy.sh:42 and actions/setup/sh/start_cli_proxy.sh:43 omit --user "$(id -u):$(id -g)" from docker run, so proxy containers create log files as root, blocking the runner-UID gateway from writing.

Proposed Solution

Add --user "$(id -u):$(id -g)" to both docker run invocations:

# start_difc_proxy.sh line 42 and start_cli_proxy.sh line 43
 docker run -d --name awmg-proxy --network host \
+  --user "$(id -u):$(id -g)" \
   -e GH_TOKEN \
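
Review bot: The single `+  --user "$(id -u):$(id -g)" \` line is shown against the `awmg-proxy` invocation only, while the comment above it says the change applies to both `start_difc_proxy.sh` line 42 and `start_cli_proxy.sh` line 43; the patch should carry one hunk per script so the second `docker run` is not missed. The flag also only affects files created from now on: a log file or directory already created as root keeps its owner, and a process started under a numeric UID can no longer write to root-owned paths inside the image. Suggest creating the shared log directory as the runner user before `docker run` and confirming the proxy writes nowhere except the mounted volume.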

This ensures the proxy containers write files as the runner UID, matching the MCP Gateway's ownership, eliminating the permission denied error.

Generated by Firewall Issue Dispatcher · sonnet46 1.6M ·
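
A lint-style check for the root cause described in this issue, given here as an added example that is not part of the issue or of the gh-aw code base: it reports every `docker run` in a shell script that has no explicit `--user`/`-u`, treating backslash-continued lines as one command. The function names, the two sample scripts and the image name are constructed for illustration.

```sh
#!/bin/sh
# Added example (not the project's code): report `docker run` commands with no
# explicit --user/-u. Such containers start as the image's default user, which
# is root unless the image sets USER, so files they create on a shared volume
# are root-owned.

# Prints "file:line" for each docker run lacking --user. Backslash-continued
# lines are joined so a multi-line invocation is checked as a whole.
docker_run_without_user() {
  awk '
    function check(   padded) {
      padded = cmd " "
      if (padded ~ /[^A-Za-z0-9_-]docker[ \t]+run[ \t]/ &&
          padded !~ /[ \t](--user[ \t=]|-u[ \t=])/)
        printf "%s:%d\n", FILENAME, start
      cmd = ""
    }
    FNR == 1 && cmd != "" { cmd = "" }      # never join across files
    cmd == "" && /^[ \t]*#/ { next }        # skip whole-line comments
    {
      if (cmd == "") start = FNR
      line = $0
      cont = sub(/\\[ \t]*$/, "", line)     # trailing backslash = continuation
      cmd = cmd " " line
      if (!cont) check()
    }
    END { if (cmd != "") check() }
  ' "$@"
}

# Constructed stand-ins for a script before and after the proposed change.
# The image name is a placeholder, not the real proxy image.
demo_constructed_scripts() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  printf '%s\n' '#!/bin/sh' '# constructed: no --user' \
    'docker run -d --name awmg-proxy --network host \' \
    '  -e GH_TOKEN \' \
    '  example.invalid/proxy:constructed' > before.sh
  printf '%s\n' '#!/bin/sh' \
    'docker run -d --name awmg-proxy --network host \' \
    '  --user "$(id -u):$(id -g)" \' \
    '  -e GH_TOKEN \' \
    '  example.invalid/proxy:constructed' > after.sh
  docker_run_without_user before.sh after.sh
  cd / && rm -rf "$dir"
)

demo_constructed_scripts
```

The check is textual, so a `docker run` that appears inside a quoted string is reported as well; treat the output as a list to review.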
