Make /etc/hosts write non-fatal for non-root container execution #3985
gh-aw PR #26658 adds --user $(id -u):$(id -g) to the MCP gateway Docker run command so log files are readable by downstream steps. With set -e, the echo >> /etc/hosts in configure_host_dns() would abort the gateway when running as non-root.

Fix: wrap the write in an if-else so failure is a warning, not fatal. With --network host the host.docker.internal mapping is unnecessary anyway since localhost works directly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adjusts the containerized gateway startup script to avoid aborting when running as a non-root user in the container, by making the /etc/hosts update best-effort instead of fatal under set -e.
Changes:
- Makes the `host.docker.internal` append to `/etc/hosts` conditional on write success and logs a warning on failure.
| File | Description |
|---|---|
| `run_containerized.sh` | Makes /etc/hosts write non-fatal and logs a warning if it can’t be written (e.g., non-root container user). |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 1
| if echo "$HOST_IP host.docker.internal" >> /etc/hosts 2>/dev/null; then | ||
| log_info "DNS mapping configured: $HOST_IP -> host.docker.internal" | ||
| else | ||
| log_warn "Cannot write to /etc/hosts (running as non-root?); host.docker.internal mapping skipped" | ||
| fi |
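Review bot: the success branch never checks that `$HOST_IP` is non-empty before `echo "$HOST_IP host.docker.internal" >> /etc/hosts`, so an unset value would append a malformed ` host.docker.internal` line and still log "DNS mapping configured". Guard the write with `[ -n "$HOST_IP" ]` unless the surrounding function already does, and since `>>` appends on every start, consider skipping the write when the entry is already present. The `log_warn` text also attributes every failure to a non-root user, although the `else` branch is taken for any write error.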
2>/dev/null here will not reliably suppress the “Permission denied” message when >> /etc/hosts fails, because the shell attempts the >> redirection before applying the stderr redirect. In non-root runs this can still emit noisy stderr even though you log a warning. Consider redirecting stderr for a grouped command (or pre-checking writability) so redirection/open errors are also silenced.
@copilot update the pr with this feedback #3985 (review)
Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/5ba53afd-63d5-4103-b7e0-e20725f32cf6
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Updated in commit

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:
Context

Companion to gh-aw#26658, which adds `--user $(id -u):$(id -g)` to the MCP gateway Docker run command so log files written via `/tmp` bind mounts are readable by downstream redaction and upload steps.

Problem

`run_containerized.sh` runs with `set -e` and unconditionally writes to `/etc/hosts` (line 289):

When the container runs as a non-root user, this write fails with EACCES, aborting the entire gateway startup.

Fix
Wrap the `/etc/hosts` write in an if-else so failure produces a warning instead of aborting. With `--network host` (which the gateway always uses), the `host.docker.internal` mapping is unnecessary since `localhost` works directly.

Changes

- `run_containerized.sh`: `/etc/hosts` write non-fatal; log warning on failure
- `make agent-finished` ✓
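
An added example, not code from this PR or the project: it reproduces the two shell behaviours discussed on this page, the `set -e` abort on an unguarded write (Problem/Fix above) and the redirection-order issue from the review comment. The target path, the sample mapping line and all function names are constructed for the demonstration; a path in a missing directory stands in for `/etc/hosts` so the write fails the same way for root and non-root.

```shell
#!/bin/sh
# Constructed stand-ins: the parent directory does not exist, so the append
# fails for every user (root included), as /etc/hosts does for a non-root user.
TARGET="/nonexistent-demo-dir/hosts"
LINE="172.17.0.1 host.docker.internal"   # constructed sample mapping

# Run a snippet in a fresh sh under set -e and print its stdout only.
# Inside the snippet, $1 is TARGET and $2 is LINE.
run_startup() {
    sh -c "set -e; $1; echo 'gateway started'" sh "$TARGET" "$LINE" 2>/dev/null || true
}

# Before the fix: a bare failing write under set -e ends the script early.
startup_unguarded() { run_startup 'echo "$2" >> "$1"'; }

# After the fix: a failure inside an if condition is not fatal.
startup_guarded() {
    run_startup 'if echo "$2" >> "$1"; then :; else echo "WARN: mapping skipped"; fi'
}

# Print only what a snippet writes to stderr (its stdout is discarded).
stderr_of() { sh -c "$1" sh "$TARGET" "$LINE" 2>&1 >/dev/null || true; }

# Trailing 2>/dev/null, as in the hunk: redirections apply left to right, so
# the failed >> is reported before stderr has been pointed at /dev/null.
stderr_trailing() { stderr_of 'echo "$2" >> "$1" 2>/dev/null'; }

# Grouped form: stderr of the whole group is redirected first, so the
# open error is silenced too.
stderr_grouped() { stderr_of '{ echo "$2" >> "$1"; } 2>/dev/null'; }

# Pre-check form: the write is never attempted on an unwritable file.
stderr_precheck() { stderr_of 'if [ -w "$1" ]; then echo "$2" >> "$1"; fi'; }

printf 'unguarded stdout: [%s]\n' "$(startup_unguarded)"
printf 'guarded stdout:   [%s]\n' "$(startup_guarded)"
printf 'trailing stderr:  [%s]\n' "$(stderr_trailing)"
printf 'grouped stderr:   [%s]\n' "$(stderr_grouped)"
printf 'precheck stderr:  [%s]\n' "$(stderr_precheck)"
```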