fix: prevent docker output from contaminating command stdout #743
Conversation
The issue was that Docker Compose and Docker commands were using `stdio: 'inherit'` which caused container names like "awf-squid" and "awf-agent" to appear in the command stdout during container startup and teardown. This contaminated the output of user commands, causing test failures when tests checked the last line of stdout. Changes: - Changed stdio from 'inherit' to ['ignore', 'ignore', 'inherit'] in: - startContainers() docker compose up command (line 1138) - stopContainers() docker compose down command (line 1310) - stopContainers() docker rm commands (line 1325) This preserves stderr output for error messages while suppressing stdout that contains container names. Fixes the three failing tests in chroot-edge-cases.test.ts: - "should respect container-workdir in chroot mode" - "should fall back to home directory if workdir does not exist" - "should have HOME set correctly" Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Claude
AI
changed the title
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges... |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
Node.js Build Test Results
Overall: PASS ✅ All Node.js test projects built and tested successfully.
|
Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed tests.
|
Deno Build Test Results
Overall: ✅ PASS All Deno tests completed successfully.
|
Build Test: Bun - Results
Overall: PASS ✅ All Bun projects built and tested successfully.
|
|
Smoke Test Results - Run 21936807159 ✅ GitHub MCP: Retrieved last 2 merged PRs
✅ Playwright: Verified github.com title contains "GitHub" Status: PASS cc:
|
.NET Build Test Results
Overall: PASS ✅ All .NET projects successfully restored, built, and ran with expected output.
|
C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully with CMake and make.
|
Java Build Test Results
Overall: PASS All Java projects compiled and tested successfully through the firewall.
|
Build Test: Rust - FAILED ❌IssueRust build test cannot proceed due to environment limitations:
Test Results
Overall: FAILED - Tests could not run Required ActionsTo enable Rust build tests, choose one of:
Technical Details
|
Chroot Version Comparison Test Results
Overall Result: ❌ Tests did not pass (1/3 runtimes matched) The chroot environment successfully accesses Go from the host, but Python and Node.js versions differ. This is expected behavior - the chroot mode provides transparent access to host binaries when available.
|
There was a problem hiding this comment.
Pull request overview
This PR aims to prevent Docker/Compose commands (e.g., docker compose up/down, docker rm -f) from writing container names to stdout, which can contaminate the user command’s output and break stdout-sensitive tests/consumers.
Changes:
- Suppress stdout for
docker compose up -dduring container startup while preserving stderr for errors. - Suppress stdout for
docker compose down -vduring cleanup while preserving stderr for errors. - Suppress stdout for fallback
docker rm -fcontainer removals while preserving stderr for errors.
Comments suppressed due to low confidence (1)
src/docker-manager.ts:1138
- This change updates the
execaoptions fordocker compose up, but the unit tests still assertstdio: 'inherit'for this call (seesrc/docker-manager.test.tsstartContainers tests around the expectations for compose up). Please update the mockedtoHaveBeenCalledWithexpectations to match the new stdio configuration so the unit test suite reflects the new behavior.
await execa('docker', composeArgs, {
cwd: workDir,
stdio: ['ignore', 'ignore', 'inherit'], // Only inherit stderr for errors, ignore stdout to prevent container names appearing in output
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| await execa('docker', composeArgs, { | ||
| cwd: workDir, | ||
| stdio: 'inherit', | ||
| stdio: ['ignore', 'ignore', 'inherit'], // Only inherit stderr for errors, ignore stdout to prevent container names appearing in output |
There was a problem hiding this comment.
stdio: ['ignore', 'ignore', 'inherit'] also changes stdin from inherited to ignored. If the goal is only to suppress Docker stdout, consider inheriting stdin and only ignoring stdout (e.g., keep stdin as inherit) to avoid an unnecessary behavior change for interactive/TTY-sensitive Docker commands.
This issue also appears on line 1136 of the same file.
| stdio: ['ignore', 'ignore', 'inherit'], // Only inherit stderr for errors, ignore stdout to prevent container names appearing in output | |
| stdio: ['inherit', 'ignore', 'inherit'], // Only inherit stderr for errors, ignore stdout to prevent container names appearing in output |
| await execa('docker', ['compose', 'down', '-v'], { | ||
| cwd: workDir, | ||
| stdio: 'inherit', | ||
| stdio: ['ignore', 'ignore', 'inherit'], // Ignore stdout to prevent container names appearing in output |
There was a problem hiding this comment.
The stopContainers() unit tests currently expect docker compose down -v to be invoked with stdio: 'inherit', but this call now uses a different stdio config. Also, stopContainers() only takes the compose-down branch when docker-compose.yml exists; the test should either create that file to exercise this branch or update expectations to match the fallback path.
| stdio: ['ignore', 'ignore', 'inherit'], // Ignore stdout to prevent container names appearing in output | |
| stdio: 'inherit', |
2 participants
Docker Compose and
docker rmcommands were outputting container names ("awf-squid", "awf-agent") to stdout, contaminating user command output and causing test failures that checked the last line of stdout.Changes
Changed
stdioconfiguration from'inherit'to['ignore', 'ignore', 'inherit']insrc/docker-manager.ts:startContainers()- docker compose up command (line 1138)stopContainers()- docker compose down command (line 1310)stopContainers()- docker rm commands (line 1325)This suppresses stdout while preserving stderr for error messages.
Example
Before the fix, running
pwdwithcontainerWorkDir: '/tmp'would output:After the fix:
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
8.8.4.4REDACTED, pid is -1(packet block)8.8.8.8REDACTED, pid is -1(packet block)example.com/usr/bin/curl curl -f --connect-timeout 5 REDACTED --no-pager s1389343469 in/iptables by/a86e7eb8d0c6ddocker io.containerd.rucompose 2b5a9d4cf6954c3aup e2c9caba6be97d97-d NR==�� 6de724716a584890 iptables k/gh-aw-firewall/node_modules/.b--log-level nat -A /node_modules/.b-t bash(dns block)https://api.github.com/repos/github/gh-aw-firewall/actions/runs/21936294354/usr/bin/gh gh run view 21936294354 --log -b claude/fix-github-actions-workflow-again /usr/local/bin/git --depth 2 REDACTED git conf�� unset --global e/node_modules/@anthropic-ai/claude-agent-sdk/vendor/ripgrep/x64-linux/rg pull.rebase(http block)If you need me to access, download, or install something from one of these locations, you can either: