Squid config error on self-hosted ARC Runners #18385

@dhrapson

Description

Hi, when executing on self-hosted ARC runners, the Workflows fail on the Execute GitHub Copilot CLI step with the below error.
The ARC configuration has a dind container available for the docker facility, and both the runner and dind containers are set to privileged: true and allowPrivilegeEscalation: true; there are no other securityContext items added.

Are self-hosted runners based on ARC supported for these agentic workflows yet?
Can you help me figure out what's causing this issue?

[WARN] ⚠️  Using --env-all: All host environment variables will be passed to container
[WARN]    This may expose sensitive credentials if logs or configs are shared
[WARN] ⚠️  Host access enabled with host.docker.internal in allowed domains
[WARN]    Containers can access ANY service running on the host machine
[WARN]    Only use this for trusted workloads (e.g., MCP gateways)
[INFO] API proxy enabled: OpenAI=false, Anthropic=false, Copilot=true
[INFO] Allowed domains: api.business.githubcopilot.com, api.enterprise.githubcopilot.com, api.github.com, api.githubcopilot.com, api.individual.githubcopilot.com, api.snapcraft.io, archive.ubuntu.com, azure.archive.ubuntu.com, crl.geotrust.com, crl.globalsign.com, crl.identrust.com, crl.sectigo.com, crl.thawte.com, crl.usertrust.com, crl.verisign.com, crl3.digicert.com, crl4.digicert.com, crls.ssl.com, github.com, host.docker.internal, json-schema.org, json.schemastore.org, keyserver.ubuntu.com, ocsp.digicert.com, ocsp.geotrust.com, ocsp.globalsign.com, ocsp.identrust.com, ocsp.sectigo.com, ocsp.ssl.com, ocsp.thawte.com, ocsp.usertrust.com, ocsp.verisign.com, packagecloud.io, packages.cloud.google.com, packages.microsoft.com, ppa.launchpad.net, raw.githubusercontent.com, registry.npmjs.org, s.symcb.com, s.symcd.com, security.ubuntu.com, telemetry.enterprise.githubcopilot.com, ts-crl.ws.symantec.com, ts-ocsp.ws.symantec.com
[INFO] Setting up host-level firewall network and iptables rules...
[SUCCESS] Created network 'awf-net' with bridge 'fw-bridge'
[INFO] Setting up host-level iptables rules...
[SUCCESS] Host-level iptables rules configured successfully
[INFO] Generating configuration files...
[INFO] API proxy sidecar enabled - API keys will be held securely in sidecar container
[INFO] API proxy will route through Squid to respect domain whitelisting
[INFO] Starting containers...
 Container awf-squid  Creating
 Container awf-api-proxy  Creating
 Container awf-api-proxy  Created
 Container awf-squid  Created
 Container awf-agent  Creating
 Container awf-agent  Created
 Container awf-squid  Starting
 Container awf-api-proxy  Starting
 Container awf-api-proxy  Started
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/tmp/awf-1772022652973/squid.conf" to rootfs at "/etc/squid/squid.conf": mount /tmp/awf-1772022652973/squid.conf:/etc/squid/squid.conf (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Error:  Failed to start containers: Error: Command failed with exit code 1: docker compose up -d --pull never
    at makeError (/snapshot/gh-aw-firewall/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/snapshot/gh-aw-firewall/node_modules/execa/index.js:118:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.startContainers (/snapshot/gh-aw-firewall/dist/docker-manager.js:1271:9)
    at async runMainWorkflow (/snapshot/gh-aw-firewall/dist/cli-workflow.js:23:5)
    at async Command.<anonymous> (/snapshot/gh-aw-firewall/dist/cli.js:857:20) {
  shortMessage: 'Command failed with exit code 1: docker compose up -d --pull never',
  command: 'docker compose up -d --pull never',
  escapedCommand: 'docker compose up -d --pull never',
  exitCode: 1,
  signal: undefined,
  signalDescription: undefined,
  stdout: undefined,
  stderr: undefined,
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false
}
Error: [ERROR] Fatal error: Error: Command failed with exit code 1: docker compose up -d --pull never
    at makeError (/snapshot/gh-aw-firewall/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/snapshot/gh-aw-firewall/node_modules/execa/index.js:118:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.startContainers (/snapshot/gh-aw-firewall/dist/docker-manager.js:1271:9)
    at async runMainWorkflow (/snapshot/gh-aw-firewall/dist/cli-workflow.js:23:5)
    at async Command.<anonymous> (/snapshot/gh-aw-firewall/dist/cli.js:857:20) {
  shortMessage: 'Command failed with exit code 1: docker compose up -d --pull never',
  command: 'docker compose up -d --pull never',
  escapedCommand: 'docker compose up -d --pull never',
  exitCode: 1,
  signal: undefined,
  signalDescription: undefined,
  stdout: undefined,
  stderr: undefined,
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false
}
[INFO] API proxy logs available at: /tmp/gh-aw/sandbox/firewall/api-proxy-logs
[INFO] Squid logs available at: /tmp/gh-aw/sandbox/firewall/logs
Process exiting with code: 1
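A diagnostic for the failure the log shows, added here as an example and not part of the issue or of gh-aw-firewall: it parses the runc message, then asks the Docker daemon (which, behind a dind sidecar, has its own filesystem) what actually exists at the bind-mount source. A file the runner wrote under /tmp can be absent on the daemon's side; Docker then creates an empty directory there and the mount onto /etc/squid/squid.conf fails with "not a directory". The `daemon_path_type` / `image_path_type` probes and the `SQUID_IMAGE` placeholder are assumptions.

```shell
#!/bin/sh
# Sample line constructed from the runc error quoted in the issue.
SAMPLE_ERROR='Error response from daemon: failed to create task for container: error mounting "/tmp/awf-1772022652973/squid.conf" to rootfs at "/etc/squid/squid.conf": not a directory'
SQUID_IMAGE="${SQUID_IMAGE:-placeholder/squid-image}"   # placeholder, not from the issue

# Extract "<src> <dst>" from a runc "error mounting" message.
parse_mount_error() {
  printf '%s\n' "$1" |
    sed -n 's/.*error mounting "\([^"]*\)" to rootfs at "\([^"]*\)".*/\1 \2/p'
}

# Compare what the daemon sees at the source with the target's type in the image.
# Types are "file", "dir" or "missing".
classify_mount() {
  case "$1:$2" in
    missing:*)         echo "SOURCE_NOT_VISIBLE_TO_DAEMON" ;;
    file:file|dir:dir) echo "OK" ;;
    *)                 echo "TYPE_MISMATCH" ;;
  esac
}

# Ask the daemon (not the local shell) what exists at <path>, by bind-mounting
# the parent directory into a throwaway container. Requires docker.
daemon_path_type() {
  parent=$(dirname "$1"); base=$(basename "$1")
  docker run --rm -v "$parent:/probe:ro" busybox sh -c \
    "if [ -d /probe/$base ]; then echo dir; elif [ -e /probe/$base ]; then echo file; else echo missing; fi"
}

# Type of <path> inside <image>, so the expected target type is not guessed.
image_path_type() {
  docker run --rm --entrypoint sh "$1" -c \
    "if [ -d '$2' ]; then echo dir; elif [ -e '$2' ]; then echo file; else echo missing; fi"
}

# diagnose <error-message> <image>: prints src, dst, both types and the verdict.
diagnose() {
  pair=$(parse_mount_error "$1"); src=${pair% *}; dst=${pair#* }
  st=$(daemon_path_type "$src"); dt=$(image_path_type "$2" "$dst")
  echo "source=$src daemon_sees=$st target=$dst image_has=$dt -> $(classify_mount "$st" "$dt")"
}
```

Run `diagnose "$SAMPLE_ERROR" "$SQUID_IMAGE"` from the runner container; a verdict other than OK means the compose file's host path is not the path the dind daemon resolves, so the generated squid.conf must live on a volume shared by both containers.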
