Harness Replays: cf-proxy bind-mount fails on act runner (DinD path-translation) #55

Open
opened 2026-05-07 21:38:27 +00:00 by claude-ceo-assistant · 0 comments

Symptom

After the Class G #168 + #173 + harness-replays pre-clone fix (#50), harness-replays.yml no longer fails on auth or docker-build COPY. It now fails further down the pipeline when starting cf-proxy:

Error response from daemon: failed to create task for container: failed to create shim task:
OCI runtime create failed: runc create failed: unable to start container process:
error during container init: error mounting
  "/workspace/molecule-ai/molecule-core/tests/harness/cf-proxy/nginx.conf"
  to rootfs at "/etc/nginx/nginx.conf":
  mount src=..., dst=..., flags=MS_BIND|MS_REC: not a directory:
  Are you trying to mount a directory onto a file (or vice-versa)?

(Run #1071 job 1, line 654.)

Root cause

Gitea Actions self-hosted runner uses act which exposes the checkout at /workspace/<owner>/<repo> inside the runner container. docker compose in the harness then asks the host docker daemon to bind-mount that path. The host has no such path → docker daemon attempts to auto-create a directory at the source → mount destination is a file (/etc/nginx/nginx.conf) but source is a directory → "not a directory" error.

Evidence harness has never been green

Reviewing 30 historical harness-replays.yml runs on this Gitea repo: 29 Failure, 1 Success. The 1 Success (run #683) was a no-op pass (paths-filter excluded the commit — Run Main No-op pass (paths filter excluded this commit) on line 32). The harness boot path has never actually executed end-to-end on Gitea Actions.

Possible fixes (need design)

  1. DinD sidecar: configure act_runner with containerOptions: --privileged -v /var/run/docker.sock:/var/run/docker.sock and use ${{ runner.workspace }} translation. Per saved memory feedback_act_runner_github_server_url, runner config edits are well-trodden.

  2. Bake nginx.conf into the cf-proxy image: change tests/harness/cf-proxy/Dockerfile to COPY nginx.conf /etc/nginx/nginx.conf, drop the bind-mount in compose.yml. Pure file → no path-translation issue. Tradeoff: slower iteration on nginx.conf changes (need rebuild).

  3. Inline nginx.conf via configMap-style env: build with envsubst < nginx.conf.template. Heavier change.

  4. Set DOCKER_HOST=tcp://docker:2375 + sidecar docker daemon scoped to act runner.

Recommend (2) as the smallest change — it makes the harness self-contained and removes the runner-specific assumption.

Pre-existing nature

This blocker would have hit even with sister #173's full fix in place — proven by run #892 on main getting only as far as the COPY step (because main has no pre-clone step in harness-replays.yml). Once #50 lands, every subsequent harness run hits this cf-proxy issue immediately.

Refs

  • Class G #168 (closes auth in clone-manifest)
  • #173 (clone outside image, COPY only)
  • PR #50 (closes pre-clone gap in harness-replays.yml — exposes this issue)
  • Saved memory: feedback_act_runner_github_server_url (related runner-config gotchas)
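
An added preflight check (not code from this repository) for the failure described under Root cause: it reads the resolved model printed by `docker compose config --format json` and reports bind mounts whose source lies under the runner-only checkout root, so the job can stop before the daemon is asked to mount a path it cannot see. The sample JSON, the `upstream` service, the function name and the `/workspace` default are constructed for the example, and the field names are assumed to follow the Compose long volume syntax.

```python
import json
from pathlib import PurePosixPath

# Constructed sample in the shape of `docker compose config --format json`
# output (long volume syntax). Only the cf-proxy paths come from the issue;
# the "upstream" service and its mounts are made up for the example.
SAMPLE_CONFIG = json.dumps({"services": {
    "cf-proxy": {"volumes": [{
        "type": "bind",
        "source": "/workspace/molecule-ai/molecule-core/tests/harness/cf-proxy/nginx.conf",
        "target": "/etc/nginx/nginx.conf",
        "bind": {"create_host_path": True},
    }]},
    "upstream": {"volumes": [
        {"type": "volume", "source": "replay-data", "target": "/data"},
        {"type": "bind", "source": "/workspace-cache/pip", "target": "/cache"},
    ]},
}})


def runner_local_binds(config_json, workspace_root="/workspace"):
    """List bind mounts whose source sits under the runner-only checkout root.

    Returns (service, source, target, auto_create) tuples. auto_create is True
    when the daemon is allowed to create a directory at a missing source,
    which is what turns a file mount into the "not a directory" error.
    """
    root = PurePosixPath(workspace_root)
    findings = []
    for name, svc in sorted(json.loads(config_json).get("services", {}).items()):
        for vol in svc.get("volumes") or []:
            if not isinstance(vol, dict) or vol.get("type") != "bind":
                continue  # only host-path binds depend on the daemon's filesystem
            src = PurePosixPath(vol.get("source") or "")
            # Compare path components, so /workspace-cache is not a match.
            if src == root or root in src.parents:
                auto = bool((vol.get("bind") or {}).get("create_host_path"))
                findings.append((name, str(src), vol.get("target", ""), auto))
    return findings


if __name__ == "__main__":
    for svc, src, dst, auto in runner_local_binds(SAMPLE_CONFIG):
        print(f"{svc}: {src} -> {dst} (daemon may create source dir: {auto})")
```

With fix (2) applied the cf-proxy entry disappears from the resolved model and the function returns an empty list for that service.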
Reference: molecule-ai/molecule-core#55