[awf] Docker Manager: DinD workflow-scope configuration breaks AWF container startup #2012

@lpcox

Problem

When a DinD (Docker-in-Docker) sidecar is configured at the workflow scope (e.g., DOCKER_HOST=tcp://localhost:2375), AWF-compiled workflows fail during container startup with:

[INFO] Set DOCKER_API_VERSION=1.54 (server current)
Error:  Port 80 is not exposed from the container
Error:  Add port mapping: -p <host_port>:80

Context

Original report: github/gh-aw#25511

Repro configuration:

services:
  dind:
    image: docker:dind
    options: --privileged
    ports:
      - 2375:2375
    env:
      DOCKER_TLS_CERTDIR: ""
env:
  DOCKER_HOST: tcp://localhost:2375

Root Cause

When DOCKER_HOST points to a DinD daemon, the AWF docker compose commands run against the DinD daemon. The DinD daemon's port mapping behavior differs from the default Docker socket (/var/run/docker.sock): published ports are only accessible within the DinD network, not from the host runner. The AWF-generated docker-compose.yml does not expose port 80 as a host-mapped port (it's only used internally in the overlay network 172.30.0.0/24), but the DinD networking layer raises this error when attempting to set up port forwarding for its internal routing.

The getLocalDockerEnv() function in src/docker-manager.ts (lines 69-84) clones process.env and normalizes DOCKER_HOST, but does not detect or adapt for DinD-mode Docker daemons.

Proposed Solution

  1. Detect DinD mode in src/docker-manager.ts: In getLocalDockerEnv(), when DOCKER_HOST is set to a TCP address (e.g., tcp://localhost:2375), set a dind flag on the config.
  2. Adapt network configuration for DinD: When in DinD mode, modify the generated docker-compose.yml in generateDockerCompose() (or src/docker-manager.ts) to:
    • Use network_mode: host for containers that need host-accessible ports, or
    • Add explicit port mappings, or
    • Use a DinD-compatible bridge network configuration.
  3. Add documentation: In docs/environment.md, document the DinD compatibility flag and any required workflow configuration when using DinD sidecars alongside AWF.
  4. Integration test: Add a test case that validates AWF container startup when DOCKER_HOST is set to a TCP address.

Generated by Firewall Issue Dispatcher · ● 2.1M ·
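The detection proposed in step 1 could look like the following added example, which is not AWF's own code. `classifyDockerHost` and `DockerHostReport` are hypothetical names, and treating any TCP `DOCKER_HOST` as DinD is the issue's heuristic. The example also flags the repro's TLS-less port 2375 endpoint, since `DOCKER_TLS_CERTDIR: ""` leaves the daemon API unauthenticated.

```typescript
// Added example: hypothetical helper, not AWF's getLocalDockerEnv().
type Endpoint =
  | { kind: "default-socket" }
  | { kind: "unix"; path: string }
  | { kind: "tcp"; host: string; port: number; loopback: boolean; tls: boolean }
  | { kind: "other"; raw: string };

interface DockerHostReport {
  endpoint: Endpoint;
  dind: boolean; // heuristic from the issue: any TCP DOCKER_HOST is treated as DinD
  warnings: string[];
}

const LOOPBACK = /^(localhost|127(\.\d{1,3}){3}|\[::1\])$/i;

function classifyDockerHost(env: Record<string, string | undefined>): DockerHostReport {
  const raw = (env.DOCKER_HOST ?? "").trim();
  // Unset DOCKER_HOST means the CLI falls back to the local default socket.
  if (raw === "") return { endpoint: { kind: "default-socket" }, dind: false, warnings: [] };
  if (raw.startsWith("unix://")) {
    return { endpoint: { kind: "unix", path: raw.slice(7) }, dind: false, warnings: [] };
  }
  const m = /^tcp:\/\/(\[[^\]]+\]|[^:\/\s]+)(?::(\d{1,5}))?\/?$/.exec(raw);
  if (!m) {
    return { endpoint: { kind: "other", raw }, dind: false,
             warnings: [`unrecognised DOCKER_HOST value: ${raw}`] };
  }
  // Assumption: a non-empty DOCKER_TLS_VERIFY means the client speaks TLS.
  const tls = (env.DOCKER_TLS_VERIFY ?? "") !== "";
  const host = m[1];
  // Conventional daemon ports: 2375 plaintext, 2376 TLS.
  const port = m[2] ? Number(m[2]) : tls ? 2376 : 2375;
  const loopback = LOOPBACK.test(host);
  const warnings: string[] = [];
  if (!tls) {
    warnings.push(`Docker API on ${host}:${port} is plaintext and unauthenticated`);
    if (!loopback) warnings.push("traffic to a non-loopback daemon crosses the network without TLS");
  }
  return { endpoint: { kind: "tcp", host, port, loopback, tls }, dind: true, warnings };
}

// Constructed sample: the env block from the repro configuration above.
const REPRO_REPORT = classifyDockerHost({ DOCKER_HOST: "tcp://localhost:2375" });
```

A caller could use `dind` to switch the compose network configuration and surface `warnings` in the startup log.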