Add compiler support for AWF --network-isolation topology mode (ARC/DinD-compatible egress) #41088
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
--network-isolation topology mode (ARC/DinD-compatible egress)
Pull request overview
This PR adds compiler support for AWF’s opt-in --network-isolation topology mode, threading a new sandbox.agent.network-isolation frontmatter flag through workflow data so generation can emit isolation-aware AWF config, arguments, MCP gateway wiring, and proxy startup behavior (ARC/DinD-friendly; avoids host iptables/NET_ADMIN).
Changes:
- Added `sandbox.agent.network-isolation` to parsing + workflow schema, and threaded it through generation paths.
- Updated MCP gateway generation to use internal container addressing (`awmg-mcpg`) and bridge networking when isolation is enabled.
- Extended emitted `awf --config` JSON with `network.isolation` and `network.topologyAttach`, and adjusted AWF args / proxy scripts for isolation mode.
| File | Description |
|---|---|
| pkg/workflow/schemas/awf-config.schema.json | Adds network.isolation and network.topologyAttach with a schema constraint tying topology attachments to isolation. |
| pkg/workflow/sandbox.go | Extends AgentSandboxConfig with NetworkIsolation frontmatter field. |
| pkg/workflow/mcp_setup_generator.go | Switches MCP gateway domain + docker network mode based on isolation flag. |
| pkg/workflow/mcp_setup_generator_test.go | Adds an integration test covering isolation-mode MCP gateway command/domain output. |
| pkg/workflow/frontmatter_extraction_security.go | Parses sandbox.agent.network-isolation from frontmatter object format. |
| pkg/workflow/frontmatter_extraction_security_test.go | Adds a unit test for network-isolation extraction. |
| pkg/workflow/firewall.go | Introduces isAWFNetworkIsolationEnabled helper used by generation. |
| pkg/workflow/firewall_default_enablement_test.go | Adds tests for isAWFNetworkIsolationEnabled. |
| pkg/workflow/compiler_difc_proxy.go | Threads an isolation env var into DIFC/CLI proxy startup steps. |
| pkg/workflow/awf_helpers.go | Adjusts AWF arg emission under isolation (skip host-access flags; use internal CLI proxy target). |
| pkg/workflow/awf_helpers_test.go | Adds tests for isolation behavior in AWF arg generation. |
| pkg/workflow/awf_config.go | Emits network.isolation and network.topologyAttach into generated AWF config JSON. |
| pkg/workflow/awf_config_test.go | Adds tests for isolation-mode AWF config JSON and topology attach list. |
| pkg/parser/schemas/main_workflow_schema.json | Adds sandbox.agent.network-isolation to the main workflow schema. |
| actions/setup/sh/start_difc_proxy.sh | Adds isolation-mode bridge launch with localhost-published 18443. |
| actions/setup/sh/start_cli_proxy.sh | Adds isolation-mode bridge launch with localhost-published 18443. |
Copilot's findings
- Files reviewed: 16/16 changed files
- Comments generated: 3
| if domain == "" { | ||
| if workflowData.SandboxConfig.Agent != nil && workflowData.SandboxConfig.Agent.Disabled { | ||
| domain = "localhost" | ||
| } else if isAWFNetworkIsolationEnabled(workflowData) { | ||
| domain = "awmg-mcpg" | ||
| } else { | ||
| domain = "host.docker.internal" | ||
| } |
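Review bot: In the `isAWFNetworkIsolationEnabled` branch, `domain = "awmg-mcpg"` is a container name, which resolves only for clients attached to the same Docker network as the gateway. If this value is also handed to anything that runs on the runner host, those clients will fail to resolve it; keep a separate host-facing value (for example `localhost`) for that case, and add a test that pins both values under isolation. A short comment on why the `Agent.Disabled` check takes precedence over the isolation check would also help.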
Fixed in commit Fix network-isolation issues: host domain, port publishing, container cleanup. The hostDomain logic now also forces "localhost" when isAWFNetworkIsolationEnabled(workflowData) is true, so MCP_GATEWAY_HOST_DOMAIN is always "localhost" in isolation mode while MCP_GATEWAY_DOMAIN remains "awmg-mcpg" for container-to-container routing.
| containerCmd.WriteString("docker run -i --rm") | ||
| if isAWFNetworkIsolationEnabled(workflowData) { | ||
| containerCmd.WriteString(" --network bridge") | ||
| } else { | ||
| containerCmd.WriteString(" --network host") | ||
| } |
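Review bot: The isolation branch emits `--network bridge` with no `-p` mapping, so unlike the `--network host` branch nothing the gateway listens on is reachable from the runner host. If host-side clients still need the gateway, publish the port bound to loopback only (`-p 127.0.0.1:<port>:<port>`) rather than on all interfaces. Note also that `bridge` is Docker's default bridge network, which provides no name-based DNS between containers, so reaching this container by name depends on it being attached to another network later; a comment saying where that happens would help.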
Fixed in the same commit. When isolation is enabled the docker run command now includes -p 127.0.0.1:${MCP_GATEWAY_PORT}:${MCP_GATEWAY_PORT} immediately after --network bridge, so host-side clients (Gemini CLI, etc.) can reach the gateway at localhost:${MCP_GATEWAY_PORT}.
| echo "Starting DIFC proxy container: $CONTAINER_IMAGE" | ||
|
|
||
| docker run -d --name awmg-proxy --network host \ | ||
| DOCKER_NETWORK_ARGS=(--network host) | ||
| if [ "${GH_AW_NETWORK_ISOLATION:-false}" = "true" ]; then | ||
| DOCKER_NETWORK_ARGS=(--network bridge -p 127.0.0.1:18443:18443) | ||
| fi | ||
|
|
||
| docker run -d --name awmg-proxy "${DOCKER_NETWORK_ARGS[@]}" \ |
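Review bot: `docker run -d --name awmg-proxy` uses a fixed container name with no prior cleanup, so a cancelled or retried job that left `awmg-proxy` behind makes this step fail with a name conflict; remove any stale container first (`docker rm -f awmg-proxy 2>/dev/null || true`). Separately, the `GH_AW_NETWORK_ISOLATION` check matches only the exact string `true`, so any other value (`True`, `1`) silently falls back to `--network host`, the less isolated mode; consider rejecting unrecognised values instead of defaulting. The loopback-only publish `127.0.0.1:18443:18443` is the right binding.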
Fixed in the same commit. Added docker rm -f awmg-proxy 2>/dev/null || true before the docker run, so any leftover container from a cancelled or retried job is cleaned up before the new one starts.
@copilot run pr-finisher skill
… cleanup Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done. Addressed all three review threads:
Local validation (fmt, lint, test-unit, recompile) all pass. CI needs a human re-trigger after the push.
AWF added an opt-in topology-based egress model (`--network-isolation`) that avoids host iptables/NET_ADMIN, which is required for ARC runners with DinD. This PR teaches the compiler to emit isolation-aware workflow/config/runtime wiring for gateway and DIFC/CLI proxy paths.

Frontmatter + compiler threading
- `sandbox.agent.network-isolation` to workflow schema and parsing.

AWF config emission (`awf --config`)
- `network.isolation: true`
- `network.topologyAttach: [...]`

AWF argument behavior under isolation
- `--enable-host-access`
- `--allow-host-ports ...`
- `--difc-proxy-host awmg-cli-proxy:18443`

Gateway + DIFC/CLI proxy runtime topology
- `--network host` to bridge mode under isolation.
- `--add-host host.docker.internal:127.0.0.1`) is skipped in isolation mode.
- `awmg-mcpg`) when isolation is enabled.

Schema sync
- `network.isolation` and `network.topologyAttach`, including the `topologyAttach => isolation=true` constraint.
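
The `topologyAttach => isolation=true` constraint described above, written as a check over an emitted config document. This is an added example, not code from the PR: the type and function names are hypothetical, the sample document is constructed, and it assumes attach entries are Docker container names such as `awmg-mcpg`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// networkSection holds the two keys the PR adds to the awf --config JSON.
// Type and function names are hypothetical, not taken from the PR.
type networkSection struct {
	Isolation      bool     `json:"isolation"`
	TopologyAttach []string `json:"topologyAttach"`
}

var ErrAttachNeedsIsolation = errors.New("network.topologyAttach set without network.isolation=true")

// Assumption: attach entries are Docker container names (e.g. awmg-mcpg).
var containerName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`)

// CheckNetwork enforces topologyAttach => isolation=true, read here as
// "a non-empty list requires isolation". A mistyped value such as
// "isolation": "true" is a parse error, so it fails closed.
func CheckNetwork(raw []byte) (bool, []string, error) {
	var doc struct {
		Network networkSection `json:"network"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false, nil, fmt.Errorf("awf config: %w", err)
	}
	n := doc.Network
	if len(n.TopologyAttach) > 0 && !n.Isolation {
		return false, nil, ErrAttachNeedsIsolation
	}
	for _, name := range n.TopologyAttach {
		if !containerName.MatchString(name) {
			return false, nil, fmt.Errorf("awf config: bad attach entry %q", name)
		}
	}
	return n.Isolation, n.TopologyAttach, nil
}

func main() {
	// Constructed sample document, not taken from the PR.
	fmt.Println(CheckNetwork([]byte(`{"network":{"topologyAttach":["awmg-mcpg"]}}`)))
}
```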