fix(agent): match os.ErrNotExist when probing nsenter binary

otavio · otavio · commit fca8e9e183c5 · 2026-06-10T09:38:19.000-03:00
probeTimeNSJoinable invokes nsenter via the absolute path
/usr/bin/nsenter, so exec.Command skips LookPath and can never
return exec.ErrNotFound. A missing binary surfaces as *fs.PathError
wrapping ENOENT, leaving the "nsenter not found" branch dead. Match
os.ErrNotExist instead so the warning actually fires.

Also assert session.Exit(1) is called in TestShell_StartPtyError, the
behaviour the test documents but did not verify.
diff --git a/agent/server/modes/host/command/command_docker.go b/agent/server/modes/host/command/command_docker.go
@@ -30,7 +30,7 @@ var statFn = os.Stat
 //   - (false, true):  definitive denial (EPERM/EACCES, i.e. *exec.ExitError
 //     with code other than 126/127); result is safe to cache.
 //   - (false, false): nsenter or /bin/true not found (exit 126/127 or
-//     exec.ErrNotFound); logged as a distinct warning; must NOT be cached.
+//     os.ErrNotExist); logged as a distinct warning; must NOT be cached.
 //   - (false, false): context deadline exceeded or any other transient error;
 //     must NOT be cached.
 func probeTimeNSJoinable() (result bool, definitive bool) {
@@ -42,8 +42,11 @@ func probeTimeNSJoinable() (result bool, definitive bool) {
 		return true, true
 	}
 
-	// exec.ErrNotFound means the nsenter binary itself was not located.
-	if errors.Is(err, exec.ErrNotFound) {
+	// os.ErrNotExist means the nsenter binary itself was not found at the
+	// absolute path (/usr/bin/nsenter). When an absolute path is given,
+	// exec.Command skips LookPath entirely, so exec.ErrNotFound is never
+	// returned; a missing binary surfaces as an *fs.PathError wrapping ENOENT.
+	if errors.Is(err, os.ErrNotExist) {
 		log.WithError(err).Warn("nsenter not found; time namespace join probe skipped")
 
 		return false, false
diff --git a/agent/server/modes/host/sessioner_test.go b/agent/server/modes/host/sessioner_test.go
@@ -193,6 +193,8 @@ func TestShell_StartPtyError(t *testing.T) {
 	assert.NotNil(t, retErr, "Shell() must return a non-nil error when startPty fails")
 	assert.True(t, strings.Contains(retErr.Error(), "pty"), "error should mention 'pty', got: %s", retErr.Error())
 	assert.Empty(t, s.cmds, "s.cmds must be empty — the session must not have been registered")
+	assert.Equal(t, int32(1), atomic.LoadInt32(&sess.exitCalled), "session.Exit must be called once")
+	assert.Equal(t, int32(1), atomic.LoadInt32(&sess.exitCode), "session.Exit must be called with code 1")
 }
 
 // TestExec_InitPtyError verifies that Exec() with sIsPty=true does NOT panic and

Original file line number	Diff line number	Diff line change
`@@ -193,6 +193,8 @@ func TestShell_StartPtyError(t *testing.T) {`
`193`	`193`	`assert.NotNil(t, retErr, "Shell() must return a non-nil error when startPty fails")`
`194`	`194`	`assert.True(t, strings.Contains(retErr.Error(), "pty"), "error should mention 'pty', got: %s", retErr.Error())`
`195`	`195`	`assert.Empty(t, s.cmds, "s.cmds must be empty — the session must not have been registered")`
	`196`	`+ assert.Equal(t, int32(1), atomic.LoadInt32(&sess.exitCalled), "session.Exit must be called once")`
	`197`	`+ assert.Equal(t, int32(1), atomic.LoadInt32(&sess.exitCode), "session.Exit must be called with code 1")`
`196`	`198`	`}`
`197`	`199`
`198`	`200`	`// TestExec_InitPtyError verifies that Exec() with sIsPty=true does NOT panic and`