fix(ci): privileged Docker for debos OS image build

[rplunger]

Problem

CI run 24064554874 failed on Build OS image during debos with --disable-fakemachine. Logs showed:

could not open /dev/loop-control: no such file or directory

With fakemachine disabled, debos runs on the host namespace inside the container and needs loop devices to build the image. The default docker run does not expose /dev/loop-control.

Fix

Add --privileged to the docker run that invokes godebos/debos, which is the usual approach for debos/image builds in CI when fakemachine is not available.

Verification

Workflow YAML validated; full OS image build is not reproduced locally (Docker-in-Docker differs from GitHub Actions).

Slack Thread

  

Summary by CodeRabbit

• Chores
  • Updated build workflow for image generation: the build container now runs in full privileged mode instead of a narrowly scoped capability grant, preserving existing mount, working directory, and image parameters. This change adjusts how the build environment is launched without altering public interfaces.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pai-os	Ready	Preview, Comment	Apr 7, 2026 11:31am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9157566c-5aeb-40d4-a0b7-74dfea269c2e

📥 Commits

Reviewing files that changed from the base of the PR and between 8ad81a9 and 765c01e.

⛔ Files ignored due to path filters (1)

• engine/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• .github/workflows/os-build.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/os-build.yml

---

📝 Walkthrough

Walkthrough

The GitHub Actions OS build workflow changes the Docker invocation: it adds --privileged and removes the --cap-add SYS_ADMIN flag in the debos image build step; other debos arguments and mounts remain unchanged.

Changes

Cohort / File(s)	Summary
Docker Build Workflow ​.github/workflows/os-build.yml	Replaced --cap-add SYS_ADMIN with --privileged in the docker run command used to run the godebos/debos container for the build step; other run options and debos arguments unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped into the CI night,
Gave Docker keys to make things right,
Debos spins with a trusting cheer,
Loop devices now appear,
Build dreams bound for flight 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding --privileged to Docker for debos OS image build to fix CI failures.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/ci-job-failure-1b98

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/os-build.yml (2)

26-36: --cap-add SYS_ADMIN is redundant when --privileged is set.

The --privileged flag grants all capabilities to the container, making --cap-add SYS_ADMIN superfluous. Consider removing it to reduce confusion, or keep it as documentation of the minimum capability that would be needed if a less permissive alternative is found later.

♻️ Optional: Remove redundant capability

       - name: Build image with debos
         run: |
           docker run --rm \
             --privileged \
             -v "${{ github.workspace }}:/build" -w /build \
-            --cap-add SYS_ADMIN \
             godebos/debos \
             --disable-fakemachine -t machine:radxa-rock5c os/image.yaml

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/os-build.yml around lines 26 - 36, The docker run step
named "Build image with debos" includes a redundant capability flag: remove the
explicit --cap-add SYS_ADMIN from the docker run invocation since --privileged
already grants that capability (locate the docker run command in the "Build
image with debos" step and delete the --cap-add SYS_ADMIN token); if you prefer
to keep documentation of required capabilities instead, replace the flag with a
brief inline comment mentioning SYS_ADMIN is required when using a
non-privileged container.

---

26-36: Local build script and CI have different privilege handling for --disable-fakemachine.

The local build script (os/build.sh) explicitly avoids sudo escalation when --disable-fakemachine is used (line 16), running debos directly. However, the CI workflow requires --privileged and --cap-add SYS_ADMIN specifically because --disable-fakemachine needs access to loop devices (/dev/loop-control). This creates a parity gap: developers running ./os/build.sh --disable-fakemachine locally will encounter /dev/loop-control permission errors unless they manually run with sudo or have appropriate permissions.

Either document this requirement in the script comments and README, or update os/build.sh to automatically wrap debos in a privileged Docker container when --disable-fakemachine is used.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/os-build.yml around lines 26 - 36, The CI workflow uses a
privileged Docker run with --privileged and --cap-add SYS_ADMIN to allow debos
--disable-fakemachine to access /dev/loop-control, but os/build.sh does not —
causing local builds to fail; update os/build.sh so that when the script detects
the --disable-fakemachine flag it either 1) documents the requirement clearly in
the script/README and exits with a clear message about needing root/privileged
Docker, or preferably 2) automatically runs debos inside a privileged container
(mirror the CI docker run invocation: mount $PWD, use --privileged and --cap-add
SYS_ADMIN, pass --disable-fakemachine through) so local invocation matches
.github/workflows/os-build.yml behavior and avoids /dev/loop-control permission
errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/os-build.yml:
- Around line 26-36: The docker run step named "Build image with debos" includes
a redundant capability flag: remove the explicit --cap-add SYS_ADMIN from the
docker run invocation since --privileged already grants that capability (locate
the docker run command in the "Build image with debos" step and delete the
--cap-add SYS_ADMIN token); if you prefer to keep documentation of required
capabilities instead, replace the flag with a brief inline comment mentioning
SYS_ADMIN is required when using a non-privileged container.
- Around line 26-36: The CI workflow uses a privileged Docker run with
--privileged and --cap-add SYS_ADMIN to allow debos --disable-fakemachine to
access /dev/loop-control, but os/build.sh does not — causing local builds to
fail; update os/build.sh so that when the script detects the
--disable-fakemachine flag it either 1) documents the requirement clearly in the
script/README and exits with a clear message about needing root/privileged
Docker, or preferably 2) automatically runs debos inside a privileged container
(mirror the CI docker run invocation: mount $PWD, use --privileged and --cap-add
SYS_ADMIN, pass --disable-fakemachine through) so local invocation matches
.github/workflows/os-build.yml behavior and avoids /dev/loop-control permission
errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c15ff789-f72a-44b6-b1ca-89617458bb75

📥 Commits

Reviewing files that changed from the base of the PR and between bfc4d34 and 8ad81a9.

📒 Files selected for processing (1)

• .github/workflows/os-build.yml