fix(BA-4096): avoid nested bind mount of DO_NOT_STORE_PERSISTENT_FILES_HERE.md (#10944)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: seedspirit

changes/10944.fix.md

@@ -0,0 +1 @@
+Fix session creation failure on macOS with Docker Desktop VirtioFS caused by nested bind mount of `DO_NOT_STORE_PERSISTENT_FILES_HERE.md` by copying the file into the scratch work directory instead.

src/ai/backend/agent/agent.py

@@ -653,9 +653,6 @@ def mount_static_binary(
             jail_path = None
 
         dotfile_extractor_path = self.resolve_krunner_filepath("runner/extract_dotfiles.py")
-        persistent_files_warning_doc_path = self.resolve_krunner_filepath(
-            "runner/DO_NOT_STORE_PERSISTENT_FILES_HERE.md"
-        )
         entrypoint_sh_path = self.resolve_krunner_filepath("runner/entrypoint.sh")
 
         fantompass_path = self.resolve_krunner_filepath("runner/fantompass.py")
@@ -673,11 +670,6 @@ def mount_static_binary(
         _mount(MountTypes.BIND, words_json_path, "/opt/kernel/words.json")
         if jail_path is not None:
             _mount(MountTypes.BIND, jail_path, "/opt/kernel/jail")
-        _mount(
-            MountTypes.BIND,
-            persistent_files_warning_doc_path,
-            "/home/work/DO_NOT_STORE_PERSISTENT_FILES_HERE.md",
-        )
 
         _mount(MountTypes.VOLUME, krunner_volume, "/opt/backend.ai")
         pylib_path = f"/opt/backend.ai/lib/python{krunner_pyver}/site-packages/"

src/ai/backend/agent/docker/agent.py

@@ -463,6 +463,11 @@ def _clone_dotfiles() -> None:
                 zshrc_path = Path(str(files("ai.backend.runner").joinpath(".zshrc")))
                 vimrc_path = Path(str(files("ai.backend.runner").joinpath(".vimrc")))
                 tmux_conf_path = Path(str(files("ai.backend.runner").joinpath(".tmux.conf")))
+                persistent_files_warning_doc_path = Path(
+                    str(
+                        files("ai.backend.runner").joinpath("DO_NOT_STORE_PERSISTENT_FILES_HERE.md")
+                    )
+                )
                 jupyter_custom_dir = self.work_dir / ".jupyter" / "custom"
                 jupyter_custom_dir.mkdir(parents=True, exist_ok=True)
                 shutil.copy(jupyter_custom_css_path.resolve(), jupyter_custom_dir / "custom.css")
@@ -474,6 +479,10 @@ def _clone_dotfiles() -> None:
                 shutil.copy(zshrc_path.resolve(), self.work_dir / ".zshrc")
                 shutil.copy(vimrc_path.resolve(), self.work_dir / ".vimrc")
                 shutil.copy(tmux_conf_path.resolve(), self.work_dir / ".tmux.conf")
+                shutil.copy(
+                    persistent_files_warning_doc_path.resolve(),
+                    self.work_dir / "DO_NOT_STORE_PERSISTENT_FILES_HERE.md",
+                )
 
                 def chown_scratch(uid: int | None, gid: int | None) -> None:
                     paths = [
@@ -485,6 +494,7 @@ def chown_scratch(uid: int | None, gid: int | None) -> None:
                         self.work_dir / ".zshrc",
                         self.work_dir / ".vimrc",
                         self.work_dir / ".tmux.conf",
+                        self.work_dir / "DO_NOT_STORE_PERSISTENT_FILES_HERE.md",
                     ]
                     self._chown_paths_if_root(paths, uid, gid)
 

src/ai/backend/agent/stage/kernel_lifecycle/docker/mount/krunner.py

@@ -117,10 +117,6 @@ def _prepare_default_mounts(self) -> list[Mount]:
             self._parse_mount("runner/fantompass.py", "/opt/kernel/fantompass.py"),
             self._parse_mount("runner/hash_phrase.py", "/opt/kernel/hash_phrase.py"),
             self._parse_mount("runner/words.json", "/opt/kernel/words.json"),
-            self._parse_mount(
-                "runner/DO_NOT_STORE_PERSISTENT_FILES_HERE.md",
-                "/home/work/DO_NOT_STORE_PERSISTENT_FILES_HERE.md",
-            ),
         ]
 
     def _prepare_musl_mounts(self, runner_info: KernelRunnerInfo) -> list[Mount]:

src/ai/backend/agent/stage/kernel_lifecycle/docker/scratch.py

@@ -195,6 +195,9 @@ def _clone_func(self, spec: ScratchSpec) -> None:
         zshrc_path = Path(str(files("ai.backend.runner").joinpath(".zshrc")))
         vimrc_path = Path(str(files("ai.backend.runner").joinpath(".vimrc")))
         tmux_conf_path = Path(str(files("ai.backend.runner").joinpath(".tmux.conf")))
+        persistent_files_warning_doc_path = Path(
+            str(files("ai.backend.runner").joinpath("DO_NOT_STORE_PERSISTENT_FILES_HERE.md"))
+        )
         jupyter_custom_dir = work_dir / ".jupyter" / "custom"
         jupyter_custom_dir.mkdir(parents=True, exist_ok=True)
         shutil.copy(jupyter_custom_css_path.resolve(), jupyter_custom_dir / "custom.css")
@@ -206,6 +209,10 @@ def _clone_func(self, spec: ScratchSpec) -> None:
         shutil.copy(zshrc_path.resolve(), work_dir / ".zshrc")
         shutil.copy(vimrc_path.resolve(), work_dir / ".vimrc")
         shutil.copy(tmux_conf_path.resolve(), work_dir / ".tmux.conf")
+        shutil.copy(
+            persistent_files_warning_doc_path.resolve(),
+            work_dir / "DO_NOT_STORE_PERSISTENT_FILES_HERE.md",
+        )
 
         paths = [
             work_dir,
@@ -216,6 +223,7 @@ def _clone_func(self, spec: ScratchSpec) -> None:
             work_dir / ".zshrc",
             work_dir / ".vimrc",
             work_dir / ".tmux.conf",
+            work_dir / "DO_NOT_STORE_PERSISTENT_FILES_HERE.md",
         ]
         self._chown_paths_if_root(paths, spec.container_config)
 

tests/unit/agent/stage/kernel_lifecycle/docker/mount/BUILD

@@ -0,0 +1 @@
+python_tests()

tests/unit/agent/stage/kernel_lifecycle/docker/mount/__init__.py

@@ -0,0 +1,46 @@
+"""Unit tests for KernelRunnerMountProvisioner mount list (BA-4096 regression)."""
+
+from __future__ import annotations
+
+import pytest
+
+from ai.backend.agent.stage.kernel_lifecycle.docker.mount.krunner import (
+    KernelRunnerMountProvisioner,
+)
+from ai.backend.common.types import MountPermission
+
+
+class TestKernelRunnerMountProvisionerDefaultMounts:
+    @pytest.fixture
+    def provisioner(self) -> KernelRunnerMountProvisioner:
+        return KernelRunnerMountProvisioner()
+
+    def test_default_mounts_do_not_include_warning_doc(
+        self,
+        provisioner: KernelRunnerMountProvisioner,
+    ) -> None:
+        """Regression: DO_NOT_STORE_PERSISTENT_FILES_HERE.md must NOT appear
+        as a bind mount — it is now copied via ScratchProvisioner."""
+        mounts = provisioner._prepare_default_mounts()
+        mount_targets = [str(m.target) for m in mounts]
+        assert "/home/work/DO_NOT_STORE_PERSISTENT_FILES_HERE.md" not in mount_targets
+
+    def test_default_mounts_include_expected_entries(
+        self,
+        provisioner: KernelRunnerMountProvisioner,
+    ) -> None:
+        mounts = provisioner._prepare_default_mounts()
+        mount_targets = [str(m.target) for m in mounts]
+        assert "/opt/kernel/entrypoint.sh" in mount_targets
+        assert "/opt/kernel/extract_dotfiles.py" in mount_targets
+        assert "/opt/kernel/fantompass.py" in mount_targets
+        assert "/opt/kernel/hash_phrase.py" in mount_targets
+        assert "/opt/kernel/words.json" in mount_targets
+
+    def test_default_mounts_are_read_only(
+        self,
+        provisioner: KernelRunnerMountProvisioner,
+    ) -> None:
+        mounts = provisioner._prepare_default_mounts()
+        for mount in mounts:
+            assert mount.permission == MountPermission.READ_ONLY

tests/unit/agent/stage/kernel_lifecycle/docker/mount/test_krunner_provisioner.py

@@ -0,0 +1,77 @@
+"""Unit tests for ScratchProvisioner warning doc cloning (BA-4096 regression)."""
+
+from __future__ import annotations
+
+from pathlib import Path
+from unittest.mock import patch
+from uuid import uuid4
+
+import pytest
+
+from ai.backend.agent.stage.kernel_lifecycle.docker.scratch import (
+    ContainerOwnershipConfig,
+    ScratchProvisioner,
+    ScratchSpec,
+)
+from ai.backend.agent.stage.kernel_lifecycle.docker.utils import ScratchUtil
+from ai.backend.common.types import BinarySize, KernelId
+
+_SCRATCH_OS = "ai.backend.agent.stage.kernel_lifecycle.docker.scratch.os"
+
+
+class TestScratchProvisionerCloneFunc:
+    @pytest.fixture
+    def provisioner(self) -> ScratchProvisioner:
+        return ScratchProvisioner()
+
+    @pytest.fixture
+    def scratch_spec(self, tmp_path: Path) -> ScratchSpec:
+        kernel_id = KernelId(uuid4())
+        scratch_root = tmp_path / "scratches"
+        scratch_root.mkdir()
+        work_dir = ScratchUtil.work_dir(scratch_root, kernel_id)
+        work_dir.mkdir(parents=True)
+        return ScratchSpec(
+            kernel_id=kernel_id,
+            container_config=ContainerOwnershipConfig(
+                kernel_uid=1000,
+                kernel_gid=1000,
+                supplementary_gids=set(),
+                fallback_kernel_uid=1000,
+                fallback_kernel_gid=1000,
+                kernel_features=frozenset(),
+            ),
+            scratch_type="hostdir",
+            scratch_root=scratch_root,
+            scratch_size=BinarySize(1024),
+        )
+
+    def test_clone_copies_warning_doc(
+        self,
+        provisioner: ScratchProvisioner,
+        scratch_spec: ScratchSpec,
+    ) -> None:
+        """Regression: DO_NOT_STORE_PERSISTENT_FILES_HERE.md must be copied
+        into work_dir instead of being bind-mounted separately."""
+        provisioner._clone_func(scratch_spec)
+        work_dir = ScratchUtil.work_dir(scratch_spec.scratch_root, scratch_spec.kernel_id)
+
+        copied = work_dir / "DO_NOT_STORE_PERSISTENT_FILES_HERE.md"
+        assert copied.exists()
+        assert copied.stat().st_size > 0
+
+    def test_chown_includes_warning_doc(
+        self,
+        provisioner: ScratchProvisioner,
+        scratch_spec: ScratchSpec,
+    ) -> None:
+        """When running as root, the warning doc must be chowned like dotfiles."""
+        with (
+            patch(f"{_SCRATCH_OS}.geteuid", return_value=0),
+            patch(f"{_SCRATCH_OS}.chown") as mock_chown,
+        ):
+            provisioner._clone_func(scratch_spec)
+
+        chowned_paths = {Path(call.args[0]) for call in mock_chown.call_args_list}
+        work_dir = ScratchUtil.work_dir(scratch_spec.scratch_root, scratch_spec.kernel_id)
+        assert work_dir / "DO_NOT_STORE_PERSISTENT_FILES_HERE.md" in chowned_paths