fix: add apt-get install retry logic to handle stale package archives#682
fix: add apt-get install retry logic to handle stale package archives#682
Conversation
Ubuntu package archives can supersede package versions between apt-get update and apt-get install, causing 404 errors (e.g., libexpat1 in jammy-security). Add retry logic that clears the apt cache and re-runs apt-get update on install failure to fetch the current package index. Applies to both agent and squid container Dockerfiles. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
✅ Coverage Check PassedOverall Coverage
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
Improves Docker image build reliability by adding a retry path for apt-get install to mitigate transient 404s when Ubuntu package archives change between apt-get update and apt-get install.
Changes:
- Add a one-time retry for
apt-get installin the agent Dockerfile, including refreshing the apt package index on failure. - Add the same retry pattern to the squid Dockerfile.
- Apply the retry pattern to the agent’s build-time compiler dependencies install used for building
one-shot-token.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| containers/squid/Dockerfile | Wraps apt-get install with a retry that clears apt lists and refreshes the index before re-attempting package installation. |
| containers/agent/Dockerfile | Adds retry logic for base package installation and for installing build deps (gcc/libc6-dev) used to compile the one-shot-token shared library. |
Comments suppressed due to low confidence (1)
containers/agent/Dockerfile:82
- This retry block duplicates the gcc/libc6-dev package list and the apt-get sequence. Consider extracting a small helper pattern (or a variable for the package list) so future changes don’t have to be made in two places within the same RUN instruction.
( apt-get install -y --no-install-recommends gcc libc6-dev || \
(rm -rf /var/lib/apt/lists/* && apt-get update && \
apt-get install -y --no-install-recommends gcc libc6-dev) ) && \
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
containers/squid/Dockerfile
Outdated
| (rm -rf /var/lib/apt/lists/* && apt-get update && \ | ||
| apt-get install -y --no-install-recommends \ | ||
| curl dnsutils net-tools netcat-openbsd openssl squid-openssl) ) && \ |
There was a problem hiding this comment.
The package list is duplicated between the initial install and the retry install. This is easy to get out of sync over time (e.g., adding/removing a package requires updating two lists). Consider defining the package list once (e.g., a shell variable) and reusing it in both install attempts.
See below for a potential fix:
RUN set -eux; \
PKGS="curl dnsutils net-tools netcat-openbsd openssl squid-openssl"; \
apt-get update && \
( apt-get install -y --no-install-recommends $PKGS || \
(rm -rf /var/lib/apt/lists/* && apt-get update && \
apt-get install -y --no-install-recommends $PKGS) ) && \
containers/agent/Dockerfile
Outdated
| apt-get install -y --no-install-recommends \ | ||
| iptables curl ca-certificates git gh gnupg dnsutils \ | ||
| net-tools netcat-openbsd gosu libcap2-bin) ) && \ |
There was a problem hiding this comment.
The retry path repeats the full package list, which can drift from the primary install list above if it’s edited later. To avoid future inconsistencies, define the packages once (e.g., in a shell variable) and use that in both the initial install and the retry.
This issue also appears on line 80 of the same file.
C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.
|
Smoke Test Results - Claude EngineLast 2 Merged PRs:
Test Results:
Overall Status: PASS
|
Rust Build Test Results
Overall: PASS ✅ All Rust projects built and tested successfully.
|
Bun Build Test Results
Overall: PASS ✅ All Bun projects built and tested successfully.
|
✅ Deno Build Test Results
Overall: ✅ PASS All Deno tests completed successfully.
|
Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed tests.
|
|
Smoke Test Results (Copilot)
Test Results:
Overall Status: PASS 🎉 cc @Mossaka
|
|
Merged PRs: fix: update testPathPattern to testPathPatterns for Jest 30; fix: use lowercase discussion categories to restore create_discussion tool
|
.NET Build Test Results
Overall: PASS ✅ All .NET projects successfully restored packages, built, and ran without errors.
|
Java Build Test Results
Overall: PASS ✅ All Java projects compiled successfully and passed their tests through the firewall proxy.
|
Chroot Mode Version Comparison
Overall Result: ❌ Not all versions match The chroot mode successfully accesses host binaries, but Python and Node.js show version mismatches. This indicates the container's built-in versions are being used instead of the host versions for those runtimes.
|
Address Copilot review feedback: define package lists once as shell variables and reuse them in both the initial install and retry paths, preventing the lists from drifting out of sync. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
Deno Build Test Results
Overall: ✅ PASS All Deno tests passed successfully.
|
Build Test: Bun - Results
Overall: PASS ✅ All Bun projects built and tested successfully.
|
Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed their tests.
|
Claude Smoke Test ResultsLast 2 merged PRs:
Tests:
Status: PASS
|
Build Test: Rust - Results
Overall: PASS ✅ All Rust projects built and tested successfully.
|
Node.js Build Test Results ✅All projects tested successfully through the AWF firewall.
Overall: PASS All three projects installed dependencies and passed their tests successfully.
|
C++ Build Test Results
Overall: PASS Both projects successfully configured with CMake and built without errors.
|
|
fix: update testPathPattern to testPathPatterns for Jest 30
|
Build Test: Java ✅All Java build tests passed successfully!
Overall: PASS Test Details:
|
Smoke Test ResultsLast 2 merged PRs:
Test Results:
Overall Status: FAIL (Playwright timeout) cc @Mossaka
|
Chroot Mode Test ResultsTested transparent host binary access through
Status: Tests failed - Python and Node.js versions do not match between host and chroot environment.
|
1 participant
Summary
apt-get installin both agent and squid Dockerfilesrm -rf /var/lib/apt/lists/*), re-runsapt-get updateto fetch the current package index, and retries the installapt-get updateandapt-get install(e.g.,libexpat1_2.4.7-1ubuntu0.7returning 404 in jammy-security)Root Cause
The smoke-claude workflow run failed during
docker compose up -dbecause the agent container build couldn't fetchlibexpat1_2.4.7-1ubuntu0.7_amd64.deb— it had been superseded in the Ubuntu 22.04 security archive. Theapt-get updatefetched a package index referencing the old version, but by the timeapt-get installtried to download it, the.debfile was already gone (HTTP 404).Test plan
--build-local--build-local🤖 Generated with Claude Code