
Run MCP gateway on 8080 and add explicit host mapping for non-root containers#27058

Merged
lpcox merged 4 commits intomainfrom
copilot/run-mcp-gateway-on-port-8080
Apr 18, 2026

Conversation

Contributor

Copilot AI commented Apr 18, 2026

Running the MCP gateway container as non-root failed because gh-aw generated a privileged bind (0.0.0.0:80), and HTTP backends using host.docker.internal were not reliably resolvable inside the gateway container. This updates the generated gateway runtime defaults/command to use a non-privileged port and explicit host mapping.

  • Gateway runtime defaults

    • Changed default MCP gateway port from 80 to 8080 (pkg/constants/constants.go).
    • Propagated the new default through workflow gateway config/constants and related spec/docs references.
  • Gateway container launch

    • Updated generated docker run command to include:
      • --add-host host.docker.internal:127.0.0.1
    • This keeps host-network behavior compatible with backends bound to loopback and avoids Docker host-gateway compatibility issues on older engines.
  • Generated output + expectations

    • Updated workflow generation expectations/goldens to reflect:
      • export MCP_GATEWAY_PORT="8080"
      • gateway command containing --add-host host.docker.internal:127.0.0.1
    • Updated setup comment wording to clarify this is the default port (Start MCP Gateway (default port 8080)).
    • Updated related inline URL examples from :80 to :8080 where they document gateway URLs.
docker run -i --rm --network host \
  --add-host host.docker.internal:127.0.0.1 \
  ...
export MCP_GATEWAY_PORT="8080"

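The two constraints the PR summary above works around, a non-root gateway that cannot bind a privileged port and a `host.docker.internal` mapping that has to match the chosen network mode, worked through as an added Go example. This is not gh-aw's code and only paraphrases what `mcp_setup_generator.go` is described as doing; the image name, the `-e MCP_GATEWAY_PORT` container variable and the loopback-bound `-p` publish in bridge mode are assumptions for illustration. `CheckCommand` detects the `--network host` plus `host-gateway` combination that the review comment on this PR flags.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NetworkMode is the Docker network the gateway container attaches to.
type NetworkMode string

const (
	NetworkHost   NetworkMode = "host"
	NetworkBridge NetworkMode = "bridge"
)

// minUnprivilegedPort is the first port a Linux process may bind without
// CAP_NET_BIND_SERVICE; a non-root gateway therefore cannot bind 80.
const minUnprivilegedPort = 1024

// HostMapping returns the --add-host target for host.docker.internal.
// Under --network host the container shares the host network namespace, so a
// backend bound to the host's loopback is reached at 127.0.0.1. The special
// value host-gateway resolves to the docker0 bridge address (typically
// 172.17.0.1), on which a 127.0.0.1-only backend does not listen; it is the
// right choice for bridge mode and needs Docker Engine 20.10 or newer.
func HostMapping(mode NetworkMode) (string, error) {
	switch mode {
	case NetworkHost:
		return "127.0.0.1", nil
	case NetworkBridge:
		return "host-gateway", nil
	}
	return "", fmt.Errorf("unsupported network mode %q", mode)
}

// GatewayRunCommand assembles the docker run line for a gateway that runs as a
// non-root user. Privileged ports are rejected up front rather than failing
// inside the container with a permission error on bind. The image name and
// the MCP_GATEWAY_PORT container variable are illustrative assumptions.
func GatewayRunCommand(image string, port int, mode NetworkMode) (string, error) {
	if port < minUnprivilegedPort || port > 65535 {
		return "", fmt.Errorf("port %d needs CAP_NET_BIND_SERVICE or is out of range; use %d-65535", port, minUnprivilegedPort)
	}
	mapping, err := HostMapping(mode)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	b.WriteString("docker run -i --rm --network ")
	b.WriteString(string(mode))
	if mode == NetworkBridge {
		// Bridge mode has its own network namespace, so the gateway port must be
		// published; binding the publish to loopback keeps it off external interfaces.
		fmt.Fprintf(&b, " -p 127.0.0.1:%d:%d", port, port)
	}
	fmt.Fprintf(&b, " --add-host host.docker.internal:%s", mapping)
	fmt.Fprintf(&b, " -e MCP_GATEWAY_PORT=%d %s", port, image)
	return b.String(), nil
}

// CheckCommand flags the mismatch raised in review: --network host combined
// with host.docker.internal:host-gateway, which sends "host" traffic to the
// bridge address instead of loopback and breaks 127.0.0.1-bound backends.
func CheckCommand(cmd string) error {
	fields := strings.Fields(cmd)
	hostNet := false
	mapping := ""
	for i := 0; i+1 < len(fields); i++ {
		switch fields[i] {
		case "--network":
			hostNet = fields[i+1] == "host"
		case "--add-host":
			if strings.HasPrefix(fields[i+1], "host.docker.internal:") {
				mapping = strings.TrimPrefix(fields[i+1], "host.docker.internal:")
			}
		}
	}
	if hostNet && mapping == "host-gateway" {
		return errors.New("--network host with host.docker.internal:host-gateway resolves to the bridge IP, not loopback")
	}
	return nil
}

func main() {
	cmd, err := GatewayRunCommand("ghcr.io/example/mcp-gateway:latest", 8080, NetworkHost)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(cmd)
	fmt.Println("check:", CheckCommand(cmd))
}
```

Running `main` prints the host-mode command with `--add-host host.docker.internal:127.0.0.1` and a nil check result; asking for port 80 returns an error before any container is started, and `CheckCommand` on a host-mode line that still carries `host-gateway` returns the mismatch error.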

Copilot AI changed the title [WIP] Run MCP Gateway on port 8080 and update firewall rules Run MCP gateway on 8080 and add host-gateway mapping for non-root containers Apr 18, 2026
Copilot AI requested a review from lpcox April 18, 2026 16:50
@lpcox lpcox marked this pull request as ready for review April 18, 2026 17:00
Copilot AI review requested due to automatic review settings April 18, 2026 17:00
Contributor

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates MCP gateway defaults and workflow generation so the gateway can run as non-root (non-privileged port) and reliably resolve host.docker.internal from inside the gateway container.

Changes:

  • Changed the default MCP gateway port from 80 to 8080 across constants, docs, and goldens.
  • Updated the generated gateway docker run command to include --add-host host.docker.internal:host-gateway.
  • Updated unit tests and golden workflow fixtures to match the new defaults/command.
Summary per file

| File | Description |
| --- | --- |
| pkg/constants/constants.go | Switches default gateway port to 8080. |
| pkg/constants/spec_test.go | Updates spec test expectation for the new default port. |
| pkg/constants/README.md | Updates docs for the new default port. |
| pkg/workflow/mcp_gateway_constants.go | Updates gateway constants documentation comments to 8080. |
| pkg/workflow/mcp_gateway_config.go | Updates gateway config documentation comments/examples to 8080. |
| pkg/workflow/mcp_setup_generator.go | Adds --add-host host.docker.internal:host-gateway to generated docker run. |
| pkg/workflow/mcp_setup_generator_test.go | Asserts generated YAML includes port 8080 and --add-host snippet. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates expected generated workflow output (8080 + --add-host). |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates expected generated workflow output (8080 + --add-host). |
| actions/setup/js/mount_mcp_as_cli.cjs | Updates inline URL examples from :80 to :8080. |

Copilot's findings


  • Files reviewed: 10/10 changed files
  • Comments generated: 3

Comment thread pkg/workflow/mcp_setup_generator.go Outdated

var containerCmd strings.Builder
containerCmd.WriteString("docker run -i --rm --network host")
containerCmd.WriteString(" --add-host host.docker.internal:host-gateway")

Copilot AI Apr 18, 2026


With --network host, mapping host.docker.internal to host-gateway may resolve to a non-loopback IP (e.g., 172.17.0.1). If any backend the gateway calls is bound only to 127.0.0.1, requests to host.docker.internal can fail even though host networking is enabled. Consider mapping host.docker.internal to 127.0.0.1 when using host networking, or switching to bridge networking + explicit -p mappings so host-gateway semantics match typical expectations.

Suggested change
containerCmd.WriteString(" --add-host host.docker.internal:host-gateway")
containerCmd.WriteString(" --add-host host.docker.internal:127.0.0.1")

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
Comment on lines +698 to +699
containerCmd.WriteString("docker run -i --rm --network host")
containerCmd.WriteString(" --add-host host.docker.internal:host-gateway")

Copilot AI Apr 18, 2026


The host-gateway token requires sufficiently new Docker Engine support; on older Docker versions this can cause docker run to fail outright. To keep generated workflows broadly compatible, consider generating a small runtime check in the shell (e.g., detect support via docker run --help / docker version) and only append --add-host host.docker.internal:host-gateway when supported, otherwise omit it or fall back to resolving the host IP another way.

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
// - Write mcp-scripts config to ${RUNNER_TEMP}/gh-aw/mcp-scripts/
// - Start mcp-scripts HTTP server on port 3000
// - Start MCP Gateway on port 80
// - Start MCP Gateway on port 8080

Copilot AI Apr 18, 2026


This comment states a fixed port, but the gateway port appears to be configurable (via constants/config/env). To avoid misleading documentation, adjust wording to reflect that 8080 is the default (e.g., 'Start MCP Gateway (default port 8080)' or 'Start MCP Gateway on configured port').

Suggested change
// - Start MCP Gateway on port 8080
// - Start MCP Gateway (default port 8080)

@lpcox
Collaborator

lpcox commented Apr 18, 2026

@copilot address this review feedback #27058 (review)

Contributor Author

Copilot AI commented Apr 18, 2026

@copilot address this review feedback #27058 (review)

Addressed the linked review feedback in commit 856296a.

I updated MCP gateway host mapping to --add-host host.docker.internal:127.0.0.1 (with --network host), removed the host-gateway dependency from generated commands, adjusted the setup comment to “default port 8080”, and updated the related tests/golden fixtures accordingly.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: gh workflow list --json name,state,path (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build2984025750/b403/cli.test -test.testlogfile=/tmp/go-build2984025750/b403/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Run MCP gateway on 8080 and add host-gateway mapping for non-root containers Run MCP gateway on 8080 and add explicit host mapping for non-root containers Apr 18, 2026
@lpcox lpcox merged commit 04be9d2 into main Apr 18, 2026
88 of 90 checks passed
@lpcox lpcox deleted the copilot/run-mcp-gateway-on-port-8080 branch April 18, 2026 17:43
lpcox added a commit that referenced this pull request Apr 18, 2026
PR #27058 moved the MCP gateway from port 80 to 8080 (non-privileged),
but AWF's --enable-host-access only allows traffic on ports 80 and 443
by default. This caused the agent inside AWF to be unable to reach the
gateway, resulting in safe-output and MCP tool-call timeouts.

Add --allow-host-ports 80,443,<gateway-port> to the compiled AWF command
so the firewall's iptables rules allow traffic to the MCP gateway.
Respects custom sandbox.mcp.port configuration if set.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox added a commit that referenced this pull request Apr 18, 2026
…27080)

* fix: add --allow-host-ports to AWF command for MCP gateway port 8080

PR #27058 moved the MCP gateway from port 80 to 8080 (non-privileged),
but AWF's --enable-host-access only allows traffic on ports 80 and 443
by default. This caused the agent inside AWF to be unable to reach the
gateway, resulting in safe-output and MCP tool-call timeouts.

Add --allow-host-ports 80,443,<gateway-port> to the compiled AWF command
so the firewall's iptables rules allow traffic to the MCP gateway.
Respects custom sandbox.mcp.port configuration if set.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: gate --allow-host-ports by minimum AWF version

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b06a522a-2ce7-4f3b-9d25-8a61cd422322

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* chore: clarify allow-host-ports version gate messaging

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b06a522a-2ce7-4f3b-9d25-8a61cd422322

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
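The follow-up commits above describe two things a generator has to get right once the gateway leaves port 80: the AWF `--allow-host-ports` list must carry the gateway port (with a custom `sandbox.mcp.port` respected), and the flag may only be emitted when the AWF version understands it. The earlier review comment on this PR makes the same point about `host-gateway` and older Docker engines. The Go below is an added example of both, not gh-aw's or AWF's own code: the AWF flag names come from the commit messages, while `minAllowHostPortsVersion` is a hypothetical placeholder because the page does not state the real threshold.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// defaultHostPorts are the host ports AWF's --enable-host-access permits on
// its own, per the commit message; anything else, including the gateway's
// 8080, is dropped unless listed in --allow-host-ports.
var defaultHostPorts = []int{80, 443}

// minAllowHostPortsVersion stands in for the first AWF release that accepts
// --allow-host-ports. Hypothetical: the real threshold is not on this page.
const minAllowHostPortsVersion = "0.10.0"

// parseVersion accepts "v1.2.3" or "1.2.3" and ignores a pre-release or build
// suffix after '-' or '+'.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad component %q in version %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// MeetsMinimum reports whether version is at least minimum. The same check
// gates any flag only newer engines accept, such as a host-gateway --add-host
// that needs Docker Engine 20.10 or newer.
func MeetsMinimum(version, minimum string) (bool, error) {
	a, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	b, err := parseVersion(minimum)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] > b[i], nil
		}
	}
	return true, nil
}

// AllowHostPorts builds the --allow-host-ports value: the defaults followed by
// the gateway port, deduplicated so a gateway on 443 yields "80,443".
func AllowHostPorts(gatewayPort int) (string, error) {
	if gatewayPort < 1 || gatewayPort > 65535 {
		return "", fmt.Errorf("gateway port %d out of range", gatewayPort)
	}
	seen := make(map[int]bool)
	var parts []string
	for _, p := range append(append([]int{}, defaultHostPorts...), gatewayPort) {
		if !seen[p] {
			seen[p] = true
			parts = append(parts, strconv.Itoa(p))
		}
	}
	return strings.Join(parts, ","), nil
}

// HostAccessFlags returns the AWF flags the agent needs to reach the gateway.
// Below the minimum version the port flag is omitted; if the gateway then sits
// on a non-default port the caller gets an error at compile time instead of
// the tool-call timeouts the commit message describes.
func HostAccessFlags(awfVersion string, gatewayPort int) ([]string, error) {
	flags := []string{"--enable-host-access"}
	ok, err := MeetsMinimum(awfVersion, minAllowHostPortsVersion)
	if err != nil {
		return nil, err
	}
	if !ok {
		for _, p := range defaultHostPorts {
			if p == gatewayPort {
				return flags, nil
			}
		}
		return nil, fmt.Errorf("AWF %s predates --allow-host-ports; gateway port %d would be blocked by the default 80/443 rules", awfVersion, gatewayPort)
	}
	ports, err := AllowHostPorts(gatewayPort)
	if err != nil {
		return nil, err
	}
	return append(flags, "--allow-host-ports", ports), nil
}

func main() {
	flags, err := HostAccessFlags("v0.12.0", 8080)
	fmt.Println(strings.Join(flags, " "), err)
}
```

With an AWF at or above the placeholder minimum, `HostAccessFlags("v0.12.0", 8080)` yields `--enable-host-access --allow-host-ports 80,443,8080`; with an older AWF and the gateway on 8080 it fails loudly, while a gateway left on 443 still compiles because that port is already in the firewall's default allow list.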

Development

Successfully merging this pull request may close these issues.

Run MCP Gateway on port 8080 instead of 80 and update firewall rules

3 participants