Skip to content

fix: handle apt repository metadata changes in Dockerfile #1730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
juanmichelini wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix: handle apt repository metadata changes in Dockerfile #1730

juanmichelini wants to merge 1 commit into from

Conversation

@juanmichelini
Copy link
Collaborator

@juanmichelini juanmichelini commented Jan 14, 2026
edited by github-actions bot
Loading

Problem

When building agent-server images on top of base images with outdated apt repository configurations, builds fail with:

E: Repository 'https://repos.azul.com/zulu/deb stable InRelease' changed its 'Origin' value from 'Azul Systems' to 'Azul Systems, Inc.'
E: Repository 'https://repos.azul.com/zulu/deb stable InRelease' changed its 'Label' value from '. stable' to 'Azul Systems, Inc., Ubuntu Repository'

This is currently blocking Multi-SWE-Bench evaluation builds, where base images like mswebench/alibaba_m_fastjson2:base have repository metadata that has changed since the image was created.

Root Cause

Upstream repositories sometimes update their metadata (Origin, Label, Suite, Codename, etc.). When apt-get update encounters these changes, it exits with error code 100 by default as a security precaution.

The Azul Zulu Java repository recently changed its metadata, affecting Multi-SWE-Bench base images that have this repository configured.

Solution

Add --allow-releaseinfo-change flag to apt-get update in the Dockerfile:

-    apt-get update; \
+    apt-get update --allow-releaseinfo-change; \

This is the recommended approach for handling repository metadata changes in automated builds. It allows apt to proceed when only metadata has changed, which is safe for our use case.

Impact

  • ✅ Fixes Multi-SWE-Bench evaluation image builds
  • ✅ Defensive practice that prevents future issues with other base images
  • ✅ No breaking changes - this only makes builds more resilient
  • ✅ Follows Debian/Ubuntu best practices for CI/CD environments

Testing

  • Test Multi-SWE-Bench evaluation run with eval_limit=1
  • Verify image builds successfully
  • Confirm evaluation proceeds to run_infer step

Related Issues

Part of Multi-SWE-Bench evaluation support implementation.

Note: This PR is marked as draft while we test the fix. Will mark as ready for review once confirmed working.

Agent Server images for this PR

GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server

Variants & Base Images

Variant Architectures Base Image Docs / Tags
java amd64, arm64 eclipse-temurin:17-jdk Link
python amd64, arm64 nikolaik/python-nodejs:python3.12-nodejs22 Link
golang amd64, arm64 golang:1.21-bookworm Link

Pull (multi-arch manifest)

# Each variant is a multi-arch manifest supporting both amd64 and arm64
docker pull ghcr.io/openhands/agent-server:41afcd2-python

Run

docker run -it --rm \
  -p 8000:8000 \
  --name agent-server-41afcd2-python \
  ghcr.io/openhands/agent-server:41afcd2-python

All tags pushed for this build

ghcr.io/openhands/agent-server:41afcd2-golang-amd64
ghcr.io/openhands/agent-server:41afcd2-golang_tag_1.21-bookworm-amd64
ghcr.io/openhands/agent-server:41afcd2-golang-arm64
ghcr.io/openhands/agent-server:41afcd2-golang_tag_1.21-bookworm-arm64
ghcr.io/openhands/agent-server:41afcd2-java-amd64
ghcr.io/openhands/agent-server:41afcd2-eclipse-temurin_tag_17-jdk-amd64
ghcr.io/openhands/agent-server:41afcd2-java-arm64
ghcr.io/openhands/agent-server:41afcd2-eclipse-temurin_tag_17-jdk-arm64
ghcr.io/openhands/agent-server:41afcd2-python-amd64
ghcr.io/openhands/agent-server:41afcd2-nikolaik_s_python-nodejs_tag_python3.12-nodejs22-amd64
ghcr.io/openhands/agent-server:41afcd2-python-arm64
ghcr.io/openhands/agent-server:41afcd2-nikolaik_s_python-nodejs_tag_python3.12-nodejs22-arm64
ghcr.io/openhands/agent-server:41afcd2-golang
ghcr.io/openhands/agent-server:41afcd2-java
ghcr.io/openhands/agent-server:41afcd2-python

About Multi-Architecture Support

  • Each variant tag (e.g., 41afcd2-python) is a multi-arch manifest supporting both amd64 and arm64
  • Docker automatically pulls the correct architecture for your platform
  • Individual architecture tags (e.g., 41afcd2-python-amd64) are also available if needed

@juanmichelini juanmichelini marked this pull request as ready for review January 14, 2026 18:58
@juanmichelini juanmichelini marked this pull request as draft January 14, 2026 19:02
all-hands-bot
all-hands-bot reviewed Jan 14, 2026
View reviewed changes
Copy link
Collaborator

@all-hands-bot all-hands-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

The approach is sound and follows best practices, but the fix is incomplete.

🔴 Critical Issue: Inconsistent Application

This PR only adds --allow-releaseinfo-change to one of four apt-get update calls in the Dockerfile. The other three calls at lines 151, 168, and 175 are missing this flag:

  • Line 151: After adding Docker repository
  • Line 168: After adding GitHub CLI repository
  • Line 175: Before installing VNC/Desktop packages

If repository metadata changes are a real concern (and they are, as the PR description confirms), then ALL apt-get update calls should have this flag. The Docker and GitHub CLI repositories could also change their metadata at any time, causing the same build failure.

Recommendation

Add --allow-releaseinfo-change to all three remaining apt-get update calls for consistency and to prevent future build failures.

openhands-agent-server/openhands/agent_server/docker/Dockerfile
RUN set -eux; \
# Install base packages (works for both Debian-based images)
apt-get update; \
apt-get update --allow-releaseinfo-change; \
Copy link
Collaborator

@all-hands-bot all-hands-bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Suggestion: Consider adding a brief comment explaining why this flag is needed for future maintainers.

Suggested change
apt-get update --allow-releaseinfo-change; \
# Allow repository metadata changes (Origin, Label, etc.) which can happen when upstream repos update
apt-get update --allow-releaseinfo-change; \

@juanmichelini
fix: handle apt repository metadata changes in Dockerfile
d301c37 
When building agent-server images on top of base images with outdated
apt repository configurations, apt-get update can fail with errors like:

  E: Repository '...' changed its 'Origin' value
  E: Repository '...' changed its 'Label' value

This happens when upstream repositories update their metadata (e.g., the
Azul Zulu Java repository in Multi-SWE-Bench base images recently changed
from 'Azul Systems' to 'Azul Systems, Inc.').

Adding --allow-releaseinfo-change makes apt-get update accept these
metadata changes, which is the recommended approach for handling this
situation. This is a defensive practice that prevents build failures
when base images have outdated repository configurations.

This fix specifically unblocks Multi-SWE-Bench evaluation builds, where
base images like mswebench/alibaba_m_fastjson2:base have repository
metadata that has changed since the image was created.
@juanmichelini juanmichelini force-pushed the fix-apt-repository-metadata-change branch from 944724f to d301c37 Compare January 14, 2026 19:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@all-hands-bot all-hands-bot all-hands-bot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@juanmichelini @all-hands-bot