Skip to content

Codex agent unable to use MCP tools due to host.docker.internal DNS resolution failure #9998

New issue
New issue
Closed
#9999
Closed
Codex agent unable to use MCP tools due to host.docker.internal DNS resolution failure#9998
#9999
Assignees
Mossakacopilot-swe-agent
@Mossaka

Description

@Mossaka
Mossaka
opened on Jan 14, 2026

Summary

Workflow runs with the Codex engine are showing as successful (green checkmark) but the agent cannot actually use any MCP tools due to DNS resolution failures when connecting to host.docker.internal.

Evidence

Workflow Run: https://github.com/githubnext/gh-aw/actions/runs/21005890162

Discovery Process

Using gh aw audit to investigate the run:

./gh-aw audit https://github.com/githubnext/gh-aw/actions/runs/21005890162 --parse -v

The audit report shows the workflow completed successfully with 0 errors, but examining the agent logs reveals critical MCP server failures.

Root Cause

All 6 MCP servers failed to start from the Codex client with DNS resolution errors:

ERROR rmcp::transport::worker: worker quit with fatal: Transport channel closed, when Client(reqwest::Error { kind: Request, url: "http://host.docker.internal/mcp/<server>", source: hyper_util::client::legacy::Error(Connect, ConnectError("dns error", Custom { kind: Uncategorized, error: "failed to lookup address information: Name does not resolve" })) })

Failed MCP Servers:

  • safeinputs
  • playwright
  • serena
  • tavily
  • github
  • safeoutputs

MCP Gateway Status

The MCP Gateway itself is working correctly:

  • Successfully started: Loaded 6 MCP server(s): [safeoutputs serena tavily github playwright safeinputs]
  • All servers connected and responded to tools/list requests
  • Gateway listening on 0.0.0.0:80

The Problem

The Codex agent running inside the Docker container cannot resolve host.docker.internal to connect to the MCP Gateway. This causes all MCP tool calls to fail silently.

Additional Context

OAuth Warnings:
The logs also show repeated warnings about keyring access failures:

WARN codex_rmcp_client::oauth: failed to read OAuth tokens from keyring: Platform secure storage failure: zbus error: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.secrets was not provided by any .service files

This suggests the system cannot access org.freedesktop.secrets for secure storage.

Impact

  • Workflows appear successful but MCP functionality is completely broken
  • Silent failure makes debugging difficult without examining detailed logs
  • Affects all Codex engine workflows that rely on MCP tools

Reproduction

  1. Run any Codex workflow that uses MCP servers
  2. Use gh aw audit <run-id> to download logs
  3. Search for "mcp:.*failed" in agent-stdio.log: 
    grep -E "mcp:.*failed" .github/aw/logs/run-<id>/agent-stdio.log

Suggested Fix

Investigate Docker networking configuration to ensure host.docker.internal DNS resolution works correctly inside the Codex agent container. This may involve:

  • Verifying Docker network settings
  • Checking if --add-host flags are needed
  • Ensuring the container has proper DNS configuration

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions