CloudSnorkel / cdk-github-runners

CDK constructs for self-hosted GitHub Actions runners
https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/
Apache License 2.0

feat: Add option to allow sudo access for the runner user #208

Closed pharindoko closed 1 year ago

pharindoko commented 1 year ago

It would be great to have an option to run the runner job as the root user. This option has been built in ... https://github.com/actions/runner/blob/caec043085990710070108f375cd0aeab45e1017/images/Dockerfile#L20

and would be set when you configure a runner e.g. here https://github.com/CloudSnorkel/cdk-github-runners/blob/ae30d9050e2cc2a4280ab4663ae82459c011a30b/src/providers/docker-images/lambda/linux-arm64/runner.sh#L11

Would look like this:

    RUNNER_ALLOW_RUNASROOT="1" ./config.sh --unattended --url "https://${GITHUB_DOMAIN}/${OWNER}/${REPO}" --token "${RUNNER_TOKEN}" --ephemeral --work _work --labels "${RUNNER_LABEL}" --name "${RUNNER_NAME}" ${RUNNER_FLAGS}

lazyfrosch commented 1 year ago

For EC2 instances, this could be added here, then the user can use sudo if needed.

https://github.com/CloudSnorkel/cdk-github-runners/blob/29708ebe9a83cf84566a7073cda60dd6bbff402a/src/providers/image-builders/linux-components.ts#L44

pharindoko commented 1 year ago

Sorry, I had a wrong understanding of what exactly RUNNER_ALLOW_RUNASROOT does :)

pharindoko commented 1 year ago

> For EC2 instances, this could be added here, then the user can use sudo if needed.
>
> https://github.com/CloudSnorkel/cdk-github-runners/blob/29708ebe9a83cf84566a7073cda60dd6bbff402a/src/providers/image-builders/linux-components.ts#L44

@lazyfrosch: I like your idea :) (... we have already discussed it internally)

@kichik what's your opinion?

kichik commented 1 year ago

Are you guys saying you can't sudo in your jobs? What's the exact runner configuration you're using? This is tested in the integration tests and seems to be working.

lazyfrosch commented 1 year ago

We use EC2 (spot) instances, but there is no sudo rule for the runner user. We just added the following component to our default builder:

    defaultBuilder.addComponent(
      new ImageBuilderComponent(defaultBuilder, `sudo-for-runner`, {
        platform: 'Linux',
        displayName: 'Allow sudo for runner',
        description: 'Grant sudo with NOPASSWD for runner user',
        commands: [
          'set -ex',
          'echo "runner ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/github-runner',
          'chmod 0400 /etc/sudoers.d/github-runner'
        ],
      })
    );
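The component above grants the `runner` account `NOPASSWD: ALL`, so every step of every job that lands on the image can become root; `--ephemeral` in the config line quoted earlier limits that to the lifetime of one instance, not to what a job can do while it runs. The block below is an added example, not code from cdk-github-runners or from anyone in this thread: it builds the same kind of `commands` list for an `ImageBuilderComponent`, but with an explicit allow-list of absolute command paths, validates the drop-in with `visudo -cf` so a typo fails the image build rather than breaking sudo on every runner, and includes a small linter that flags unrestricted `NOPASSWD: ALL` rules in a sudoers file. `SudoRule`, `renderSudoersLine`, `sudoComponentCommands` and `findUnrestrictedNopasswd` are names assumed for this example; the drop-in path is the one used in the thread, and the sample sudoers content is constructed.

```typescript
// Added example (not cdk-github-runners code). Assumed names throughout.

export interface SudoRule {
  user: string;        // local account the runner process runs as
  commands: string[];  // absolute command paths, or "ALL"
  nopasswd: boolean;   // CI jobs are non-interactive, so this is normally true
}

// Render one sudoers entry: user ALL=(ALL) [NOPASSWD: ]cmd1, cmd2
// Relative paths are rejected (sudo requires absolute paths), as are quotes
// and newlines, which would break the shell quoting below or smuggle in a
// second sudoers line.
export function renderSudoersLine(rule: SudoRule): string {
  if (!/^[a-z_][a-z0-9_-]*$/.test(rule.user)) {
    throw new Error(`invalid user name: ${rule.user}`);
  }
  if (rule.commands.length === 0) {
    throw new Error("at least one command is required");
  }
  for (const c of rule.commands) {
    if (/['\n\r]/.test(c) || (c !== "ALL" && !c.startsWith("/"))) {
      throw new Error(`sudoers command must be an absolute path: ${c}`);
    }
  }
  const tag = rule.nopasswd ? "NOPASSWD: " : "";
  return `${rule.user} ALL=(ALL) ${tag}${rule.commands.join(", ")}`;
}

// Shell commands for an ImageBuilderComponent. The final visudo check-mode
// run makes a malformed drop-in fail the image build.
export function sudoComponentCommands(
  rule: SudoRule,
  file = "/etc/sudoers.d/github-runner",
): string[] {
  const line = renderSudoersLine(rule);
  return [
    "set -ex",
    `printf '%s\\n' '${line}' > ${file}`,
    `chmod 0440 ${file}`, // root-owned and not writable by others, as sudo requires
    `visudo -cf ${file}`,
  ];
}

// Return the user-spec lines of a sudoers file that grant every command
// ("ALL") without a password. Comments, Defaults and alias definitions are
// skipped; backslash line continuations are not handled.
export function findUnrestrictedNopasswd(sudoers: string): string[] {
  const flagged: string[] = [];
  for (const raw of sudoers.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith("Defaults")) continue;
    if (/^(Host|User|Cmnd|Runas)_Alias/.test(line)) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    // After "=": [(runas list)] [TAG: ...] command list
    let spec = line.slice(eq + 1).trim().replace(/^\([^)]*\)\s*/, "");
    const tags: string[] = [];
    for (;;) {
      const m = /^([A-Z]+):\s*/.exec(spec);
      if (!m) break;
      tags.push(m[1]);
      spec = spec.slice(m[0].length);
    }
    const cmds = spec.split(",").map((s) => s.trim());
    if (tags.includes("NOPASSWD") && cmds.includes("ALL")) flagged.push(line);
  }
  return flagged;
}

// Constructed sample: the rule from this thread next to a restricted one.
export const SAMPLE_SUDOERS = [
  "# managed by image builder",
  "runner ALL=(ALL) NOPASSWD: ALL",
  renderSudoersLine({
    user: "runner",
    commands: ["/usr/bin/apt-get", "/usr/bin/systemctl"],
    nopasswd: true,
  }),
].join("\n");

console.log(sudoComponentCommands({ user: "runner", commands: ["/usr/bin/apt-get"], nopasswd: true }));
console.log(findUnrestrictedNopasswd(SAMPLE_SUDOERS));
```

The `commands` array returned by `sudoComponentCommands` is what you would pass to `new ImageBuilderComponent(...)` in place of the three hand-written strings above; the linter is the check to run over an image's `/etc/sudoers.d` in a build test if the intent is that no job can obtain an unrestricted root shell.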

kichik commented 1 year ago

Turns out we don't have the tests I thought we did.