actions / runner-images

GitHub Actions runner images
MIT License

CRAC JDK is not usable as criu needs SUID permissions to work #10466

Closed snicoll closed 1 week ago

snicoll commented 1 month ago

Description: I am trying to use CRAC in GitHub Actions. With the following definition:

      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          java-package: 'jdk+crac'
          distribution: 'zulu'

I can't use criu as it's missing SUID permissions. Courtesy of @wkia, it would work if the archive was extracted using sudo tar xz.

There's not much, but here it is failing: https://github.com/spring-projects/spring-lifecycle-smoke-tests/actions/runs/10032558509/job/27724454193

With a manual setup (see https://github.com/spring-projects/spring-lifecycle-smoke-tests/commit/efd6ee22b9eafdf1276739574ff57d67e1156bba), it is working: https://github.com/spring-projects/spring-lifecycle-smoke-tests/actions/runs/10039511315

Task version: v3

Platform:

Runner type:

Repro steps:

Expected behavior: criu works out-of-the-box

Actual behavior: criu fails as it's missing SUID permissions

mahabaleshwars commented 1 month ago

Hello @snicoll, Thank you for creating this issue. We will investigate it and provide feedback as soon as we have some updates.

priyagupta108 commented 1 month ago

Hello @snicoll, Currently, the setup-java action does not directly support CRaC-specific configurations. CRaC relies on a fork of CRIU, which requires broad permissions, usually involving running as root granted through the SUID bit. After setting up a CRaC-aware OpenJDK with setup-java, you need to change the CRIU ownership to root and set the SUID bit. Please ensure the CRIU binary is owned by the root user and has the SUID bit set:

  1. Check CRIU Permissions:

    ls -la "$JAVA_HOME/lib/criu"

  2. Update Permissions if Necessary:

    sudo chown root:root "$JAVA_HOME/lib/criu"
    sudo chmod u+s "$JAVA_HOME/lib/criu"

For more information, see: Azul CRaC Debugging Documentation
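
The check described in the comment above, as an added example that is not part of the original thread or of setup-java: a POSIX shell function that classifies the JDK's bundled criu by owner and mode, and also flags a group- or world-writable binary (a check the comment does not list). It assumes GNU `stat`; the names `classify_criu` and `check_criu` are hypothetical.

```shell
#!/bin/sh
# Added example: verify the CRaC JDK's bundled criu before a job relies on it.
# Function names are hypothetical; GNU stat is assumed.

# classify_criu UID MODE -> prints one of: ok | no-suid | not-root | writable
# UID is the owner's numeric id, MODE the octal permission string (e.g. 4755).
classify_criu() {
    uid=$1
    mode=$(( 0$2 ))                      # leading 0 = octal in sh arithmetic
    if [ $(( mode & 04000 )) -eq 0 ]; then
        echo no-suid                     # SUID bit absent (e.g. after a plain tar extract)
    elif [ "$uid" -ne 0 ]; then
        echo not-root                    # SUID set, but the owner it elevates to is not root
    elif [ $(( mode & 022 )) -ne 0 ]; then
        echo writable                    # root SUID binary that group/others can modify
    else
        echo ok
    fi
}

# check_criu PATH -> prints the classification, returns 0 only for "ok".
check_criu() {
    [ -f "$1" ] || { echo missing; return 2; }
    # GNU stat: %u = owner uid, %a = octal mode including the SUID bit
    set -- $(stat -c '%u %a' "$1")
    result=$(classify_criu "$1" "$2")
    echo "$result"
    [ "$result" = ok ]
}

# Usage in a workflow step, after setup-java and the chown/chmod fix:
#   check_criu "$JAVA_HOME/lib/criu" || exit 1
```

A `not-root` result is what `chmod u+s` alone produces on a binary still owned by the runner user, which is why the `chown root:root` step comes first.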

snicoll commented 1 month ago

@priyagupta108 thanks very much for the reply. I've done something similar in https://github.com/spring-projects/spring-lifecycle-smoke-tests/actions/runs/10039511315 (see in the above description) although your use of $JAVA_HOME is much cleaner.

The issue here was to see if this could be done automatically. Given that jdk+crac is a supported distribution, it makes sense to me it would.

priyagupta108 commented 3 weeks ago

Hi @snicoll, Thank you for your response. Since setting SUID permissions on the CRIU binary requires root access (a runner-level privilege), it might be more appropriate to address this concern in the actions/runner-images repository.
Going to transfer this issue to the actions/runner-images repository to ensure it gets the attention it needs.

Prabhatkumar59 commented 3 weeks ago

Hi @snicoll - Thank you for bringing this issue to our attention. We will look into this issue and will update you after investigating.

Prabhatkumar59 commented 3 weeks ago

Hi @snicoll - From the above comments, I can see that you want an automatic setup using the actions/setup-java@v3 action. Considering that jdk+crac is a supported distribution, here's a more automated approach:

Proposal for Automated Setup

You can try using a combination of setup-java and a custom script to automate the SUID fix after the JDK is installed:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Install necessary dependencies
      run: sudo apt-get update && sudo apt-get install -y criu

    - name: Set up Java with CRAC support
      uses: actions/setup-java@v3
      with:
        java-version: '17'
        java-package: 'jdk+crac'
        distribution: 'zulu'

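    - name: Fix CRIU SUID Permissions
      run: |
        # SUID only elevates to root when root owns the binary: chown first, then chmod
        sudo find "$JAVA_HOME" -name criu -type f -exec chown root:root {} \; -exec chmod u+s {} \;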

    - name: Verify CRAC JDK with CRIU
      run: java -version

Providing explanation for you as well:-

Install Dependencies: The necessary CRIU package is installed.

Set up Java: The actions/setup-java@v3 action installs the jdk+crac.

Fix Permissions: After the JDK is installed, the script finds the CRIU executable and sets the SUID bit using chmod u+s.

Verify Installation: Finally, it verifies the setup by running java -version.

And after that Next Steps would be:- Automation Request: If you believe this setup should be automated by the GitHub action itself, it would be best to raise an issue or contribute to the actions/setup-java repository to handle CRIU and SUID settings automatically when the jdk+crac distribution is selected.

Also, to automate CRIU usage with the jdk+crac distribution in GitHub Actions, you can suggest modifying the actions/setup-java action to include a post-installation step that runs sudo tar xz to set the necessary SUID permissions. This would allow the jdk+crac distribution to work out-of-the-box without manual intervention.

The above solution ensures that the process is as automated as possible within the constraints of the current GitHub Actions environment, and you should now have a resolution for your query.

snicoll commented 3 weeks ago

@Prabhatkumar59 thank you for your reply but I don't need a solution, I already have one. Please review:

With a manual setup (see https://github.com/spring-projects/spring-lifecycle-smoke-tests/commit/efd6ee22b9eafdf1276739574ff57d67e1156bba), it is working

in my original description.

The purpose of this issue was to see if criu could be made available out of the box since setup-java has support for crac.

Prabhatkumar59 commented 3 weeks ago

@snicoll- Thanks for your reply.

This could be implemented by:

Enhancing the setup-java Action: Modify the action to include an additional step that checks if the jdk+crac distribution is being used, and if so, extracts the necessary files with sudo tar xz to ensure CRIU works correctly.

Community Contribution: If you're comfortable with contributing to open-source, you could propose a pull request to the actions/setup-java repository to add this feature.

If these above changes are made, CRIU could be supported out-of-the-box with the setup-java action, streamlining the setup process for users leveraging CRAC.

However, in my opinion CRIU cannot be made available out-of-the-box through the setup-java action because of:-

Security Considerations: Automatically setting SUID permissions could introduce security risks, as it requires elevated privileges. The setup-java action operates in a way that minimizes security risks by not requiring such permissions.

Runner Environment Limitations: The GitHub-hosted runners do not have SUID permissions by default, and enabling them would require changes at the runner level, which is outside the scope of the setup-java action.

The manual setup remains necessary to properly configure CRIU for use with the jdk+crac distribution.

snicoll commented 2 weeks ago

Perhaps a documentation change could help? I can have a look at that.

Prabhatkumar59 commented 1 week ago

Hi @snicoll- Please go through the below documents:-

https://github.com/canonical/crac-criu This documentation provides a comprehensive guide to integrating CRIU with the jdk+crac distribution in a GitHub Actions environment.

Also, for additional details on using the setup-java action, please refer to the official GitHub Actions setup-java documentation.

Prabhatkumar59 commented 1 week ago

Hi @snicoll - Since we haven't heard back, we'll assume you got help for your issue and we will close this issue for now. Feel free to reach out to us for any other queries. Thanks.