search

actions / runner

The Runner for GitHub Actions :rocket:
https://github.com/features/actions
MIT License
4.91k stars 964 forks source link

Run the job.container as the same user of the host VM by default #691

Open felipecrs opened 4 years ago

felipecrs commented 4 years ago

Description

Run the containers as the same user running on the host (the VM) by default, or at least provide an option. The related docker option would be docker run --user "$(id -u):$(id -g)".

Containers job.container runs as the container's default user by default, which often is root. This causes some weird behaviors because the workspace on the GitHub runner is mounted to the container, and no other user (other than the Runner user) has permission to write on it. This is what makes @actions/checkout fail when running on containers.

As Jenkins does, this should be made by default. Users who might want to run as a different user can still use the --user docker option.

Workaround

As suggested by @xanantis:

jobs:
  configure:
    runs-on: ubuntu-latest
    outputs:
      uid_gid: ${{ steps.get-user.outputs.uid_gid }}
    steps:
      - id: get-user
        run: echo "::set-output name=uid_gid::$(id -u):$(id -g)"

  clone-and-install:
    needs: configure
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user ${{ needs.configure.outputs.uid_gid }}
    steps:
      - uses: actions/checkout@v2

It's even funny to have to do such a thing.

BlueskyFR commented 2 years ago

Can reproduce, I know it's been 2 years now but is there any update?

sulfasTor commented 2 years ago

Description

Run the containers as the same user running on the host (the VM) by default, or at least provide an option. The related docker option would be docker run --user "$(id -u):$(id -g)".

Containers job.container runs as the container's default user by default, which often is root. This causes some weird behaviors because the workspace on the GitHub runner is mounted to the container, and no other user (other than the Runner user) has permission to write on it. This is what makes @actions/checkout fail when running on containers.

As Jenkins does, this should be made by default. Users who might want to run as a different user can still use the --user docker option.

Workaround

As suggested by @xanantis:

jobs:
  configure:
    runs-on: ubuntu-latest
    outputs:
      uid_gid: ${{ steps.get-user.outputs.uid_gid }}
    steps:
      - id: get-user
        run: echo "::set-output name=uid_gid::$(id -u):$(id -g)"

  clone-and-install:
    needs: configure
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user ${{ needs.configure.outputs.uid_gid }}
    steps:
      - uses: actions/checkout@v2

It's even funny to have to do such a thing.

This won't work if you have a pool of self-hosted runners and jobs are dispatched by different runners. ID's may mismatch.

felipecrs commented 2 years ago

That's true.

russellsch commented 1 year ago

Does anyone have any suggestions for dealing with this on self-hosted runners?

xanantis commented 1 year ago

@russellsch There are two options for you: Rootless Docker Podman, with podman.socket enabled. You may have to create a symlink for /usr/bin/docker to /usr/bin/podman.

Before rootless docker was available and podman supported interaction over a socket, I used parameter injection to inject --user for create, exec, and run commands.

jcelerier commented 5 months ago

any hope of seeing this little change one day ? there's no correct solution to this right now