Closed tb0hdan closed 1 year ago
Hi @tb0hdan, can you provide: the workflow container settings, and the run logs?
I will try to set up a regression and look further when I have some time.
Similar issue here probably caused by the same root issue.
Here's the yaml for installing my package:
- name: Install java
  uses: awalsh128/cache-apt-pkgs-action@latest
  with:
    packages: default-jre
    version: 1.0
And here's the log output I get:
Run awalsh128/cache-apt-pkgs-action@latest
Run /home/runner/work/_actions/awalsh128/cache-apt-pkgs-action/latest/pre_cache_action.sh \
grep: /tmp/cache-apt-pkgs-action-cache/install.log: No such file or directory
19:43:24 Validating action arguments (version='1', packages='default-jre ')...
19:43:24 done
19:43:24 Verifying packages...
19:43:25 done
19:43:25 Creating cache key...
19:43:25 - Normalized package list is 'default-jre=2:1.11-72build2 '.
19:43:25 - Value to hash is 'default-jre=2:1.11-72build2 @ 1'.
19:43:25 - Value hashed as '6617026d100dee4a2e59d22c57f6d817'.
19:43:25 done
19:43:25 Hash value written to /home/runner/cache-apt-pkgs/cache_key.md5
Run actions/cache@v3
Cache not found for input keys: cache-apt-pkgs_6617026d100dee4a2e59d22c57f6d817
Run /home/runner/work/_actions/awalsh128/cache-apt-pkgs-action/latest/post_cache_action.sh \
grep: /tmp/cache-apt-pkgs-action-cache/install.log: No such file or directory
grep: /tmp/cache-apt-pkgs-action-cache/install.log: No such file or directory
19:43:25 Clean installing and caching 1 package(s).
19:43:25 Package list:
19:43:25 - default-jre:2:1.11-72build2
19:43:25 Writing main packages manifest to /home/runner/cache-apt-pkgs/manifest_main.log...
19:43:25 done
19:43:25 Installing apt-fast for optimized installs...
--2022-11-30 19:43:26-- https://raw.githubusercontent.com/ilikenwf/apt-fast/master/apt-fast
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22293 (22K) [text/plain]
Saving to: ‘/usr/local/sbin/apt-fast’
0K .......... .......... . 100% 13.9M=0.002s
2022-11-30 19:43:26 (13.9 MB/s) - ‘/usr/local/sbin/apt-fast’ saved [22293/22293]
19:43:26 done
19:43:26 Updating APT package list...
19:43:28 done
19:43:28 Clean installing 1 packages...
19:43:58 done
19:43:58 Installation log written to /home/runner/cache-apt-pkgs/install.log
19:43:58 Installed package list:
19:43:58 - libpcsclite1:1.9.5-3
19:43:58 - openjdk-11-jre-headless:11.0.17+8-1ubuntu2~22.04
19:43:58 - default-jre-headless:2:1.11-72build2
19:43:58 - ca-certificates-java:20190909
19:43:58 - openjdk-11-jre:11.0.17+8-1ubuntu2~22.04
19:43:58 - default-jre:2:1.11-72build2
19:43:58 - libxcb-shape0:1.14-3ubuntu3
19:43:58 - libxv1:2:1.0.11-1build2
19:43:58 - libxxf86dga1:2:1.1.5-0ubuntu3
19:43:58 - x11-utils:7.7+5build2
19:43:58 - libatk-wrapper-java:0.38.0-5build1
19:43:58 - libatk-wrapper-java-jni:0.38.0-5build1
19:43:58 Caching 12 installed packages...
19:43:58 * Caching libpcsclite1 to /home/runner/cache-apt-pkgs/libpcsclite1:1.9.5-3.tar.gz...
19:43:59 done (compressed size 20K).
19:43:59 * Caching openjdk-11-jre-headless to /home/runner/cache-apt-pkgs/openjdk-11-jre-headless:11.0.17+8-1ubuntu2~22.04.tar.gz...
19:44:07 done (compressed size 57M).
19:44:07 * Caching default-jre-headless to /home/runner/cache-apt-pkgs/default-jre-headless:2:1.11-72build2.tar.gz...
19:44:07 done (compressed size 4.0K).
19:44:07 * Caching ca-certificates-java to /home/runner/cache-apt-pkgs/ca-certificates-java:20190909.tar.gz...
tar: etc/default/cacerts: Cannot open: Permission denied
tar: Exiting with failure status due to previous errors
My suggestion for a hot fix on this is a "runasprivileged" option that just runs all steps as root so as to avoid any permissions issues.
Hey @tb0hdan and @Themis3000, are you perhaps running this under a custom container? I am wondering if this is related to https://github.com/actions/container-action/issues/2#issuecomment-854057781
I am a bit hesitant to use this option given the security implications, but the biggest is any unintended side effects that may be encountered as a result. That said I can push a change to dev for testing while the ramifications are considered. Where would this option be defined at in the YAML?
> Hey @tb0hdan and @Themis3000, are you perhaps running this under a custom container? I am wondering if this is related to actions/container-action#2 (comment)
In my case I'm not running inside of a custom container, I'm just running on ubuntu-22.04.
> I am a bit hesitant to use this option given the security implications, but the biggest is any unintended side effects that may be encountered as a result. That said I can push a change to dev for testing while the ramifications are considered. Where would this option be defined at in the YAML?
I personally would have no idea on what ramifications could be caused as a result of running the action as privileged so I'm not sure I can comment on this. I'd suggest leaving a how and when to run as privileged as a section at the end of the readme, and just inform what the possible ramifications are (or just a simple "potential ramifications unknown, use at your own risk").
As for where the option would be defined in the YAML I'd imagine it would look something like this, where the privileged input is an optional input that defaults to false if not specified:
- name: Install java
  uses: awalsh128/cache-apt-pkgs-action@latest
  with:
    packages: default-jre
    privileged: true
    version: 1.0
Thanks for taking a look at this issue! I appreciate your work on this
I had the same problem.
I added a test for this but am not able to replicate the issue; it caches the CA certs files correctly.
https://github.com/awalsh128/cache-apt-pkgs-action-ci/actions/runs/3796793485/jobs/6457205526 https://github.com/awalsh128/cache-apt-pkgs-action-ci/actions/runs/3796793485/jobs/6457205608
The runner itself will run commands as sudo but is not allowed to run as root (https://github.com/actions/runner/blob/master/src/Misc/layoutroot/run.sh#L4). Lack of privileges may be a red herring here since file I/O issues can report permission denied as well.
@Themis3000 @tb0hdan @Marwennnne, could someone share their entire run setup so I can look at this action in context and possibly attempt to replicate the problem?
The problem is already fixed? I replicated it with package ca-certificates-java (test). But when I tried to replicate it with the dev version, it succeeded.
Thank you for bringing this up, can confirm that for me using the dev release makes everything work perfectly for me.
@awalsh128 here is my full workflow file:
name: Tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - name: Install modules
        run: npm ci
      - name: Install java
        uses: awalsh128/cache-apt-pkgs-action@latest
        with:
          packages: default-jre
          version: 1.0
      - name: Install firebase tools
        run: sudo npm install -g firebase-tools
      - name: Run tests
        run: npm test
Great, thank you! Can you confirm the tag that is still failing since we have a couple?
I can then confirm the fix, add the regression to the CI and graduate the build as a new patch release.
> Great, thank you! Can you confirm the tag that is still failing since we have a couple?
> I can then confirm the fix, add the regression to the CI and graduate the build as a new patch release.
Can confirm that using the latest tag still fails out for me with exit code 123
Thanks. I'll update once we are all set.
Confirmed the break on the CI against latest (run log). This was due to the tag not actually being rev'd to latest (see #51). It works now on the CI. Thanks for your patience.
Awesome, thank you for the fix! It's all working perfect on my end now
Hi,
Following stanza:
will fail with permissions error during certificate installation