step-security / harden-runner

Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
https://www.stepsecurity.io
Apache License 2.0
616 stars, 50 forks

Allowed endpoint could not be resolved #283

Closed ben-manes closed 1 year ago

ben-manes commented 1 year ago

```
Thu, 20 Apr 2023 00:22:15 GMT:Error resolving allowed domain error in response from dns.google unable to resolve domain repo.maven.apache.org.
Thu, 20 Apr 2023 00:22:15 GMT:unable to resolve domain: repo.maven.apache.org.
Thu, 20 Apr 2023 00:22:15 GMT:Reverted changes
Error: StepSecurity Harden Runner: Reverting agent since allowed endpoint repo.maven.apache.org could not be resolved
```

The domain is on the allow list and has worked in prior runs. It appears that Google's DNS entry is not resolving, causing the workflow to fail. I can resolve it locally, but have not tried it through that DNS. Can the runner be more resilient to a DNS outage?

See failed job

ben-manes commented 1 year ago

I'll close since this seems to have been broader and the DNS fixed.

varunsh-coder commented 1 year ago

Hi @ben-manes, thanks for reporting the issue!

The current logic is that in block mode, harden-runner tries to resolve each of the allowed domains in the pre step. It reverts the agent (in the pre step) if it cannot resolve even one of them (maybe because the domain has a typo and is incorrect, or it cannot be resolved at that time). Once the agent is reverted (maybe uninstalled would be a better term), the hosted runner handles all DNS calls. So, in this case, the job did not fail because of harden runner. As you mentioned, there was probably a broader DNS issue.

Please let me know if you have feedback on the current logic, and we can improve it.
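The pre-step allow-list check described above, modelled as an added Python example (not harden-runner's own code). It assumes the `host:port` allow-list format and a constructed allow list, keeps the fail-closed "any unresolved host reverts the agent" rule, and adds the resolver fallback and retries that the report asks for; `doh_google` uses the dns.google JSON API named in the log.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Sequence, Tuple

# A resolver returns the A records for a host; it raises or returns [] on failure.
Resolver = Callable[[str], List[str]]

# Constructed allow list in harden-runner's host:port form (assumption).
ALLOWED_ENDPOINTS = ["github.com:443", "repo.maven.apache.org:443"]


def doh_google(host: str, timeout: float = 5.0) -> List[str]:
    """Resolve A records through the dns.google JSON API (the resolver in the log)."""
    url = "https://dns.google/resolve?" + urllib.parse.urlencode({"name": host, "type": "A"})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = json.load(resp)
    if body.get("Status") != 0:  # 0 is NOERROR; anything else is a lookup failure
        raise RuntimeError(f"dns.google returned status {body.get('Status')} for {host}")
    return [rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1]


def check_allowed_endpoints(endpoints: Sequence[str], resolvers: Sequence[Resolver],
                            attempts: int = 3, backoff: float = 0.0
                            ) -> Tuple[List[str], Dict[str, List[str]]]:
    """Pre-step check: every allowed host must resolve through at least one resolver.

    Resolvers are tried in order for up to `attempts` rounds with exponential
    backoff, so one resolver outage does not by itself mark a host unresolvable.
    Returns (unresolved_hosts, records_per_host).
    """
    records: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    for endpoint in endpoints:
        host = endpoint.rsplit(":", 1)[0]  # drop the port part of host:port
        addrs: List[str] = []
        for attempt in range(attempts):
            for resolve in resolvers:
                try:
                    addrs = resolve(host)
                except Exception:  # timeout, network error, non-zero DoH status
                    addrs = []
                if addrs:
                    break
            if addrs:
                break
            time.sleep(backoff * 2 ** attempt)
        records[host] = addrs
        if not addrs:
            unresolved.append(host)
    return unresolved, records


def decide(unresolved: List[str]) -> str:
    """The issue's rule: one unresolved allowed host reverts (uninstalls) the agent,
    which leaves the job running without egress filtering."""
    return "revert" if unresolved else "enforce"
```

Injecting fake resolvers makes the policy testable offline; in a real pre step you would pass `[doh_google]` plus a second, independent resolver.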