tailscale / github-action

A GitHub Action to connect your workflow to your Tailscale network.
BSD 3-Clause "New" or "Revised" License

Question for self-hosted runner? #35

Closed ambretanmay closed 2 years ago

ambretanmay commented 2 years ago

I am trying to run this action on a self-hosted runner. I am getting the following error, which makes sense. Is there a specific setup of the GitHub runner that this action is designed for?

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

DentonGentry commented 2 years ago

The action expects sudo to work, without a password. I think creating an /etc/sudoers file in your runner would accomplish this.

DentonGentry commented 2 years ago

Reopen if not sufficiently answered.
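The sudoers change suggested above, worked through as an added example (this is not code from the thread or from the tailscale/github-action project). It writes a drop-in under /etc/sudoers.d rather than editing /etc/sudoers directly, gives it the 0440 mode sudo requires, and syntax-checks it with visudo before moving it into place. The account name "runner" and the drop-in directory are assumptions; use whatever user your runner service runs as. Note that the rule grants unrestricted passwordless root, so it belongs only on a runner dedicated to workflows you trust.

```shell
#!/bin/sh
# Added example (not from the tailscale/github-action project): create a
# sudoers drop-in so the runner's service account can sudo without a password,
# which is what the action needs on a self-hosted runner. The user name
# "runner" and the directory /etc/sudoers.d are assumptions.
set -eu

# write_runner_sudoers USER SUDOERS_DIR
# Writes SUDOERS_DIR/github-runner with a NOPASSWD rule for USER, sets the
# 0440 mode that sudo insists on, and syntax-checks it with visudo when
# visudo is available. Prints the path of the file it wrote.
write_runner_sudoers() {
    user="$1"
    dir="$2"
    file="$dir/github-runner"

    # Refuse anything but a plain account name so a bad argument cannot
    # smuggle extra sudoers syntax into the rule.
    case "$user" in
        *[!A-Za-z0-9._-]*|"")
            echo "invalid user name: $user" >&2
            return 1
            ;;
    esac

    mkdir -p "$dir"
    # Stage in a temp file; it is only moved into place if visudo accepts it.
    tmp="$(mktemp)"
    printf '%s ALL=(root) NOPASSWD: ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null
    fi
    mv "$tmp" "$file"
    echo "$file"
}

# Usage (run as root on the runner host):
#   write_runner_sudoers runner /etc/sudoers.d
```

Run it once as root on the runner host, then confirm with `sudo -n true` as the runner user; the action's sudo calls will then succeed without a TTY.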

markstos commented 5 months ago

Is this really designed to run on self-hosted runners?

This seems to:

As a security product, are you really advising self-hosted runners that it's reasonable to trust GitHub Actions to download remote binaries and run them as root?

markstos commented 5 months ago

To ssh/rsync out of a container, I found an alternate solution: Use the ProxyCommand option to SSH through an account on the host running TailScale, which can then resolve the tailnet from there. When that pattern is used, the TailScale Github Action is not needed within a container at all.

smultar commented 3 months ago

To ssh/rsync out of a container, I found an alternate solution: Use the ProxyCommand option to SSH through an account on the host running TailScale, which can then resolve the tailnet from there. When that pattern is used, the TailScale Github Action is not needed within a container at all.

Could you expand on this @markstos for a new bro with GitHub Actions?

markstos commented 3 months ago

ProxyCommand is an SSH configuration option that allows you to give the details of an intermediate host that your SSH connections should be proxied through.

A common pattern for using it is when you have a private network full of machines, but none of them expose SSH to the public. A single machine, called a bastion or jump host, listens for SSH on the public network, but is also a member of the private network.

If you were connecting from the CLI, the command structure might look like this:

ssh -J bastion.example.com internal-host.example.com

TailScale is one technology that can create a private network.

So, to SSH into a tailnet without being on a tailnet, one way to do that is use the ProxyCommand feature to SSH into an intermediate server that is both on your network and is also part of the tailnet.

So, a container on a CI server doesn't itself need to be part of a tailnet, as long as it can SSH into the parent CI server, and the parent CI server itself is part of the tailnet.

Ref: https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/

If you want to use the method for other things besides SSH, you possibly can. Research SSH tunnels. SSH tunnels can traverse bastion hosts such that you could end up accessing any port on a remote machine in a tailnet as if it were a port on your local machine.

This can work like a "Poor Man's VPN" to access resources privately and securely when SSH is available but a true VPN service is not.
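The bastion pattern described in the comment above, written out as an added example for a job that runs in a container on a self-hosted runner (this is not code from the thread or from the tailscale/github-action project). The script generates an ssh_config in which the runner host is the jump host and the tailnet machine is reached through it with ProxyJump (the short form of ProxyCommand ssh -W %h:%p), then shows the rsync and port-forward commands that use it. All names are placeholder assumptions: the runner host is reachable from the container as ci-host.example.com with an SSH account "ci", it runs Tailscale, the target is internal-host (resolved by the bastion over the tailnet, not by the container), and the deploy key path is whatever you pass as the second argument.

```shell
#!/bin/sh
# Added example; not code from this thread or from the tailscale/github-action
# project. Sets up the ProxyCommand/ProxyJump pattern for a job running in a
# container on a self-hosted runner. Every name below is a placeholder
# assumption: ci-host.example.com is the runner host (SSH account "ci", member
# of the tailnet), internal-host is the tailnet target, and the deploy key is
# the path passed as the second argument.
set -eu

# write_jump_config CONFIG_PATH KEY_PATH
# Writes an ssh_config that routes internal-host through the runner host.
# The container itself needs no tailscaled, no sudo and no root.
write_jump_config() {
    cfg="$1"
    key="$2"
    mkdir -p "$(dirname "$cfg")"
    # Unquoted heredoc: $key is expanded now; "%h:%p" has no $ and is kept.
    cat > "$cfg" <<EOF
# The bastion: the CI host, which is a member of the tailnet.
Host ci-host
    HostName ci-host.example.com
    User ci
    IdentityFile $key
    # Pin host keys; a jump host that accepts unknown keys defeats the point.
    StrictHostKeyChecking yes

# The tailnet machine. Its name is resolved by the bastion, not by this
# container, so the container needs no tailnet DNS at all.
Host internal-host
    HostName internal-host
    User deploy
    IdentityFile $key
    # Equivalent long form: ProxyCommand ssh -W %h:%p ci-host
    ProxyJump ci-host
    StrictHostKeyChecking yes
EOF
    chmod 0600 "$cfg"
    echo "$cfg"
}

# effective_proxyjump CONFIG_PATH
# Asks ssh (without connecting) how it would reach internal-host, to confirm
# the jump applies. Prints the bastion alias, or nothing if ssh is absent.
effective_proxyjump() {
    cfg="$1"
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$cfg" internal-host | awk '$1 == "proxyjump" {print $2}'
    fi
}

# Usage from a workflow step (set RUN_DEPLOY=1 to actually connect).
# DEPLOY_KEY is assumed to hold the path of a key mounted into the container.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
    cfg="$(write_jump_config "$HOME/.ssh/jump_config" "$DEPLOY_KEY")"
    # rsync out of the container; the hop through ci-host is transparent.
    rsync -az -e "ssh -F $cfg" ./build/ internal-host:/srv/app/
    # The same bastion carries an arbitrary port: after this, 127.0.0.1:5432
    # in the container reaches internal-host:5432 on the tailnet.
    ssh -F "$cfg" -N -f -L 127.0.0.1:5432:internal-host:5432 ci-host
fi
```

Because StrictHostKeyChecking is on for both hops, the workflow has to supply known_hosts entries for ci-host and internal-host (for example from a secret); otherwise the first connection fails closed rather than silently trusting whatever answers.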