RUNNER_ALLOW_RUNASROOT variable is not set during start-runner operations #1524

Closed
inhumantsar opened this issue Dec 16, 2021 · 2 comments · Fixed by #1537

@inhumantsar
Contributor

During instance startup when trying to launch the runner as root, the following logs are produced and the runner fails to launch.

  | 2021-12-16T12:34:20.628-06:00 | Dec 16 18:34:19 ip-10-100-76-217 user-data: Delete GH Runner token from AWS SSM
  | 2021-12-16T12:34:20.628-06:00 | Dec 16 18:34:20 ip-10-100-76-217 user-data: Configure GH Runner as user root
  | 2021-12-16T12:34:20.628-06:00 | Dec 16 18:34:20 ip-10-100-76-217 systemd: Created slice User Slice of root.
  | 2021-12-16T12:34:20.628-06:00 | Dec 16 18:34:20 ip-10-100-76-217 systemd: Started Session c1 of user root.
  | 2021-12-16T12:34:20.628-06:00 | Dec 16 18:34:20 ip-10-100-76-217 user-data: Must not run with sudo

The logs never reach "Starting the runner as user" as expected so it seems that the ./config.sh call is failing. To hackfix this, I'm approaching it like so:

...

if [[ "$run_as" == "root" ]]; then
    run_as_root_flag='RUNNER_ALLOW_RUNASROOT=1'
fi

echo "Configure GH Runner as user $run_as"
sudo -u "$run_as" -- $run_as_root_flag ./config.sh --unattended --name "$instance_id" --work "_work" $${config}

## Start the runner
echo "Starting runner after $(awk '{print int($1/3600)":"int(($1%3600)/60)":"int($1%60)}' /proc/uptime)"
echo "Starting the runner as user $run_as"

if [[ $agent_mode = "ephemeral" ]]; then  
  echo "Starting the runner in ephemeral mode"
  sudo -u "$run_as" -- $run_as_root_flag ./run.sh
  echo "Runner has finished"
  
  echo "Stopping cloudwatch service"
  service awslogsd stop
  echo "Terminating instance"
  aws ec2 terminate-instances --instance-ids "$instance_id" --region "$region"
else 
  echo "Installing the runner as a service"
  ./svc.sh install "$run_as"
  echo "Starting the runner in persistent mode"
  ./svc.sh start
fi

Please let me know if there's a config I'm missing or there's a better way to accomplish this, otherwise I can put in a PR with this.

@npalm
Member

npalm commented Dec 16, 2021

@ScottGuymer can you have a look at this issue?

@ScottGuymer
Member

Yeah I see the problem.

We set the env var in the install phase but then we execute the config and ephemeral start as the specified user and the environment doesn't get passed along.

We should use the --preserve-env flag in sudo to pass the listed variables along into the sudo.

It might look something like this:

sudo -u "$run_as" --preserve-env=RUNNER_ALLOW_RUNASROOT -- ./config.sh --unattended --name "$instance_id" --work "_work" $${config}

And it can be a list of existing vars that will take the current value from env e.g. --preserve-env=ABC,XYZ,DEF.

@inhumantsar Do you have the time to open a PR for this?
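
The allowlist approach from the comment above, as an added example that is not part of the thread or the project's scripts: `run_as_user`, `FORWARD_VARS` and the overridable `SUDO` are hypothetical names. It forwards only named variables that are actually exported, because sudo's default `env_reset` policy drops the rest and `--preserve-env` can only pass what is in the caller's environment.

```shell
#!/bin/sh
# Added example: hypothetical helper, not taken from the project's user-data script.

SUDO="${SUDO:-sudo}"                   # overridable so the helper can be dry-run
FORWARD_VARS="RUNNER_ALLOW_RUNASROOT"  # space-separated allowlist (assumption)

# run_as_user USER CMD [ARGS...]
# Runs CMD as USER, forwarding only allowlisted variables that are exported.
run_as_user() {
    user=$1
    shift
    keep=""
    for name in $FORWARD_VARS; do
        # Refuse anything that is not a plain variable name.
        case $name in
            '' | [0-9]* | *[!A-Za-z0-9_]*)
                echo "run_as_user: bad variable name: $name" >&2
                return 2
                ;;
        esac
        # sudo can only preserve what is in this process's environment, so a
        # variable that is set but not exported is skipped.
        if env | grep "^${name}=" >/dev/null; then
            keep="${keep:+$keep,}$name"
        fi
    done
    if [ -n "$keep" ]; then
        "$SUDO" -u "$user" --preserve-env="$keep" -- "$@"
    else
        "$SUDO" -u "$user" -- "$@"
    fi
}

# Usage in a start script (constructed; $run_as and $instance_id as in the thread):
#   [ "$run_as" = "root" ] && export RUNNER_ALLOW_RUNASROOT=1
#   run_as_user "$run_as" ./config.sh --unattended --name "$instance_id" --work "_work"
```

Naming the variables keeps the rest of the provisioning environment out of the runner process, which a blanket `sudo -E` would not.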
