Run the job.container as the same user of the host VM by default #691
Comments
Some data files from a previous run of this action are created with root as the owner. Because the action runs as a non-root user, such files are [not able to be deleted](https://github.com/cmu-delphi/forecast-eval/runs/3351290227?check_suite_focus=true) which is needed for the actions/checkout@v2 step to install the newest version of the repo. This seems to be a bug in the actions/checkout@v2 command, perhaps specific to self-hosted workflows. [Summary of issue](actions/runner#691) and [suggested fixes[(actions/checkout#211).
AFAIK we anyway run self-hosted runners from root due to all those problems like [1]. No reason to include the hack into every workflow file. If we'll going to start runners from a non-root user, it is better to pass `--user $PROPER_UID` to all docker jobs instead, see [2]: at least it does not require to place a boilerplate into all workflow files. Didn't touch perf_* jobs: don't want to dig inside this part of the infrastructure ATM. It reverts PR #5953. [1]: actions/checkout#211 [2]: actions/runner#691
AFAIK we anyway run self-hosted runners from root due to all those problems like [1]. No reason to include the hack into every workflow file. If we'll going to start runners from a non-root user, it is better to pass `--user $PROPER_UID` to all docker jobs instead, see [2]: at least it does not require to place a boilerplate into all workflow files. Didn't touch perf_* jobs: don't want to dig inside this part of the infrastructure ATM. It reverts PR #5953. [1]: actions/checkout#211 [2]: actions/runner#691
AFAIK we anyway run self-hosted runners from root due to all those problems like [1]. No reason to include the hack into every workflow file. If we'll going to start runners from a non-root user, it is better to pass `--user $PROPER_UID` to all docker jobs instead, see [2]: at least it does not require to place a boilerplate into all workflow files. Didn't touch perf_* jobs: don't want to dig inside this part of the infrastructure ATM. It reverts PR #5953. [1]: actions/checkout#211 [2]: actions/runner#691 (cherry picked from commit a0a2e8b)
AFAIK we anyway run self-hosted runners from root due to all those problems like [1]. No reason to include the hack into every workflow file. If we'll going to start runners from a non-root user, it is better to pass `--user $PROPER_UID` to all docker jobs instead, see [2]: at least it does not require to place a boilerplate into all workflow files. Didn't touch perf_* jobs: don't want to dig inside this part of the infrastructure ATM. It reverts PR #5953. [1]: actions/checkout#211 [2]: actions/runner#691 (cherry picked from commit a0a2e8b)
AFAIK we anyway run self-hosted runners from root due to all those problems like [1]. No reason to include the hack into every workflow file. If we'll going to start runners from a non-root user, it is better to pass `--user $PROPER_UID` to all docker jobs instead, see [2]: at least it does not require to place a boilerplate into all workflow files. Didn't touch perf_* jobs: don't want to dig inside this part of the infrastructure ATM. It reverts PR #5953. [1]: actions/checkout#211 [2]: actions/runner#691
|
Can reproduce, I know it's been 2 years now but is there any update? |
This won't work if you have a pool of self-hosted runners and jobs are dispatched by different runners. ID's may mismatch. |
|
That's true. |
|
Does anyone have any suggestions for dealing with this on self-hosted runners? |
|
@russellsch There are two options for you: Before rootless docker was available and podman supported interaction over a socket, I used parameter injection to inject --user for create, exec, and run commands. |
This reverts commit 8abd363.
|
any hope of seeing this little change one day ? there's no correct solution to this right now |
Description
Run the containers as the same user running on the host (the VM) by default, or at least provide an option. The related docker option would be
docker run --user "$(id -u):$(id -g)".Containers
job.containerruns as the container's default user by default, which often is root. This causes some weird behaviors because theworkspaceon the GitHub runner is mounted to the container, and no other user (other than the Runner user) has permission to write on it. This is what makes @actions/checkout fail when running on containers.As Jenkins does, this should be made by default. Users who might want to run as a different user can still use the
--userdocker option.Workaround
As suggested by @xanantis:
It's even funny to have to do such a thing.
The text was updated successfully, but these errors were encountered: