Doesn't work for self-hosted runners that are nobodies (no passwd entry) #188

Closed
javbit opened this issue Aug 28, 2023 · 6 comments

javbit commented Aug 28, 2023

The use of os.userInfo().homedir depends on a /etc/passwd entry, which in some hardened setups may not exist. os.homedir(), which just depends on $HOME, is more likely to be right.

For example, it thinks my user's home is / which is breaking things when my runtime home is actually /run/github-runner/runner-2.

javbit commented Aug 28, 2023

I'm working on a PR to handle this issue, will link when ready.

javbit commented Aug 29, 2023

I made a PR, and it solves the immediate failure case. However, I'm now seeing the following error:

Run git clone git@github.com:javbit/foo.git
  shell: /bin/bash -e {0}
  env:
    SSH_AUTH_SOCK: /tmp/ssh-XXXXXX9t0fhl/agent.561530
    SSH_AGENT_PID: 561531
Cloning into 'foo'...
ssh: Could not resolve hostname key-fd80f028b988cd54b2c736f6496796d4d46383315756a21b9cbba1b1b7928385.github.com: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Error: Process completed with exit code 128.

(Edited slightly for clarity and confidentiality. Namely condensed list of private repositories to the single foo.)

I've added the GitHub host key to my ssh known hosts before running this step, so I think that should be good.

      - run: >
          echo github.com
          ssh-ed25519
          AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
          >> "$HOME/.ssh/known_hosts"

I only set ED25519 deploy keys so I didn't add the other host keys.

Any idea what's going on? Name resolution seems fine when I ping github.com, but doesn't work for the key-*.github.com one, both on my CI machine and my local.

Seems to be caused by this:

ssh-agent/index.js

Lines 71 to 73 in d4b9b8f

child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);

javbit commented Aug 29, 2023

Never mind, I missed this important section right after!

ssh-agent/index.js

Lines 71 to 78 in d4b9b8f

child_process.execSync(`${gitCmd} config --global --replace-all url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "https://github.com/${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "git@github.com:${ownerAndRepo}"`);
child_process.execSync(`${gitCmd} config --global --add url."git@key-${sha256}.github.com:${ownerAndRepo}".insteadOf "ssh://git@github.com/${ownerAndRepo}"`);
const sshConfig = `\nHost key-${sha256}.github.com\n`
+ ` HostName github.com\n`
+ ` IdentityFile ${homeSsh}/key-${sha256}\n`
+ ` IdentitiesOnly yes\n`;

I see what's going on now, and am trying to figure out why ssh isn't picking this config up.

javbit commented Aug 29, 2023

Resolution was to manually set the Git SSH command to reference the config file that was generated. I'll add this to my PR.

git config --global core.sshCommand "ssh -F $HOME/.ssh//config"

mpdude commented Jan 8, 2025

Using os.userInfo().homedir instead of the $HOME env var was necessary to make this action run in Docker-based Action runs in the first place. From memory, it may be the case that in Docker containers $HOME points to... something.

The ssh binary will use the getpwuid() system call to look up the user's home directory from the password database, and use this directory to locate config files (see https://github.com/openssh/openssh-portable/blob/826483d51a9fee60703298bbf839d9ce37943474/ssh.c#L710).

When I try to run ssh in an Ubuntu 22.04 Docker container started with a user ID that has no /etc/passwd entry, ssh immediately fails with No user exists for uid ....

Closing since I do not see right now how we could support this without breaking Docker-based action runs in general (#20).

mpdude closed this as completed Jan 8, 2025
mpdude reopened this Jan 8, 2025
mpdude closed this as not planned Jan 8, 2025

mpdude commented Jan 8, 2025

Can you explain why ssh works in the first place when no entry in /etc/passwd is present for the user?
