Checkout error in container runner #26811

aleks-ivanov · 2021-10-06T09:01:36Z

aleks-ivanov
Oct 6, 2021

This is the non-root user I am creating in the Docker image to run the workflow:

RUN useradd --shell /bin/bash --create-home cicd-runner
USER cicd-runner

When I try to simply checkout the repo with the official checkout action, this error appears:

  /usr/bin/git init /__w/pydeps/pydeps
  /__w/pydeps/pydeps/.git: Permission denied
  Error: The process '/usr/bin/git' failed with exit code 1

What permissions do I need to give the non-root user ?

Answered by airtower-luna

Oct 6, 2021

There are no permissions you can set inside the container image to make this work. The workspace on the runner VM is mounted to /__w/ when the runner starts the job container (check the “Initialize containers” step in the log). Assuming a GitHub hosted runner VM the workspace is owned by the user runner. So what’s happening here is that the container is running as a different non-root user and can’t write another user’s files.

The documentation on Dockerfiles for Actions mentions the following regarding USER instructions:

Docker actions must be run by the default Docker user (root). Do not use the USER instruction in your Dockerfile, because you won’t be able to access the GITHUB_WORKSPACE.

View full answer

airtower-luna · 2021-10-06T16:17:13Z

airtower-luna
Oct 6, 2021

There are no permissions you can set inside the container image to make this work. The workspace on the runner VM is mounted to /__w/ when the runner starts the job container (check the “Initialize containers” step in the log). Assuming a GitHub hosted runner VM the workspace is owned by the user runner. So what’s happening here is that the container is running as a different non-root user and can’t write another user’s files.

The documentation on Dockerfiles for Actions mentions the following regarding USER instructions:

Docker actions must be run by the default Docker user (root). Do not use the USER instruction in your Dockerfile, because you won’t be able to access the GITHUB_WORKSPACE.

If you use a job container you can’t adjust ownership before passing control to the container, so I’m afraid you’ll have to either run the container as root or start it manually (docker run and possibly docker exec).

0 replies

aleks-ivanov · 2021-10-06T18:10:25Z

aleks-ivanov
Oct 6, 2021
Author

Yeah, that’s what I was afraid of… thank you for the clarification 🙂

0 replies

aleks-ivanov · 2021-10-07T09:32:17Z

aleks-ivanov
Oct 7, 2021
Author

Just to confirm if I understood correcly, does that mean that the GiHA runtime is installing a non-root user (runner) under the hood and ensuring the upcoming GiHA actions are executed within the context of this non-root (runner) user (installed by the GiHA runtime) ?

1 reply

n1ngu Feb 28, 2024

Not quite but sort of. GHA ubuntu VMs run with a UID=1001 user and the runner workspace is owned by that and mounted as is in the docker container. If your container runs as non-root, non-1001, you won't own the workspace 🥲 .

You can run the container with options: --user=1001 even if that UID did not exist inside the container userspace, most containers will work because a home and a workspace are mounted belonging to 1001. You can try it at home with some container e.g. docker run --rm -ti --user=1234 debian: your uid does not have a named user but everything "works".

But if your container featured an environment and file system tailored for the non-root, non-1001 user, then you are mostly screwed.

airtower-luna · 2021-10-07T13:42:50Z

airtower-luna
Oct 7, 2021

Not sure what you mean by “under the hood”. On a GitHub hosted runner the runner user is part of the standard VM setup, not sure about self-hosted ones.

Actions stuff that runs on the VM (run without a job container, Javascript Actions) runs as the runner user. You can use sudo without password for commands that need root access. Job containers and Docker Actions run as the default user for the image, which is root unless there’s a USER instruction.

The workspace directory in the VM is owned by the runner user. root naturally can write there anyway, but any other user defined in a container that doesn’t happen to have the exact same UID as the runner user won’t be able to.

0 replies

n1ngu · 2024-02-28T14:53:37Z

n1ngu
Feb 28, 2024

Related actions/checkout#47

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Checkout error in container runner #26811

{{title}}

Replies: 5 comments 1 reply

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

Checkout error in container runner #26811

aleks-ivanov Oct 6, 2021

Replies: 5 comments · 1 reply

airtower-luna Oct 6, 2021

aleks-ivanov Oct 6, 2021 Author

aleks-ivanov Oct 7, 2021 Author

n1ngu Feb 28, 2024

airtower-luna Oct 7, 2021

n1ngu Feb 28, 2024

aleks-ivanov
Oct 6, 2021

Replies: 5 comments 1 reply

airtower-luna
Oct 6, 2021

aleks-ivanov
Oct 6, 2021
Author

aleks-ivanov
Oct 7, 2021
Author

airtower-luna
Oct 7, 2021

n1ngu
Feb 28, 2024