-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub Actions break using the new (non-root) CKAN images #86
Comments
Maybe a specific GitHub Actions image is required in future rather than a |
Copying my comment in #80 re options:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e8bb23a..73d4d51 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,7 @@ jobs:
runs-on: ubuntu-latest
container:
image: ckan/ckan-dev:${{ matrix.ckan-version }}
+ options: --user root
services:
solr:
image: ckan/ckan-solr:${{ matrix.ckan-version }}-solr9
|
I'm in favour of the @amercader The 'test-infrastructure' setup does look interesting - but testing a plugin would still involve checking out the plugin code, right? And the GitHub |
See this comment by Adrià for details: ckan/ckan-docker-base#86 (comment).
See this comment by Adrià for details: ckan/ckan-docker-base#86 (comment).
Let's avoid the Reverting the ckan-dev changes would also be going against best practices https://www.docker.com/blog/understanding-the-docker-user-instruction/ Can the better release management for ckan-docker-base that @amercader has been working on be used so that extensions can point to a specific ckan-docker-base release version for running tests and when we make changes to master we don't break everything all at once? |
I'm not sure I agree, the base and dev images are virtually the same except the dev ones:
All of these are required to do development work or run the tests, and you want none of these in a production image, so it makes sense to keep them separate. We could create a common image that installs the dev reqs (bad IMO as it increases the risk of vulnearbilites) and run either werkzeug or uwsgi depeding on a runtime env var, but I don't think the complexity and potential risks justify the benefit of using just one image.
That is true, and the main thing we need to assess when choosing which way to go.
I'm less concern about the best practice and security aspect of this in the ckan-dev image, as I agree with @ThrawnCA that it's fair to assume that these are not secure to run a production site. I'm slightly more worried about problems arising from different permissions related errors happening in one or the other but not both sets of images, which will complicate debugging.
A better release management is needed and definitely merging to master shouldn't change the pushed images (it doesn't now), but pinning the image in the workflow in practice would mean 90% of maintainers not upgrading the images when a new release is out and workflows stuck in old patch releases. For the ones that want to keep track we will create release tags but I'm skeptical that most maintainers will keep those up to date (including us in extensions in the ckan org) |
@EricSoroos @pdelboca @smotornyuk @tino097 @Zharktas any thoughts on this? |
What is the github user trying to write? Would it work to run as the ckan user instead of root? |
This no longer true and IMHO a big improvement. Now locally mounted extensions are installed with a separate command, not every time on start up. This also makes restarting the dev environment much faster.
We could publish -dev images that revert just the user change now (but leave the change on master) then announce the change as an upcoming ckan-docker-base release to give users some time to update their workflow files. That's probably better than leaving everyone's workflows broken. |
I would like to point out that the current "fix" in workflow files involves running the container with Currently I don't know a way someone could use |
For github action tests we could recommend running the |
IIRC the older Alpine Linux containers don't have |
We are deprecating the Alpine Linux images and no longer working on them so I assume the new ownership changes weren't ported there. We need to do a proper announcement but you can already migrate to the Python/Debian based ones, see the tags in the README for details |
@amercader - yes correct the ownership changes were only ported to the Dockerfiles (and subsequent images) that have |
See this comment by Adrià for details: ckan/ckan-docker-base#86 (comment).
The Debian based Python image don't have |
If we don't have sudo how about |
That would behave differently if it's run as the non-root user, though (eg needing a password). So it adds even more hoops to jump through, which leaves more scope for DEV and PROD getting out of sync. Unless you're proposing to entirely replace the |
I'm proposing only changing the commands run in github actions since they must be executed with i.e. no changes to ckan-docker-base, prod and dev would be the same defaulting to run as a non-root user. |
As part of the github workflow, can we create/mount directories that need to be GHA writable that aren't part of the usual ckan stuff? |
I tested using https://github.com/ckan/ckanext-dcat/actions/runs/11935587926/job/33267263002#step:8:118 In general, I think we'll have the same issue with any process that tries to write a file in the mounted runner directory. In this case it was some utility, but tests themselves trying to write a file in their own directory will also fail, see e.g: https://github.com/ckan/ckanext-dcat/actions/runs/11951458054/job/33315134324#step:8:416 If we keep the dev images as they are, I think we should stick with |
As discussed in today's dev meeting:
The only thing left to do the release is closing #88, merging #89 and finishing #73 . |
Failure in Post Run actions/checkput@v4
PR merged for reference
GitHub Actions sets up a user named
github
to execute commands inside the Docker container. This user often has UID/GID 1001, but it might vary based on the container’s configuration.As the CKAN images now use a non-root user (ckan/ckan-sys - UID/GID = 503/502) in the running container there may be problems with permissions on GitHub Actions
A temporary workaround is to add an option to the CKAN container in the workflow file to run as root
…
runs-on: ubuntu-latest
container:
image: ckan/ckan-dev:${{ ckan-version }}
options: --user root
…
The text was updated successfully, but these errors were encountered: