6

Github recommending running their runner as a non-root user gives rise to some issues surrounding mixing docker and non-docker actions. This is quite annoying because it results in the checkout action not being able to run because it can't access the files created by actions run in docker containers.

Can this be solved by running the actions runner with rootless docker?

Frederik Baetens

1 Answer

4

This problem can be solved by running the GitHub Actions runner as root, which somewhat reduces security.

A better solution is using rootless docker:

  1. Remove docker from your system if you have previously installed it through Ubuntu's default repositories.
  2. Install docker from Docker's repositories as directed here (I also recommend enabling cgroupsV2, as described here) & reboot. This will give you the script in /usr/bin needed to set up rootless docker in the next step.
  3. Set up rootless docker as described here.
  4. Don't forget to run the following, so docker remains running after you log out (as described in the guide):

         systemctl --user enable docker
         systemctl --user start docker
         sudo loginctl enable-linger $(whoami)

  5. Also make sure to create the rootless context as described on that same page. This will make your own docker commands and the GitHub Actions runner automatically use rootless docker.
  6. Install the self-hosted runner: https://docs.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners (skip if already installed).
  7. Add the DOCKER_HOST env var to the .env file in the runner directory. The file might already be created by default. The line you add should look as follows (change the 1000 if your UID is not 1000):

         DOCKER_HOST=unix:///run/user/1000/docker.sock

  8. (Re)start the actions runner. This can be done by restarting its systemd service. Your runner should now work with rootless docker.

If you're having issues with the new docker build GitHub action using buildx, also see How to solve error with rootless docker in github actions self hosted runner: write /proc/sys/net/ipv4/ping_group_range: invalid argument: unknown

Frederik Baetens
    Enabling cgroupsV2 is far from being clear for non Fedora systems. So if you are wondering what should you put in GRUB_CMDLINE_LINUX as I did, you just need to edit the file to GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=1" – m33n Oct 29 '21 at 09:33