
I am trying to run self-hosted GitHub runners in a K8s cluster using actions-runner-controller. Whenever I run a workflow on the runner and attempt to use sudo, it fails with the following error: `sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?` I have created the runner user and added it to the sudo group with the following commands in my Dockerfile. I have also made sure to set the permissions for the location where sudo is installed.

RUN apt-get update && apt-get install -y sudo \
    && adduser --disabled-password --gid 0 --gecos "" --uid 1001 runner \
    && groupadd docker \
    && usermod -aG sudo runner \
    && usermod -aG docker runner \
    && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers \
    && chown root:root /usr/bin/sudo \
    && chmod 4755 /usr/bin/sudo \
    && chmod u+s /usr/bin/sudo

In my runnerdeployment.yaml, I have tried multiple different settings to get the runner to be able to run sudo, including:

  • Setting RUN_AS_ROOT to both true and false
  • Setting RUNNER_ALLOW_RUNASROOT to both 1 and 0
  • Having securityContext.runAsUser set to 1001 (uid of runner user) and not having it set

Nothing has seemed to help, and I have tried everything I've seen from other SA posts about the same error: `sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?`

Running mount does not show /usr/bin/sudo or / with the nosuid bit set, here's the output from some commands I have seen on other posts about this error:

> df `which sudo` 
Filesystem     1K-blocks     Used Available Use% Mounted on
overlay        129886128 26817760 103051984  21% /
> whoami
runner
> groups
root daemon sudo docker
> id
uid=1001(runner) gid=0(root) groups=0(root),1(daemon),27(sudo),1000(docker)

I am unsure what else to try to fix this issue.

Host OS is ubuntu-20.04 focal. ls -l /usr/bin/sudo shows

-rwsr-xr-x 1 root root 166056 Jan 19  2021 /usr/bin/sudo

A few of the other posts I've looked at:

sudo: effective uid is not 0, is sudo installed setuid root?

https://superuser.com/questions/1580293/sudo-effective-uid-is-not-0-is-usr-bin-sudo-on-a-file-system-with-the-nosuid

https://superuser.com/questions/897284/sudo-effective-uid-is-not-0-is-sudo-installed-setuid-root-for-normal-users

https://askubuntu.com/questions/625540/suddenly-cant-run-sudo

Dockerfile Config:

FROM ubuntu:20.04

COPY --from=installer-env ["/actions-runner", "/actions-runner"]

# Set env vars
ENV RUNNER_WORKDIR "/_work"
ENV GITHUB_TOKEN ""
ENV RUNNER_SCOPE ""
ENV REPO_URL ""
ENV ORG_NAME ""
ENV RUNNER_NAME_PREFIX ""
ENV LABELS ""
ENV DISABLE_AUTOMATIC_DEREGISTRATION ""
ENV RUNNER_OPTIONS ""
ENV RUN_AS_ROOT "true"
ENV RUNNER_ALLOW_RUNASROOT=1
ENV RUNNER_TOOLS_DIRECTORY=/opt/hostedtoolcache
ARG GOSU_VERSION=1.10-1
COPY ./github-runner/user.sh ./github-runner/runnertoken.sh ./github-runner/entrypoint.sh /actions-runner/
COPY ./github-runner/startup_script.sh /usr/local/bin/

WORKDIR /actions-runner

# RUN
RUN apt-get update && apt-get install -y sudo \
    && adduser --disabled-password --gid 0 --gecos "" --uid 1001 runner \
    && groupadd docker \
    && usermod -aG sudo runner \
    && usermod -aG docker runner \
    && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers \
    && chown root:root /usr/bin/sudo \
    && chmod 4755 /usr/bin/sudo \
    && chmod u+s /usr/bin/sudo

RUN ./bin/installdependencies.sh \
    && mkdir -p ${RUNNER_WORKDIR} \
    && mkdir -p ${RUNNER_TOOLS_DIRECTORY} \
    && chown -R runner ${RUNNER_WORKDIR} /actions-runner ${RUNNER_TOOLS_DIRECTORY} /usr/local/bin/startup_script.sh \
    && chmod +x /actions-runner/runnertoken.sh /actions-runner/entrypoint.sh /usr/local/bin/startup_script.sh

RUN apt-get update \
    && apt-get install --no-install-recommends -y jq gosu=${GOSU_VERSION} 2>&1 \
    # Clean up
    && apt-get autoremove -y \
    && apt-get clean -y \
    && rm -rf /var/lib/apt/lists/*

# Add permissions to runner user

ENTRYPOINT ["/actions-runner/entrypoint.sh"]

  • What is your host OS? What is the output of `ls -l /usr/bin/sudo`? What file systems are the layers of the `overlay` filesystem? Show the docker configuration. Add links to the posts you already checked. – Bodo Oct 20 '22 at 16:44
  • Please [edit] your question and add all requested information or clarification to the question. – Bodo Oct 20 '22 at 16:49
  • @Bodo added the information to the main question – Erik Umhoefer Oct 20 '22 at 16:57
  • Are the permissions of `/usr/bin/sudo` wrong when you don't run the `chown` and `chmod` commands? Maybe related to `allowPrivilegeEscalation` (see https://github.com/wodby/mariadb/issues/5#issuecomment-394069800, https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). Why do you need `sudo`? Maybe there is a different solution to fix permissions problems. You should explain what you want to achieve. – Bodo Oct 20 '22 at 17:28
  • Permissions for sudo are wrong when the `chown` and `chmod` commands are not used. `allowPrivilegeEscalation` didn't seem to work but that was a good recommendation, thank you. The main reason why I want to be able to use sudo is the chance that the user runs an action that requires it. – Erik Umhoefer Oct 20 '22 at 18:33
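
A diagnostic to run inside the runner container, added here as an example and not part of the original question or comments. The kernel ignores sudo's setuid bit when the file's mount carries `nosuid` or when the process has `no_new_privs` set, which is the flag Kubernetes sets when `allowPrivilegeEscalation` is false; the script reports each condition. The function names are made up for this example, and it assumes a Linux `/proc` that exposes `NoNewPrivs` in `/proc/self/status`.

```shell
#!/bin/sh
# Added diagnostic example; not part of the original question.
# Reports the conditions under which the kernel ignores sudo's setuid bit.

# Print the NoNewPrivs value (1 = set, 0 = clear) from a /proc/<pid>/status file.
nnp_flag() {
    v=$(awk '$1 == "NoNewPrivs:" { print $2 }' "${1:-/proc/self/status}" 2>/dev/null) || v=
    echo "${v:-unknown}"
}

# Print the per-mount options (field 6 of mountinfo) of the deepest mount
# point that contains path $1. $2 defaults to this process's mountinfo.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $5
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $6 } }
        END { print opts }' "${2:-/proc/self/mountinfo}" 2>/dev/null || true
}

# Succeed if the mount holding path $1 carries the nosuid flag.
has_nosuid() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise all checks for one binary (default: /usr/bin/sudo).
diagnose() {
    bin=${1:-/usr/bin/sudo}
    if [ -u "$bin" ] && [ "$(ls -ln "$bin" | awk '{ print $3 }')" = 0 ]; then
        echo "setuid-root bit: ok"
    else
        echo "setuid-root bit: MISSING on $bin"
    fi
    if has_nosuid "$bin"; then echo "mount: nosuid SET"; else echo "mount: nosuid not set"; fi
    case $(nnp_flag) in
        1) echo "no_new_privs: SET (the flag Kubernetes sets for allowPrivilegeEscalation: false)" ;;
        0) echo "no_new_privs: clear" ;;
        *) echo "no_new_privs: unknown (kernel does not expose NoNewPrivs)" ;;
    esac
    return 0
}

diagnose "$@"
```

If the setuid bit is present and the mount is not `nosuid`, as the `ls -l` and `df` output in the question indicate, a `no_new_privs: SET` line points at the pod's effective security context, not at the image.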

0 Answers