gitea/act_runner
61
106
Fork 79
Code Issues 136 Pull Requests 9 Actions Releases 21 Activity

"oneshot"/ephemeral runners #19

New Issue
Open
opened 2023-02-05 06:32:59 +00:00 by techknowlogick · 4 comments
techknowlogick commented 2023-02-05 06:32:59 +00:00
Owner
Copy Link

A runner would accept one job, run it, then exit.

This would allow for an external runner orchestrator to spin up completely fresh envs for each job (assuming running as non-docker/exec mode), in firecracker/fargate/tart/etc..

A runner would accept one job, run it, then exit. This would allow for an external runner orchestrator to spin up completely fresh envs for each job (assuming running as non-docker/exec mode), in firecracker/fargate/tart/etc..
👍 3
lunny commented 2023-02-05 06:53:43 +00:00
Owner
Copy Link

serverless runner?

serverless runner?
techknowlogick commented 2023-02-05 07:31:04 +00:00
Author
Owner
Copy Link

serverless runner?

Yeah, that could be one case. Where the orchestrator sees a job has come in and starts a new lambda run with a oneshot agent, and then when job is done agent will quit and lambda will stop.

> serverless runner? Yeah, that could be one case. Where the orchestrator sees a job has come in and starts a new lambda run with a oneshot agent, and then when job is done agent will quit and lambda will stop.
techknowlogick added the
kind
feature
 label 2023-03-01 05:14:42 +00:00
ChristopherHX commented 2023-04-24 14:14:43 +00:00
Contributor
Copy Link

Two act_runners can connect with the same token to Gitea Actions, while in GitHub Actions this is currently impossible due to session lock.

To reproduce execute act_runner daemon twice with the same configuration.

For example currently someone can craft a workflow file, which either

  • bind mount the runner config (container mode) This has been fixed
  • use the bind mounted docker socket to do the bind mount runner config anywhere in the step (container mode)
    You are unaffected if the docker daemon and the act_runner has no shared folder containing .runner
    Dind in the same container as act_runner is affected.
  • directly access the runner config (host mode)

Finally use the token to receive jobs outside of your infrastructure. All jobs sent to the duplicated instance get access to new job requests and it's secrets.

Only allow to connect one runner with the same token at a time can increase security and make it harder to use the token while the job is running.

Finally ephemeral runners would fix the hole, if Gitea Actions would never send a second job to the runner.

Two act_runners can connect with the same token to Gitea Actions, while in GitHub Actions this is currently impossible due to session lock. To reproduce execute `act_runner daemon` twice with the same configuration. For example currently someone can craft a workflow file, which either - ~~bind mount the runner config (container mode)~~ This has been fixed - use the bind mounted docker socket to do the bind mount runner config anywhere in the step (container mode) You are unaffected if the docker daemon and the act_runner has no shared folder containing .runner Dind in the same container as act_runner is affected. - directly access the runner config (host mode) Finally use the token to receive jobs outside of your infrastructure. All jobs sent to the duplicated instance get access to new job requests and it's secrets. Only allow to connect one runner with the same token at a time can increase security and make it harder to use the token while the job is running. Finally ephemeral runners would fix the hole, if Gitea Actions would never send a second job to the runner.
👍 1
gabriel-samfira commented 2023-08-02 07:59:47 +00:00
Copy Link

Only allow to connect one runner with the same token at a time can increase security and make it harder to use the token while the job is running.

This would be great to have. Along with ephemeral runners and a public API to generate short-lived, single-use runner registration tokens. It would allow us to create orchestration around spinning up/taring down runners.

For GitHub we wrote an auto-scaler that can spin up ephemeral self-hosted runner pools on potentially any IaaS, because we needed VMs/bare metal for runners (initially). I would love to try and add gitea as a platform along side GitHub and GitHub enterprise server.

> Only allow to connect one runner with the same token at a time can increase security and make it harder to use the token while the job is running. This would be great to have. Along with ephemeral runners and a public API to generate short-lived, single-use runner registration tokens. It would allow us to create orchestration around spinning up/taring down runners. For GitHub [we wrote an auto-scaler](https://github.com/cloudbase/garm) that can spin up ephemeral self-hosted runner pools on potentially any IaaS, because we needed VMs/bare metal for runners (initially). I would love to try and add `gitea` as a platform along side GitHub and GitHub enterprise server.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
renovate/github.com-nektos-act-0.x
renovate/alpine-3.x
renovate/actions-setup-go-5.x
renovate/golang.org-x-term-0.x
v0.2.10
v0.2.9
v0.2.8
v0.2.7
v0.2.6
v0.2.5
v0.2.4
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.8
v0.1.7
v0.1.6
v0.1.5
v0.1.4
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.1
Labels
Clear labels   
kind
bug
Something is not working

  
kind
build

  
kind/compatible
  
kind
dependencies

  
kind
docs

  
kind
enhancement
New feature

  
kind
feature

  
kind
help wanted
Need some help

  
kind
proposal

  
kind
refactor

  
related
act
Related to act.

  
related
environment
Related to the environment.

  
related
exec

  
related
gitea
Related to Gitea.

  
related
workflow
Related to the workflow file or actions scripts.

  
reviewed
confirmed
confirmed issue

  
reviewed
duplicate
This issue or pull request already exists

  
reviewed
invalid
Something is wrong

  
reviewed
needs feedback

  
reviewed
wontfix
This won't be fixed

  
reviewed
workaround

No Label
kind
bug
kind
build
kind/compatible
kind
dependencies
kind
docs
kind
enhancement
kind
feature
kind
help wanted
kind
proposal
kind
refactor
related
act
related
environment
related
exec
related
gitea
related
workflow
reviewed
confirmed
reviewed
duplicate
reviewed
invalid
reviewed
needs feedback
reviewed
wontfix
reviewed
workaround
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
4 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: gitea/act_runner#19
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?