Github Actions running on Scale Set are not able to complete jobs #3872

Open
4 tasks done
mxw-sec opened this issue Jan 8, 2025 · 2 comments
Labels
  • bug: Something isn't working
  • gha-runner-scale-set: Related to the gha-runner-scale-set mode
  • needs triage: Requires review from the maintainers

Comments

mxw-sec commented Jan 8, 2025

Checks

Controller Version

0.10.1

Deployment Method

Helm

Checks

  • This isn't a question or user support case (For Q&A and community support, go to Discussions).
  • I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes

To Reproduce

Deploy Github Runner Controller and Scaleset on EKS.
Create a Job that downloads the codebase from github and then reads a file and updates the readme.

Describe the bug

/usr/bin/tar: XXXXXXXXX Cannot change ownership to uid 0, gid 0: Operation not permitted
/usr/bin/tar: Exiting with failure status due to previous errors
Error: The process '/usr/bin/tar' failed with exit code 2
Error: Error: failed to run script step: command terminated with non-zero exit code: error executing command [sh -e /__w/_temp/a133c0e0-cd61-11ef-9cd1-fdc32e02a729.sh], exit code 1
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

I have tried using GP2, GP3, and EFS volumes.

GP2 and GP3 support the init-container workaround, but I run into other issues, such as the job files not being found in the job container.

Describe the expected behavior

Permissions issues do not exist.

Additional Context

# Chart: git@github.com:actions/actions-runner-controller
# git ref: 4357525445b0b77388af4e1f171b5b7bd9b116a4
# Path: charts/gha-runner-scale-set

      githubConfigSecret: pre-defined-secret
      githubConfigUrl: "https://github.com/{ORG}"
      controllerServiceAccount:
        namespace: arc-systems
        # Name must line up with the above chart release name eg `github-actions-scale-set-controller`. Install the above chart and see what SA name it makes.
        name: arc-gha-rs-controller
      minRunners: 1
      maxRunners: 50
      containerMode:
        # Needed, even if the docs say it isn't.
        type: kubernetes
      kubernetesModeServiceAccount:
          annotations:
            # https://github.com/actions/actions-runner-controller/blob/98854ef9c018141d7386657322da351e11029da2/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml#L4
            eks.amazonaws.com/role-arn: arn:aws:iam::{ACCOUNT}:role/{ROLE}
      kubernetesModeWorkVolumeClaim:
        accessModes: ["ReadWriteOnce"]
        storageClassName: "gp3"
        resources:
          requests:
            storage: 5Gi
        # Here is how you make the runner pods have a custom IAM Role, so they can (e.g.) contact real resources in your AWS account.
      template:
        spec:
          # We must add an init container to change the ownership of the _work directory
          # https://docs.github.com/en/enterprise-server@3.9/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors#error-access-to-the-path-homerunner_work_tool-is-denied
          initContainers:
          - name: kube-init
            image: ghcr.io/actions/actions-runner:latest
            command: ["sudo", "chown", "-R", "1001:123", "/home/runner/_work"]
            volumeMounts:
            - name: work
              mountPath: /home/runner/_work

          # We have to fully override the containers simply to set our own "image"
          containers:
          - name: runner
            # This image is used as the runner image.
            # Note it cannot be "your image `FROM ubuntu`" or similar, it must be based off the one in https://github.com/actions/runner/blob/main/images/Dockerfile
            # Or you can build your own and try and include all the items from that build.
            image: ghcr.io/actions/actions-runner:latest
            command:
            - /home/runner/run.sh
            env:
            - name: ACTIONS_RUNNER_CONTAINER_HOOKS
              value: /home/runner/k8s/index.js
            - name: ACTIONS_RUNNER_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
              value: "false"
            volumeMounts:
            - name: work
              mountPath: /home/runner/_work
          volumes:
          - name: work
            ephemeral:
              volumeClaimTemplate:
                spec:
                  accessModes: [ "ReadWriteOnce" ]
                  # Critical change here compared to the docs. EKS does not support "local-storage" by default.
                  storageClassName: "gp3"
                  resources:
                    requests:
                      storage: 2Gi




OR 


githubConfigSecret: pre-defined-secret
## maxRunners is the max number of runners the autoscaling runner set will scale up to.
maxRunners: 50
minRunners: 2
githubConfigUrl: "https://github.com/helium10"
containerMode:
  type: "kubernetes"
  kubernetesModeWorkVolumeClaim:
    accessModes: ["ReadWriteOnce"]
    storageClassName: "gold"
    resources:
      requests:
        storage: 5Gi
template:
  spec:
    securityContext:
      runAsUser: 1001
      runAsGroup: 0
      fsGroup: 0
    containers:
      - name: runner
        image: ghcr.io/actions/actions-runner:latest
        command: ["/home/runner/run.sh"]
        env:
          - name: ACTIONS_RUNNER_CONTAINER_HOOKS
            value: /home/runner/k8s/index.js
          - name: ACTIONS_RUNNER_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
            value: "true"
        volumeMounts:
          - name: work
            mountPath: /home/runner/_work
    volumes:
      - name: work
        ephemeral:
          volumeClaimTemplate:
            spec:
              accessModes: ["ReadWriteOnce"]
              storageClassName: "gold"
              resources:
                requests:
                  storage: 1Gi

Controller Logs

v

Runner Pod Logs

a
mxw-sec added the bug, gha-runner-scale-set, and needs triage labels Jan 8, 2025

github-actions bot commented Jan 8, 2025

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

YodaKV commented Jan 11, 2025

More context is needed. Please post logs from the controller and the listener pod, and the output from kubectl -n XXX get all (replace XXX with your namespace).
