The directory '/github/home/.cache/pip' or its parent directory is not owned or is not writable by the current user #816

Open
2 of 5 tasks
kostrykin opened this issue Feb 14, 2024 · 4 comments
@kostrykin

Description:
I'm trying to use the setup-python action with a freshly set up self-hosted runner and a container image:

jobs:
  testjob:
    name: Compute results
    runs-on: self-hosted
    container:
       image: ubuntu:20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - uses: actions/setup-python@v5
        with:
          python-version: '3.8.5'

This leads to the following docker invocation:

/usr/bin/docker create --name 06d8c28b649c4fec99e050857eef67ca_ubuntu2004_c82e22 --label 794e5b --workdir /__w/SuperDSM/SuperDSM --network github_network_92d5036e6d6b41ec93eb978392679a2d -e "HOME=/github/home" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/opt/github-actions-runner/_work":"/__w" -v "/opt/github-actions-runner/externals":"/__e":ro -v "/opt/github-actions-runner/_work/_temp":"/__w/_temp" -v "/opt/github-actions-runner/_work/_actions":"/__w/_actions" -v "/opt/github-actions-runner/_work/_tool":"/__w/_tool" -v "/opt/github-actions-runner/_work/_temp/_github_home":"/github/home" -v "/opt/github-actions-runner/_work/_temp/_github_workflow":"/github/workflow" --entrypoint "tail" ubuntu:20.04 "-f" "/dev/null"

In the next step, the setup-python action yields the error:

The directory '/github/home/.cache/pip' or its parent directory is not owned or is not writable by the current user

When I create the docker container using the command cited above manually, I can inspect the directory /github/home:

root@a7617501a8b5:/__w/SuperDSM/SuperDSM# ls -al /github/home
total 12
drwxr-xr-x 2 1002 1003 4096 Feb 14 16:20 .
drwxr-xr-x 4 root root 4096 Feb 14 16:21 ..
-rw------- 1 root root   71 Feb 14 16:20 .bash_history

Touching/removing the contents of /github/home also works just fine, so there seems to be no permission issue.

The runner is running with UID 1002 and GID 1003.

Running the action without a container results in a different error (mkdir: cannot create directory ‘/Python’) which I think is because it attempts to modify the host root filesystem, for which the user with UID 1002 lacks permissions (which is intended).

Action version: 5

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:
3.8.x

Full log of the action:

2024-02-14T15:47:28.6104198Z ##[group]Run actions/setup-python@v5
2024-02-14T15:47:28.6104851Z with:
2024-02-14T15:47:28.6105295Z python-version: 3.8.5
2024-02-14T15:47:28.6105814Z check-latest: false
2024-02-14T15:47:28.6106542Z token: ***
2024-02-14T15:47:28.6107024Z update-environment: true
2024-02-14T15:47:28.6107636Z allow-prereleases: false
2024-02-14T15:47:28.6108153Z ##[endgroup]
2024-02-14T15:47:28.6114420Z ##[command]/usr/bin/docker exec a7482f9b2eb01ed4dc679094581d2af3454f9572075f4a0bd79318ebf5e48bd3 sh -c "cat /etc/*release | grep ^ID"
2024-02-14T15:47:29.2215858Z ##[group]Installed versions
2024-02-14T15:47:29.2229736Z Version 3.8.5 was not found in the local cache
2024-02-14T15:47:29.8803349Z Version 3.8.5 is available for downloading
2024-02-14T15:47:29.8807343Z Download from "https://github.com/actions/python-versions/releases/download/3.8.5-96743/python-3.8.5-linux-20.04-x64.tar.gz"
2024-02-14T15:47:31.2925542Z Extract downloaded archive
2024-02-14T15:47:31.3117101Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /__w/_temp/7f47c2c1-e5a4-4e53-8b2f-ff2278f4b174 -f /__w/_temp/4230ff9e-50c0-4e30-9f21-2a6bf94a88a5
2024-02-14T15:47:33.2791649Z Execute installation script
2024-02-14T15:47:33.2995788Z Check if Python hostedtoolcache folder exist...
2024-02-14T15:47:33.2998605Z Creating Python hostedtoolcache folder...
2024-02-14T15:47:33.3028927Z Create Python 3.8.5 folder
2024-02-14T15:47:33.3063517Z Copy Python binaries to hostedtoolcache folder
2024-02-14T15:47:33.7212376Z Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
2024-02-14T15:47:33.7305206Z Upgrading PIP...
2024-02-14T15:47:35.4861232Z Looking in links: /tmp/tmpew8h9ge8
2024-02-14T15:47:35.4873903Z Requirement already satisfied: setuptools in /__w/_tool/Python/3.8.5/x64/lib/python3.8/site-packages (47.1.0)
2024-02-14T15:47:35.5276007Z Requirement already satisfied: pip in /__w/_tool/Python/3.8.5/x64/lib/python3.8/site-packages (20.1.1)
2024-02-14T15:47:36.4125976Z ##[error]WARNING: The directory '/github/home/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
2024-02-14T15:47:36.4383554Z ##[error]WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
2024-02-14T15:47:36.4510696Z ##[error]WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
2024-02-14T15:47:36.9530345Z ##[error]WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
2024-02-14T15:47:37.9547529Z ##[error]WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
2024-02-14T15:47:39.9580965Z ##[error]WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
2024-02-14T15:47:43.9632314Z ##[error]WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
2024-02-14T15:47:43.9647388Z Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
2024-02-14T15:47:43.9665183Z ##[error]ERROR: Could not find a version that satisfies the requirement pip (from versions: none)
2024-02-14T15:47:43.9673307Z ##[error]ERROR: No matching distribution found for pip
2024-02-14T15:47:43.9764274Z ##[error]WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
2024-02-14T15:47:43.9787010Z Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
2024-02-14T15:47:44.0338114Z ##[error]The process '/usr/bin/bash' failed with exit code 1

@kostrykin kostrykin added bug Something isn't working needs triage labels Feb 14, 2024
@HarithaVattikuti
Contributor

Hello @kostrykin
Thank you for creating this feature request. We will investigate it and get back to you as soon as we have some feedback.

@ablatner

I see this error as well with a GH runner and setup-python@v5.

Current runner version: '2.313.0'
Runner name: 'ubuntu-64-core_52f54d836f2b'
    - name: Set up python
      uses: actions/setup-python@v5
      env:
        PIP_ROOT_USER_ACTION: ignore
      with:
        python-version-file: "${{ github.workspace }}/.python-version"
  Version 3.9.13 was not found in the local cache
  Version 3.9.13 is available for downloading
  Download from "https://github.com/actions/python-versions/releases/download/3.9.13-2717571420/python-3.9.13-linux-22.04-x64.tar.gz"
  Extract downloaded archive
  /usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /__w/_temp/748f9721-eda0-46d4-9ef8-998917524fe8 -f /__w/_temp/f7bf8f82-a8c6-4bbf-bb5b-37fe58a73ad4
  Execute installation script
  Check if Python hostedtoolcache folder exist...
  Create Python 3.9.13 folder
  Copy Python binaries to hostedtoolcache folder
  Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
  Upgrading pip...
  Looking in links: /tmp/tmpoatwhyci
  Requirement already satisfied: setuptools in /__t/Python/3.9.13/x64/lib/python3.9/site-packages (58.1.0)
  Requirement already satisfied: pip in /__t/Python/3.9.13/x64/lib/python3.9/site-packages (22.0.4)
  Error: WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
  Error: WARNING: The directory '/github/home/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you should use sudo's -H flag.
  Collecting pip
  Downloading pip-24.0-py3-none-any.whl (2.1 MB)
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 17.6 MB/s eta 0:00:00
  
  Installing collected packages: pip
  Successfully installed pip-24.0
  Error: WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
  Create complete file
  Successfully set up CPython (3.9.13)

@danielefranceschi

danielefranceschi commented Apr 16, 2024

One of the classical issues with self-hosted runners.

This BTW happens for any tool installation that happens inside a container, as the tool is saved in the toolcache by the container user (as the action is executed inside the container by the nodejs mounted at /__e) so, in most cases, root.

If container use is a requirement, prefer container's native package management or even better use directly library/python:3.11.

If you are using self-hosted runners to run containerized jobs that install things using js actions, the only solution I found is to add a cron in the runner VM to chown -R $RUNNERUSER /opt/actions-runner/_work/_tool/* that is executed every minute.


PS out-of-topic: IMHO self-hosted runners are a painful mess of technical debt. I suggest to add daily crons for:

  • find /opt/actions-runner/_work/_temp/ -type d -mtime +2 ! -name '*runner*' ! -name '*home*' -exec rm -rf {} \; (tempdir cleanup)
  • find /opt/actions-runner/_diag/ -type d -mtime +2 -exec rm -rf {} \; (logs cleanup)
  • find /opt/actions-runner/_work/[a-z]* -mindepth 1 -maxdepth 1 -mtime +2 -exec rm -rf {} \; (workspace dirs cleanup)

But -spoiler- this is only a start, be ready to modify your preferred checkout action with a $HOME override if inside a container.

@aparnajyothi-y aparnajyothi-y self-assigned this Apr 23, 2024
@aparnajyothi-y

Hello @kostrykin, we have investigated the issue and found that the error occurs when the current user doesn't have write permissions to the specified directory. In the context of docker, this issue is related to how the container is set up and the user that the container is running as. The root cause of the issue could be related to how the container and user are set up. If the issue persists, we might need to look into configuring the docker container to run as a specific user that has the necessary permissions.
As a workaround to resolve this issue, please add a step in the workflow to change the ownership of the /github/home directory to the current user before running actions/setup-python. Here's an example of how you could do this:

jobs:
  testjob:
    name: Compute results
    runs-on: self-hosted
    container:
      image: ubuntu:20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Change ownership of /github/home
        run: sudo chown -R $(whoami) /github/home

      - uses: actions/setup-python@v5
        with:
          python-version: '3.8.5'

This will change the ownership of the /github/home directory to the current user, which should resolve the permission issue when setup-python tries to use the /github/home/.cache/pip directory.
Please reach out to us in case further clarification is needed.
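
An added diagnostic sketch (not from the thread, setup-python, or pip's source) for the situation reported above, where root inside the container can write to /github/home yet pip still disables its cache. It assumes pip's rule is the one its warning implies: as root, the first existing ancestor of the cache directory must be owned by uid 0; any other user only needs write access. The function names and the simulated uid 1002 stat result are constructed for illustration.

```python
import os
import tempfile
import types


def first_existing_ancestor(path):
    """Walk up from path until something that exists on disk is found."""
    path = os.path.abspath(path)
    while not os.path.lexists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def diagnose_cache_dir(cache_dir, euid=None, stat=os.stat, access=os.access):
    """Return (usable, reason) for a pip-style cache directory check.

    Assumed rule, modelled on the warning text rather than copied from pip:
    as root the first existing ancestor must be owned by uid 0; any other
    user only needs write access to it.
    """
    euid = os.geteuid() if euid is None else euid
    anchor = first_existing_ancestor(cache_dir)
    owner = stat(anchor).st_uid
    if euid == 0:
        if owner != 0:
            return False, f"{anchor} is owned by uid {owner}, but the process is root"
        return True, f"{anchor} is owned by root"
    if not access(anchor, os.W_OK):
        return False, f"{anchor} is not writable by uid {euid}"
    return True, f"{anchor} is writable by uid {euid}"


if __name__ == "__main__":
    # Constructed stand-in for /github/home: a bind mount owned by the
    # runner account (uid 1002) and seen by a container process running as root.
    with tempfile.TemporaryDirectory() as home:
        cache = os.path.join(home, ".cache", "pip")
        runner_owned = lambda _path: types.SimpleNamespace(st_uid=1002)
        print(diagnose_cache_dir(cache, euid=0, stat=runner_owned))
        print(diagnose_cache_dir(cache, euid=1002, stat=runner_owned))
```

Calling `diagnose_cache_dir('/github/home/.cache/pip')` inside the job container, with the default arguments, reports which of the two conditions fails for the real mount.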
