Using service containers #152
Comments
|
other variants of this are 127.0.0.1:5432 and 0.0.0.0:5432. I don't know if it is worth trying, the best way to debug this would be to add the Harden Runner App to check whether the port is open or not. |
|
Sorry to hear that the traffic to the service container is blocked. That is not expected. Both in I looked at the documentation and see that it has examples of using service container with a Also, when using it in a private repo, you will need to install the App. Else it cannot download the build log and correlate outbound traffic with each step. It only needs |
|
@h0x0er can you please try to repro this issue on a public repo? You can use the workflow from here: https://docs.github.com/en/actions/using-containerized-services/creating-postgresql-service-containers#running-jobs-directly-on-the-runner-machine |
|
@varunsh-coder the build:
name: Check Python ${{ matrix.python }} on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest] # Enable more later.
python: ['3.9', '3.10']
services:
postgres:
image: postgres:14
env:
POSTGRES_PASSWORD: postgres
POSTGRES_DB: testdb
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
# Disable so tests succeed.
- name: Harden Runner
uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
with:
egress-policy: audit
# allowed-endpoints: >
# postgres:5432 # PostgreSQL service container
- name: Checkout
uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- name: Set up Python
uses: actions/setup-python@d09bd5e6005b175076f227b13d9730d56e9dcfcb
with:
python-version: ${{ matrix.python }}
- name: Install dependencies
run: make setup
- name: Run tests
run: make test
# The tests use SQLAlchemy as ORM, and connecting to the db fails.The Action log shows the following error: When I comment out the |
|
@varunsh-coder I had completed my investigation, the error indeed is occurring because of checkout this workflow @jenstroeger after applying the below fix; the workflow will run normally with options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
--restart always |
|
Thank you, @h0x0er. One question: why would the PostgreSQL container stop running, thus warranting the automatic restart? I wasn’t able to find details on the health options but perhaps they’re insufficient if subsequent jobs take too long? I mean |
@jenstroeger I can answer your question.
https://github.com/step-security/agent/blob/main/dnsconfig.go#L169 Normally, by the time all this happens, in the I hope this answers your question. @h0x0er is trying to figure out if as part of restarting docker daemon, we can restart all images that were already running. But if we cannot figure that out, we will need to add documentation to add the |
|
@h0x0er was able to figure out a way to restart existing running containers as part of the docker daemon restart. I will test out the changes and release next week. After new version is released, you will not need to add |
|
@varunsh-coder thanks for the update! I’ll wait for the next release and then update on my end, and I’ll let you know whether it works. |
|
This is fixed in the latest release |
Confirming that the change works. |
I tried out the
harden-runneraction (based on this repo) andand it worked, until I added a PostgreSQL service container to run a few tests. It looks like traffic to that container is blocked? I tried to add
but neither of these two worked. It’s a private organization and I don’t have the privileges to install the app to check the egress audit log.
I disabled the step, and all tests pass just fine. How do you recommend to proceed?
Much thanks!
The text was updated successfully, but these errors were encountered: