
# Runner config assets

`seccomp.json` is a pinned copy of Docker/Moby's default seccomp profile. It is copied to `/etc/shithubd-runner/seccomp.json` by the `shithubd-runner` Ansible role and passed to each step container via:

```sh
--security-opt=seccomp=/etc/shithubd-runner/seccomp.json
```

Source: `moby/moby` commit `7d169a7f0ccd8f79edb6ad02ba20025cb487b217`, `vendor/github.com/moby/profiles/seccomp/default.json`.

Update this file deliberately when changing Docker daemon versions or runner syscall posture.
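
Before updating the pinned profile it is worth checking what the new copy actually permits a step container to do. The following is an added example, not code from this repository or from Moby: it parses a profile in the same JSON shape as Docker's default (`defaultAction`, `syscalls[].names/action/includes/excludes`) and models the capability-based include/exclude filtering Docker applies before handing rules to runc. The embedded profile is a constructed four-rule stand-in, not the pinned `seccomp.json`; `DEFAULT_CAPS` is assumed to be Docker's default bounding set, and arch and `minKernel` conditions are ignored in this simplified model.

```python
import json

# Constructed sample in the shape of Docker/Moby's default seccomp profile:
# a handful of rules only, NOT the pinned seccomp.json this README describes.
SAMPLE_PROFILE_JSON = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "archMap": [{"architecture": "SCMP_ARCH_X86_64",
                 "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "getpid"],
         "action": "SCMP_ACT_ALLOW"},
        # ENOSYS (38) for clone3 unless the container holds CAP_SYS_ADMIN
        {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38,
         "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["mount", "umount2", "unshare", "setns", "clone3"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["kexec_load", "reboot"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_BOOT"]}},
    ],
})

# Assumed to be Docker's default bounding capability set, standing in for a
# step container started without --cap-add.
DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})


def load_profile(text):
    """Parse a seccomp profile from its JSON text."""
    return json.loads(text)


def profile_findings(profile):
    """Shape checks a reviewer wants before pinning a new copy."""
    findings = []
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        findings.append("defaultAction is not SCMP_ACT_ERRNO: profile is not deny-by-default")
    if not isinstance(profile.get("syscalls"), list):
        findings.append("no syscalls list")
    return findings


def rule_applies(rule, caps):
    """Model Docker's includes/excludes capability filtering for one rule:
    any excluded cap present drops the rule; every included cap must be
    present. (Arch and minKernel conditions are ignored here.)"""
    excluded = rule.get("excludes", {}).get("caps", [])
    if any(c in caps for c in excluded):
        return False
    included = rule.get("includes", {}).get("caps", [])
    return all(c in caps for c in included)


def effective_action(profile, syscall, caps):
    """Return (action, errno) the profile yields for `syscall` in a container
    whose bounding set is `caps`; first applicable rule wins, else default."""
    for rule in profile["syscalls"]:
        if syscall in rule.get("names", []) and rule_applies(rule, caps):
            return rule["action"], rule.get("errnoRet")
    return profile["defaultAction"], profile.get("defaultErrnoRet")


def allowed_syscalls(profile, caps):
    """Names the profile allows for this capability set (only names the
    profile mentions; everything unlisted falls to the default action)."""
    names = set()
    for rule in profile["syscalls"]:
        names.update(rule.get("names", []))
    return {n for n in names
            if effective_action(profile, n, caps)[0] == "SCMP_ACT_ALLOW"}


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE_JSON)
    print("findings:", profile_findings(prof))
    for name in ("openat", "mount", "clone3", "kexec_load"):
        print(name, effective_action(prof, name, DEFAULT_CAPS))
    print("allowed with CAP_SYS_ADMIN:",
          sorted(allowed_syscalls(prof, DEFAULT_CAPS | {"CAP_SYS_ADMIN"})))
```

Run it against the real pinned file by replacing `SAMPLE_PROFILE_JSON` with the contents of `/etc/shithubd-runner/seccomp.json`; diffing `allowed_syscalls()` output between the old and new commit is a quick way to see whether a Docker version bump changed the runner's syscall posture, and to confirm that anything a workflow gains with `--cap-add` is deliberate.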

`dnsmasq.conf.j2` is the optional runner DNS allowlist template. The Ansible role renders it to `/etc/shithubd-runner/dnsmasq.conf` from `shithub_runner_network_allowlist`; operators can run dnsmasq bound to their Actions Docker bridge and point step containers at it with `engine.dns_servers`.

The dnsmasq template intentionally has no default upstream resolver, so names outside the allowlist fail resolution. DNS allowlisting alone does not block direct-IP egress or a workflow that brings its own resolver; pair it with host firewall rules on the runner bridge for a deny-by-default network boundary.

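The mechanism behind the template is that dnsmasq forwards a name only when a `server=/domain/upstream` line covers it, and with `no-resolv` and no bare `server=` line there is nothing else to forward to. The following is an added example, not the project's `dnsmasq.conf.j2` (whose contents this page does not show): it renders such a config from an allowlist, mirrors dnsmasq's domain matching so an operator can predict which names resolve, and audits a rendered file for the two mistakes that silently reopen it. `ALLOWLIST`, `UPSTREAM` and `LISTEN_IP` are constructed values.

```python
# Constructed inputs (assumptions for this example): allowlisted names,
# the single upstream resolver those names may be forwarded to, and the
# address on the Actions Docker bridge that dnsmasq listens on.
ALLOWLIST = ["github.com", "pypi.org", "files.pythonhosted.org"]
UPSTREAM = "9.9.9.9"
LISTEN_IP = "172.18.0.1"


def render_dnsmasq_conf(allowlist, upstream, listen_ip):
    """Render a deny-by-default resolver config: only allowlisted names (and
    labels beneath them) get a server=/domain/upstream line; there is no bare
    server= line and no resolv.conf fallback, so other names have no upstream."""
    lines = [
        "# generated allowlist resolver (example, not the project's template)",
        "no-resolv",            # never read upstreams from /etc/resolv.conf
        "no-hosts",             # do not answer from the host's /etc/hosts
        "bind-interfaces",
        f"listen-address={listen_ip}",
        "log-queries",          # failed lookups are visible to the operator
    ]
    for name in allowlist:
        name = name.strip().rstrip(".").lower()
        if name:
            lines.append(f"server=/{name}/{upstream}")
    return "\n".join(lines) + "\n"


def allowlisted(qname, allowlist):
    """Mirror dnsmasq's server=/domain/ matching: the domain itself and any
    label beneath it, never a lookalike that merely ends in the same string."""
    q = qname.rstrip(".").lower()
    for name in allowlist:
        d = name.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def audit_dnsmasq_conf(text):
    """Findings that would turn the allowlist resolver into a catch-all."""
    findings = []
    opts = [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    if "no-resolv" not in opts:
        findings.append("missing no-resolv: /etc/resolv.conf becomes a catch-all upstream")
    for opt in opts:
        if opt.startswith("server=") and not opt.startswith("server=/"):
            findings.append(f"bare upstream '{opt}' forwards every name")
        elif opt.startswith("server=/#/"):
            findings.append(f"wildcard '{opt}' forwards every name")
    return findings


if __name__ == "__main__":
    conf = render_dnsmasq_conf(ALLOWLIST, UPSTREAM, LISTEN_IP)
    print(conf)
    print("findings:", audit_dnsmasq_conf(conf))
    for q in ("api.github.com", "evilgithub.com", "example.org"):
        print(q, "resolves" if allowlisted(q, ALLOWLIST) else "no upstream")
```

`allowlisted()` shows why an entry like `github.com` covers `api.github.com` but not `evilgithub.com`; keep that in mind when deciding how broad each allowlist entry should be. The audit only catches resolver-side regressions: as the paragraph above says, a step that connects to an IP address directly or ships its own resolver never asks this dnsmasq at all, which is what the host firewall rules on the bridge are for.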