
# Runner config assets

`seccomp.json` is a pinned copy of Docker/Moby's default seccomp profile. It is copied to `/etc/shithubd-runner/seccomp.json` by the `shithubd-runner` Ansible role and passed to each step container via:

```sh
--security-opt=seccomp=/etc/shithubd-runner/seccomp.json
```

Source: `moby/moby` commit `7d169a7f0ccd8f79edb6ad02ba20025cb487b217`, `vendor/github.com/moby/profiles/seccomp/default.json`.

Update this file deliberately when changing Docker daemon versions or runner syscall posture.

`dnsmasq.conf.j2` is the runner DNS allowlist template. The Ansible role renders it to `/etc/dnsmasq.d/shithubd-runner.conf` from `shithub_runner_network_allowlist`, binds dnsmasq to the dedicated Actions Docker bridge, and points step containers at that resolver with `engine.dns_servers`.

`firewall.sh.j2` is installed as `/usr/local/sbin/shithub-runner-firewall` and run by `shithub-runner-firewall.service`. It creates the ipset used by dnsmasq and rejects direct-IP egress from the Actions bridge unless the destination IP was populated by an allowlisted DNS response. DNS to the bridge resolver is the only DNS path allowed from step containers.
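How the DNS allowlist, the ipset and the firewall fit together, as an added shell example that is not the repository's `dnsmasq.conf.j2` or `firewall.sh.j2`: it renders the dnsmasq configuration and the iptables rule script from a constructed allowlist instead of applying them. The bridge interface, resolver and upstream addresses, ipset name and chain name are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's own templates: renders the dnsmasq
# allowlist and the matching ipset/iptables egress policy from a constructed
# domain list. Bridge, resolver, upstream, ipset and chain names are assumed.
set -eu
ACTIONS_BRIDGE="${ACTIONS_BRIDGE:-br-actions}"  # assumed Actions bridge interface
RESOLVER_IP="${RESOLVER_IP:-172.30.0.1}"        # assumed bridge gateway where dnsmasq listens
UPSTREAM_DNS="${UPSTREAM_DNS:-192.0.2.53}"      # assumed upstream resolver (documentation address)
IPSET_NAME="${IPSET_NAME:-runner_egress}"       # assumed ipset shared by dnsmasq and the firewall
CHAIN="RUNNER_EGRESS"                           # assumed custom chain hooked from DOCKER-USER
# Constructed stand-in for shithub_runner_network_allowlist.
ALLOWLIST="github.com api.github.com registry.npmjs.org"

# dnsmasq listens only on the bridge, forwards only allowlisted names and pushes
# every answer's addresses into the ipset. Caveat: dnsmasq's /domain/ syntax
# also matches subdomains, so github.com admits *.github.com. Names without a
# server= line have no upstream and are never forwarded.
render_dnsmasq() {
  printf 'interface=%s\nbind-interfaces\nno-resolv\n' "$ACTIONS_BRIDGE"
  for name in $ALLOWLIST; do
    printf 'server=/%s/%s\n' "$name" "$UPSTREAM_DNS"
    printf 'ipset=/%s/%s\n' "$name" "$IPSET_NAME"
  done
}

# Forwarded traffic from the bridge may reach only addresses dnsmasq put in the
# ipset. Port-53 traffic is rejected before the ipset check so a third-party
# resolver is unreachable even if its IP was allowlisted. DNS to the bridge
# resolver is host-bound (INPUT), not forwarded, so it gets its own accept rule.
# IPv4 only: an IPv6-enabled bridge needs an inet6 set and ip6tables rules too.
render_firewall() {
  cat <<EOF
ipset create $IPSET_NAME hash:ip -exist
iptables -w -N $CHAIN 2>/dev/null || iptables -w -F $CHAIN
iptables -w -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -w -A $CHAIN -p udp --dport 53 -j REJECT
iptables -w -A $CHAIN -p tcp --dport 53 -j REJECT
iptables -w -A $CHAIN -m set --match-set $IPSET_NAME dst -j RETURN
iptables -w -A $CHAIN -j REJECT --reject-with icmp-admin-prohibited
iptables -w -C DOCKER-USER -i $ACTIONS_BRIDGE -j $CHAIN 2>/dev/null ||
  iptables -w -I DOCKER-USER -i $ACTIONS_BRIDGE -j $CHAIN
iptables -w -C INPUT -i $ACTIONS_BRIDGE -d $RESOLVER_IP -p udp --dport 53 -j ACCEPT 2>/dev/null ||
  iptables -w -I INPUT -i $ACTIONS_BRIDGE -d $RESOLVER_IP -p udp --dport 53 -j ACCEPT
EOF
}
case "${1:-}" in
  dnsmasq)  render_dnsmasq ;;
  firewall) render_firewall ;;
esac
```

Run it with `dnsmasq` or `firewall` as the argument to see either rendering; the REJECT-before-ipset ordering is what keeps port 53 to anything but the bridge resolver closed.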
