From 870f6a427371f2b6cb036db390d0cb1b286af1f5 Mon Sep 17 00:00:00 2001
From: Doc
Date: Mon, 6 Oct 2025 13:43:34 -0400
Subject: [PATCH] revisions of isolation-check

---
 .gitea/workflows/isolation-check.yaml | 100 ++++++++++++--------
 1 file changed, 45 insertions(+), 55 deletions(-)

diff --git a/.gitea/workflows/isolation-check.yaml b/.gitea/workflows/isolation-check.yaml
index 4271de6..6b62e0e 100644
--- a/.gitea/workflows/isolation-check.yaml
+++ b/.gitea/workflows/isolation-check.yaml
@@ -20,10 +20,11 @@ jobs:
 run: |
 echo "=== SYSTEM INFO ==="
 uname -a
- id
- cat /etc/os-release || true
+ echo "User: $(id)"
+ echo "User groups: $(id -Gn)"
 echo "Running as user: $(whoami)"
- pwd
+ cat /etc/os-release || true
+ echo "Working directory: $(pwd)"
 df -h
 - name: Dumping environment variables
@@ -32,8 +33,10 @@ jobs:
 for var in GITEA_RUNNER_REGISTRATION_FILE GITEA_RUNNER_REGISTRATION_TOKEN_FILE GITEA_RUNNER_REGISTRATION_TOKEN; do
 printenv "$var" || echo "$var not set"
 done
- echo "--- List all variables ---"
+ echo "--- Output printenv ---"
 printenv
+ echo "--- content of env.txt ---"
+ cat "${GITHUB_ENV}"
 - name: Network routes and interfaces
 run: |
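Review bot: `cat "${GITHUB_ENV}"` at the end of the second hunk has no fallback, unlike the `printenv "$var" || echo "$var not set"` loop just above it, so an unset variable or an unreadable file fails the step if the step shell runs with `-e`, as GitHub-compatible runners appear to by default; `cat "${GITHUB_ENV:-/dev/null}" || echo "GITHUB_ENV not readable"` keeps the dump best-effort like its neighbours. Together with the unfiltered `printenv`, this step now writes the complete job environment and the env-file contents to the job log, so anything that reaches the environment from a secret or an earlier step is printed in clear there; that is acceptable for a throwaway diagnostic runner, but the workflow should not be granted real secrets and its logs should be handled as sensitive. The `run` block of this step begins above the hunk.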
@@ -45,88 +48,75 @@ jobs:
 cat /etc/resolv.conf
 - name: LAN reachability test
- continue-on-error: true
 run: |
- set +e
 echo "=== LAN REACHABILITY ==="
- for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
- 172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
- 172.24.0.1 192.168.1.185; do
- echo "--- Pinging $subnet:8098 ---"
- ping -4 -n -c 4 $subnet || echo "no ping response"
- echo "--- Contacting http://${subnet}:8098/docker-compose.yaml ---"
- curl -s -m 5 http://$subnet:8098/docker-compose.yaml || echo "no http response"
- done
 echo "--- Checking private IP routes ---"
 ip route | grep -E "192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01])" \
 && echo "!! Possible LAN route detected !!" \
 || echo "No direct LAN route found."
+ echo "--- Checking for responses ---"
+ for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
+ 172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
+ 172.24.0.1 192.168.1.185; do
+ ping -4 -n -c 4 $subnet >/dev/null 2>&1 && echo "$subnet ping response"
+ curl -s -m 5 http://$subnet:8098/docker-compose.yaml >/dev/null 2>&1 && echo "HTTP response at $subnet:8098"
+ done
 - name: Check external IP
- continue-on-error: true
 run: |
- set +e
 echo "--- Checking external IP (https://ifconfig.me)"
- curl -s https://ifconfig.me
- true
+ for addr in https://ifconfig.me ; do
+ curl $addr
+ done
- - name: Host reachability sanity check
- continue-on-error: true
+ - name: Outbound reachability sanity check
 run: |
- set +e
 echo "=== OUTBOUND TEST ==="
- curl -fsSL https://google.com >/dev/null && echo "Internet access OK" || echo "No internet access?"
+ for addr in https://google.com ; do
+ curl -fsSL "$addr" >/dev/null 2>&1 && echo "$addr access OK" || echo "No internet access to $addr?"
+ done
 - name: Traceroute to google.com
- continue-on-error: true
 run: |
- echo "=== Traceroute to google ==="
- traceroute -4 -n google.com
+ echo "=== Traceroutes ==="
+ for addr in google.com ; do
+ echo "--- Tracing to $addr ---"
+ traceroute -4 -n $addr
+ done
 - name: Process visibility
- continue-on-error: true
 run: |
- set +e
 echo "=== PROCESS VISIBILITY ==="
 ps aux | head -20
- ps aux | grep -E "dockerd|systemd|sshd|python" \
- && echo "!! Possible host process visible !!" \
+ for procname in blanktext ; do
+ ps aux | head -n -1 | grep -E "dockerd|systemd|sshd|python" \
+ >/dev/null 2>&1 && echo "!! Possible host process visible !!" \
 || echo "Looks isolated."
+ done
 - name: Privilege and device access
- continue-on-error: true
 run: |
- set +e
 echo "=== PRIVILEGE CHECK ==="
- id -Gn
- ls -l /dev | head -30
- mount | head -20
- test -S /var/run/docker.sock \
- && echo "!! Host docker.sock mounted !!" \
- || echo "No docker.sock (good)"
+ echo '--- devices ---'
+ ls -l /dev | head -80
+ echo '--- mounts ---'
+ mount | head -80
+ for ignore in errs ; do
+ test -S /var/run/docker.sock \
+ && echo "!! Host docker.sock mounted !!" \
+ || echo "No docker.sock (good)"
+ done
 - name: File system sanity check
- continue-on-error: true
 run: |
- set +e
- echo "=== FILESYSTEM ==="
- ls -1 /
- echo
- test -f /root/.bashrc && echo "Root home accessible!" || echo "No /root home (good)"
- head -n 3 /etc/passwd
+ echo "=== passwd content (tail 10) ==="
+ tail -n 10 /etc/passwd
 - name: Capability check
- continue-on-error: true
 run: |
- set +e
 echo "=== CAPABILITIES ==="
- capsh --print 2>/dev/null || echo "capsh not available"
- dmesg 2>&1 | head -5 && echo "!! dmesg readable !!" || echo "dmesg not accessible (good)"
- - name: Mount Info
- continue-on-error: true
- run: |
- set +e
- echo "=== Mount Info ==="
- findmnt -a
+ for ignore in errs ; do
+ capsh --print 2>/dev/null || echo "capsh not available"
+ dmesg 2>&1 | head -5 && echo "!! dmesg readable !!" || echo "dmesg not accessible (good)"
+ done
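Review bot: Dropping `continue-on-error: true` and `set +e` from every step while leaving `curl $addr` (Check external IP) and `traceroute -4 -n $addr` (Traceroute) without a fallback means the first blocked egress or missing tool now fails the job, so the privilege, filesystem and capability steps that actually measure isolation never run; if the step shell runs with `-e`, as GitHub-compatible runners appear to by default, a bare failing command aborts the step. Either restore `continue-on-error: true` on the network steps or give each probe a fallback in the style of the outbound test, e.g. `curl -fsS -m 10 "$addr" || echo "No response from $addr"` and `traceroute -4 -n "$addr" || echo "traceroute to $addr failed"`. The single-iteration `for procname in blanktext ; do` and `for ignore in errs ; do` loops never use their variable and read as leftover scaffolding; their bodies stand on their own (or inside `{ …; }`) without them. In the process check, `head -n -1` looks intended to drop the grep's own `ps` line but is GNU-only and depends on output order; `grep -E "[d]ockerd|[s]ystemd|[s]shd|[p]ython"` excludes it reliably. The step list continues above the hunk, and the hunk's last line is the end of the file as shown.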