revisions of isolation-check

This commit is contained in:
Doc
2025-10-06 13:43:34 -04:00
parent c1a64d8e87
commit 870f6a4273


@@ -20,10 +20,11 @@ jobs:
run: | run: |
echo "=== SYSTEM INFO ===" echo "=== SYSTEM INFO ==="
uname -a uname -a
id echo "User: $(id)"
cat /etc/os-release || true echo "User groups: $(id -Gn)"
echo "Running as user: $(whoami)" echo "Running as user: $(whoami)"
pwd cat /etc/os-release || true
echo "Working directory: $(pwd)"
df -h df -h
- name: Dumping environment variables - name: Dumping environment variables
@@ -32,8 +33,10 @@ jobs:
for var in GITEA_RUNNER_REGISTRATION_FILE GITEA_RUNNER_REGISTRATION_TOKEN_FILE GITEA_RUNNER_REGISTRATION_TOKEN; do for var in GITEA_RUNNER_REGISTRATION_FILE GITEA_RUNNER_REGISTRATION_TOKEN_FILE GITEA_RUNNER_REGISTRATION_TOKEN; do
printenv "$var" || echo "$var not set" printenv "$var" || echo "$var not set"
done done
echo "--- List all variables ---" echo "--- Output printenv ---"
printenv printenv
echo "--- content of env.txt ---"
cat "${GITHUB_ENV}"
- name: Network routes and interfaces - name: Network routes and interfaces
run: | run: |
@@ -45,88 +48,75 @@ jobs:
cat /etc/resolv.conf cat /etc/resolv.conf
- name: LAN reachability test - name: LAN reachability test
continue-on-error: true
run: | run: |
set +e
echo "=== LAN REACHABILITY ===" echo "=== LAN REACHABILITY ==="
for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
172.24.0.1 192.168.1.185; do
echo "--- Pinging $subnet:8098 ---"
ping -4 -n -c 4 $subnet || echo "no ping response"
echo "--- Contacting http://${subnet}:8098/docker-compose.yaml ---"
curl -s -m 5 http://$subnet:8098/docker-compose.yaml || echo "no http response"
done
echo "--- Checking private IP routes ---" echo "--- Checking private IP routes ---"
ip route | grep -E "192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01])" \ ip route | grep -E "192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01])" \
&& echo "!! Possible LAN route detected !!" \ && echo "!! Possible LAN route detected !!" \
|| echo "No direct LAN route found." || echo "No direct LAN route found."
echo "--- Checking for responses ---"
for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
172.24.0.1 192.168.1.185; do
ping -4 -n -c 4 $subnet >/dev/null 2>&1 && echo "$subnet ping response"
curl -s -m 5 http://$subnet:8098/docker-compose.yaml >/dev/null 2>&1 && echo "HTTP response at $subnet:8098"
done
- name: Check external IP - name: Check external IP
continue-on-error: true
run: | run: |
set +e
echo "--- Checking external IP (https://ifconfig.me)" echo "--- Checking external IP (https://ifconfig.me)"
curl -s https://ifconfig.me for addr in https://ifconfig.me ; do
true curl $addr
done
- name: Host reachability sanity check - name: Outbound reachability sanity check
continue-on-error: true
run: | run: |
set +e
echo "=== OUTBOUND TEST ===" echo "=== OUTBOUND TEST ==="
curl -fsSL https://google.com >/dev/null && echo "Internet access OK" || echo "No internet access?" for addr in https://google.com ; do
curl -fsSL "$addr" >/dev/null 2>&1 && echo "$addr access OK" || echo "No internet access to $addr?"
done
- name: Traceroute to google.com - name: Traceroute to google.com
continue-on-error: true
run: | run: |
echo "=== Traceroute to google ===" echo "=== Traceroutes ==="
traceroute -4 -n google.com for addr in google.com ; do
echo "--- Tracing to $addr ---"
traceroute -4 -n $addr
done
- name: Process visibility - name: Process visibility
continue-on-error: true
run: | run: |
set +e
echo "=== PROCESS VISIBILITY ===" echo "=== PROCESS VISIBILITY ==="
ps aux | head -20 ps aux | head -20
ps aux | grep -E "dockerd|systemd|sshd|python" \ for procname in blanktext ; do
&& echo "!! Possible host process visible !!" \ ps aux | head -n -1 | grep -E "dockerd|systemd|sshd|python" \
>/dev/null 2>&1 && echo "!! Possible host process visible !!" \
|| echo "Looks isolated." || echo "Looks isolated."
done
- name: Privilege and device access - name: Privilege and device access
continue-on-error: true
run: | run: |
set +e
echo "=== PRIVILEGE CHECK ===" echo "=== PRIVILEGE CHECK ==="
id -Gn echo '--- devices ---'
ls -l /dev | head -30 ls -l /dev | head -80
mount | head -20 echo '--- mounts ---'
mount | head -80
for ignore in errs ; do
test -S /var/run/docker.sock \ test -S /var/run/docker.sock \
&& echo "!! Host docker.sock mounted !!" \ && echo "!! Host docker.sock mounted !!" \
|| echo "No docker.sock (good)" || echo "No docker.sock (good)"
done
- name: File system sanity check - name: File system sanity check
continue-on-error: true
run: | run: |
set +e echo "=== passwd content (tail 10) ==="
echo "=== FILESYSTEM ===" tail -n 10 /etc/passwd
ls -1 /
echo
test -f /root/.bashrc && echo "Root home accessible!" || echo "No /root home (good)"
head -n 3 /etc/passwd
- name: Capability check - name: Capability check
continue-on-error: true
run: | run: |
set +e
echo "=== CAPABILITIES ===" echo "=== CAPABILITIES ==="
for ignore in errs ; do
capsh --print 2>/dev/null || echo "capsh not available" capsh --print 2>/dev/null || echo "capsh not available"
dmesg 2>&1 | head -5 && echo "!! dmesg readable !!" || echo "dmesg not accessible (good)" dmesg 2>&1 | head -5 && echo "!! dmesg readable !!" || echo "dmesg not accessible (good)"
done
- name: Mount Info
continue-on-error: true
run: |
set +e
echo "=== Mount Info ==="
findmnt -a
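Review bot: The process-visibility check in the third hunk, `ps aux | head -n -1 | grep -E "dockerd|systemd|sshd|python"`, still matches its own grep process because the pattern is on that process's command line, and `head -n -1` only drops whatever ps happens to list last, which is not guaranteed to be the grep, so "!! Possible host process visible !!" can fire spuriously. A self-excluding pattern removes the ordering dependence: `ps aux | grep -E "[d]ockerd|[s]ystemd|[s]shd|[p]ython" >/dev/null 2>&1 \`. The `for procname in blanktext` and `for ignore in errs` wrappers around one-shot checks never use their loop variable and read as leftovers; the checks work the same without them. In the capability step, `dmesg 2>&1 | head -5 && echo "!! dmesg readable !!"` reports `head`'s status, which is 0 even when dmesg fails, so the "dmesg not accessible (good)" branch is unreachable unless the step uses `set -o pipefail` or tests `dmesg >/dev/null 2>&1` first. In the external-IP step `curl $addr` dropped the `-s` of the old line and has none of the `-m 5` bound the LAN step uses, so `curl -s -m 5 "$addr"` keeps that step from hanging on a runner with no route out.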