From 8775acbdddeb5e67aaf99f082d936b1bb1d38aa1 Mon Sep 17 00:00:00 2001
From: Doc
Date: Mon, 6 Oct 2025 12:41:21 -0400
Subject: [PATCH] Add isolation-check workflow

---
 .gitea/workflows/isolation-check.yaml | 111 ++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 .gitea/workflows/isolation-check.yaml

diff --git a/.gitea/workflows/isolation-check.yaml b/.gitea/workflows/isolation-check.yaml
new file mode 100644
index 0000000..1b8f3b6
--- /dev/null
+++ b/.gitea/workflows/isolation-check.yaml
@@ -0,0 +1,111 @@
+name: Runner Isolation Check
+on:
+ workflow_dispatch:
+
+jobs:
+ isolation-test:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Prepare environment
+ run: |
+ echo "=== INSTALLING TEST TOOLS ==="
+ apt-get update -y
+ DEBIAN_FRONTEND=noninteractive apt-get install -y \
+ curl iproute2 net-tools util-linux procps coreutils \
+ iputils-ping dnsutils libcap2-bin
+
+ - name: Basic system info
+ run: |
+ echo "=== SYSTEM INFO ==="
+ uname -a
+ id
+ cat /etc/os-release || true
+ echo "Running as user: $(whoami)"
+ pwd
+ df -h
+
+ - name: Dumping environment variables
+ run: |
+ echo "--- Check for parent variables ---"
+ printenv | grep -Pi 'GITEA_RUNNER_REGISTRATION_FILE|GITEA_RUNNER_REGISTRATION_TOKEN_FILE|GITEA_RUNNER_REGISTRATION_TOKEN'
+ echo "--- List all variables ---"
+ printenv
+
+ - name: Network routes and interfaces
+ run: |
+ echo "=== NETWORK ==="
+ ip addr
+ echo
+ ip route
+ echo
+ cat /etc/resolv.conf
+
+ - name: LAN reachability test
+ run: |
+ echo "=== LAN REACHABILITY ==="
+ for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
+ 172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
+ 172.24.0.1 192.168.1.185; do
+ echo "--- Pinging $subnet:8098 ---"
+ ping -4 -n -c 4 $subnet || echo "no ping response"
+ echo "--- Contacting http://${subnet}:8098/docker-compose.yaml ---"
+ curl -s -m 5 http://$subnet:8098/docker-compose.yaml || echo "no http response"
+ done
+ echo "--- Checking private IP routes ---"
+ ip route | grep -E "192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01])" \
+ && echo "!! Possible LAN route detected !!" \
+ || echo "No direct LAN route found."
+
+ - name: Check external IP
+ run: |
+ echo "--- Checking external IP (https://ifconfig.me)"
+ curl -s https://ifconfig.me
+
+ - name: Host reachability sanity check
+ run: |
+ echo "=== OUTBOUND TEST ==="
+ curl -fsSL https://google.com >/dev/null && echo "Internet access OK" || echo "No internet access?"
+
+ - name: Traceroute to google.com
+ run: |
+ echo "=== Traceroute to google ==="
+ traceroute -4 -n google.com
+
+ - name: Process visibility
+ run: |
+ echo "=== PROCESS VISIBILITY ==="
+ ps aux | head -20
+ ps aux | grep -E "dockerd|systemd|sshd|python" \
+ && echo "!! Possible host process visible !!" \
+ || echo "Looks isolated."
+
+ - name: Privilege and device access
+ run: |
+ echo "=== PRIVILEGE CHECK ==="
+ id -Gn
+ ls -l /dev | head -30
+ mount | head -20
+ test -S /var/run/docker.sock \
+ && echo "!! Host docker.sock mounted !!" \
+ || echo "No docker.sock (good)"
+
+ - name: File system sanity check
+ run: |
+ echo "=== FILESYSTEM ==="
+ ls -1 /
+ echo
+ test -f /root/.bashrc && echo "Root home accessible!" || echo "No /root home (good)"
+ head -n 3 /etc/passwd
+
+ - name: Capability check
+ run: |
+ echo "=== CAPABILITIES ==="
+ capsh --print 2>/dev/null || echo "capsh not available"
+ dmesg 2>&1 | head -5 && echo "!! dmesg readable !!" || echo "dmesg not accessible (good)"
+
+ - name: Mount Info
+ run: |
+ echo "=== Mount Info ==="
+ findmnt -a
+
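Review bot: The bare `printenv` at the end of the "Dumping environment variables" step copies every variable, including the values of any GITEA_RUNNER_REGISTRATION_* token the preceding grep is looking for and any other secret the runner injects, into the persisted job log; a presence check should print names only, e.g. `printenv | grep -Pi 'GITEA_RUNNER_REGISTRATION' | cut -d= -f1` and `printenv | cut -d= -f1 | sort`. Two later checks always report a finding whatever the runner looks like: `ps aux | grep -E "dockerd|systemd|sshd|python"` matches the grep process's own command line, and in `dmesg 2>&1 | head -5 && echo ...` the `&&` tests head's exit status rather than dmesg's, so `pgrep -f "dockerd|systemd|sshd|python"` and `dmesg >/dev/null 2>&1 && echo "!! dmesg readable !!" || echo "dmesg not accessible (good)"` are needed for an honest answer. The "Traceroute to google.com" step runs `traceroute`, which is not in the apt-get list of the prepare step, so unless the runner image already ships it the job fails at that step; add the package or guard the call with `|| echo "traceroute not available"`. In the LAN loop the body of any docker-compose.yaml that does answer is echoed into the log as well; `curl -s -m 5 -o /dev/null -w '%{http_code}\n' http://$subnet:8098/docker-compose.yaml` records reachability without copying another host's configuration into CI output.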