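---
# Runner isolation self-check.
#
# Runs read-only probes from inside a job and prints what the job can see:
# identity, environment, routes, reachable LAN hosts, host processes,
# devices/mounts and capabilities. Every step reports instead of failing so a
# single run gives the whole picture; lines marked "!!" are the findings.
name: Runner Isolation Check

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:  # no branch filter: every push re-runs the check

jobs:
  isolation-test:
    runs-on: ubuntu-latest
    # Bounds the worst case of the ping/curl/traceroute probes on a runner
    # without egress; raise it if the target list grows.
    timeout-minutes: 30
    steps:
      - name: Prepare environment
        run: |
          echo "=== INSTALLING TEST TOOLS ==="
          # apt-get needs root. Use sudo only when the job is not already root,
          # so the step works on root containers and on sudo-enabled runners alike.
          SUDO=""
          if [ "$(id -u)" -ne 0 ]; then
            SUDO="sudo"
          fi
          $SUDO apt-get update -y
          $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y \
            curl iproute2 net-tools util-linux procps coreutils \
            iputils-ping dnsutils libcap2-bin traceroute

      - name: Basic system info
        run: |
          echo "=== SYSTEM INFO ==="
          uname -a
          echo "User: $(id)"
          echo "User groups: $(id -Gn)"
          echo "Running as user: $(whoami)"
          cat /etc/os-release || true
          echo "Working directory: $(pwd)"
          df -h

      - name: Dumping environment variables
        run: |
          echo "--- Check for parent variables ---"
          # Report presence only: the registration token is a credential, and
          # anything printed here ends up in the job log.
          for var in GITEA_RUNNER_REGISTRATION_FILE GITEA_RUNNER_REGISTRATION_TOKEN_FILE GITEA_RUNNER_REGISTRATION_TOKEN; do
            if printenv "$var" >/dev/null 2>&1; then
              echo "!! $var is set in the job environment (value withheld) !!"
            else
              echo "$var not set"
            fi
          done
          echo "--- Exported variable names (values withheld) ---"
          # Names are enough to spot leaked runner/host variables; values would
          # put any injected secret into the log.
          compgen -e | sort
          echo "--- content of env.txt ---"
          cat "${GITHUB_ENV}" || echo "GITHUB_ENV not readable"

      - name: Network routes and interfaces
        run: |
          echo "=== NETWORK ==="
          ip addr
          echo
          ip route
          echo
          cat /etc/resolv.conf

      - name: LAN reachability test
        run: |
          echo "=== LAN REACHABILITY ==="
          echo "--- Checking private IP routes ---"
          # RFC 1918 prefixes, anchored to the start of an address so substrings
          # of other addresses (e.g. 1.10.x.x) do not match.
          # NOTE(review): a container's own bridge subnet (commonly 172.17.0.0/16)
          # matches too, so this fires on most Docker-based runners; read it
          # together with the ping/HTTP results below.
          ip route | grep -E "(^|[^0-9.])(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)" \
            && echo "!! Possible LAN route detected !!" \
            || echo "No direct LAN route found."
          echo "--- Checking for responses ---"
          # Common gateway addresses plus one fixed host. The :8098 path is an
          # environment-specific endpoint — presumably a service on the operator's
          # own LAN; confirm before reusing this list elsewhere.
          for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
                        172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
                        172.24.0.1 192.168.1.185; do
            ping -4 -n -c 4 "$subnet" >/dev/null 2>&1 && echo "$subnet ping response"
            curl -s -m 5 "http://$subnet:8098/docker-compose.yaml" >/dev/null 2>&1 \
              && echo "HTTP response at $subnet:8098"
          done

      - name: Check external IP
        run: |
          echo "--- Checking external IP (https://icanhazip.com)"
          # Either address family may be absent on a runner; report instead of
          # letting a failed curl abort the step under the default `bash -e`
          # (a dummy `for` loop does not suppress errexit).
          curl -4 -sS -m 10 icanhazip.com || echo "No IPv4 egress (or lookup failed)"
          curl -6 -sS -m 10 icanhazip.com || echo "No IPv6 egress (or lookup failed)"

      - name: Outbound reachability sanity check
        run: |
          echo "=== OUTBOUND TEST ==="
          for addr in https://google.com; do
            curl -fsSL "$addr" >/dev/null 2>&1 && echo "$addr access OK" || echo "No internet access to $addr?"
          done

      - name: Traceroute to google.com
        run: |
          echo "=== Traceroutes ==="
          for addr in google.com; do
            echo "--- Tracing to $addr ---"
            traceroute -4 -n "$addr" || echo "traceroute to $addr failed"
          done

      - name: Process visibility
        run: |
          echo "=== PROCESS VISIBILITY ==="
          # `|| true` keeps a SIGPIPE from head aborting the step on runners whose
          # default shell sets pipefail (same pattern for ls/mount/dmesg below).
          ps aux | head -20 || true
          # The bracketed first letter stops grep from matching its own command
          # line, which the former `head -n -1` only did positionally.
          # NOTE(review): "python" also matches the job's own tooling if any of it
          # is python-based — treat a hit as a prompt to look, not as proof.
          if ps aux | grep -E "[d]ockerd|[s]ystemd|[s]shd|[p]ython" >/dev/null 2>&1; then
            echo "!! Possible host process visible !!"
          else
            echo "Looks isolated."
          fi

      - name: Privilege and device access
        run: |
          echo "=== PRIVILEGE CHECK ==="
          echo '--- devices ---'
          ls -l /dev | head -80 || true
          echo '--- mounts ---'
          mount | head -80 || true
          if test -S /var/run/docker.sock; then
            echo "!! Host docker.sock mounted !!"
          else
            echo "No docker.sock (good)"
          fi

      - name: File system sanity check
        run: |
          echo "=== passwd content (tail 10) ==="
          tail -n 10 /etc/passwd

      - name: Capability check
        run: |
          echo "=== CAPABILITIES ==="
          capsh --print 2>/dev/null || echo "capsh not available"
          # Decide readability from dmesg's own exit status: the former
          # `dmesg 2>&1 | head -5 && ...` took head's status (always 0) unless
          # pipefail was on, and printed the permission error as if it were output.
          if dmesg >/dev/null 2>&1; then
            echo "!! dmesg readable !!"
            dmesg 2>/dev/null | head -5 || true
          else
            echo "dmesg not accessible (good)"
          fi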