work_flow_tester/.gitea/workflows/isolation-check.yaml
Doc db7e5f769f
2025-10-06 18:42:09 -04:00
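# Diagnostic workflow: runs a series of read-only probes inside the job
# environment and prints what the job can see (identity, environment,
# network, processes, devices, capabilities). It proves nothing on its own;
# a human reads the log and compares it with the isolation the runner is
# supposed to provide. Every probe is best-effort: a failing probe is
# reported in the log and never aborts the job.
name: Runner Isolation Check
on:
  workflow_dispatch:
  push:
jobs:
  isolation-test:
    runs-on: ubuntu-latest
    steps:
      - name: Prepare environment
        run: |
          echo "=== INSTALLING TEST TOOLS ==="
          apt-get update -y
          DEBIAN_FRONTEND=noninteractive apt-get install -y \
            curl iproute2 net-tools util-linux procps coreutils \
            iputils-ping dnsutils libcap2-bin traceroute

      - name: Basic system info
        run: |
          echo "=== SYSTEM INFO ==="
          uname -a
          echo "User: $(id)"
          echo "User groups: $(id -Gn)"
          echo "Running as user: $(whoami)"
          cat /etc/os-release || true
          echo "Working directory: $(pwd)"
          # df exits non-zero when any filesystem cannot be stat'ed; that must
          # not end the step under the runner's `bash -e`.
          df -h || true

      - name: Dumping environment variables
        run: |
          echo "--- Check for parent variables ---"
          # Report presence of runner-level variables. Only *_FILE values
          # (paths) are printed; a leaked registration token must not be
          # copied into the job log as a second place it can be read from.
          for var in GITEA_RUNNER_REGISTRATION_FILE GITEA_RUNNER_REGISTRATION_TOKEN_FILE GITEA_RUNNER_REGISTRATION_TOKEN; do
            if printenv "$var" >/dev/null; then
              case "$var" in
                *_FILE) echo "!! $var=$(printenv "$var") !!" ;;
                *) echo "!! $var is set in the job environment (value withheld) !!" ;;
              esac
            else
              echo "$var not set"
            fi
          done
          echo "--- Output printenv (secret-looking values redacted) ---"
          printenv | sed -E 's/^([^=]*(TOKEN|SECRET|PASSWORD|PASSWD|KEY)[^=]*)=.*/\1=<redacted>/'
          echo "--- content of env.txt ---"
          cat "${GITHUB_ENV}"

      - name: Network routes and interfaces
        run: |
          echo "=== NETWORK ==="
          ip addr
          echo
          ip route
          echo
          cat /etc/resolv.conf

      - name: Check external IP
        run: |
          echo "--- Checking external IP (icanhazip.com) ---"
          # Only reachability per address family is reported; the address
          # itself stays out of the log. -f turns HTTP errors into failures,
          # -m bounds the wait when a family has no route.
          curl -4 -fsS -m 10 icanhazip.com >/dev/null 2>&1 && echo "IPv4 egress OK" || echo "Error getting ipv4"
          curl -6 -fsS -m 10 icanhazip.com >/dev/null 2>&1 && echo "IPv6 egress OK" || echo "Error getting ipv6"

      - name: Outbound reachability sanity check
        run: |
          echo "=== OUTBOUND TEST ==="
          for addr in https://google.com http://github.com ; do
            curl -fsSL -m 10 "$addr" >/dev/null 2>&1 && echo "$addr access OK" || echo "No internet access to $addr?"
          done

      - name: Traceroute to google.com
        run: |
          echo "=== Traceroutes ==="
          for addr in google.com ; do
            echo "--- Tracing to $addr ---"
            # traceroute may be refused (no raw sockets) or hang on silent hops;
            # -w bounds each probe and the || keeps the step alive.
            traceroute -4 -n -w 2 "$addr" || echo "traceroute to $addr failed"
          done

      - name: LAN reachability test
        run: |
          echo "=== LAN REACHABILITY ==="
          echo "--- Checking private IP routes ---"
          # Match RFC 1918 prefixes only where an address begins (line start or
          # after a space), so e.g. 172.16.10.0 is not taken for a 10/8 route.
          # A container's own bridge network (often 172.17/16) may also match;
          # that is expected noise rather than a finding by itself.
          ip route | grep -E "(^| )(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)" \
            && echo "!! Possible LAN route detected !!" \
            || echo "No direct LAN route found."
          echo "--- Checking for responses ---"
          # NOTE(review): 192.168.1.185:8098 looks site-specific; confirm it is
          # still the intended probe target before relying on this step.
          for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
              172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
              172.24.0.1 192.168.1.185; do
            echo -n "$subnet ... "
            # -W bounds the wait per host so unreachable gateways cannot stall the job.
            ping -4 -n -c 1 -W 2 "$subnet" >/dev/null 2>&1 && echo -n "ping response "
            curl -m 3 "http://$subnet:8098/docker-compose.yaml" >/dev/null 2>&1 && echo -n "HTTP response "
            echo ''
          done

      - name: Process visibility
        run: |
          echo "=== PROCESS VISIBILITY ==="
          ps aux | head -20
          # pgrep never matches its own process, so no `head -n -1` trick is
          # needed to drop the matching grep line from a `ps aux` listing.
          # -l prints pid and name of each match as evidence.
          if pgrep -l 'dockerd|systemd|sshd|python'; then
            echo "!! Possible host process visible !!"
          else
            echo "Looks isolated."
          fi

      - name: Privilege and device access
        run: |
          echo "=== PRIVILEGE CHECK ==="
          echo '--- devices ---'
          ls -l /dev | head -80
          echo '--- mounts ---'
          mount | head -80
          if test -S /var/run/docker.sock; then
            echo "!! Host docker.sock mounted !!"
          else
            echo "No docker.sock (good)"
          fi

      - name: File system sanity check
        run: |
          echo "=== passwd content (tail 10) ==="
          tail -n 10 /etc/passwd

      - name: Capability check
        run: |
          echo "=== CAPABILITIES ==="
          capsh --print 2>/dev/null || echo "capsh not available"
          # Test dmesg's own exit status: in `dmesg | head` the pipeline's
          # status is head's (0), which would report the kernel log as readable
          # even when dmesg was refused.
          if dmesg_out=$(dmesg 2>/dev/null); then
            printf '%s\n' "$dmesg_out" | head -5
            echo "!! dmesg readable !!"
          else
            echo "dmesg not accessible (good)"
          fi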