Add --userns flag to support Docker daemon that enables user namespace (#533)

I got an error like this after hitting `act` command.

> Error: Error response from daemon: cannot share the host's network namespace when user namespaces are enabled

According to the document, when user namespaces are enabled on the Docker daemon,
neither host network mode and --privileged work without --userns=host. Since `act`
uses host network mode to match GitHub Actions runners, it cannot run jobs when
user namespaces are enabled. So I added the flag.

https://docs.docker.com/engine/security/userns-remap/#user-namespace-known-limitations

Co-authored-by: Casey Lee <cplee@nektos.com>
This commit is contained in:
Hibariya 2021-02-28 01:31:25 +09:00 committed by GitHub
parent 6c118fe9ad
commit 8de7b956b7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 9 additions and 0 deletions

View file

@ -105,6 +105,7 @@ It will save that information to `~/.actrc`, please refer to [Configuration](#co
-r, --reuse reuse action containers to maintain state -r, --reuse reuse action containers to maintain state
-s, --secret stringArray secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret) -s, --secret stringArray secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret)
--secret-file string file with list of secrets to read from (e.g. --secret-file .secrets) (default ".secrets") --secret-file string file with list of secrets to read from (e.g. --secret-file .secrets) (default ".secrets")
--userns string user namespace to use
-v, --verbose verbose output -v, --verbose verbose output
--version version for act --version version for act
-w, --watch watch the contents of the local repo and run when files change -w, --watch watch the contents of the local repo and run when files change

View file

@ -25,6 +25,7 @@ type Input struct {
insecureSecrets bool insecureSecrets bool
defaultBranch string defaultBranch string
privileged bool privileged bool
usernsMode string
} }
func (i *Input) resolve(path string) string { func (i *Input) resolve(path string) string {

View file

@ -47,6 +47,7 @@ func Execute(ctx context.Context, version string) {
rootCmd.Flags().StringVarP(&input.eventPath, "eventpath", "e", "", "path to event JSON file") rootCmd.Flags().StringVarP(&input.eventPath, "eventpath", "e", "", "path to event JSON file")
rootCmd.Flags().StringVar(&input.defaultBranch, "defaultbranch", "", "the name of the main branch") rootCmd.Flags().StringVar(&input.defaultBranch, "defaultbranch", "", "the name of the main branch")
rootCmd.Flags().BoolVar(&input.privileged, "privileged", false, "use privileged mode") rootCmd.Flags().BoolVar(&input.privileged, "privileged", false, "use privileged mode")
rootCmd.Flags().StringVar(&input.usernsMode, "userns", "", "user namespace to use")
rootCmd.PersistentFlags().StringVarP(&input.actor, "actor", "a", "nektos/act", "user that triggered the event") rootCmd.PersistentFlags().StringVarP(&input.actor, "actor", "a", "nektos/act", "user that triggered the event")
rootCmd.PersistentFlags().StringVarP(&input.workflowsPath, "workflows", "W", "./.github/workflows/", "path to workflow file(s)") rootCmd.PersistentFlags().StringVarP(&input.workflowsPath, "workflows", "W", "./.github/workflows/", "path to workflow file(s)")
rootCmd.PersistentFlags().StringVarP(&input.workdir, "directory", "C", ".", "working directory") rootCmd.PersistentFlags().StringVarP(&input.workdir, "directory", "C", ".", "working directory")
@ -260,6 +261,7 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
InsecureSecrets: input.insecureSecrets, InsecureSecrets: input.insecureSecrets,
Platforms: input.newPlatforms(), Platforms: input.newPlatforms(),
Privileged: input.privileged, Privileged: input.privileged,
UsernsMode: input.usernsMode,
} }
r, err := runner.New(config) r, err := runner.New(config)
if err != nil { if err != nil {

View file

@ -44,6 +44,7 @@ type NewContainerInput struct {
Stderr io.Writer Stderr io.Writer
NetworkMode string NetworkMode string
Privileged bool Privileged bool
UsernsMode string
} }
// FileEntry is a file to copy to a container // FileEntry is a file to copy to a container
@ -271,6 +272,7 @@ func (cr *containerReference) create() common.Executor {
Mounts: mounts, Mounts: mounts,
NetworkMode: container.NetworkMode(input.NetworkMode), NetworkMode: container.NetworkMode(input.NetworkMode),
Privileged: input.Privileged, Privileged: input.Privileged,
UsernsMode: container.UsernsMode(input.UsernsMode),
}, nil, input.Name) }, nil, input.Name)
if err != nil { if err != nil {
return errors.WithStack(err) return errors.WithStack(err)

View file

@ -106,6 +106,7 @@ func (rc *RunContext) startJobContainer() common.Executor {
Stdout: logWriter, Stdout: logWriter,
Stderr: logWriter, Stderr: logWriter,
Privileged: rc.Config.Privileged, Privileged: rc.Config.Privileged,
UsernsMode: rc.Config.UsernsMode,
}) })
var copyWorkspace bool var copyWorkspace bool

View file

@ -31,6 +31,7 @@ type Config struct {
InsecureSecrets bool // switch hiding output when printing to terminal InsecureSecrets bool // switch hiding output when printing to terminal
Platforms map[string]string // list of platforms Platforms map[string]string // list of platforms
Privileged bool // use privileged mode Privileged bool // use privileged mode
UsernsMode string // user namespace to use
} }
type runnerImpl struct { type runnerImpl struct {

View file

@ -234,6 +234,7 @@ func (sc *StepContext) newStepContainer(ctx context.Context, image string, cmd [
Stdout: logWriter, Stdout: logWriter,
Stderr: logWriter, Stderr: logWriter,
Privileged: rc.Config.Privileged, Privileged: rc.Config.Privileged,
UsernsMode: rc.Config.UsernsMode,
}) })
return stepContainer return stepContainer
} }