megalinter
megalinter copied to clipboard
oxsecurity
Error: Command failed: rm -rf "/home/runners/runner-1/_work/REPO/REPO/.mypy_cache"
Describe the bug
We use self-hosted github runners and it seems megalinter writes on filesystem as root, making future runs impossible. When a github runner tries to delete the old repo to clone a new one, it failes with the error message: Error: Command failed: rm -rf "/home/runners/runner-1/_work/REPO/REPO/.mypy_cache"
To Reproduce
- have self-hosted github runners
- trigger an action. It will pass, however some files will be written on the filesystem with
rootpermissions - Trigger the action again. This time it will fail because github runners cannot delete some directories.
Expected behavior Megalinter should either clean those files up, or it shouldn't be writing those files with root permissions.
Screenshots [ not provided due to the company policy ]
I unfortunately do not have access to my own GitHub runners :/
Please can you try to add in your .mega-linter.yml:
PYTHON_MYPY_ARGUMENTS:
- "--no-incremental"
It should prevent mypy cache to be created
We ran into the same issue and created ScribeMD/rootless-docker for this purpose. Simply run that action before running MegaLinter, and MegaLinter will not run as root at all.
We ran into the same issue and created ScribeMD/rootless-docker for this purpose. Simply run that action before running MegaLinter, and MegaLinter will not run as root at all.
Thanks for the suggestion. Unfortunately, the action you suggested is a resolute NO for us, because it seems to be stopping the docker daemon entirely, which is unacceptable to us as the build machine(s) have running containers for other purposes ://
Please can you try to add in your .mega-linter.yml:
Thank you, I'll let you know what happens tmrw! :smile:
Ah, yeah, ScribeMD/rootless-docker would need to be run before anything that uses Docker, so if you have long-lived processes that rely on the daemon, that would mean restarting them one time. Fingers crossed that disabling mypy caching resolves your issue.
I encountered something similar the other weekend, when I ran megalinter locally, but forgot so save a Python file when starting it. So I saved during the run, but after a first linter changed the contents. When wanting to save after that, it wasn't possible, it was owned by root then.
I saw that the megalinter-reports files (logs at least) were also own by root. I had to sudo rm -r to clear the reports folder.
For the 4 files that changed owner to root, that were code, I had to sudo chown myusername:myusername thefilename.py to be able to edit again.
Since it was Python, yes there is still mypy involved, but it don't see why it should be limited to mypy if the folder is mounted in the Docker container when editing the files (applying fixes)
I unfortunately do not have access to my own GitHub runners :/
@nvuillam It's quite easy to set up, if you have a machine, VM, or something to run the GitHub runner application. I managed to set up a self hosted windows Docker container (running Windows not Linux) for a WPF project. Running inside Docker is doable.
If it's for debugging this issue (files writing as root, not deleting the folder correctly), maybe a VM is a good idea to not delete the bad thing, and to not add some error sources with a Docker in Docker setup.
The environnement must be able to run the runner (https://github.com/actions/runner), and we register it to either the repo or organization
I'm sure it's easy... at work i setup gitlab runners because I need them, but unfortunately I don't have the time to setup all configurations of all MegaLinter users to reproduce bugs... that's why having such a great community to help is great :)
@echoix, yes, there are often multiple file ownership issues related to running Docker as root. For those who are unable to use rootless Docker and whose issues extend beyond mypy caching, maintaining a list of files to chown or remove is the top alternative I am aware of. I have seen others deal with this by elevating the runner to root, which is bad security practice.
@nvuillam It works! mypy cache was successfully disabled. :smile:
however the job failed with another error:
Command failed: rm -rf "/home/runners/runner/_work/mlops/mlops/megalinter-reports"
So I went in a bit of an adventure in solving this
I discovered REPORT_OUTPUT_FOLDER: none config, but that did not work too because instead of not creating any reports, it created folder literally named none (the docs may be wrong or a bug?)
setting REPORT_OUTPUT_FOLDER: null also did not work :( it failed with:
[MegaLinter init] ONE-SHOT RUN
Traceback (most recent call last):
File "/usr/local/lib/python3.10/runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/local/lib/python3.10/runpy.py", line 86, in _run_code
exec(code, run_globals)
File "/usr/local/lib/python3.10/site-packages/megalinter-0.1-py3.10.egg/megalinter/run.py", line 9, in <module>
linter = megalinter.Megalinter({"cli": True})
File "/usr/local/lib/python3.10/site-packages/megalinter-0.1-py3.10.egg/megalinter/MegaLinter.py", line 60, in __init__
self.initialize_output()
File "/usr/local/lib/python3.10/site-packages/megalinter-0.1-py3.10.egg/megalinter/MegaLinter.py", line 736, in initialize_output
os.makedirs(self.report_folder, exist_ok=True)
File "/usr/local/lib/python3.10/os.py", line [21](https://github.com/REPO/REPO/actions/runs/3051385047/jobs/4919555435#step:4:22)0, in makedirs
head, tail = path.split(name)
File "/usr/local/lib/python3.10/posixpath.py", line 103, in split
p = os.fspath(p)
TypeError: expected str, bytes or os.PathLike object, not NoneType
which was kinda expected
What finally worked was REPORT_OUTPUT_FOLDER: /tmp and now runs are repeatedly successful. :tada:
For completion, the portion of config relevant for this is:
# .mega-linter.yaml
PYTHON_MYPY_ARGUMENTS:
- "--no-incremental"
REPORT_OUTPUT_FOLDER: /tmp
REPORT_OUTPUT_FOLDER=none should indeed create nothing, this is a MegaLinter bug ^^
Glad you found a workaround :)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}