Issue: Unable to execute docker build within a Github Action workflow

[jaypipes]

Act version

act version 0.2.20

Note this is on Fedora 33 with Docker version 19.03.13.

Expected behaviour

I want to be able to execute docker build from a github action workflow without getting permissions failure.

Actual behaviour

Workflow and/or repository

workflow

name: build-docker

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2

    - run: docker build -f hack/Dockerfile.build -t my-build .

Steps to reproduce

act output

Log

[jaypipes@thelio sqltoast]$ act
[build-docker/build] 🚀  Start image=catthehacker/ubuntu:act-latest
[build-docker/build]   🐳  docker run image=catthehacker/ubuntu:act-latest entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[build-docker/build]   🐳  docker cp src=/home/jaypipes/src/github.com/jaypipes/sqltoast/. dst=/github/workspace
[build-docker/build] ⭐  Run actions/checkout@v2
[build-docker/build]   ✅  Success - actions/checkout@v2
[build-docker/build] ⭐  Run docker build -f hack/Dockerfile.build -t my-build .
| Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=hack%2FDockerfile.build&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&t=my-build&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied
[build-docker/build]   ❌  Failure - docker build -f hack/Dockerfile.build -t my-build .
Error: exit with `FAILURE`: 1

[catthehacker]

Could you provide output of ls -l /var/run/docker.sock?

[jaypipes]

Could you provide output of ls -l /var/run/docker.sock?

Hi @catthehacker, thanks for looking into this!

[jaypipes@thelio ~]$ ls -l /var/run/docker.sock 
srw-rw----. 1 root docker 0 Mar  8 05:18 /var/run/docker.sock

[jaypipes]

@catthehacker also, FWIW, running docker on Fedora, I almost always have to pass the :z flag at the end of any volume mounts, otherwise I get permissions errors from selinux content labels not being properly applied from host to container filesystem. See https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/ for more details. Adding :z or :Z to my mount specs always fixes the problem.

I looked in the act codebase briefly and think that adding the :z flag here:

act/pkg/runner/step_context.go

Line 214 in 8de7b95

fmt.Sprintf("%s:%s", "/var/run/docker.sock", "/var/run/docker.sock"),

and here:

act/pkg/runner/run_context.go

Line 86 in 8de7b95

fmt.Sprintf("%s:%s", "/var/run/docker.sock", "/var/run/docker.sock"),

might do the trick...

[catthehacker]

Seems like using :Z is not an option or we could break a lot of stuff and :z/:Z/:ro require to be volumes and not bind mounts otherwise those are ignored (https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label). I'll try to set up Fedora environment for myself and test it out how to deal with it.

Although from documentation and this comment it seems that the proper way is to modify host paths instead of using :z.

[jaypipes]

Seems like using :Z is not an option or we could break a lot of stuff and :z/:Z/:ro require to be volumes and not bind mounts otherwise those are ignored (https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label). I'll try to set up Fedora environment for myself and test it out how to deal with it.

Any particular reason the code uses bind mounts instead of (or, rather, in addition to) volumes?

Although from documentation and this comment it seems that the proper way is to modify host paths instead of using :z.

Sorry, I read that issue and particular comment a number of times and I'm still scratching my head as to what the solution actually would entail here. Mind elaborating?

Thanks again for your help @catthehacker!

[jaypipes]

Sorry, I read that issue and particular comment a number of times and I'm still scratching my head as to what the solution actually would entail here. Mind elaborating?

@catthehacker any updates on this?

[catthehacker]

@jaypipes Sorry, I never used Linux distro with selinux so can't help with that. As for the mounts/binds I have yet to try and figure it out since I didn't had much time lately.

[jaypipes]

@catthehacker OK, so I ended up just turning off SELinux entirely and that has solved this issue. Honestly, for development desktops, I have a feeling that SELinux is just more bother than anything useful. :) Closing issue out...

[LouKordos]

I'm on Arch Linux and the issue is still present for me... Is there any quick fix for this? I'm on the latest master commit.

[catthehacker]

Turn off SELinux

[LouKordos]

I'm running Arch Linux, and sestatus says command not found, so I'm 99% sure it's not installed, which makes sense since it's not Redhat.

[catthehacker]

Please create new issue then

[LouKordos]

Done