
check for your own process pid instead #2720

Open · peterromfeldhk wants to merge 1 commit into main from peter-fix-proc-permissions

Conversation

@peterromfeldhk commented Jul 27, 2023

Fixes an issue where you get

Error: Could not find a part of the path '/proc/1/cgroup'.

when trying to use the service with a less privileged runner.

@peterromfeldhk peterromfeldhk requested a review from a team as a code owner July 27, 2023 14:24
@peterromfeldhk (Author)

fixes #2007

@peterromfeldhk peterromfeldhk force-pushed the peter-fix-proc-permissions branch 2 times, most recently from 0ecd517 to dd267c0 Compare July 28, 2023 09:19
@peterromfeldhk peterromfeldhk marked this pull request as draft July 29, 2023 03:22
@peterromfeldhk peterromfeldhk marked this pull request as ready for review August 3, 2023 07:23
@peterromfeldhk peterromfeldhk force-pushed the peter-fix-proc-permissions branch from ec0e965 to 9e01682 Compare January 19, 2024 01:35
@peterromfeldhk peterromfeldhk force-pushed the peter-fix-proc-permissions branch from 9e01682 to 040303c Compare January 19, 2024 01:43
@readefries

Hey @ilyakooo0, is there something preventing this PR from getting merged?

@ilyakooo0

I don't have write access

@readefries

Ah, you were mentioned as reviewer :)
I'll look around then. Thanks!

@buurro commented Mar 21, 2024

Would be great to have this merged!

@paksk-pcs

Is there any workaround for this issue?

@peterromfeldhk (Author)

@paksk-pcs here is how I use it on NixOS:

{ config, pkgs, lib, ... }:
let
  github-runner = pkgs.github-runner.overrideAttrs(old: rec {
    version = "2.307.4";
    src = pkgs.fetchFromGitHub {
      owner = "peterromfeldhk";
      repo = "actions-runner";
      rev = "v${version}";
      hash = "sha256-g+0lF628s9uGNwDR8kpxxNBEBBnPMmu+S5Ue7+MDsSk=";
      leaveDotGit = true;
      postFetch = ''
        git -C $out rev-parse --short HEAD > $out/.git-revision
        rm -rf $out/.git
      '';
    };
  });

in {
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  virtualisation.docker.enable = true;

  # nixpkgs marks Node.js 16 as insecure (end of life); this opt-in is what lets this runner version build
  nixpkgs.config.permittedInsecurePackages = [ "nodejs-16.20.1" ];

  users.groups.github-runner = {};
  users.users.github-runner = {
    isSystemUser = true;
    shell = pkgs.bash;
    group = config.users.groups.github-runner.name;
    # wheel grants sudo on NixOS by default, and docker-group membership is root-equivalent via the Docker socket
    extraGroups = [ "wheel" "docker" ];
  };

  sops.secrets.peter-github-runner-token = {
    owner = config.users.users.github-runner.name;
    group = config.users.users.github-runner.group;
  };

  services.github-runners = let
    runner-defaults = {
      enable = true;
      name = "nix";
      replace = true;
      extraLabels = [ "nixos" ];
      user = config.users.users.github-runner.name;

      package = github-runner;

      extraPackages = [
        pkgs.docker
      ];

      extraEnvironment = {
        NIX_PATH = "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos";
      };

      # serviceOverrides = {};
    };
  in {
    peter-romfeld-bcw = runner-defaults // {
      tokenFile = config.sops.secrets.peter-github-runner-token.path;
      url = "https://github.com/peterromfeldhk/pyshortly";
    };
  };

  services.cron = {
    enable = true;
    systemCronJobs = [
      "@hourly root ${pkgs.docker-gc}/bin/docker-gc"
    ];
  };
}

@philipbalinov

@TingluoHuang this fixes an issue on systems where the /proc filesystem is mounted with the hidepid option: the runner won't see /proc/1 unless it is running under the root user. It would be nice to get this PR in.
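
An added example, written for this thread and not part of the runner or of any comment above: the container check that the PR touches, transcribed to Python (the runner itself is C#) so that it runs stand-alone over constructed cgroup file contents. The sample cgroup lines, the container id, the helper names and the broader cgroup v2 pattern are assumptions made here, not upstream behaviour. It reproduces the hidepid failure by pointing the old /proc/1 read at a path that does not exist, shows that the process's own cgroup file still answers, and shows why the upstream ":/docker/" substring test misses the systemd cgroup v2 layout.

```python
"""Added example for this thread (not the runner's C# code): the container
check that the patch touches, run over constructed cgroup file contents."""
import os
import re
import tempfile

# Constructed 64-hex container id (not a real container).
CONTAINER_ID = "3d4a1c0f" * 8

# Constructed sample contents of /proc/<pid>/cgroup, not captured from a host.
# cgroup v1: one line per controller; Docker places the container under /docker/<id>.
CGROUP_V1_DOCKER = (
    f"12:pids:/docker/{CONTAINER_ID}\n"
    f"11:memory:/docker/{CONTAINER_ID}\n"
)
# cgroup v2 with the systemd cgroup driver: a single line, container in a .scope unit.
CGROUP_V2_DOCKER_SYSTEMD = f"0::/system.slice/docker-{CONTAINER_ID}.scope\n"
# cgroup v2 on a plain host: a user session, no container.
CGROUP_HOST = "0::/user.slice/user-1000.slice/session-3.scope\n"

# The runner's own test is the substring ":/docker/", which fits the v1 layout
# and the v2 cgroupfs layout ("0::/docker/<id>") but not the systemd .scope
# layout above.  The broader pattern is an assumption made here, not upstream code.
UPSTREAM_NEEDLE = ":/docker/"
_DOCKER_CGROUP = re.compile(r":/docker/|/docker-[0-9a-f]{12,64}\.scope$")


def cgroup_lines_say_docker(lines, pattern=_DOCKER_CGROUP):
    """True if any cgroup line places the process inside a Docker container."""
    return any(pattern.search(line.rstrip("\n")) for line in lines)


def upstream_check(lines):
    """The substring test exactly as the visible C# line does it."""
    return any(UPSTREAM_NEEDLE in line for line in lines)


def running_inside_docker(cgroup_path):
    """Read one cgroup file; FileNotFoundError / PermissionError propagate."""
    with open(cgroup_path, encoding="utf-8") as fh:
        return cgroup_lines_say_docker(fh)


def container_check(init_cgroup="/proc/1/cgroup", self_cgroup="/proc/self/cgroup"):
    """Old behaviour first (/proc/1), then the fix (/proc/self).

    Returns (in_docker, source): source is "init" if /proc/1 answered and
    "self" if the process's own cgroup file had to be used.  Under hidepid the
    /proc/1 read fails with ENOENT for non-root, which is why the error quoted
    in the PR says "Could not find a part of the path".
    """
    try:
        return running_inside_docker(init_cgroup), "init"
    except (FileNotFoundError, PermissionError):
        return running_inside_docker(self_cgroup), "self"


def demo():
    """Run the checks over the constructed samples; returns a dict of results."""
    with tempfile.TemporaryDirectory() as tmp:
        own = os.path.join(tmp, "self_cgroup")
        with open(own, "w", encoding="utf-8") as fh:
            fh.write(CGROUP_V2_DOCKER_SYSTEMD)
        hidden_init = os.path.join(tmp, "1", "cgroup")  # never created: like hidepid
        hidepid_result = container_check(hidden_init, own)
    return {
        "v1_docker": cgroup_lines_say_docker(CGROUP_V1_DOCKER.splitlines()),
        "v2_docker_systemd": cgroup_lines_say_docker(CGROUP_V2_DOCKER_SYSTEMD.splitlines()),
        "v2_docker_systemd_upstream": upstream_check(CGROUP_V2_DOCKER_SYSTEMD.splitlines()),
        "host": cgroup_lines_say_docker(CGROUP_HOST.splitlines()),
        "hidepid_fallback": hidepid_result,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints one line per result; the "hidepid_fallback" entry is (True, "self"), i.e. the hidden /proc/1 read fails and the process's own cgroup file correctly reports the container, while "v2_docker_systemd_upstream" is False because the upstream substring never sees ":/docker/" in the systemd .scope form.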

@artslob commented Dec 15, 2024

@peterromfeldhk here is my workaround for nix with flakes. This way you don't need to fork the runner repo. It uses an overlay to patch the package from nixpkgs and uses it in configuration.nix.

diff --git a/configuration.nix b/configuration.nix
index a46a3a6..73d9958 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -188,6 +188,7 @@
       name = "test-github-runner";
       # user = "github-runner";
       # replace = true;
+      package = pkgs.patched-github-runner;
       tokenFile = config.age.secrets."test-github-runner-token".path;
       url = "https://github.com/artslob/test-github-runner";
       extraPackages = with pkgs; [ curl wget rustup gcc docker_27 ];
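Review bot: `package = pkgs.patched-github-runner;` only evaluates when the overlay that defines `patched-github-runner` is also in the module list; a reader who copies this configuration.nix on its own gets an undefined-attribute error. Add a comment on that line pointing at the overlay in flake.nix, or move the overlay into this file next to its consumer.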
diff --git a/flake.nix b/flake.nix
index c399a46..f1dc993 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,17 @@
     nixosConfigurations.vps = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [
+        {
+          nixpkgs.overlays = [
+            (final: prev: {
+              patched-github-runner = prev.github-runner.overrideAttrs
+                (oldAttrs: {
+                  patches = oldAttrs.patches or [ ]
+                    ++ [ ./github-runner.patch ];
+                });
+            })
+          ];
+        }
         # Import the previous configuration.nix we used,
         # so the old configuration file still takes effect
         ./configuration.nix
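Review bot: `./github-runner.patch` is resolved relative to flake.nix, and a git-backed flake only sees files that git tracks (or at least has staged), so an untracked patch file makes evaluation fail with a "path does not exist" error; commit the patch together with this flake.nix change. `oldAttrs.patches or [ ]` correctly keeps any patches nixpkgs already applies to github-runner.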
diff --git a/github-runner.patch b/github-runner.patch
new file mode 100644
index 0000000..b278d77
--- /dev/null
+++ b/github-runner.patch
@@ -0,0 +1,11 @@
+--- a/src/Runner.Worker/ContainerOperationProvider.cs
++++ b/src/Runner.Worker/ContainerOperationProvider.cs
+@@ -527,7 +527,7 @@ private async Task AssertCompatibleOS(IExecutionContext executionContext)
+             }
+ #pragma warning restore CA1416
+ #else
+-            var initProcessCgroup = File.ReadLines("/proc/1/cgroup");
++            var initProcessCgroup = File.ReadLines("/proc/self/cgroup");
+             if (initProcessCgroup.Any(x => x.IndexOf(":/docker/", StringComparison.OrdinalIgnoreCase) >= 0))
+             {
+                 throw new NotSupportedException("Container feature is not supported when runner is already running inside container.");
\ No newline at end of file
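Review bot: the variable keeps the name `initProcessCgroup` while the changed line now reads `/proc/self/cgroup`, the runner's own cgroup; rename it (e.g. `selfCgroup`) so the next reader does not assume PID 1 is being inspected. Two caveats worth a comment next to the check: the following `":/docker/"` substring test matches the cgroup v1 layout and the v2 cgroupfs layout (`0::/docker/<id>`) but not the v2 systemd layout (`0::/system.slice/docker-<id>.scope`), so on such hosts the check passes even inside a container (pre-existing, out of scope for this one-line change); and the hunk is pinned to line 527 of one runner version, so a nixpkgs bump of github-runner may fail to apply it and the build will fail rather than silently skip the patch. This is the same one-line change as this PR (#2720).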

7 participants