Azure-pipelines-agent: Allow root user for `config.sh`

Created on 29 Mar 2018  ·  24 Comments  ·  Source: microsoft/azure-pipelines-agent

Agent Version and Platform

Agent version 2.131.0
Linux Ubuntu 4.13.0-37-generic #42~16.04.1-Ubuntu

VSTS Type and Version

VSTS -> msazure.visualstudio.com

What's not working?

Right now, if you run config.sh with root permissions the script exits explicitly, failing because of this check:

if [ $user_id -eq 0 ]; then
    echo "Must not run with sudo"
    exit 1
fi

I believe support for running the script under normal user permissions was added because of #277. Why was running config.sh as sudo disallowed then?

This is an issue for me as I'm trying to write a DevTest artifact to install VSTS agents on Linux machines, and the artifacts by default get launched as root. The service even runs as root, so it's strange the setup scripts must be run under a user.

Most helpful comment

Landed here. The envvar is now RUNNER_ALLOW_RUNASROOT, as in the top of config.sh.

Just export RUNNER_ALLOW_RUNASROOT=1 and ./config.sh...... should work.

All 24 comments

@bryanmacfarlane, can you give some insight here?

I am also facing the same issue on Debian 9.4

@bryanmacfarlane I can't remember why we don't allow run the agent as root in Linux/Mac, do you remember the reason?

Pinging @bryanmacfarlane

It's a bit fuzzy, but I remember it had something to do with running as root at config time: it would lead to all the files being owned by 0, and then when configured as a service to run as an account (current logged on account) there were issues. So there was alignment - you configure as accountX, run as a service as accountX.

But perhaps now that the split has occurred in #277 it's no longer required.

@samedder - have you tried your scenario E2E with that check commented out? Do you run as a service or interactive?

@bryanmacfarlane

I tried it E2E but it seems to fail somewhere prior to launching the agent. I have to look more into the logs, seems like node was crashing somewhere. My artifact is designed to run as a service. I think the issue was that svc.sh wasn't getting generated correctly, the script then tried launching the agent as uid 100 and crashed.

Cool. We can take up looking at supporting it. In the meantime, if you can send _diag logs to @TingluoHuang , we can narrow down exactly where it's failing.

Your description of config as root and then running the svc as an account (100) sounds like the issue we hit.

I'll touch base with folks soon. Is there any option to run as an account?

I would like to avoid creating a user as part of the setup process. Considering that the build agent should run as root, I'd like to be able to run everything (config + agent) as root.

I have a project I need to finish first but I'll send logs shortly.

@TingluoHuang I looked through the logs and the only thing I could find is this warning:

[2018-04-03 02:37:09Z INFO RSAFileKeyManager] Loading RSA key parameters from file /usr/share/vsts-agent-install/.credentials_rsaparams
[2018-04-03 02:37:09Z INFO Terminal] WRITE LINE: Connecting to the server.
[2018-04-03 02:37:09Z INFO MessageListener] Attempt to create session.
[2018-04-03 02:37:09Z INFO MessageListener] Connecting to the Agent Server...
[2018-04-03 02:37:09Z INFO VisualStudioServices] Starting operation Location.GetConnectionData
[2018-04-03 02:37:10Z WARN VisualStudioServices] Authentication failed with status code 401.
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47, Basic realm="https://tfsprodwus22.app.visualstudio.com/", TFS-Federated

I'm trying to do PAT auth to the VSTS instance, but this seems like the auth is going elsewhere.

I tried to repro this and got more logs. If I try to install the agent using ./svc.sh install everything completes without error. If I get the status, it says agent launched:

/etc/systemd/system/vsts.agent.msazure.myagent.service
โ— vsts.agent.msazure.myagent.service - VSTS Agent (msazure.myagent)
Loaded: loaded (/etc/systemd/system/vsts.agent.msazure.myagent.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2018-04-17 18:51:39 PDT; 3min 19s ago

It also tries to launch, but appears to crash immediately:

Apr 17 18:54:55 parallels-vm runsvc.sh[6203]: Starting Agent listener
Apr 17 18:54:55 parallels-vm runsvc.sh[6203]: started listener process
Apr 17 18:54:55 parallels-vm runsvc.sh[6203]:
Apr 17 18:54:55 parallels-vm runsvc.sh[6203]: Apr 17 18:54:55 parallels-vm runsvc.sh[6203]: Agent listener exited with error code null
Apr 17 18:54:55 parallels-vm runsvc.sh[6203]: Agent listener exit with undefined return code, re-launch agent in 5 seconds.

The only time I can get the agent to stay alive is if I launch ./runsvc.sh directly in an interactive shell. Then the agent appears online and available in VSTS.

@samedder <Buffer 53 79 73 74 65 6d 2e 55 6e 61 75 74 68 6f 72 69 7a 65 64 41 63 63 65 73 ->System.UnauthorizedAcces
make sure root has all permission to the agent root directory

@TingluoHuang I see, you need to explicitly pass the username into the install script, it looks like the agent runs now, but I still see the same <Buffer logs in the status output. Is this expected?

vsts.agent.msazure.myagent.service - VSTS Agent (msazure.myagent)
Loaded: loaded (/etc/systemd/system/vsts.agent.msazure.myagent.service; enabl
Active: active (running) since Wed 2018-04-18 12:51:38 PDT; 1min 29s ago
Main PID: 853 (runsvc.sh)
CGroup: /system.slice/vsts.agent.msazure.myagent.service
├─853 /bin/bash /home/parallels/Downloads/vsts_agent_install/runsvc.s
├─858 ./externals/node/bin/node ./bin/AgentService.js
└─898 /home/parallels/Downloads/vsts_agent_install/bin/Agent.Listener

Apr 18 12:51:38 parallels-vm systemd[1]: Started VSTS Agent (msazure.myagent).
Apr 18 12:51:38 parallels-vm runsvc.sh[853]: .path=/usr/local/sbin:/usr/local/bi
Apr 18 12:51:38 parallels-vm runsvc.sh[853]: Starting Agent listener
Apr 18 12:51:38 parallels-vm runsvc.sh[853]: started listener process
Apr 18 12:51:38 parallels-vm runsvc.sh[853]: started running service
Apr 18 12:51:39 parallels-vm runsvc.sh[853]: Apr 18 12:51:40 parallels-vm runsvc.sh[853]: Apr 18 12:51:41 parallels-vm runsvc.sh[853]:

@samedder that's the normal STDOUT agent produced.

436f6e6e656374696e
323031382d30342d31

->

Scanning...
Connectin...
2018-04-1...

@bryanmacfarlane @TingluoHuang thanks for the help, it sounds like everything works then if we omit the requirement that config is run as non-root. Maybe we should replace that check with a warning: if config run as root, svc must be launched as root.

apparently the script still does that check

@phil123456 - yes it does. It also isn't true that everything works. If you config as sudo/root and then run it as a service on osx / ubuntu, then it fails to start because the files are owned by root and the service won't start as the user it's running as. For example on osx it's a user daemon service.

We aren't going to remove the check but I suggested we allow an override envvar ALLOW_RUNASROOT and if you set that we let you through. Then the folks that want to run as root and their specific scenario runs as root, can set that envvar.

I am going to close this issue as #1514 merged.

How do you explicitly pass the username to the install script?

Landed here. The envvar is now RUNNER_ALLOW_RUNASROOT, as in the top of config.sh.

Just export RUNNER_ALLOW_RUNASROOT=1 and ./config.sh...... should work.

I can confirm it is a NIGHTMARE trying to get an agent without root permissions to run anything. 80% of our support issues boil down to the agent not having access to this directory, that file, or say, no permission to restart a systemd service.

Unfortunately export RUNNER_ALLOW_RUNASROOT=1 has no effect in 2.169.1.

@cawoodm they have changed the script, it's AGENT_ALLOW_RUNASROOT=1 now

Ah, I have since used export AGENT_ALLOW_RUNASROOT="1" - is export AGENT_ALLOW_RUNASROOT=1 equivalent?

No. For me the variable export AGENT_ALLOW_RUNASROOT="1" only works when running ./run.sh; for ./svc.sh it is necessary to set export AGENT_ALLOW_RUNASROOT=1
