Is there a way to run an action step without networking?

[kinnison]

I would like to run a particular step of my workflow without access to networking (well without Internet access specifically).

This is a testing step and recently we had an issue where our tests were sometimes not being fully mocked and accidentally reached out to the Internet which is not ideal for reproducibility etc.

I would like to make it so that the testing step of our action is somehow blocked from accessing the Internet so that this kind of mistake is caught during PR review.

Does anyone have any recommendations of how to do that?

Thanks,

Daniel.

[airtower-luna]

My first thought: Run it in a container with networking disabled, e.g.:

docker run --network=none ...

[kinnison]

Is there a way to run in a ‘container’ which is just the host OS? I’d rather not complicate matters with another “platform” if I can avoid it.

[kinnison]

Also, will that kind of thing work on Windows and Mac runners too?

[airtower-luna]

kinnison:

Is there a way to run in a ‘container’ which is just the host OS? I’d rather not complicate matters with another “platform” if I can avoid it.

On Linux you could achieve that with unshare --net ..., to run a command in a network namespace of its own without starting a full container that’d also be separated in other ways (like file system).

I do something similar here, to run web server tests in separate network and IPC namespaces:

github.com

airtower-luna/mod_gnutls/blob/461fd384dbc08afc2fd1bd1b66cb357bfa074312/test/netns_py.bash#L21-L22

    exec "${UNSHARE}" --net --ipc -r /bin/bash -c \
	 "export MGS_NETNS_ACTIVE=1; ip link set up lo; exec ${UNSHARE} --user ${PYTHON} -u ${*}"

I don’t know if there’s anything similar for Windows or Mac.

[kinnison]

Ooh unshare is definitely an interesting option, I could look at doing that on Linux for sure. My hope was there’d be a networking: false or somesuch for the shell step, but I guess that’s not something others have asked for 😃

[chrispat]

A container is going to be the only option here as that would be isolated from the host. Disabling networking on the host during a step would cause the runner to lose connection to github.com and your job would fail.

[kinnison]

@chrispat Thanks for that input, it’s useful to prevent me trying down that route for sure. Is there any way that a container / generic solution could be worked out which the runner could enforce on the processes used in the step, without limiting the runner itself, across all the platforms? I figure this is getting into the realms of ‘not easy to make cross-platform’ but if anyone know what the runners are capable of, it’ll be someone like you :slight_smile: .

[chrispat]

I don’t think it is possible in a cross platform way. The only model I can think of where this could be possible in a straight forward way would be using a container. Maybe there is something you can do with HyperKit or virtual box on MacOS.

[kinnison]

Okay, thanks Chris. I’ll see what I can get up to with unshare in my Linux builds and trust that my other platform’s code won’t vary too much :slight_smile: