Title
#arm-architecture
Paul Roberts

Paul Roberts

04/26/2021, 3:46 PM
@alessandrogario @seph, @David Gibb, and I had a discussion recently and due to security concerns with GitHub Actions we believe the current model will persist. Additionally, the lack of broader control (job start, job queue, etc) via GH APIs is another challenge today. However, based on the above change we can take another look at this.
a

alessandrogario

04/26/2021, 5:21 PM
What are the concerns exactly? I would have liked to store the credentials elsewhere
5:23 PM
and from the osquery org use a request to start an instance for us; this would ensure that at the very worst a bad PR would never be able to steal the credentials
5:27 PM
More specifically, I wanted to know what were the added difficulties compared to the built-in GitHub Actions runners
s

seph

04/26/2021, 5:28 PM
I don’t have this well written. So an ugly braindump: github hosted stuff has some additional steps around minting a token for the runner, running, and then destroying. But those hooks aren’t really exposed for the self hosted ones. You can mint tokens, yes. But you cannot ensure a runner only runs once.
5:29 PM
You can kinda, in that there are some wholly unsupported command line arguments that they left behind due to sloppy code. but thre’s some large github issues where they talk about how that can cause the servers to get confused and dispatch to dead runners
5:30 PM
The crux of it. is that there is no github supported way to have a runner be ephemeral, or run only once.
5:30 PM
There are ways to hack it. and ways to reduce the timing window where things might go badly, but it just doesn’t feel good. And it feels like we’re fighting github for it.
5:31 PM
I think it’s clear this isn’t something they’re going to support. They’ve had an internal PR languishing for a year.
a

alessandrogario

04/26/2021, 5:33 PM
what are exactly the security concerns we inherit from the self-hosted runners that are not present in built-in GitHub runners?
5:34 PM
(other than the AWS credentials, that we can move outside the org)
s

seph

04/26/2021, 5:34 PM
There is no way to ensure the hosts state is reset between test runs.
a

alessandrogario

04/26/2021, 5:36 PM
And what is the reason we can't use the codebuild alternative?
5:36 PM
I thought we were going to move to it but it seems like that is no longer the case
s

seph

04/26/2021, 5:37 PM
Oh, that’s the current plan — use the AWS codebuild for the arm builds.
5:38 PM
I don’t think GitHub’s changes really address our concerns
a

alessandrogario

04/26/2021, 5:38 PM
I may have read it wrong, I thought 'the current model will persist' meant we would have kept what we have now
s

seph

04/26/2021, 5:38 PM
Yeah, I’m not sure I agree.
a

alessandrogario

04/26/2021, 5:39 PM
the GitHub changes are not that useful IMHO, one could just make a legit PR first and then a rogue PR next
s

seph

04/26/2021, 5:39 PM
Exactly.
a

alessandrogario

04/26/2021, 5:39 PM
once their name has been allowlisted
s

seph

04/26/2021, 5:40 PM
They’re targetting simple drive by crypto mining. Where the vulnerability we see requires a careful attack.
a

alessandrogario

04/26/2021, 5:40 PM
I'm still in favor of moving to codebuild if it works better
s

seph

04/26/2021, 5:40 PM
I expect to move to codebuild, just no time.
5:41 PM
And the current stop gap is okay
5:46 PM
(last week was school vacation, so it was rough)
Paul Roberts

Paul Roberts

04/27/2021, 3:58 PM
If we want to move to CodeBuild...we can help put together some example code that you all can take a look at
3:59 PM
Candidly, really disappointed that the GitHub APIs aren't more flexible so we could do this with Self Hosted Runners 😞
m

Marcello Golfieri

04/28/2021, 10:46 PM