Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Non Portable binary, doesn't work with sudo or without LD_LIBRARY_PATH #871

Open
2 of 5 tasks
jaswanthikolla opened this issue May 19, 2024 · 12 comments
Open
2 of 5 tasks
Assignees
Labels
bug Something isn't working

Comments

@jaswanthikolla
Copy link

jaswanthikolla commented May 19, 2024

Description:
Python binary is compiled with rpath that's /opt/hostedtoolcache/Python. Now, latest github runners define RUNNER_TOOL_CACHE/AGENT_TOOLSDIRECTORY differently than /opt/hostedtoolcache and that installs python at /home/runner/_work/_tool/Python/. So, with this, there are 2 issues.

  1. sudo python --version doesn't work ( See Error section) because most systems's doesn't allow passing LD_LIBRARY_PATH due to security issues.
  2. python --version doesn't work without setting environment variable LD_LIBRARY_PATH

output of ldd :

runner@arss-runner-xxxx-runner-5jvhz:~/_work/_tool/Python/3.12.3/x64/bin$ ldd python3
	linux-vdso.so.1 (0x00007ffceb776000)
	libpython3.12.so.1.0 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7ccc75c000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f7ccc991000)

Error:

python: error while loading shared libraries: libpython3.9.so.1.0: 
cannot open shared object file: No such file or directory

What could be the reason:

rpath is hardcoded to /opt/hostedtoolcache/Python. if we use $ORIGIN, binaries will be portable. Fix is raised here actions/python-versions#275

Action version:
v5.1.0

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:
All versions of Python 3.9.x, 3.10.x, etc.

Repro steps:
You can easily reproduce using following steps. And also, you can unset LD_LIBRARY_PATH and just use without sudo

    steps:
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: |
          sudo python --version

Expected behavior:
There are times we need to use sudo python and Most system ( also not acceptable to pass) doesn't pass LD_LIBRARY_PATH as environment variable due to security issues.

Actual behavior:
sudo python --version to work.

@aparnajyothi-y
Copy link
Contributor

Hello @jaswanthikolla, Thank you for creating this issue and we will get back to you once we have some feedback on this :)

@jaswanthikolla
Copy link
Author

jaswanthikolla commented May 20, 2024

@aparnajyothi-y I raised the issue just for documentation. PR is already raised to fix this issue, Can you review that.

@navarro967
Copy link

@jaswanthikolla thank you for your efforts thus far, it's a shame there hasn't been more movement on this.

@aparnajyothi-y This is affecting certain ansible modules as well now. I am unable to run my checks now due to this.

@priya-kinthali priya-kinthali self-assigned this Jul 10, 2024
@jaswanthikolla
Copy link
Author

jaswanthikolla commented Jul 19, 2024

@priya-kinthali Any update on the PR as it's been 2 months? I see reduced activity with so many open PRs, also see that It's outsourced to some other company. Is this repo still maintained, if not better to handover to other companies which can manage it.

@priya-kinthali
Copy link
Contributor

priya-kinthali commented Jul 19, 2024

Hello @jaswanthikolla 👋,
Thank you for providing a detailed description of your issue, and we apologize for the delayed response.
For GitHub runners, the default path is /opt/hostedtoolcache, whereas for self-hosted runners, the runner downloads and installs tools into the folder set up by the RUNNER_TOOL_CACHE environment variable. On Linux self-hosted runners, you can change this location by setting the AGENT_TOOLSDIRECTORY environment variable. This allows you to specify any custom directory to install Python on your self-hosted runner using this variable. For more details, refer to the advanced usage documentation.

Here is a potential workaround that you might consider.

- name: Create Python temp_script.sh  and check python version
  run: |
    PYTHON_PATH=$(which python3)
    PYTHON_DIR=$(dirname $PYTHON_PATH)
    echo "export LD_LIBRARY_PATH=$PYTHON_DIR/../lib" >> temp_script.sh
    echo "export PATH=$PYTHON_DIR:\$PATH" >> temp_script.sh
    echo "python --version" >> temp_script.sh
    chmod +x temp_script.sh
    sudo ./temp_script.sh       

Thank you again for the PR. We have already started reviewing it, and testing is underway to check its impact on the overall build environment for both GitHub and self-hosted runners. We will provide feedback once we have tested all possible scenarios.

@maxim-lobanov
Copy link
Contributor

Hi @jaswanthikolla ,
side question re

Now, latest github runners define RUNNER_TOOL_CACHE/AGENT_TOOLSDIRECTORY differently than /opt/hostedtoolcache and that installs python at /home/runner/_work/_tool/Python/

On which runners do you see such behaviour? I would expect all github hosted runners to have tool cache under /opt/hostedtoolcache

@priya-kinthali
Copy link
Contributor

Hello @jaswanthi,
Just a gentle ping to follow up on the previous conversations. Have you had a chance to try the suggested workaround?

On which runners do you see such behaviour? I would expect all github hosted runners to have tool cache under /opt/hostedtoolcache

Additionally could you please confirm?
Thankyou!

@jaswanthikolla
Copy link
Author

@maxim-lobanov For ARSS runners, the default path is /home/runner/_work/_tool/Python/ .

Yes, that workaround will work, but we pursued another workaround internally. Following up if there are any updates on the PR as It's been 3 months. I can't maintain context on it forever to address review comments and so I guess it's time to abandon/close the PR.

@klalumiere
Copy link

I'm not exactly sure why there is a lengthy discussion around this issue. Using ORIGIN is typical in the *nix world, and using hardcoded path (except maybe the standard one like /usr/local/lib) is usually seen as an anti-pattern. In the current case, using a hardcoded path prevents actions/setup-python from being used easily on self-hosted GitHub runners (our case).

Of course there are workarounds, but they decrease the quality of user experience and they increase the maintenance burden of users for their actions and workflows. So let's reverse the question: what are the downsides of starting to use ORIGIN as already implemented in the pull request when compared to the status quo? 🤔

If there is no significant downsides, why not just benefit from the community's work and merge the pull request ASAP? 😎 :shipit:

@navarro967
Copy link

@klalumiere I've resorted to forking both repositories and using that for now. It's been months without a resolution despite @jaswanthikolla's efforts. Her PR works and should be merged.

@WTPOptAxe
Copy link

Here is a potential workaround that you might consider.

- name: Create Python temp_script.sh  and check python version
  run: |
    PYTHON_PATH=$(which python3)
    PYTHON_DIR=$(dirname $PYTHON_PATH)
    echo "export LD_LIBRARY_PATH=$PYTHON_DIR/../lib" >> temp_script.sh
    echo "export PATH=$PYTHON_DIR:\$PATH" >> temp_script.sh
    echo "python --version" >> temp_script.sh
    chmod +x temp_script.sh
    sudo ./temp_script.sh       

Thank you again for the PR. We have already started reviewing it, and testing is underway to check its impact on the overall build environment for both GitHub and self-hosted runners. We will provide feedback once we have tested all possible scenarios.

This workaround does not work on self-hosted runners with pantsbuild.

@leofang
Copy link

leofang commented Dec 5, 2024

We're also affected by this (with our self-hosted runners), did not realize by the end of 2024 there are still real-world Python compiled without relocatability 😢 This is very frustrating for people trying to rely more on GHA and less on custom Python distros (ex: conda)...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

8 participants