From c0347b0e9bc43f561aec45b6019cacbd126c9301 Mon Sep 17 00:00:00 2001 From: Gabriel Adrian Samfira Date: Tue, 27 Jun 2023 07:15:31 +0000 Subject: [PATCH] Use su to install the runner This change executes the runner install script provided via userdata using su. The script itself has also been changed to assume it's running as the runner user. Signed-off-by: Gabriel Adrian Samfira --- cloudconfig/templates.go | 14 +++++++------- util/util.go | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cloudconfig/templates.go b/cloudconfig/templates.go index 7fea8c97..e02c9c77 100644 --- a/cloudconfig/templates.go +++ b/cloudconfig/templates.go @@ -94,10 +94,10 @@ function downloadAndExtractRunner() { TEMP_TOKEN="Authorization: Bearer {{ .TempDownloadToken }}" fi curl --retry 5 --retry-delay 5 --retry-connrefused --fail -L -H "${TEMP_TOKEN}" -o "/home/{{ .RunnerUsername }}/{{ .FileName }}" "{{ .DownloadURL }}" || fail "failed to download tools" - mkdir -p /home/runner/actions-runner || fail "failed to create actions-runner folder" + mkdir -p /home/{{ .RunnerUsername }}/actions-runner || fail "failed to create actions-runner folder" sendStatus "extracting runner" tar xf "/home/{{ .RunnerUsername }}/{{ .FileName }}" -C /home/{{ .RunnerUsername }}/actions-runner/ || fail "failed to extract runner" - chown {{ .RunnerUsername }}:{{ .RunnerGroup }} -R /home/{{ .RunnerUsername }}/actions-runner/ || fail "failed to change owner" + # chown {{ .RunnerUsername }}:{{ .RunnerGroup }} -R /home/{{ .RunnerUsername }}/actions-runner/ || fail "failed to change owner" } TEMP_TOKEN="" 
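Review bot: The recursive `chown` at the end of `downloadAndExtractRunner` (hunk `@@ -94,10`) is left in the template as a commented-out line instead of being deleted, so dead code ships in a script that is rendered onto every instance. If it is no longer needed because the script now runs as the runner user, delete it. If a reminder is wanted, replace it with a sentence that gives the reason, for example `# No chown needed: this script runs as {{ .RunnerUsername }}, so the extracted files already belong to that user.` The function body starts before this hunk, so anything earlier in it that still assumes root is not visible here.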
@@ -119,8 +119,8 @@ if [ -z "$CACHED_RUNNER" ];then else sendStatus "using cached runner found in $CACHED_RUNNER" sudo cp -a "$CACHED_RUNNER" "/home/{{ .RunnerUsername }}/actions-runner" + sudo chown {{ .RunnerUsername }}:{{ .RunnerGroup }} -R "/home/{{ .RunnerUsername }}/actions-runner" || fail "failed to change owner" cd /home/{{ .RunnerUsername }}/actions-runner - chown {{ .RunnerUsername }}:{{ .RunnerGroup }} -R "/home/{{ .RunnerUsername }}/actions-runner" || fail "failed to change owner" fi @@ -129,7 +129,7 @@ set +e attempt=1 while true; do ERROUT=$(mktemp) - sudo -u {{ .RunnerUsername }} -- ./config.sh --unattended --url "{{ .RepoURL }}" --token "$GITHUB_TOKEN" $RUNNER_GROUP_OPT --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --ephemeral 2>$ERROUT + ./config.sh --unattended --url "{{ .RepoURL }}" --token "$GITHUB_TOKEN" $RUNNER_GROUP_OPT --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --ephemeral 2>$ERROUT if [ $? -eq 0 ]; then rm $ERROUT || true sendStatus "runner successfully configured after $attempt attempt(s)" @@ -140,7 +140,7 @@ while true; do # if the runner is already configured, remove it and try again. In the past configuring a runner # managed to register it but timed out later, resulting in an error. - sudo -u {{ .RunnerUsername }} -- ./config.sh remove --token "$GITHUB_TOKEN" || true + ./config.sh remove --token "$GITHUB_TOKEN" || true if [ $attempt -gt 5 ];then rm $ERROUT || true @@ -155,7 +155,7 @@ done set -e sendStatus "installing runner service" -./svc.sh install {{ .RunnerUsername }} || fail "failed to install service" +sudo ./svc.sh install {{ .RunnerUsername }} || fail "failed to install service" if [ -e "/sys/fs/selinux" ];then sudo chcon -h user_u:object_r:bin_t /home/runner/ || fail "failed to change selinux context" 
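Review bot: The added `sudo chown ... -R "/home/{{ .RunnerUsername }}/actions-runner"` in hunk `@@ -119,8`, like the `sudo ./svc.sh install` and `sudo ./svc.sh start` lines in hunks `@@ -155,7` and `@@ -163,7`, only works if the runner account has non-interactive sudo, and nothing in the visible hunks establishes or documents that. Workflow jobs presumably run under the same account, so it is worth stating at the top of the template that passwordless sudo is a prerequisite. It is also worth confirming whether that grant is meant to outlive the install or could be limited to the commands used here. Separately, the `sudo cp -a "$CACHED_RUNNER" ...` line just above has no `|| fail`, so a failed copy is not reported through the same path as the chown failure.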
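Review bot: Both `./config.sh` calls (the configure call in hunk `@@ -129,7` and the `remove` call in hunk `@@ -140,7`) still pass `--token "$GITHUB_TOKEN"` as a command-line argument, so the token can be read from the process list for as long as each call runs. This predates the change, but the calls are now made directly from the runner user's shell, so it deserves a comment. A suitable one above the loop would be `# GITHUB_TOKEN is a short-lived registration token; it is visible in argv while config.sh runs.`, provided that is what the token actually is. The redirect target in `2>$ERROUT` is also unquoted, and `2>"$ERROUT"` would match the quoting used elsewhere in the script.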
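Review bot: The SELinux branch at the end of hunk `@@ -155,7` still relabels a hard-coded `/home/runner/`, although this commit replaces the same hard-coded path with the template variable in the `mkdir` line of the first hunk. With any runner username other than `runner`, the `chcon` would fail or label the wrong directory, and the service installed just above may then be blocked by policy. The line should read `sudo chcon -h user_u:object_r:bin_t /home/{{ .RunnerUsername }}/ || fail "failed to change selinux context"`. The `if` block continues past the end of this hunk, so any further `chcon` lines in it need the same check.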
@@ -163,7 +163,7 @@ if [ -e "/sys/fs/selinux" ];then fi sendStatus "starting service" -./svc.sh start || fail "failed to start service" +sudo ./svc.sh start || fail "failed to start service" set +e AGENT_ID=$(grep "agentId" /home/{{ .RunnerUsername }}/actions-runner/.runner | tr -d -c 0-9) diff --git a/util/util.go b/util/util.go index f1e040c7..bf8f29ac 100644 --- a/util/util.go +++ b/util/util.go @@ -277,7 +277,7 @@ func GetCloudConfig(bootstrapParams params.BootstrapInstance, tools github.Runne cloudCfg.AddSSHKey(bootstrapParams.SSHKeys...) cloudCfg.AddFile(installScript, "/install_runner.sh", "root:root", "755") - cloudCfg.AddRunCmd("/install_runner.sh") + cloudCfg.AddRunCmd(fmt.Sprintf("su -l -c /install_runner.sh %s", appdefaults.DefaultUser)) cloudCfg.AddRunCmd("rm -f /install_runner.sh") if bootstrapParams.CACertBundle != nil && len(bootstrapParams.CACertBundle) > 0 { if err := cloudCfg.AddCACert(bootstrapParams.CACertBundle); err != nil {
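Review bot: In the `util/util.go` hunk, the `su` target is taken from `appdefaults.DefaultUser`, while the script it launches is rendered with `{{ .RunnerUsername }}`, and nothing visible here ties the two values together. If they ever differ, the script runs as one account while creating and configuring files under another account's home, and the `sudo` calls inside it run with the wrong user's privileges. Build the command from the same value that is passed to the template, or add a comment such as `// must match the RunnerUsername rendered into installScript`. The script is also still written as `root:root` with mode `755`, and the template embeds `{{ .TempDownloadToken }}`, so it is world-readable until the following `rm -f` runs. `GetCloudConfig` starts and ends outside this hunk.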