Commit a2e24b0

entrypoint: skip chown -R on /actions-runner/{bin,externals}

The Dockerfile (and the actions-runner tarball it extracts) ships /actions-runner/ fully runner-owned, including ~50 MB of bin/ and ~330 MB of externals/ that contain node / .NET runtime libs used by actions like setup-node and setup-python. Verify on a pristine image:

    docker run --rm --entrypoint sh myoung34/github-runner:ubuntu-noble \
      -c 'find /actions-runner -not -user runner'
    # => prints nothing

Yet `chown -R runner "${_RUNNER_WORKDIR}" /actions-runner` in entrypoint.sh walks 9100+ files on every start. On overlayfs each chown triggers copy-up regardless of whether ownership actually changes, so the walk costs real disk I/O to flip exactly nothing. Under parallel starts (e.g. 12 containers on one host) the resulting storage-driver contention dominates time-to-healthy.

The files that do need flipping are the ones config.sh writes as root earlier in this same entrypoint (.runner, .credentials, .credentials_rsaparams, .env, .path, svc.sh, and eventually _diag/). Enumerating them is fragile if config.sh ever adds an output, so instead blacklist the two known-heavy dirs and chown everything else under /actions-runner at depth 1:

- chown runner /actions-runner "${_RUNNER_WORKDIR}" (non-recursive)
- find /actions-runner -mindepth 1 -maxdepth 1 \
    ! -name bin ! -name externals -exec chown -R runner {} +

This catches every top-level config-written file/dir (plus anything new that may appear), skips the two bulk runtime dirs, and leaves -R on the small subtrees that may legitimately need it (e.g. _diag/).

Unchanged:
- _CONFIGURED_ACTIONS_RUNNER_FILES_DIR chown on the preceding line
- toolcache flat-chown on the following line
- the RUN_AS_ROOT=true and non-root branches

Observed impact on a host running 12 parallel runners (ZFS-backed LXC on Proxmox): time-to-all-healthy dropped from ~5 minutes to ~25 seconds; per-container `docker compose up -d` returns in ~1 s instead of racing 11 peers for overlay copy-up I/O.
1 parent e323dd3 commit a2e24b0

1 file changed

Lines changed: 8 additions & 1 deletion

entrypoint.sh

@@ -290,7 +290,14 @@ if [[ ${_RUN_AS_ROOT} == "true" ]]; then
290290
else
291291
if [[ $(id -u) -eq 0 ]]; then
292292
[[ -n "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
293-
chown -R runner "${_RUNNER_WORKDIR}" /actions-runner
293+
# /actions-runner/{bin,externals} ship runner-owned from the image
294+
# (~380 MB / 9k+ files). Recursing over them triggers overlay copy-up
295+
# per file even when ownership already matches, which dominates startup
296+
# under parallel runners. Only config.sh (run as root earlier) may have
297+
# written new root-owned files at the top level — chown those plus
298+
# /actions-runner itself and ${_RUNNER_WORKDIR}, but not the big dirs.
299+
chown runner /actions-runner "${_RUNNER_WORKDIR}"
300+
find /actions-runner -mindepth 1 -maxdepth 1 ! -name bin ! -name externals -exec chown -R runner {} + 2>/dev/null || true
294301
# The toolcache is not recursively chowned to avoid recursing over prepulated tooling in derived docker images
295302
chown runner /opt/hostedtoolcache/
296303
if [[ ${_DEBUG_ONLY} == "true" ]] || [[ ${_DEBUG_OUTPUT} == "true" ]] ; then
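
Review bot: the added `chown runner /actions-runner "${_RUNNER_WORKDIR}"` (new line 299) is non-recursive, whereas the removed line ran `chown -R` over `${_RUNNER_WORKDIR}` as well, so root-owned content already inside the work directory is no longer handed to `runner`, and the new comment only justifies skipping `bin` and `externals`. If the work directory can be a reused volume or sit outside /actions-runner, keep the recursion for it, for example `chown -R runner "${_RUNNER_WORKDIR}"` on its own line, or state in the comment why a flat chown is sufficient there. Separately, `2>/dev/null || true` on the `find` line (new line 300) hides every chown failure, which the removed line did not; a failed ownership change on the files config.sh wrote as root would then pass silently and surface later as an unrelated permission error, so consider dropping the redirect or logging a warning when `find` returns non-zero. The skip also relies on `bin` and `externals` being runner-owned in the image, which holds for the pristine image but is not checked at runtime.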
