From 1b69c279f5d9e1d9531fbc16a39208dc277f75bf Mon Sep 17 00:00:00 2001 From: Thomas Boop <52323235+thboop@users.noreply.github.com> Date: Mon, 13 Sep 2021 03:53:20 -0400 Subject: [PATCH] Networking TSG (#1325) * Update Network Troubleshooting doc * fix list * Update network.md --- docs/checks/network.md | 43 +++++++++++++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 7 deletions(-) diff --git a/docs/checks/network.md b/docs/checks/network.md index 1cf74b378..14b4d37da 100644 --- a/docs/checks/network.md +++ b/docs/checks/network.md 
@@ -2,17 +2,19 @@ ### Common things that can cause the runner to not working properly -- Bug in the runner or the dotnet framework that causes actions runner can't make Http request in a certain network environment. +- A bug in the runner or the dotnet framework that causes the actions runner to be unable to make Http requests in a certain network environment. -- Proxy/Firewall block certain HTTP method, like it block all POST and PUT calls which the runner will use to upload logs. +- A Proxy or Firewall may block certain HTTP method, such as blocking all POST and PUT calls which the runner will use to upload logs. -- Proxy/Firewall only allows requests with certain user-agent to pass through and the actions runner user-agent is not in the allow list. +- A Proxy or Firewall may only allows requests with certain user-agent to pass through and the actions runner user-agent is not in the allow list. -- Proxy try to decrypt and exam HTTPS traffic for security purpose but cause the actions-runner to fail to finish SSL handshake due to the lack of trusting proxy's CA. +- A Proxy try to decrypt and exam HTTPS traffic for security purpose but cause the actions-runner to fail to finish SSL handshake due to the lack of trusting proxy's CA. -- Proxy try to modify the HTTPS request (like add or change some http headers) and causes the request become incompatible with the Actions Service (ASP.NetCore), Ex: [Nginx](https://github.com/dotnet/aspnetcore/issues/17081) +- The SSL handshake may fail if the client and server do not support the same TLS version, or the same cipher suites. -- Firewall rules that block action runner from accessing certain hosts, ex: `*.github.com`, `*.actions.githubusercontent.com`, etc. 
+- A Proxy may try to modify the HTTPS request (like add or change some http headers) and causes the request become incompatible with the Actions Service (ASP.NetCore), Ex: [Nginx](https://github.com/dotnet/aspnetcore/issues/17081) + +- Firewall rules that block action runner from accessing certain hosts, ex: `*.github.com`, `*.actions.githubusercontent.com`, etc ### Identify and solve these problems 
@@ -29,4 +31,31 @@ Use a 3rd party tool to make the same requests as the runner did would be a good If the 3rd party tool is also experiencing the same error as the runner does, then you might want to contact your network administrator for help. -Otherwise, contact GitHub customer support or log an issue at https://github.com/actions/runner \ No newline at end of file +Otherwise, contact GitHub customer support or log an issue at https://github.com/actions/runner + +### Troubleshooting: Why can't I configure a runner? + +If you are having trouble connecting, try these steps: + +1. Validate you can reach our endpoints from your web browser. If not, double check your local network connection + - For hosted Github: + - https://api.github.com/ + - https://vstoken.actions.githubusercontent.com/_apis/health + - https://pipelines.actions.githubusercontent.com/_apis/health + - For GHES/GHAE + - https://myGHES.com/_services/vstoken/_apis/health + - https://myGHES.com/_services/pipelines/_apis/health + - https://myGHES.com/api/v3 +2. Validate you can reach those endpoints in powershell core + - The runner runs on .net core, lets validate the local settings for that stack + - Open up `pwsh` + - Run the command using the urls above `Invoke-WebRequest {url}` +3. If not, get a packet trace using a tool like wireshark and start looking at the TLS handshake. + - If you see a Client Hello followed by a Server RST: + - You may need to configure your TLS settings to use the correct version + - You should support TLS version 1.2 or later + - You may need to configure your TLS settings to have up to date cipher suites, this may be solved by system updates and patches. + - Your firewall, proxy or network configuration may be blocking the connection + - You will want to reach out to whoever is in charge of your network with these pcap files to further troubleshoot + - If you see a failure later in the handshake: + - Try the fix in the [SSLCert Fix](./sslcert.md)
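Review bot: In the first hunk (@@ -2,17 +2,19 @@), several of the reworded bullets still carry the grammar errors this change set out to fix: "may only allows requests", "A Proxy try to decrypt and exam HTTPS traffic ... but cause", and "may block certain HTTP method". Suggest "may only allow requests with certain user-agents", "A proxy may try to decrypt and examine HTTPS traffic for security purposes, which causes the actions-runner to fail the SSL handshake because it does not trust the proxy's CA", and "certain HTTP methods". The final bullet also loses the period after "etc", and "Proxy"/"Firewall" are capitalized mid-sentence in some bullets but not in the last one; pick one form. The new TLS version and cipher suite bullet would be more useful with a pointer to the handshake steps added under "Troubleshooting: Why can't I configure a runner?" in the same file.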
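Review bot: In the second hunk (@@ -29,4 +31,31 @@), the GHES/GHAE endpoints are written as literal URLs on `https://myGHES.com/...`, which reads as a real host and will be autolinked when rendered; write them as a placeholder in code formatting, for example `https://<your-GHES-hostname>/_services/vstoken/_apis/health`, and say that the hostname must be substituted. Step 3 opens with "If not" but step 2 never states what a successful result looks like, so say what to expect from `Invoke-WebRequest {url}` (and that `{url}` is a placeholder) before branching on failure. "Server RST" should say that it is a TCP reset from the server side, since a proxy or firewall in the path can send it too, which is the case the later sub-bullet describes. Minor: "Github" should be "GitHub", "lets" should be "let's", and step 1 and "For GHES/GHAE" are missing the punctuation used on the neighbouring lines.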