implement act_runner rootless image #208
|
@ -11,6 +11,6 @@ FROM alpine:3.18
|
|||
RUN apk add --no-cache git bash tini
|
||||
|
||||
COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
|
||||
COPY run.sh /opt/act/run.sh
|
||||
COPY scripts/run.sh /opt/act/run.sh
|
||||
|
||||
ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"]
|
||||
|
|
24
Dockerfile.rootless
Normal file
|
@ -0,0 +1,24 @@
|
|||
FROM golang:1.20-alpine3.18 as builder
|
||||
ccureau marked this conversation as resolved
Outdated
|
||||
# Do not remove `git` here, it is required for getting runner version when executing `make build`
|
||||
RUN apk add --no-cache make git
|
||||
wolfogre marked this conversation as resolved
Outdated
techknowlogick
commented
no need to target specific versions of packages no need to target specific versions of packages
wolfogre
commented
hadolint-action asks for it, see #190 (comment) hadolint-action asks for it, see https://gitea.com/gitea/act_runner/pulls/190#issuecomment-740325
techknowlogick
commented
until we get renovate up and running, I think we should skip hardcoding then. until we get renovate up and running, I think we should skip hardcoding then.
wolfogre
commented
I see, so should we remove I see, so should we remove `hadolint-action`?
appleboy
commented
Yes. maybe we should remove the Yes. maybe we should remove the `hadolint-action`
wolfogre
commented
#234
|
||||
|
||||
COPY . /opt/src/act_runner
|
||||
WORKDIR /opt/src/act_runner
|
||||
|
||||
RUN make clean && make build
|
||||
|
||||
FROM docker:dind-rootless
|
||||
USER root
|
||||
RUN apk add --no-cache \
|
||||
git bash supervisor
|
||||
|
||||
ccureau marked this conversation as resolved
wolfogre
commented
Just a question, do we need Just a question, do we need `rm -rf /var/cache/apk/*` when there's `--no-cache`?
ccureau
commented
Nope. I'll remove it. This was in in the original Dockerfile, so I left it as is. Nope. I'll remove it. This was in in the original Dockerfile, so I left it as is.
|
||||
COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
|
||||
COPY /scripts/supervisord.conf /etc/supervisord.conf
|
||||
COPY /scripts/run.sh /opt/act/run.sh
|
||||
wolfogre
commented
Why is the source file an absolute path? I mean maybe people want to build on their local env. Why is the source file an absolute path? I mean maybe people want to build on their local env.
ccureau
commented
I was going back and forth with this one too. It makes sense to build it once and then copy the image into the container image, but at the same time the way it is now sets up for completely clean builds each time without a dependency on golang being installed. Six of one, half dozen of the other. What do you think? I was going back and forth with this one too. It makes sense to build it once and then copy the image into the container image, but at the same time the way it is now sets up for completely clean builds each time without a dependency on golang being installed. Six of one, half dozen of the other.
What do you think?
wolfogre
commented
How about
The files exist in the builder too, right? How about
```dockerfile
COPY --from=builder /opt/src/act_runner/act_runner/scripts/supervisord.conf /etc/supervisord.conf
COPY --from=builder /opt/src/act_runner/act_runner/scripts/run.sh /opt/act/run.sh
```
The files exist in the builder too, right?
ccureau
commented
They do, but if the builder doesn't change, there's a chance that older files can make it into the newer image. They do, but if the builder doesn't change, there's a chance that older files can make it into the newer image.
|
||||
COPY /scripts/rootless.sh /opt/act/rootless.sh
|
||||
|
||||
RUN mkdir /data \
|
||||
&& chown rootless:rootless /data
|
||||
|
||||
USER rootless
|
||||
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
|
2
Makefile
|
@ -19,6 +19,7 @@ GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "genera
|
|||
DOCKER_IMAGE ?= gitea/act_runner
|
||||
DOCKER_TAG ?= nightly
|
||||
DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
|
||||
DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE)_rootless:$(DOCKER_TAG)
|
||||
|
||||
ifneq ($(shell uname), Darwin)
|
||||
EXTLDFLAGS = -extldflags "-static" $(null)
|
||||
|
@ -169,6 +170,7 @@ docker:
|
|||
ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
|
||||
fi; \
|
||||
docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
|
||||
docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_ROOTLESS_REF) -f Dockerfile.rootless .
|
||||
|
||||
clean:
|
||||
$(GO) clean -x -i ./...
|
||||
|
|
|
@ -6,3 +6,6 @@ Files in this directory:
|
|||
|
||||
- [`dind-docker.yaml`](dind-docker.yaml)
|
||||
How to create a Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
|
||||
|
||||
- [`rootless-docker.yaml`](rootless-docker.yaml)
|
||||
How to create a rootless Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
|
||||
|
|
68
examples/kubernetes/rootless-docker.yaml
Normal file
|
@ -0,0 +1,68 @@
|
|||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: act-runner-vol
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
storageClassName: standard
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
token: << runner registration token goes here >>
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: runner-secret
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: act-runner
|
||||
name: act-runner
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: act-runner
|
||||
strategy: {}
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
app: act-runner
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: runner-data
|
||||
persistentVolumeClaim:
|
||||
claimName: act-runner-vol
|
||||
containers:
|
||||
- name: runner
|
||||
image: gitea/act_runner:nightly-rootless
|
||||
imagePullPolicy: Always
|
||||
# command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
|
||||
env:
|
||||
- name: DOCKER_HOST
|
||||
value: tcp://localhost:2376
|
||||
- name: DOCKER_CERT_PATH
|
||||
value: /certs/client
|
||||
- name: DOCKER_TLS_VERIFY
|
||||
value: "1"
|
||||
- name: GITEA_INSTANCE_URL
|
||||
value: http://gitea-http.gitea.svc.cluster.local:3000
|
||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: runner-secret
|
||||
key: token
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: runner-data
|
||||
mountPath: /data
|
||||
|
9
scripts/rootless.sh
Executable file
|
@ -0,0 +1,9 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# wait for docker daemon
|
||||
while ! nc -z localhost 2376 </dev/null; do
|
||||
echo 'waiting for docker daemon...'
|
||||
sleep 5
|
||||
done
|
||||
|
||||
. /opt/act/run.sh
|
13
scripts/supervisord.conf
Normal file
|
@ -0,0 +1,13 @@
|
|||
[supervisord]
|
||||
nodaemon=true
|
||||
logfile=/dev/null
|
||||
logfile_maxbytes=0
|
||||
|
||||
[program:dockerd]
|
||||
command=/usr/local/bin/dockerd-entrypoint.sh
|
||||
|
||||
[program:act_runner]
|
||||
stdout_logfile=/dev/fd/1
|
||||
stdout_logfile_maxbytes=0
|
||||
redirect_stderr=true
|
||||
command=/opt/act/rootless.sh
|
please target alpine 3.18