implement act_runner rootless image #208

Merged
wolfogre merged 6 commits from :feat/rootless-runner into main 2023-06-12 06:35:29 +00:00
8 changed files with 120 additions and 1 deletions


@ -11,6 +11,6 @@ FROM alpine:3.18
RUN apk add --no-cache git bash tini
COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
COPY run.sh /opt/act/run.sh
COPY scripts/run.sh /opt/act/run.sh
ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"]

Dockerfile.rootless Normal file

@ -0,0 +1,24 @@
FROM golang:1.20-alpine3.18 as builder
please target alpine 3.18
# Do not remove `git` here, it is required for getting runner version when executing `make build`
RUN apk add --no-cache make git
no need to target specific versions of packages

hadolint-action asks for it, see https://gitea.com/gitea/act_runner/pulls/190#issuecomment-740325

until we get renovate up and running, I think we should skip hardcoding then.

I see, so should we remove `hadolint-action`?

Yes. maybe we should remove the `hadolint-action`
#234
COPY . /opt/src/act_runner
WORKDIR /opt/src/act_runner
RUN make clean && make build
FROM docker:dind-rootless
USER root
RUN apk add --no-cache \
git bash supervisor
Just a question, do we need `rm -rf /var/cache/apk/*` when there's `--no-cache`?
Nope. I'll remove it. This was in the original Dockerfile, so I left it as is.
COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
COPY /scripts/supervisord.conf /etc/supervisord.conf
COPY /scripts/run.sh /opt/act/run.sh
Why is the source file an absolute path? I mean maybe people want to build on their local env.
I was going back and forth with this one too. It makes sense to build it once and then copy the image into the container image, but at the same time the way it is now sets up for completely clean builds each time without a dependency on golang being installed. Six of one, half dozen of the other.

What do you think?
How about

```dockerfile
COPY --from=builder /opt/src/act_runner/act_runner/scripts/supervisord.conf /etc/supervisord.conf
COPY --from=builder /opt/src/act_runner/act_runner/scripts/run.sh /opt/act/run.sh
```

The files exist in the builder too, right?
They do, but if the builder doesn't change, there's a chance that older files can make it into the newer image.
COPY /scripts/rootless.sh /opt/act/rootless.sh
RUN mkdir /data \
&& chown rootless:rootless /data
USER rootless
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
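Review bot: the runtime stage `FROM docker:dind-rootless` carries no tag while the builder is pinned to `golang:1.20-alpine3.18`, so the rootless daemon version in the published image changes silently from build to build; pin a tag here in the same spirit as the "please target alpine 3.18" request above. On the `COPY /scripts/...` lines, a leading slash in a COPY source is resolved against the build-context root anyway, so `COPY scripts/run.sh /opt/act/run.sh`, as written in the non-rootless Dockerfile above, behaves identically and is the conventional form.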


@ -19,6 +19,7 @@ GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "genera
DOCKER_IMAGE ?= gitea/act_runner
DOCKER_TAG ?= nightly
DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE)_rootless:$(DOCKER_TAG)
ifneq ($(shell uname), Darwin)
EXTLDFLAGS = -extldflags "-static" $(null)
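Review bot: `DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE)_rootless:$(DOCKER_TAG)` expands to `gitea/act_runner_rootless:nightly`, but the Kubernetes example added in this PR pulls `gitea/act_runner:nightly-rootless`; the two naming schemes (repository suffix vs tag suffix) need to agree, otherwise the image the documentation points at is never built.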
@ -169,6 +170,7 @@ docker:
ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
fi; \
docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_ROOTLESS_REF) -f Dockerfile.rootless .
clean:
$(GO) clean -x -i ./...


@ -6,3 +6,6 @@ Files in this directory:
- [`dind-docker.yaml`](dind-docker.yaml)
How to create a Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
- [`rootless-docker.yaml`](rootless-docker.yaml)
How to create a rootless Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
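Review bot: the `rootless-docker.yaml` entry repeats the `dind-docker.yaml` description word for word apart from "rootless"; state what actually differs (the rootless image, and that dockerd runs as an unprivileged user inside the pod while the pod itself is still privileged in the manifest). Both bullets also have a number-agreement slip: "The Docker credentials are re-generated ... and does not need" should read "do not need".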


@ -0,0 +1,68 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: act-runner-vol
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: standard
---
apiVersion: v1
data:
token: << runner registration token goes here >>
kind: Secret
metadata:
name: runner-secret
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: act-runner
name: act-runner
spec:
replicas: 1
selector:
matchLabels:
app: act-runner
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: act-runner
spec:
restartPolicy: Always
volumes:
- name: runner-data
persistentVolumeClaim:
claimName: act-runner-vol
containers:
- name: runner
image: gitea/act_runner:nightly-rootless
imagePullPolicy: Always
# command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
- name: GITEA_INSTANCE_URL
value: http://gitea-http.gitea.svc.cluster.local:3000
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: runner-secret
key: token
securityContext:
privileged: true
volumeMounts:
- name: runner-data
mountPath: /data
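Review bot: the Secret places the registration token under `data:`, which Kubernetes requires to be base64-encoded; pasting a plaintext token at the `<< runner registration token goes here >>` placeholder is rejected at apply time, so either say so next to the placeholder or switch to `stringData:`. Two smaller points on the Deployment: `securityContext: privileged: true` on a manifest the README describes as rootless deserves a comment explaining that the rootless dind daemon still needs a privileged pod even though dockerd itself runs as an unprivileged user, and the commented-out `command:` with its own `nc -z localhost 2376` loop looks like a leftover now that `scripts/rootless.sh` does that wait and should be dropped.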

scripts/rootless.sh Executable file

@ -0,0 +1,9 @@
#!/usr/bin/env bash
# wait for docker daemon
while ! nc -z localhost 2376 </dev/null; do
echo 'waiting for docker daemon...'
sleep 5
done
. /opt/act/run.sh
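Review bot: the wait loop has no upper bound, so if dockerd never listens the runner program prints `waiting for docker daemon...` every five seconds forever and supervisord sees a healthy process with nothing to restart or report; add a retry limit and `exit 1` so the failure becomes visible. The probe also hardcodes `localhost 2376` while the Kubernetes manifest configures the runner through `DOCKER_HOST=tcp://localhost:2376`; deriving host and port from `DOCKER_HOST` (or at least documenting that the two must match) avoids a silent mismatch when someone changes one of them.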

scripts/supervisord.conf Normal file

@ -0,0 +1,13 @@
[supervisord]
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
[program:dockerd]
command=/usr/local/bin/dockerd-entrypoint.sh
[program:act_runner]
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
command=/opt/act/rootless.sh
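Review bot: `[program:dockerd]` lacks the `stdout_logfile=/dev/fd/1`, `stdout_logfile_maxbytes=0` and `redirect_stderr=true` settings given to `[program:act_runner]`, so daemon output goes to supervisord's default child log directory inside the container rather than the container's stdout where `kubectl logs` would show it; combined with `logfile=/dev/null` for supervisord itself, a dockerd startup failure leaves no trace outside the pod. Neither program sets `autorestart` or `startretries` either, so the defaults apply implicitly; making them explicit for the daemon documents the intended behaviour when dockerd exits.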