I guess it works now

sorry for the unprofessional commit message, I have been working on this effectively non-stop since the previous commit, and have been fighting docker networking being inconsistent as well as filepermisson issues,

end me
This commit is contained in:
merith-xyz 2024-09-26 19:00:54 -07:00
parent f9ff5dce17
commit 00584cc415
2 changed files with 74 additions and 54 deletions

107
entrypoint.sh Normal file → Executable file
View file

@ -4,17 +4,28 @@ set -e
run_command() { run_command() {
local cmd="$1" local cmd="$1"
redacted_cmd=$(echo "$cmd" | sed -E 's/(--secret\s+|--token\s+)[^ ]+/--\1[REDACTED]/g')
decho "Running command: $redacted_cmd" # Replace any --token <value> or --secret <value> with [REDACTED]
local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
decho "Running command: $safe_cmd"
if [[ "$ISROOT" == true ]]; then if [[ "$ISROOT" == true ]]; then
decho "Running as forgejo-runner" decho "Running as forgejo-runner"
su -c "$cmd" forgejo-runner su -c "$cmd" forgejo-runner
else else
decho "Running as RUNNER_USER: ${RUNNER_USER}" decho "Running as $(whoami)"
eval "$cmd" eval "$cmd"
fi fi
} }
makeUser() {
adduser -u ${RUNNER_USER} -h /data -s /bin/bash -D forgejo-runner
}
makeGroup() {
addgroup -g ${RUNNER_USER} forgejo-runner
}
decho() { decho() {
if [[ "${DEBUG}" == "true" ]]; then if [[ "${DEBUG}" == "true" ]]; then
echo "[entrypoint] $@" echo "[entrypoint] $@"
@ -33,27 +44,37 @@ if [[ $(id -u) -eq 0 ]]; then
fi fi
if [[ "$ISROOT" == true ]]; then if [[ "$ISROOT" == true ]]; then
# Check if the forgejo-runner user exists # Check if the forgejo-runner user exists, if not, create it
if id "forgejo-runner" &>/dev/null; then if ! id -u forgejo-runner >/dev/null 2>&1; then
echo "forgejo-runner user exists." decho "Creating user forgejo-runner with UID ${RUNNER_USER}"
makeUser
# Change the user ID if needed
CURRENT_UID=$(id -u forgejo-runner)
decho "CURRENT_UID: ${CURRENT_UID}"
if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then
echo "Changing UID of forgejo-runner to ${RUNNER_USER}"
sed -i "s/^forgejo-runner:[^:]*:[^:]*:/forgejo-runner:x:${RUNNER_USER}:/" /etc/passwd
fi
else else
echo "Creating user forgejo-runner with UID ${RUNNER_USER}" CURRENT_UID=$(id -u forgejo-runner)
adduser --uid "${RUNNER_USER}" --home /home/forgejo-runner --disabled-password --gecos "" forgejo-runner if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then
decho "Changing UID of forgejo-runner from ${CURRENT_UID} to ${RUNNER_USER}"
deluser forgejo-runner
makeUser
fi
fi
# Check if the forgejo-runner group exists, if not, create it
if ! getent group forgejo-runner >/dev/null 2>&1; then
decho "Creating group forgejo-runner with GID ${RUNNER_USER}"
makeGroup
else
CURRENT_GID=$(getent group forgejo-runner | cut -d: -f3)
if [[ "${CURRENT_GID}" -ne "${RUNNER_USER}" ]]; then
decho "Changing GID of forgejo-runner from ${CURRENT_GID} to ${RUNNER_USER}"
delgroup forgejo-runner
makeGroup
fi
fi fi
# Ensure /data is owned by the runner user # Ensure /data is owned by the runner user
if [[ $(stat -c "%u" /data) != "${RUNNER_USER}" ]]; then # yes this can slow things down but is 100% nessecary for the runner to function
decho "Changing ownership of /data to ${RUNNER_USER}" # when running as a root user, because for some reason the runner create files as
# root and then cant access them
chown -R forgejo-runner:forgejo-runner /data chown -R forgejo-runner:forgejo-runner /data
fi
fi fi
# Handle and alter the config file # Handle and alter the config file
@ -65,33 +86,33 @@ CONFIG_ARG="--config ${CONFIG_FILE}"
decho "CONFIG: ${CONFIG_ARG}" decho "CONFIG: ${CONFIG_ARG}"
DOCKER_HOST=${DOCKER_HOST:-docker} DOCKER_HOST=${DOCKER_HOST:-docker}
DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR:-"/certs/client"} DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-0} DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-0}
decho "DOCKER_HOST: ${DOCKER_HOST}" decho "DOCKER_HOST: ${DOCKER_HOST}"
decho "DOCKER_TLS_CERTDIR: ${DOCKER_TLS_CERTDIR}" decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}" decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
if [[ ! -f "${CONFIG_FILE}" ]]; then if [[ ! -f "${CONFIG_FILE}" ]]; then
echo "Creating ${CONFIG_FILE}" echo "Creating ${CONFIG_FILE}"
run_command "forgejo-runner generate-config > ${CONFIG_FILE}" forgejo-runner run_command "forgejo-runner generate-config > ${CONFIG_FILE}"
# Remove test environment variables if they exist in the config file # Remove test environment variables if they exist in the config file
sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE} sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE} sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}
# Apply default values for docker # Apply default values for docker
sed -i "/^ labels:/c\ \"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE} sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
sed -i "/^ network:/c\ network: host" ${CONFIG_FILE} sed -i "/^ network:/c\ network: host" ${CONFIG_FILE}
sed -i "/^ privileged:/c\ privileged: true" ${CONFIG_FILE} sed -i "/^ privileged:/c\ privileged: true" ${CONFIG_FILE}
if [[ "${DOCKER_TLS_VERIFY}" -ne 1 ]]; then if [[ "${DOCKER_TLS_VERIFY}" -ne 1 ]]; then
decho "Docker TLS diabled" decho "Docker TLS diabled"
sed -i "/^ docker_host:/c\ docker_host: tcp://${DOCKER_HOST}:2375" ${CONFIG_FILE} sed -i "/^ docker_host:/c\ docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
else else
decho "Docker TLS enabled" decho "Docker TLS enabled"
sed -i "/^ docker_host:/c\ docker_host: tcp://${DOCKER_HOST}:2376" ${CONFIG_FILE} sed -i "/^ docker_host:/c\ docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
sed -i "/^ valid_volumes:/c\ valid_volumes:\n - ${DOCKER_TLS_CERTDIR}" ${CONFIG_FILE} sed -i "/^ valid_volumes:/c\ valid_volumes:\n - ${DOCKER_CERT_PATH}" ${CONFIG_FILE}
sed -i "/^ options:/c\ options: -v ${DOCKER_TLS_CERTDIR}:${DOCKER_TLS_CERTDIR}" ${CONFIG_FILE} sed -i "/^ options:/c\ options: -v ${DOCKER_CERT_PATH}:${DOCKER_CERT_PATH}" ${CONFIG_FILE}
fi fi
fi fi
@ -104,7 +125,7 @@ if [[ ! -f "${ENV_FILE}" ]]; then
touch ${ENV_FILE} touch ${ENV_FILE}
echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE} echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE} echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
echo "DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR}" >> ${ENV_FILE} echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
fi fi
EXTRA_ARGS="" EXTRA_ARGS=""
@ -131,30 +152,28 @@ if [[ ! -s "${RUNNER_FILE}" ]]; then
success=0 success=0
decho "try: ${try}, success: ${success}" decho "try: ${try}, success: ${success}"
if [[ ! -z "${FORGEJO_SECRET}" ]]; then
EXTRA_ARGS="${EXTRA_ARGS} --secret ${FORGEJO_SECRET}"
echo "Registering with SECRET"
else
if [[ -z "${RUNNER_TOKEN}" ]]; then
echo "RUNNER_TOKEN is not set"
exit 1
fi
EXTRA_ARGS="${EXTRA_ARGS} --token ${RUNNER_TOKEN}"
echo "Registering with TOKEN"
fi
decho "EXTRA_ARGS after secret/token: ${EXTRA_ARGS}"
# The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker, # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
# for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within # for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within
# the context of a single docker-compose, something similar could be done via healthchecks, but # the context of a single docker-compose, something similar could be done via healthchecks, but
# this is more flexible. # this is more flexible.
while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
if [[ ! -z "${FORGEJO_SECRET}" ]]; then
run_command "forgejo-runner create-runner-file --connect \ run_command "forgejo-runner create-runner-file --connect \
--instance \"${FORGEJO_URL:-http://forgejo:3000}\" \ --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
--name \"${RUNNER_NAME:-$(hostname)}\" \ --name \"${RUNNER_NAME:-$(hostname)}\" \
${CONFIG_ARG} ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log" --secret \"${FORGEJO_SECRET}\" \
${CONFIG_ARG}\
cat /tmp/reg.log | grep 'connection successful' >/dev/null ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
else
run_command "forgejo-runner register \
--instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
--name \"${RUNNER_NAME:-$(hostname)}\" \
--token \"${RUNNER_TOKEN}\" \
--no-interactive \
${CONFIG_ARG}\
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
fi
cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
echo "SUCCESS" echo "SUCCESS"
success=1 success=1

View file

@ -23,13 +23,13 @@ volumes:
services: services:
docker-in-docker: docker-in-docker:
image: code.forgejo.org/oci/docker:dind image: code.forgejo.org/oci/docker:dind
# container_name: docker # Must set container_name to docker for both internal DNS and TLS to work hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
hostname: docker
privileged: true privileged: true
networks: networks:
- forgejo - forgejo
environment: environment:
DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375 DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
DOCKER_HOST: "docker" # remove aswell to disable TLS
volumes: volumes:
- docker_certs:/certs - docker_certs:/certs
@ -39,7 +39,7 @@ services:
networks: networks:
- forgejo - forgejo
volumes: volumes:
- ./forgejo:/data - /srv/forgejo-data:/data
ports: ports:
- 8080:3000 - 8080:3000
command: >- command: >-
@ -54,15 +54,16 @@ services:
# all values that have defaults listed are optional # all values that have defaults listed are optional
# only FORGEJO_SECRET or RUNNER_TOKEN is required # only FORGEJO_SECRET or RUNNER_TOKEN is required
# FORGEJO_URL is required if forgejo is in this compose file or docker network # FORGEJO_URL is required if forgejo is in this compose file or docker network
forgejo-runner: runner-daemon:
## TODO: Update image to the the release ## TODO: Update image to the the release
## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283 ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
# image: code.forgejo.org/forgejo/runner:3.4.1 # image: code.forgejo.org/forgejo/runner:3.4.1
build: ../../ build: ../../
# user: "1000" # set to run rootless, overrides RUNNER_USER and disables automatic file ownership # user: "1000" # set to run rootless, overrides RUNNER_USER and disables automatic file ownership
restart: unless-stopped # needed for fixing file ownership on restart
volumes: volumes:
- ./forgejo-runner:/data - /srv/runner-data:/data
- docker_certs:/certs - docker_certs:/certs
networks: networks:
- forgejo - forgejo
@ -72,16 +73,16 @@ services:
environment: environment:
CONFIG_FILE: config.yml # defaults to /data/config.yml CONFIG_FILE: config.yml # defaults to /data/config.yml
DOCKER_HOST: "docker" # defaults to docker DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
DOCKER_TLS_CERTDIR: "/certs/client" # defaults to /certs/client DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
DOCKER_TLS_VERIFY: "1" # defaults to 0, set to 1 to enable TLS DOCKER_TLS_VERIFY: "1" # defaults to 0, set to 1 to enable TLS
FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000 FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
RUNNER_FILE: .runner # defaults to /data/runner.json RUNNER_FILE: .runner # defaults to /data/runner.json
RUNNER_NAME: forgejo-runner # defaults to forgejo-runner, used for registration RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
RUNNER_TOKEN: "${RUNNER_TOKEN}" RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
RUNNER_USER: 1000 # defaults to 1000, allows for automatic file ownership RUNNER_USER: 1000 # defaults to 1000, allows for automatic file ownership
DEBUG: "true" # defaults to false, set to true to enable debug logging DEBUG: "true" # defaults to false, set to true to enable debug logging