diff --git a/.forgejo/workflows/example-docker-compose.yml b/.forgejo/workflows/example-docker-compose.yml index ca435bb..4e2f547 100644 --- a/.forgejo/workflows/example-docker-compose.yml +++ b/.forgejo/workflows/example-docker-compose.yml @@ -14,22 +14,19 @@ jobs: - name: Install docker run: | apt-get update -qq - export DOCKER_TLS_VERIFY="" - export DOCKER_HOST="unix:///var/run/docker.sock" export DEBIAN_FRONTEND=noninteractive apt-get install -qq -y ca-certificates curl gnupg install -m 0755 -d /etc/apt/keyrings - curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg - echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null + curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg + echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null apt-get update -qq apt-get install -qq -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin=2.20.2-1~debian.11~bullseye + docker version + # + # docker compose is prone to non backward compatible changes, pin it + # apt-get install -qq -y docker-compose-plugin=2.20.2-1~debian.11~bullseye - - - name: Start Docker Daemon in the Background - run: | - nohup dockerd > /dev/null 2>&1 & - sleep 10 # Wait for Docker to initialize - docker info # Verify Docker is running + docker compose version - name: run the example run: | @@ -38,7 +35,6 @@ jobs: secret=$(openssl rand -hex 20) sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml cli="docker compose --progress quiet -f compose-forgejo-and-runner.yml" - chown -R 1000:1000 /srv # # Launch Forgejo & the runner # diff --git a/Dockerfile b/Dockerfile index af507da..50f1965 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx -FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 AS build-env +FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env # # Transparently cross compile for the target platform @@ -40,10 +40,8 @@ ENV HOME=/data USER 1000:1000 -COPY --chmod=555 entrypoint.sh /entrypoint.sh - WORKDIR /data VOLUME ["/data"] -ENTRYPOINT ["/entrypoint.sh"] +CMD ["/bin/forgejo-runner"] diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755 index 712227e..0000000 --- a/entrypoint.sh +++ /dev/null @@ -1,132 +0,0 @@ -#!/usr/bin/env bash - -set -e - -# Technically not nessecary but it cleans up the logs from having token/secret values -run_command() { - local cmd="$@" - # Replace any --token or --secret with [REDACTED] - local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g') - decho "Running command: $safe_cmd" - eval $cmd -} - -decho() { - if [[ "${DEBUG}" == "true" ]]; then - echo "[entrypoint] $@" - fi -} -decho $PWD - -# Check if the script is running as root -if [[ $(id -u) -eq 0 ]]; then - ISROOT=true - decho "[WARNING] Running as root user" -fi - -# Handle if `command` is passed, as command appends arguments to the entrypoint -if [ "$#" -gt 0 ]; then - run_command $@ - exit -fi - -# Handle and alter the config file -if [[ -z "${CONFIG_FILE}" ]]; then - echo "CONFIG_FILE is not set" - CONFIG_FILE="/data/config.yml" -fi -CONFIG_ARG="--config ${CONFIG_FILE}" -decho "CONFIG: ${CONFIG_ARG}" - -DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"} -DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"} -DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1} -decho "DOCKER_HOST: ${DOCKER_HOST}" -decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}" -decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}" -if [[ ! -f "${CONFIG_FILE}" ]]; then - echo "Creating ${CONFIG_FILE}" - run_command "forgejo-runner generate-config > ${CONFIG_FILE}" - - # Remove test environment variables if they exist in the config file - sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE} - sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE} - - # Apply default values for docker - sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE} - sed -i "/^ network:/c\ network: host" ${CONFIG_FILE} - -fi - -ENV_FILE=${ENV_FILE:-"/data/.env"} -decho "ENV_FILE: ${ENV_FILE}" -sed -i "/^ env_file:/c\ env_file: ${ENV_FILE}" ${CONFIG_FILE} - -if [[ ! -f "${ENV_FILE}" ]]; then - echo "Creating ${ENV_FILE}" - touch ${ENV_FILE} - echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE} - echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE} - echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE} -fi - -EXTRA_ARGS="" -if [[ ! -z "${RUNNER_LABELS}" ]]; then - EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}" -fi -decho "EXTRA_ARGS: ${EXTRA_ARGS}" - -# Set the runner file -RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight -decho "RUNNER_FILE: ${RUNNER_FILE}" -sed -i "/^ file:/c\ file: ${RUNNER_FILE}" ${CONFIG_FILE} - -if [[ "${SKIP_WAIT}" != "true" ]]; then - echo "Waiting 10s to allow other services to start up..." - sleep 10 -fi - -if [[ ! -s "${RUNNER_FILE}" ]]; then - touch ${RUNNER_FILE} - try=$((try + 1)) - success=0 - decho "try: ${try}, success: ${success}" - - # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker, - # for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within - # the context of a single docker-compose, something similar could be done via healthchecks, but - # this is more flexible. - while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do - if [[ ! -z "${FORGEJO_SECRET}" ]]; then - run_command forgejo-runner create-runner-file --connect \ - --instance "${FORGEJO_URL:-http://forgejo:3000}" \ - --name "${RUNNER_NAME:-$(hostname)}" \ - --secret "${FORGEJO_SECRET}" \ - ${CONFIG_ARG}\ - ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log - else - run_command forgejo-runner register \ - --instance "${FORGEJO_URL:-http://forgejo:3000}" \ - --name "${RUNNER_NAME:-$(hostname)}" \ - --token "${RUNNER_TOKEN}" \ - --no-interactive \ - ${CONFIG_ARG}\ - ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log - fi - cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null - if [[ $? -eq 0 ]]; then - echo "SUCCESS" - success=1 - else - echo "Waiting to retry ..." - sleep 5 - fi - decho "try: ${try}, success: ${success}" - done -fi - -# Prevent reading the token from the forgejo-runner process -unset RUNNER_TOKEN -unset FORGEJO_SECRET - -run_command forgejo-runner daemon ${CONFIG_ARG} diff --git a/examples/docker-compose/.gitignore b/examples/docker-compose/.gitignore deleted file mode 100644 index 94bf3ec..0000000 --- a/examples/docker-compose/.gitignore +++ /dev/null @@ -1 +0,0 @@ -srv diff --git a/examples/docker-compose/compose-forgejo-and-runner.yml b/examples/docker-compose/compose-forgejo-and-runner.yml index 6431893..4794985 100644 --- a/examples/docker-compose/compose-forgejo-and-runner.yml +++ b/examples/docker-compose/compose-forgejo-and-runner.yml @@ -11,82 +11,83 @@ # NOTE: a token obtained from the Forgejo web interface cannot be used # as a shared secret. # -# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface. +# Replace {ROOT_PASSWORD} with a secure password # -# Replace ROOT_PASSWORD with a secure password. -# -networks: - forgejo: volumes: docker_certs: services: + docker-in-docker: image: code.forgejo.org/oci/docker:dind - hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost - restart: unless-stopped + hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost privileged: true - networks: - - forgejo environment: - DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375 - DOCKER_HOST: "docker" # remove aswell to disable TLS + DOCKER_TLS_CERTDIR: /certs + DOCKER_HOST: docker-in-docker volumes: - docker_certs:/certs forgejo: image: codeberg.org/forgejo/forgejo:1.21 - hostname: forgejo - networks: - - forgejo - volumes: - - /srv/forgejo-data:/data - ports: - - 8080:3000 - environment: - FORGEJO__security__INSTALL_LOCK: "true" # remove in production command: >- bash -c ' /bin/s6-svscan /etc/s6 & sleep 10 ; - su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ; su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ; + su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ; sleep infinity ' - - # all values that have defaults listed are optional - # only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized - # FORGEJO_URL is required if forgejo is not in this compose file or docker network - runner-daemon: - ## TODO: Update image to the the release - ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283 - - # image: code.forgejo.org/forgejo/runner:3.4.1 - build: ../../ - user: "1000" # defaults to 1000, - restart: unless-stopped # needed for fixing file ownership on restart + environment: + FORGEJO__security__INSTALL_LOCK: "true" + FORGEJO__log__LEVEL: "debug" + FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true" + FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false" + FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions" volumes: - - /srv/runner-data:/data - - docker_certs:/certs - networks: - - forgejo - depends_on: + - /srv/forgejo-data:/data + ports: + - 8080:3000 + + runner-register: + image: code.forgejo.org/forgejo/runner:3.4.1 + links: - docker-in-docker - forgejo environment: - CONFIG_FILE: config.yml # defaults to /data/config.yml + DOCKER_HOST: tcp://docker-in-docker:2376 + volumes: + - /srv/runner-data:/data + user: 0:0 + command: >- + bash -ec ' + while : ; do + forgejo-runner create-runner-file --connect --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ; + sleep 1 ; + done ; + sed -i -e "s|\"labels\": null|\"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]|" .runner ; + forgejo-runner generate-config > config.yml ; + sed -i -e "s|network: .*|network: host|" config.yml ; + sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ; + sed -i -e "s|^ options:| options: -v /certs/client:/certs/client|" config.yml ; + sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ; + chown -R 1000:1000 /data + ' - DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376 - DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client - DOCKER_TLS_VERIFY: "1" # defaults to 1 - - FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000 - FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN - - RUNNER_FILE: .runner # defaults to /data/runner.json - RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration - RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface - - DEBUG: "true" # defaults to false, set to true to enable debug logging - SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start + runner-daemon: + image: code.forgejo.org/forgejo/runner:3.4.1 + links: + - docker-in-docker + - forgejo + environment: + DOCKER_HOST: tcp://docker:2376 + DOCKER_CERT_PATH: /certs/client + DOCKER_TLS_VERIFY: "1" + volumes: + - /srv/runner-data:/data + - docker_certs:/certs + command: >- + bash -c ' + while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done + '