Compare commits
20 commits
main
...
wip-entryp
Author | SHA1 | Date | |
---|---|---|---|
1b0d2a6c70 | |||
343b90056b | |||
89807efc92 | |||
6b3d20382e | |||
9308fe37c6 | |||
be3d0891f1 | |||
c8382f44a8 | |||
890778d33a | |||
|
95fb2cafff | ||
|
42078da550 | ||
00584cc415 | |||
f9ff5dce17 | |||
|
ea96696f10 | ||
|
2c4a1d43be | ||
|
1e6e1cb3c2 | ||
|
c1654806c5 | ||
|
3c5ba1c1d2 | ||
|
16e18662a0 | ||
|
190607cf35 | ||
5a0579f03a |
5 changed files with 200 additions and 62 deletions
|
@ -14,19 +14,22 @@ jobs:
|
|||
- name: Install docker
|
||||
run: |
|
||||
apt-get update -qq
|
||||
export DOCKER_TLS_VERIFY=""
|
||||
export DOCKER_HOST="unix:///var/run/docker.sock"
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get install -qq -y ca-certificates curl gnupg
|
||||
install -m 0755 -d /etc/apt/keyrings
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
apt-get update -qq
|
||||
apt-get install -qq -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin=2.20.2-1~debian.11~bullseye
|
||||
docker version
|
||||
#
|
||||
# docker compose is prone to non backward compatible changes, pin it
|
||||
#
|
||||
apt-get install -qq -y docker-compose-plugin=2.20.2-1~debian.11~bullseye
|
||||
docker compose version
|
||||
|
||||
- name: Start Docker Daemon in the Background
|
||||
run: |
|
||||
nohup dockerd > /dev/null 2>&1 &
|
||||
sleep 10 # Wait for Docker to initialize
|
||||
docker info # Verify Docker is running
|
||||
|
||||
- name: run the example
|
||||
run: |
|
||||
|
@ -35,6 +38,7 @@ jobs:
|
|||
secret=$(openssl rand -hex 20)
|
||||
sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
|
||||
cli="docker compose --progress quiet -f compose-forgejo-and-runner.yml"
|
||||
chown -R 1000:1000 /srv
|
||||
#
|
||||
# Launch Forgejo & the runner
|
||||
#
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
|
||||
|
||||
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env
|
||||
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 AS build-env
|
||||
|
||||
#
|
||||
# Transparently cross compile for the target platform
|
||||
|
@ -40,8 +40,10 @@ ENV HOME=/data
|
|||
|
||||
USER 1000:1000
|
||||
|
||||
COPY --chmod=555 entrypoint.sh /entrypoint.sh
|
||||
|
||||
WORKDIR /data
|
||||
|
||||
VOLUME ["/data"]
|
||||
|
||||
CMD ["/bin/forgejo-runner"]
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
|
132
entrypoint.sh
Executable file
132
entrypoint.sh
Executable file
|
@ -0,0 +1,132 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
# Technically not nessecary but it cleans up the logs from having token/secret values
|
||||
run_command() {
|
||||
local cmd="$@"
|
||||
# Replace any --token <value> or --secret <value> with [REDACTED]
|
||||
local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
|
||||
decho "Running command: $safe_cmd"
|
||||
eval $cmd
|
||||
}
|
||||
|
||||
decho() {
|
||||
if [[ "${DEBUG}" == "true" ]]; then
|
||||
echo "[entrypoint] $@"
|
||||
fi
|
||||
}
|
||||
decho $PWD
|
||||
|
||||
# Check if the script is running as root
|
||||
if [[ $(id -u) -eq 0 ]]; then
|
||||
ISROOT=true
|
||||
decho "[WARNING] Running as root user"
|
||||
fi
|
||||
|
||||
# Handle if `command` is passed, as command appends arguments to the entrypoint
|
||||
if [ "$#" -gt 0 ]; then
|
||||
run_command $@
|
||||
exit
|
||||
fi
|
||||
|
||||
# Handle and alter the config file
|
||||
if [[ -z "${CONFIG_FILE}" ]]; then
|
||||
echo "CONFIG_FILE is not set"
|
||||
CONFIG_FILE="/data/config.yml"
|
||||
fi
|
||||
CONFIG_ARG="--config ${CONFIG_FILE}"
|
||||
decho "CONFIG: ${CONFIG_ARG}"
|
||||
|
||||
DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"}
|
||||
DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
|
||||
DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1}
|
||||
decho "DOCKER_HOST: ${DOCKER_HOST}"
|
||||
decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
|
||||
decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
|
||||
if [[ ! -f "${CONFIG_FILE}" ]]; then
|
||||
echo "Creating ${CONFIG_FILE}"
|
||||
run_command "forgejo-runner generate-config > ${CONFIG_FILE}"
|
||||
|
||||
# Remove test environment variables if they exist in the config file
|
||||
sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
|
||||
sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}
|
||||
|
||||
# Apply default values for docker
|
||||
sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
|
||||
sed -i "/^ network:/c\ network: host" ${CONFIG_FILE}
|
||||
|
||||
fi
|
||||
|
||||
ENV_FILE=${ENV_FILE:-"/data/.env"}
|
||||
decho "ENV_FILE: ${ENV_FILE}"
|
||||
sed -i "/^ env_file:/c\ env_file: ${ENV_FILE}" ${CONFIG_FILE}
|
||||
|
||||
if [[ ! -f "${ENV_FILE}" ]]; then
|
||||
echo "Creating ${ENV_FILE}"
|
||||
touch ${ENV_FILE}
|
||||
echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
|
||||
echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
|
||||
echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
|
||||
fi
|
||||
|
||||
EXTRA_ARGS=""
|
||||
if [[ ! -z "${RUNNER_LABELS}" ]]; then
|
||||
EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}"
|
||||
fi
|
||||
decho "EXTRA_ARGS: ${EXTRA_ARGS}"
|
||||
|
||||
# Set the runner file
|
||||
RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight
|
||||
decho "RUNNER_FILE: ${RUNNER_FILE}"
|
||||
sed -i "/^ file:/c\ file: ${RUNNER_FILE}" ${CONFIG_FILE}
|
||||
|
||||
if [[ "${SKIP_WAIT}" != "true" ]]; then
|
||||
echo "Waiting 10s to allow other services to start up..."
|
||||
sleep 10
|
||||
fi
|
||||
|
||||
if [[ ! -s "${RUNNER_FILE}" ]]; then
|
||||
touch ${RUNNER_FILE}
|
||||
try=$((try + 1))
|
||||
success=0
|
||||
decho "try: ${try}, success: ${success}"
|
||||
|
||||
# The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
|
||||
# for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within
|
||||
# the context of a single docker-compose, something similar could be done via healthchecks, but
|
||||
# this is more flexible.
|
||||
while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
|
||||
if [[ ! -z "${FORGEJO_SECRET}" ]]; then
|
||||
run_command forgejo-runner create-runner-file --connect \
|
||||
--instance "${FORGEJO_URL:-http://forgejo:3000}" \
|
||||
--name "${RUNNER_NAME:-$(hostname)}" \
|
||||
--secret "${FORGEJO_SECRET}" \
|
||||
${CONFIG_ARG}\
|
||||
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
|
||||
else
|
||||
run_command forgejo-runner register \
|
||||
--instance "${FORGEJO_URL:-http://forgejo:3000}" \
|
||||
--name "${RUNNER_NAME:-$(hostname)}" \
|
||||
--token "${RUNNER_TOKEN}" \
|
||||
--no-interactive \
|
||||
${CONFIG_ARG}\
|
||||
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
|
||||
fi
|
||||
cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "SUCCESS"
|
||||
success=1
|
||||
else
|
||||
echo "Waiting to retry ..."
|
||||
sleep 5
|
||||
fi
|
||||
decho "try: ${try}, success: ${success}"
|
||||
done
|
||||
fi
|
||||
|
||||
# Prevent reading the token from the forgejo-runner process
|
||||
unset RUNNER_TOKEN
|
||||
unset FORGEJO_SECRET
|
||||
|
||||
run_command forgejo-runner daemon ${CONFIG_ARG}
|
1
examples/docker-compose/.gitignore
vendored
Normal file
1
examples/docker-compose/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
srv
|
|
@ -11,83 +11,82 @@
|
|||
# NOTE: a token obtained from the Forgejo web interface cannot be used
|
||||
# as a shared secret.
|
||||
#
|
||||
# Replace {ROOT_PASSWORD} with a secure password
|
||||
# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
|
||||
#
|
||||
# Replace ROOT_PASSWORD with a secure password.
|
||||
#
|
||||
networks:
|
||||
forgejo:
|
||||
|
||||
volumes:
|
||||
docker_certs:
|
||||
|
||||
services:
|
||||
|
||||
docker-in-docker:
|
||||
image: code.forgejo.org/oci/docker:dind
|
||||
hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
|
||||
hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
|
||||
restart: unless-stopped
|
||||
privileged: true
|
||||
networks:
|
||||
- forgejo
|
||||
environment:
|
||||
DOCKER_TLS_CERTDIR: /certs
|
||||
DOCKER_HOST: docker-in-docker
|
||||
DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
|
||||
DOCKER_HOST: "docker" # remove aswell to disable TLS
|
||||
volumes:
|
||||
- docker_certs:/certs
|
||||
|
||||
forgejo:
|
||||
image: codeberg.org/forgejo/forgejo:1.21
|
||||
command: >-
|
||||
bash -c '
|
||||
/bin/s6-svscan /etc/s6 &
|
||||
sleep 10 ;
|
||||
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
|
||||
su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
|
||||
sleep infinity
|
||||
'
|
||||
environment:
|
||||
FORGEJO__security__INSTALL_LOCK: "true"
|
||||
FORGEJO__log__LEVEL: "debug"
|
||||
FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
|
||||
FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false"
|
||||
FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
|
||||
hostname: forgejo
|
||||
networks:
|
||||
- forgejo
|
||||
volumes:
|
||||
- /srv/forgejo-data:/data
|
||||
ports:
|
||||
- 8080:3000
|
||||
|
||||
runner-register:
|
||||
image: code.forgejo.org/forgejo/runner:3.4.1
|
||||
links:
|
||||
- docker-in-docker
|
||||
- forgejo
|
||||
environment:
|
||||
DOCKER_HOST: tcp://docker-in-docker:2376
|
||||
volumes:
|
||||
- /srv/runner-data:/data
|
||||
user: 0:0
|
||||
FORGEJO__security__INSTALL_LOCK: "true" # remove in production
|
||||
command: >-
|
||||
bash -ec '
|
||||
while : ; do
|
||||
forgejo-runner create-runner-file --connect --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
|
||||
sleep 1 ;
|
||||
done ;
|
||||
sed -i -e "s|\"labels\": null|\"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]|" .runner ;
|
||||
forgejo-runner generate-config > config.yml ;
|
||||
sed -i -e "s|network: .*|network: host|" config.yml ;
|
||||
sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
|
||||
sed -i -e "s|^ options:| options: -v /certs/client:/certs/client|" config.yml ;
|
||||
sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
|
||||
chown -R 1000:1000 /data
|
||||
bash -c '
|
||||
/bin/s6-svscan /etc/s6 &
|
||||
sleep 10 ;
|
||||
su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ;
|
||||
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
|
||||
sleep infinity
|
||||
'
|
||||
|
||||
# all values that have defaults listed are optional
|
||||
# only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
|
||||
# FORGEJO_URL is required if forgejo is not in this compose file or docker network
|
||||
runner-daemon:
|
||||
image: code.forgejo.org/forgejo/runner:3.4.1
|
||||
links:
|
||||
- docker-in-docker
|
||||
- forgejo
|
||||
environment:
|
||||
DOCKER_HOST: tcp://docker:2376
|
||||
DOCKER_CERT_PATH: /certs/client
|
||||
DOCKER_TLS_VERIFY: "1"
|
||||
## TODO: Update image to the the release
|
||||
## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
|
||||
|
||||
# image: code.forgejo.org/forgejo/runner:3.4.1
|
||||
build: ../../
|
||||
user: "1000" # defaults to 1000,
|
||||
restart: unless-stopped # needed for fixing file ownership on restart
|
||||
volumes:
|
||||
- /srv/runner-data:/data
|
||||
- docker_certs:/certs
|
||||
command: >-
|
||||
bash -c '
|
||||
while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done
|
||||
'
|
||||
networks:
|
||||
- forgejo
|
||||
depends_on:
|
||||
- docker-in-docker
|
||||
- forgejo
|
||||
environment:
|
||||
CONFIG_FILE: config.yml # defaults to /data/config.yml
|
||||
|
||||
DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
|
||||
DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
|
||||
DOCKER_TLS_VERIFY: "1" # defaults to 1
|
||||
|
||||
FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
|
||||
FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
|
||||
|
||||
RUNNER_FILE: .runner # defaults to /data/runner.json
|
||||
RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
|
||||
RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
|
||||
|
||||
DEBUG: "true" # defaults to false, set to true to enable debug logging
|
||||
SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start
|
||||
|
|
Loading…
Reference in a new issue