Compare commits

..

No commits in common. "wip-entrypoint" and "main" have entirely different histories.

5 changed files with 57 additions and 199 deletions

View file

@ -31,8 +31,6 @@ jobs:
- name: run the example - name: run the example
run: | run: |
set -x set -x
mkdir -p /srv/runner-data
chown 1000:1000 /srv/runner-data
cd examples/docker-compose cd examples/docker-compose
secret=$(openssl rand -hex 20) secret=$(openssl rand -hex 20)
sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
@ -40,7 +38,7 @@ jobs:
# #
# Launch Forgejo & the runner # Launch Forgejo & the runner
# #
$cli up -d --remove-orphans $cli up -d
for delay in $(seq 60) ; do test -f /srv/runner-data/.runner && break ; sleep 30 ; done for delay in $(seq 60) ; do test -f /srv/runner-data/.runner && break ; sleep 30 ; done
test -f /srv/runner-data/.runner test -f /srv/runner-data/.runner
# #

View file

@ -1,6 +1,6 @@
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 AS build-env FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env
# #
# Transparently cross compile for the target platform # Transparently cross compile for the target platform
@ -40,10 +40,8 @@ ENV HOME=/data
USER 1000:1000 USER 1000:1000
COPY --chmod=555 entrypoint.sh /entrypoint.sh
WORKDIR /data WORKDIR /data
VOLUME ["/data"] VOLUME ["/data"]
ENTRYPOINT ["/entrypoint.sh"] CMD ["/bin/forgejo-runner"]

View file

@ -1,138 +0,0 @@
#!/usr/bin/env bash
set -e
# Technically not nessecary but it cleans up the logs from having token/secret values
run_command() {
local cmd="$@"
# Replace any --token <value> or --secret <value> with [REDACTED]
local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
decho "Running command: $safe_cmd"
eval $cmd
}
decho() {
if [[ "${DEBUG}" == "true" ]]; then
echo "[entrypoint] $@"
fi
}
decho $PWD
# Check if the script is running as root
if [[ $(id -u) -eq 0 ]]; then
ISROOT=true
decho "[WARNING] Running as root user"
fi
# Handle if `command` is passed, as command appends arguments to the entrypoint
if [ "$#" -gt 0 ]; then
run_command $@
exit
fi
# Handle and alter the config file
if [[ -z "${CONFIG_FILE}" ]]; then
echo "CONFIG_FILE is not set"
CONFIG_FILE="/data/config.yml"
fi
CONFIG_ARG="--config ${CONFIG_FILE}"
decho "CONFIG: ${CONFIG_ARG}"
DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"}
DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1}
decho "DOCKER_HOST: ${DOCKER_HOST}"
decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
if [[ ! -f "${CONFIG_FILE}" ]]; then
echo "Creating ${CONFIG_FILE}"
run_command "forgejo-runner generate-config > ${CONFIG_FILE}"
# Remove test environment variables if they exist in the config file
sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}
# Apply default values for docker
sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
sed -i "/^ network:/c\ network: host" ${CONFIG_FILE}
if [[ "${DOCKER_PRIVILEGED}" == "true" ]]; then
sed -i "/^ privileged:/c\ privileged: true" ${CONFIG_FILE}
sed -i "/^ options:/c\ options:-v /certs/client:/certs/client" ${CONFIG_FILE}
sed -i "/^ valid_volumes:/c\ valid_volumes:\n - /certs/client" ${CONFIG_FILE}
fi
fi
ENV_FILE=${ENV_FILE:-"/data/.env"}
decho "ENV_FILE: ${ENV_FILE}"
sed -i "/^ env_file:/c\ env_file: ${ENV_FILE}" ${CONFIG_FILE}
if [[ ! -f "${ENV_FILE}" ]]; then
echo "Creating ${ENV_FILE}"
touch ${ENV_FILE}
echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
fi
EXTRA_ARGS=""
if [[ ! -z "${RUNNER_LABELS}" ]]; then
EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}"
fi
decho "EXTRA_ARGS: ${EXTRA_ARGS}"
# Set the runner file
RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight
decho "RUNNER_FILE: ${RUNNER_FILE}"
sed -i "/^ file:/c\ file: ${RUNNER_FILE}" ${CONFIG_FILE}
if [[ "${SKIP_WAIT}" != "true" ]]; then
echo "Waiting 10s to allow other services to start up..."
sleep 10
fi
if [[ ! -s "${RUNNER_FILE}" ]]; then
touch ${RUNNER_FILE}
try=$((try + 1))
success=0
decho "try: ${try}, success: ${success}"
# The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
# for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within
# the context of a single docker-compose, something similar could be done via healthchecks, but
# this is more flexible.
while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
if [[ ! -z "${FORGEJO_SECRET}" ]]; then
run_command forgejo-runner create-runner-file --connect \
--instance "${FORGEJO_URL:-http://forgejo:3000}" \
--name "${RUNNER_NAME:-$(hostname)}" \
--secret "${FORGEJO_SECRET}" \
${CONFIG_ARG}\
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
else
run_command forgejo-runner register \
--instance "${FORGEJO_URL:-http://forgejo:3000}" \
--name "${RUNNER_NAME:-$(hostname)}" \
--token "${RUNNER_TOKEN}" \
--no-interactive \
${CONFIG_ARG}\
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
fi
cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
if [[ $? -eq 0 ]]; then
echo "SUCCESS"
success=1
else
echo "Waiting to retry ..."
sleep 5
fi
decho "try: ${try}, success: ${success}"
done
fi
# Prevent reading the token from the forgejo-runner process
unset RUNNER_TOKEN
unset FORGEJO_SECRET
run_command forgejo-runner daemon ${CONFIG_ARG}

View file

@ -1 +0,0 @@
srv

View file

@ -11,82 +11,83 @@
# NOTE: a token obtained from the Forgejo web interface cannot be used # NOTE: a token obtained from the Forgejo web interface cannot be used
# as a shared secret. # as a shared secret.
# #
# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface. # Replace {ROOT_PASSWORD} with a secure password
#
# Replace {ROOT_PASSWORD} with a secure password.
# #
volumes: volumes:
docker_certs: docker_certs:
services: services:
docker-in-docker: docker-in-docker:
image: code.forgejo.org/oci/docker:dind image: code.forgejo.org/oci/docker:dind
hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
restart: unless-stopped
privileged: true privileged: true
environment: environment:
DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375 DOCKER_TLS_CERTDIR: /certs
DOCKER_HOST: "docker" # remove aswell to disable TLS DOCKER_HOST: docker-in-docker
volumes: volumes:
- docker_certs:/certs - docker_certs:/certs
forgejo: forgejo:
image: codeberg.org/forgejo/forgejo:1.21 image: codeberg.org/forgejo/forgejo:1.21
hostname: forgejo
volumes:
- /srv/forgejo-data:/data
ports:
- 8080:3000
environment:
FORGEJO__security__INSTALL_LOCK: "true" # remove in production
FORGEJO__log__LEVEL: "debug" # remove in production
FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true" # enables the ability to create a repo when pushing
FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false" # defaults above to public
FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
# `command` is not neecessary, but can be used to create an admin user as shown below when combined with INSTALL_LOCK
command: >- command: >-
bash -c ' bash -c '
/bin/s6-svscan /etc/s6 & /bin/s6-svscan /etc/s6 &
sleep 10 ; sleep 10 ;
su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ; su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
sleep infinity sleep infinity
' '
environment:
FORGEJO__security__INSTALL_LOCK: "true"
FORGEJO__log__LEVEL: "debug"
FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false"
FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
volumes:
- /srv/forgejo-data:/data
ports:
- 8080:3000
runner-register:
image: code.forgejo.org/forgejo/runner:3.4.1
links:
- docker-in-docker
- forgejo
environment:
DOCKER_HOST: tcp://docker-in-docker:2376
volumes:
- /srv/runner-data:/data
user: 0:0
command: >-
bash -ec '
while : ; do
forgejo-runner create-runner-file --connect --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
sleep 1 ;
done ;
sed -i -e "s|\"labels\": null|\"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]|" .runner ;
forgejo-runner generate-config > config.yml ;
sed -i -e "s|network: .*|network: host|" config.yml ;
sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
sed -i -e "s|^ options:| options: -v /certs/client:/certs/client|" config.yml ;
sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
chown -R 1000:1000 /data
'
# all values that have defaults listed are optional
# only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
# FORGEJO_URL is required if forgejo is not in this compose file or docker network
runner-daemon: runner-daemon:
## TODO: Update image to the the release image: code.forgejo.org/forgejo/runner:3.4.1
## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283 links:
- docker-in-docker
# image: code.forgejo.org/forgejo/runner:3.4.1 - forgejo
build: ../../ environment:
user: "1000" # defaults to 1000, DOCKER_HOST: tcp://docker:2376
restart: unless-stopped # needed for fixing file ownership on restart DOCKER_CERT_PATH: /certs/client
DOCKER_TLS_VERIFY: "1"
volumes: volumes:
- /srv/runner-data:/data - /srv/runner-data:/data
- docker_certs:/certs - docker_certs:/certs
depends_on: command: >-
- docker-in-docker bash -c '
- forgejo while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done
links: '
- forgejo
- docker-in-docker
environment:
CONFIG_FILE: config.yml # defaults to /data/config.yml
DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
DOCKER_TLS_VERIFY: "1" # defaults to 1
DOCKER_PRIVILEGED: "true" # defaults to false for security reasons
FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
RUNNER_FILE: .runner # defaults to /data/runner.json
RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
DEBUG: "true" # defaults to false, set to true to enable debug logging
SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start