diff --git a/.forgejo/workflows/example-docker-compose.yml b/.forgejo/workflows/example-docker-compose.yml index 4e2f547..e84400f 100644 --- a/.forgejo/workflows/example-docker-compose.yml +++ b/.forgejo/workflows/example-docker-compose.yml @@ -31,6 +31,8 @@ jobs: - name: run the example run: | set -x + mkdir -p /srv/runner-data + chown 1000:1000 /srv/runner-data cd examples/docker-compose secret=$(openssl rand -hex 20) sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml @@ -38,7 +40,7 @@ jobs: # # Launch Forgejo & the runner # - $cli up -d + $cli up -d --remove-orphans for delay in $(seq 60) ; do test -f /srv/runner-data/.runner && break ; sleep 30 ; done test -f /srv/runner-data/.runner # diff --git a/Dockerfile b/Dockerfile index 50f1965..af507da 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx -FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env +FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 AS build-env # # Transparently cross compile for the target platform @@ -40,8 +40,10 @@ ENV HOME=/data USER 1000:1000 +COPY --chmod=555 entrypoint.sh /entrypoint.sh + WORKDIR /data VOLUME ["/data"] -CMD ["/bin/forgejo-runner"] +ENTRYPOINT ["/entrypoint.sh"] diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..355bdd9 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,138 @@ +#!/usr/bin/env bash + +set -e + +# Technically not nessecary but it cleans up the logs from having token/secret values +run_command() { + local cmd="$@" + # Replace any --token or --secret with [REDACTED] + local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g') + decho "Running command: $safe_cmd" + eval $cmd +} + +decho() { + if [[ "${DEBUG}" == "true" ]]; then + echo "[entrypoint] $@" + fi +} +decho $PWD + +# Check if the script is running as root +if [[ $(id -u) -eq 0 ]]; then + ISROOT=true + decho "[WARNING] Running as root user" +fi + +# Handle if `command` is passed, as command appends arguments to the entrypoint +if [ "$#" -gt 0 ]; then + run_command $@ + exit +fi + +# Handle and alter the config file +if [[ -z "${CONFIG_FILE}" ]]; then + echo "CONFIG_FILE is not set" + CONFIG_FILE="/data/config.yml" +fi +CONFIG_ARG="--config ${CONFIG_FILE}" +decho "CONFIG: ${CONFIG_ARG}" + +DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"} +DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"} +DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1} +decho "DOCKER_HOST: ${DOCKER_HOST}" +decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}" +decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}" +if [[ ! -f "${CONFIG_FILE}" ]]; then + echo "Creating ${CONFIG_FILE}" + run_command "forgejo-runner generate-config > ${CONFIG_FILE}" + + # Remove test environment variables if they exist in the config file + sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE} + sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE} + + # Apply default values for docker + sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE} + sed -i "/^ network:/c\ network: host" ${CONFIG_FILE} + + if [[ "${DOCKER_PRIVILEGED}" == "true" ]]; then + sed -i "/^ privileged:/c\ privileged: true" ${CONFIG_FILE} + sed -i "/^ options:/c\ options:-v /certs/client:/certs/client" ${CONFIG_FILE} + sed -i "/^ valid_volumes:/c\ valid_volumes:\n - /certs/client" ${CONFIG_FILE} + fi + +fi + +ENV_FILE=${ENV_FILE:-"/data/.env"} +decho "ENV_FILE: ${ENV_FILE}" +sed -i "/^ env_file:/c\ env_file: ${ENV_FILE}" ${CONFIG_FILE} + +if [[ ! -f "${ENV_FILE}" ]]; then + echo "Creating ${ENV_FILE}" + touch ${ENV_FILE} + echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE} + echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE} + echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE} +fi + +EXTRA_ARGS="" +if [[ ! -z "${RUNNER_LABELS}" ]]; then + EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}" +fi +decho "EXTRA_ARGS: ${EXTRA_ARGS}" + +# Set the runner file +RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight +decho "RUNNER_FILE: ${RUNNER_FILE}" +sed -i "/^ file:/c\ file: ${RUNNER_FILE}" ${CONFIG_FILE} + +if [[ "${SKIP_WAIT}" != "true" ]]; then + echo "Waiting 10s to allow other services to start up..." + sleep 10 +fi + +if [[ ! -s "${RUNNER_FILE}" ]]; then + touch ${RUNNER_FILE} + try=$((try + 1)) + success=0 + decho "try: ${try}, success: ${success}" + + # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker, + # for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within + # the context of a single docker-compose, something similar could be done via healthchecks, but + # this is more flexible. + while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do + if [[ ! -z "${FORGEJO_SECRET}" ]]; then + run_command forgejo-runner create-runner-file --connect \ + --instance "${FORGEJO_URL:-http://forgejo:3000}" \ + --name "${RUNNER_NAME:-$(hostname)}" \ + --secret "${FORGEJO_SECRET}" \ + ${CONFIG_ARG}\ + ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log + else + run_command forgejo-runner register \ + --instance "${FORGEJO_URL:-http://forgejo:3000}" \ + --name "${RUNNER_NAME:-$(hostname)}" \ + --token "${RUNNER_TOKEN}" \ + --no-interactive \ + ${CONFIG_ARG}\ + ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log + fi + cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null + if [[ $? -eq 0 ]]; then + echo "SUCCESS" + success=1 + else + echo "Waiting to retry ..." + sleep 5 + fi + decho "try: ${try}, success: ${success}" + done +fi + +# Prevent reading the token from the forgejo-runner process +unset RUNNER_TOKEN +unset FORGEJO_SECRET + +run_command forgejo-runner daemon ${CONFIG_ARG} diff --git a/examples/docker-compose/.gitignore b/examples/docker-compose/.gitignore new file mode 100644 index 0000000..94bf3ec --- /dev/null +++ b/examples/docker-compose/.gitignore @@ -0,0 +1 @@ +srv diff --git a/examples/docker-compose/compose-forgejo-and-runner.yml b/examples/docker-compose/compose-forgejo-and-runner.yml index 4794985..018d956 100644 --- a/examples/docker-compose/compose-forgejo-and-runner.yml +++ b/examples/docker-compose/compose-forgejo-and-runner.yml @@ -11,83 +11,82 @@ # NOTE: a token obtained from the Forgejo web interface cannot be used # as a shared secret. # -# Replace {ROOT_PASSWORD} with a secure password +# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface. +# +# Replace {ROOT_PASSWORD} with a secure password. # - volumes: docker_certs: services: - docker-in-docker: image: code.forgejo.org/oci/docker:dind - hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost + hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost + restart: unless-stopped privileged: true environment: - DOCKER_TLS_CERTDIR: /certs - DOCKER_HOST: docker-in-docker + DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375 + DOCKER_HOST: "docker" # remove aswell to disable TLS volumes: - docker_certs:/certs forgejo: image: codeberg.org/forgejo/forgejo:1.21 - command: >- - bash -c ' - /bin/s6-svscan /etc/s6 & - sleep 10 ; - su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ; - su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ; - sleep infinity - ' - environment: - FORGEJO__security__INSTALL_LOCK: "true" - FORGEJO__log__LEVEL: "debug" - FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true" - FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false" - FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions" + hostname: forgejo volumes: - /srv/forgejo-data:/data ports: - 8080:3000 - - runner-register: - image: code.forgejo.org/forgejo/runner:3.4.1 - links: - - docker-in-docker - - forgejo environment: - DOCKER_HOST: tcp://docker-in-docker:2376 - volumes: - - /srv/runner-data:/data - user: 0:0 + FORGEJO__security__INSTALL_LOCK: "true" # remove in production + FORGEJO__log__LEVEL: "debug" # remove in production + FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true" # enables the ability to create a repo when pushing + FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false" # defaults above to public + FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions" + # `command` is not neecessary, but can be used to create an admin user as shown below when combined with INSTALL_LOCK command: >- - bash -ec ' - while : ; do - forgejo-runner create-runner-file --connect --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ; - sleep 1 ; - done ; - sed -i -e "s|\"labels\": null|\"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]|" .runner ; - forgejo-runner generate-config > config.yml ; - sed -i -e "s|network: .*|network: host|" config.yml ; - sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ; - sed -i -e "s|^ options:| options: -v /certs/client:/certs/client|" config.yml ; - sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ; - chown -R 1000:1000 /data + bash -c ' + /bin/s6-svscan /etc/s6 & + sleep 10 ; + su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ; + su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ; + sleep infinity ' + # all values that have defaults listed are optional + # only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized + # FORGEJO_URL is required if forgejo is not in this compose file or docker network runner-daemon: - image: code.forgejo.org/forgejo/runner:3.4.1 - links: - - docker-in-docker - - forgejo - environment: - DOCKER_HOST: tcp://docker:2376 - DOCKER_CERT_PATH: /certs/client - DOCKER_TLS_VERIFY: "1" + ## TODO: Update image to the the release + ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283 + + # image: code.forgejo.org/forgejo/runner:3.4.1 + build: ../../ + user: "1000" # defaults to 1000, + restart: unless-stopped # needed for fixing file ownership on restart volumes: - /srv/runner-data:/data - docker_certs:/certs - command: >- - bash -c ' - while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done - ' + depends_on: + - docker-in-docker + - forgejo + links: + - forgejo + - docker-in-docker + environment: + CONFIG_FILE: config.yml # defaults to /data/config.yml + + DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376 + DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client + DOCKER_TLS_VERIFY: "1" # defaults to 1 + DOCKER_PRIVILEGED: "true" # defaults to false for security reasons + + FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000 + FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN + + RUNNER_FILE: .runner # defaults to /data/runner.json + RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration + RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface + + DEBUG: "true" # defaults to false, set to true to enable debug logging + SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start