entrypoint.sh

@@ -4,17 +4,28 @@ set -e
 
 run_command() {
   local cmd="$1"
-  redacted_cmd=$(echo "$cmd" | sed -E 's/(--secret\s+|--token\s+)[^ ]+/--\1[REDACTED]/g')
-  decho "Running command: $redacted_cmd"
+
+  # Replace any --token <value> or --secret <value> with [REDACTED]
+  local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
+
+  decho "Running command: $safe_cmd"
+
   if [[ "$ISROOT" == true ]]; then
     decho "Running as forgejo-runner"
     su -c "$cmd" forgejo-runner
   else
-    decho "Running as RUNNER_USER: ${RUNNER_USER}"
+    decho "Running as $(whoami)"
     eval "$cmd"
   fi
 }
 
+makeUser() {
+  adduser -u ${RUNNER_USER} -h /data -s /bin/bash -D forgejo-runner
+}
+makeGroup() {
+  addgroup -g ${RUNNER_USER} forgejo-runner
+}
+
 decho() {
   if [[ "${DEBUG}" == "true" ]]; then
     echo "[entrypoint] $@"
@@ -33,27 +44,37 @@ if [[ $(id -u) -eq 0 ]]; then
 fi
 
 if [[ "$ISROOT" == true ]]; then
-  # Check if the forgejo-runner user exists
-  if id "forgejo-runner" &>/dev/null; then
-    echo "forgejo-runner user exists."
-
-    # Change the user ID if needed
-    CURRENT_UID=$(id -u forgejo-runner)
-    decho "CURRENT_UID: ${CURRENT_UID}"
-    if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then
-      echo "Changing UID of forgejo-runner to ${RUNNER_USER}"
-      sed -i "s/^forgejo-runner:[^:]*:[^:]*:/forgejo-runner:x:${RUNNER_USER}:/" /etc/passwd
-    fi
+  # Check if the forgejo-runner user exists, if not, create it
+  if ! id -u forgejo-runner >/dev/null 2>&1; then
+    decho "Creating user forgejo-runner with UID ${RUNNER_USER}"
+    makeUser
   else
-    echo "Creating user forgejo-runner with UID ${RUNNER_USER}"
-    adduser --uid "${RUNNER_USER}" --home /home/forgejo-runner --disabled-password --gecos "" forgejo-runner
+      CURRENT_UID=$(id -u forgejo-runner)
+      if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then
+        decho "Changing UID of forgejo-runner from ${CURRENT_UID} to ${RUNNER_USER}"
+        deluser forgejo-runner
+        makeUser
+      fi
+  fi
+
+  # Check if the forgejo-runner group exists, if not, create it
+  if ! getent group forgejo-runner >/dev/null 2>&1; then
+    decho "Creating group forgejo-runner with GID ${RUNNER_USER}"
+    makeGroup
+  else
+    CURRENT_GID=$(getent group forgejo-runner | cut -d: -f3)
+    if [[ "${CURRENT_GID}" -ne "${RUNNER_USER}" ]]; then
+      decho "Changing GID of forgejo-runner from ${CURRENT_GID} to ${RUNNER_USER}"
+      delgroup forgejo-runner
+      makeGroup
+    fi
   fi
 
   # Ensure /data is owned by the runner user
-  if [[ $(stat -c "%u" /data) != "${RUNNER_USER}" ]]; then
-    decho "Changing ownership of /data to ${RUNNER_USER}"
-    chown -R forgejo-runner:forgejo-runner /data
-  fi
+  # yes this can slow things down but is 100% nessecary for the runner to function
+  # when running as a root user, because for some reason the runner create files as
+  # root and then cant access them
+  chown -R forgejo-runner:forgejo-runner /data
 fi
 
 # Handle and alter the config file
@@ -65,33 +86,33 @@ CONFIG_ARG="--config ${CONFIG_FILE}"
 decho "CONFIG: ${CONFIG_ARG}"
 
 DOCKER_HOST=${DOCKER_HOST:-docker}
-DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR:-"/certs/client"}
+DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
 DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-0}
 decho "DOCKER_HOST: ${DOCKER_HOST}"
-decho "DOCKER_TLS_CERTDIR: ${DOCKER_TLS_CERTDIR}"
+decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
 decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
 if [[ ! -f "${CONFIG_FILE}" ]]; then
   echo "Creating ${CONFIG_FILE}"
-  run_command "forgejo-runner generate-config > ${CONFIG_FILE}" forgejo-runner
+  run_command "forgejo-runner generate-config > ${CONFIG_FILE}"
 
   # Remove test environment variables if they exist in the config file
   sed -i "/^    A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
   sed -i "/^    A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}
 
   # Apply default values for docker
-  sed -i "/^  labels:/c\  \"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
+  sed -i "/^  labels:/c\  labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
   sed -i "/^  network:/c\  network: host" ${CONFIG_FILE}
   sed -i "/^  privileged:/c\  privileged: true" ${CONFIG_FILE}
 
 
   if [[ "${DOCKER_TLS_VERIFY}" -ne 1 ]]; then
     decho "Docker TLS diabled"
-    sed -i "/^  docker_host:/c\  docker_host: tcp://${DOCKER_HOST}:2375" ${CONFIG_FILE}
+    sed -i "/^  docker_host:/c\  docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
   else
     decho "Docker TLS enabled"
-    sed -i "/^  docker_host:/c\  docker_host: tcp://${DOCKER_HOST}:2376" ${CONFIG_FILE}
-    sed -i "/^  valid_volumes:/c\  valid_volumes:\n    - ${DOCKER_TLS_CERTDIR}" ${CONFIG_FILE}
-    sed -i "/^  options:/c\  options: -v ${DOCKER_TLS_CERTDIR}:${DOCKER_TLS_CERTDIR}" ${CONFIG_FILE}
+    sed -i "/^  docker_host:/c\  docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
+    sed -i "/^  valid_volumes:/c\  valid_volumes:\n    - ${DOCKER_CERT_PATH}" ${CONFIG_FILE}
+    sed -i "/^  options:/c\  options: -v ${DOCKER_CERT_PATH}:${DOCKER_CERT_PATH}" ${CONFIG_FILE}
   fi
 fi
 
@@ -104,7 +125,7 @@ if [[ ! -f "${ENV_FILE}" ]]; then
   touch ${ENV_FILE}
   echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
   echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
-  echo "DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR}" >> ${ENV_FILE}
+  echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
 fi
 
 EXTRA_ARGS=""
@@ -131,30 +152,28 @@ if [[ ! -s "${RUNNER_FILE}" ]]; then
   success=0
   decho "try: ${try}, success: ${success}"
 
-  if [[ ! -z "${FORGEJO_SECRET}" ]]; then
-    EXTRA_ARGS="${EXTRA_ARGS} --secret ${FORGEJO_SECRET}"
-    echo "Registering with SECRET"
-  else
-    if [[ -z "${RUNNER_TOKEN}" ]]; then
-      echo "RUNNER_TOKEN is not set"
-      exit 1
-    fi
-    EXTRA_ARGS="${EXTRA_ARGS} --token ${RUNNER_TOKEN}"
-    echo "Registering with TOKEN"
-  fi
-  decho "EXTRA_ARGS after secret/token: ${EXTRA_ARGS}"
-
   # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
   # for the forgejo-runner to wait a moment for gitea to become available before erroring out.  Within
   # the context of a single docker-compose, something similar could be done via healthchecks, but
   # this is more flexible.
   while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
+  if [[ ! -z "${FORGEJO_SECRET}" ]]; then
     run_command "forgejo-runner create-runner-file --connect \
     --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
     --name \"${RUNNER_NAME:-$(hostname)}\" \
-    ${CONFIG_ARG} ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
-
-    cat /tmp/reg.log | grep 'connection successful' >/dev/null
+    --secret \"${FORGEJO_SECRET}\" \
+    ${CONFIG_ARG}\
+    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
+  else
+    run_command "forgejo-runner register \
+    --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
+    --name \"${RUNNER_NAME:-$(hostname)}\" \
+    --token \"${RUNNER_TOKEN}\" \
+    --no-interactive \
+    ${CONFIG_ARG}\
+    ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
+  fi
+    cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
     if [[ $? -eq 0 ]]; then
       echo "SUCCESS"
       success=1

examples/docker-compose/compose-forgejo-and-runner.yml

@@ -23,13 +23,13 @@ volumes:
 services:
   docker-in-docker:
     image: code.forgejo.org/oci/docker:dind
-    # container_name: docker # Must set container_name to docker for both internal DNS and TLS to work
-    hostname: docker
+    hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
     privileged: true
     networks:
       - forgejo
     environment:
       DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
+      DOCKER_HOST: "docker"        # remove aswell to disable TLS
     volumes:
       - docker_certs:/certs
 
@@ -39,7 +39,7 @@ services:
     networks:
       - forgejo
     volumes:
-      - ./forgejo:/data
+      - /srv/forgejo-data:/data
     ports:
       - 8080:3000
     command: >-
@@ -54,15 +54,16 @@ services:
   # all values that have defaults listed are optional
   # only FORGEJO_SECRET or RUNNER_TOKEN is required
   # FORGEJO_URL is required if forgejo is in this compose file or docker network
-  forgejo-runner:
+  runner-daemon:
     ## TODO: Update image to the the release
     ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
 
     # image: code.forgejo.org/forgejo/runner:3.4.1
     build: ../../
     # user: "1000" # set to run rootless, overrides RUNNER_USER and disables automatic file ownership
+    restart: unless-stopped # needed for fixing file ownership on restart
     volumes:
-      - ./forgejo-runner:/data
+      - /srv/runner-data:/data
       - docker_certs:/certs
     networks:
       - forgejo
@@ -72,16 +73,16 @@ services:
     environment:
       CONFIG_FILE: config.yml # defaults to /data/config.yml
 
-      DOCKER_HOST: "docker" # defaults to docker
-      DOCKER_TLS_CERTDIR: "/certs/client" # defaults to /certs/client
+      DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
+      DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
       DOCKER_TLS_VERIFY: "1" # defaults to 0, set to 1 to enable TLS
 
       FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
       FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
 
       RUNNER_FILE: .runner # defaults to /data/runner.json
-      RUNNER_NAME: forgejo-runner # defaults to forgejo-runner, used for registration
-      RUNNER_TOKEN: "${RUNNER_TOKEN}"
+      RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
+      RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
       RUNNER_USER: 1000 # defaults to 1000, allows for automatic file ownership
 
       DEBUG: "true" # defaults to false, set to true to enable debug logging