WIP: wip-entrypoint #2
5 changed files with 26 additions and 89 deletions
|
@ -38,6 +38,8 @@ LABEL maintainer="contact@forgejo.org" \
|
||||||
|
|
||||||
ENV HOME=/data
|
ENV HOME=/data
|
||||||
|
|
||||||
|
USER 1000:1000
|
||||||
|
|
||||||
COPY --chmod=555 entrypoint.sh /entrypoint.sh
|
COPY --chmod=555 entrypoint.sh /entrypoint.sh
|
||||||
|
|
||||||
WORKDIR /data
|
WORKDIR /data
|
||||||
|
|
|
@ -2,28 +2,13 @@
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
|
# Technically not nessecary but it cleans up the logs from having token/secret values
|
||||||
run_command() {
|
run_command() {
|
||||||
local cmd="$1"
|
local cmd="$1"
|
||||||
|
|
||||||
# Replace any --token <value> or --secret <value> with [REDACTED]
|
# Replace any --token <value> or --secret <value> with [REDACTED]
|
||||||
local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
|
local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
|
||||||
|
|
||||||
decho "Running command: $safe_cmd"
|
decho "Running command: $safe_cmd"
|
||||||
|
eval "$cmd"
|
||||||
if [[ "$ISROOT" == true ]]; then
|
|
||||||
decho "Running as forgejo-runner"
|
|
||||||
su -c "$cmd" forgejo-runner
|
|
||||||
else
|
|
||||||
decho "Running as $(whoami)"
|
|
||||||
eval "$cmd"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
makeUser() {
|
|
||||||
adduser -u ${RUNNER_USER} -h /data -s /bin/bash -D forgejo-runner
|
|
||||||
}
|
|
||||||
makeGroup() {
|
|
||||||
addgroup -g ${RUNNER_USER} forgejo-runner
|
|
||||||
}
|
}
|
||||||
|
|
||||||
decho() {
|
decho() {
|
||||||
|
@ -32,49 +17,10 @@ decho() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Initial setup
|
|
||||||
cd /data
|
|
||||||
|
|
||||||
decho "RUNNER_USER: ${RUNNER_USER}"
|
|
||||||
RUNNER_USER="${RUNNER_USER:-1000}"
|
|
||||||
# Check if the script is running as root
|
# Check if the script is running as root
|
||||||
if [[ $(id -u) -eq 0 ]]; then
|
if [[ $(id -u) -eq 0 ]]; then
|
||||||
ISROOT=true
|
ISROOT=true
|
||||||
decho "Running as root"
|
decho "[WARNING] Running as root user"
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$ISROOT" == true ]]; then
|
|
||||||
# Check if the forgejo-runner user exists, if not, create it
|
|
||||||
if ! id -u forgejo-runner >/dev/null 2>&1; then
|
|
||||||
decho "Creating user forgejo-runner with UID ${RUNNER_USER}"
|
|
||||||
makeUser
|
|
||||||
else
|
|
||||||
CURRENT_UID=$(id -u forgejo-runner)
|
|
||||||
if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then
|
|
||||||
decho "Changing UID of forgejo-runner from ${CURRENT_UID} to ${RUNNER_USER}"
|
|
||||||
deluser forgejo-runner
|
|
||||||
makeUser
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if the forgejo-runner group exists, if not, create it
|
|
||||||
if ! getent group forgejo-runner >/dev/null 2>&1; then
|
|
||||||
decho "Creating group forgejo-runner with GID ${RUNNER_USER}"
|
|
||||||
makeGroup
|
|
||||||
else
|
|
||||||
CURRENT_GID=$(getent group forgejo-runner | cut -d: -f3)
|
|
||||||
if [[ "${CURRENT_GID}" -ne "${RUNNER_USER}" ]]; then
|
|
||||||
decho "Changing GID of forgejo-runner from ${CURRENT_GID} to ${RUNNER_USER}"
|
|
||||||
delgroup forgejo-runner
|
|
||||||
makeGroup
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Ensure /data is owned by the runner user
|
|
||||||
# yes this can slow things down but is 100% nessecary for the runner to function
|
|
||||||
# when running as a root user, because for some reason the runner create files as
|
|
||||||
# root and then cant access them
|
|
||||||
chown -R forgejo-runner:forgejo-runner /data
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Handle and alter the config file
|
# Handle and alter the config file
|
||||||
|
@ -85,9 +31,9 @@ fi
|
||||||
CONFIG_ARG="--config ${CONFIG_FILE}"
|
CONFIG_ARG="--config ${CONFIG_FILE}"
|
||||||
decho "CONFIG: ${CONFIG_ARG}"
|
decho "CONFIG: ${CONFIG_ARG}"
|
||||||
|
|
||||||
DOCKER_HOST=${DOCKER_HOST:-docker}
|
DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"}
|
||||||
DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
|
DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
|
||||||
DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-0}
|
DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1}
|
||||||
decho "DOCKER_HOST: ${DOCKER_HOST}"
|
decho "DOCKER_HOST: ${DOCKER_HOST}"
|
||||||
decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
|
decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
|
||||||
decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
|
decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
|
||||||
|
@ -102,18 +48,7 @@ if [[ ! -f "${CONFIG_FILE}" ]]; then
|
||||||
# Apply default values for docker
|
# Apply default values for docker
|
||||||
sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
|
sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
|
||||||
sed -i "/^ network:/c\ network: host" ${CONFIG_FILE}
|
sed -i "/^ network:/c\ network: host" ${CONFIG_FILE}
|
||||||
sed -i "/^ privileged:/c\ privileged: true" ${CONFIG_FILE}
|
|
||||||
|
|
||||||
|
|
||||||
if [[ "${DOCKER_TLS_VERIFY}" -ne 1 ]]; then
|
|
||||||
decho "Docker TLS diabled"
|
|
||||||
sed -i "/^ docker_host:/c\ docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
|
|
||||||
else
|
|
||||||
decho "Docker TLS enabled"
|
|
||||||
sed -i "/^ docker_host:/c\ docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
|
|
||||||
sed -i "/^ valid_volumes:/c\ valid_volumes:\n - ${DOCKER_CERT_PATH}" ${CONFIG_FILE}
|
|
||||||
sed -i "/^ options:/c\ options: -v ${DOCKER_CERT_PATH}:${DOCKER_CERT_PATH}" ${CONFIG_FILE}
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ENV_FILE=${ENV_FILE:-"/data/.env"}
|
ENV_FILE=${ENV_FILE:-"/data/.env"}
|
||||||
|
@ -135,9 +70,7 @@ fi
|
||||||
decho "EXTRA_ARGS: ${EXTRA_ARGS}"
|
decho "EXTRA_ARGS: ${EXTRA_ARGS}"
|
||||||
|
|
||||||
# Set the runner file
|
# Set the runner file
|
||||||
if [[ -z "${RUNNER_FILE}" ]]; then
|
RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight
|
||||||
RUNNER_FILE="runner.json" # use json so editors know how to highlight
|
|
||||||
fi
|
|
||||||
decho "RUNNER_FILE: ${RUNNER_FILE}"
|
decho "RUNNER_FILE: ${RUNNER_FILE}"
|
||||||
sed -i "/^ file:/c\ file: ${RUNNER_FILE}" ${CONFIG_FILE}
|
sed -i "/^ file:/c\ file: ${RUNNER_FILE}" ${CONFIG_FILE}
|
||||||
|
|
||||||
|
@ -157,22 +90,22 @@ if [[ ! -s "${RUNNER_FILE}" ]]; then
|
||||||
# the context of a single docker-compose, something similar could be done via healthchecks, but
|
# the context of a single docker-compose, something similar could be done via healthchecks, but
|
||||||
# this is more flexible.
|
# this is more flexible.
|
||||||
while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
|
while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
|
||||||
if [[ ! -z "${FORGEJO_SECRET}" ]]; then
|
if [[ ! -z "${FORGEJO_SECRET}" ]]; then
|
||||||
run_command "forgejo-runner create-runner-file --connect \
|
run_command "forgejo-runner create-runner-file --connect \
|
||||||
--instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
|
--instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
|
||||||
--name \"${RUNNER_NAME:-$(hostname)}\" \
|
--name \"${RUNNER_NAME:-$(hostname)}\" \
|
||||||
--secret \"${FORGEJO_SECRET}\" \
|
--secret \"${FORGEJO_SECRET}\" \
|
||||||
${CONFIG_ARG}\
|
${CONFIG_ARG}\
|
||||||
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
|
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
|
||||||
else
|
else
|
||||||
run_command "forgejo-runner register \
|
run_command "forgejo-runner register \
|
||||||
--instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
|
--instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
|
||||||
--name \"${RUNNER_NAME:-$(hostname)}\" \
|
--name \"${RUNNER_NAME:-$(hostname)}\" \
|
||||||
--token \"${RUNNER_TOKEN}\" \
|
--token \"${RUNNER_TOKEN}\" \
|
||||||
--no-interactive \
|
--no-interactive \
|
||||||
${CONFIG_ARG}\
|
${CONFIG_ARG}\
|
||||||
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
|
${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
|
||||||
fi
|
fi
|
||||||
cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
|
cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
echo "SUCCESS"
|
echo "SUCCESS"
|
||||||
|
|
3
examples/docker-compose/.gitignore
vendored
3
examples/docker-compose/.gitignore
vendored
|
@ -1,2 +1 @@
|
||||||
forgejo/
|
srv
|
||||||
forgejo-runner/
|
|
||||||
|
|
|
@ -13,7 +13,8 @@
|
||||||
#
|
#
|
||||||
# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
|
# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
|
||||||
#
|
#
|
||||||
|
# Replace ROOT_PASSWORD with a secure password.
|
||||||
|
#
|
||||||
networks:
|
networks:
|
||||||
forgejo:
|
forgejo:
|
||||||
|
|
||||||
|
@ -24,12 +25,13 @@ services:
|
||||||
docker-in-docker:
|
docker-in-docker:
|
||||||
image: code.forgejo.org/oci/docker:dind
|
image: code.forgejo.org/oci/docker:dind
|
||||||
hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
|
hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
|
||||||
|
restart: unless-stopped
|
||||||
privileged: true
|
privileged: true
|
||||||
networks:
|
networks:
|
||||||
- forgejo
|
- forgejo
|
||||||
environment:
|
environment:
|
||||||
DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
|
DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
|
||||||
DOCKER_HOST: "docker" # remove aswell to disable TLS
|
DOCKER_HOST: "docker" # remove aswell to disable TLS
|
||||||
volumes:
|
volumes:
|
||||||
- docker_certs:/certs
|
- docker_certs:/certs
|
||||||
|
|
||||||
|
@ -42,25 +44,27 @@ services:
|
||||||
- /srv/forgejo-data:/data
|
- /srv/forgejo-data:/data
|
||||||
ports:
|
ports:
|
||||||
- 8080:3000
|
- 8080:3000
|
||||||
|
environment:
|
||||||
|
FORGEJO__security__INSTALL_LOCK: "true" # remove in production
|
||||||
command: >-
|
command: >-
|
||||||
bash -c '
|
bash -c '
|
||||||
/bin/s6-svscan /etc/s6 &
|
/bin/s6-svscan /etc/s6 &
|
||||||
sleep 10 ;
|
sleep 10 ;
|
||||||
su -c "forgejo admin user create --admin --username root --password examplepassword --email root@example.com" git ;
|
su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ;
|
||||||
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
|
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
|
||||||
sleep infinity
|
sleep infinity
|
||||||
'
|
'
|
||||||
|
|
||||||
# all values that have defaults listed are optional
|
# all values that have defaults listed are optional
|
||||||
# only FORGEJO_SECRET or RUNNER_TOKEN is required
|
# only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
|
||||||
# FORGEJO_URL is required if forgejo is in this compose file or docker network
|
# FORGEJO_URL is required if forgejo is not in this compose file or docker network
|
||||||
runner-daemon:
|
runner-daemon:
|
||||||
## TODO: Update image to the the release
|
## TODO: Update image to the the release
|
||||||
## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
|
## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
|
||||||
|
|
||||||
# image: code.forgejo.org/forgejo/runner:3.4.1
|
# image: code.forgejo.org/forgejo/runner:3.4.1
|
||||||
build: ../../
|
build: ../../
|
||||||
# user: "1000" # set to run rootless, overrides RUNNER_USER and disables automatic file ownership
|
user: "1000" # defaults to 1000,
|
||||||
restart: unless-stopped # needed for fixing file ownership on restart
|
restart: unless-stopped # needed for fixing file ownership on restart
|
||||||
volumes:
|
volumes:
|
||||||
- /srv/runner-data:/data
|
- /srv/runner-data:/data
|
||||||
|
@ -75,7 +79,7 @@ services:
|
||||||
|
|
||||||
DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
|
DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
|
||||||
DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
|
DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
|
||||||
DOCKER_TLS_VERIFY: "1" # defaults to 0, set to 1 to enable TLS
|
DOCKER_TLS_VERIFY: "1" # defaults to 1
|
||||||
|
|
||||||
FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
|
FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
|
||||||
FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
|
FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
|
||||||
|
@ -83,7 +87,6 @@ services:
|
||||||
RUNNER_FILE: .runner # defaults to /data/runner.json
|
RUNNER_FILE: .runner # defaults to /data/runner.json
|
||||||
RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
|
RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
|
||||||
RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
|
RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
|
||||||
RUNNER_USER: 1000 # defaults to 1000, allows for automatic file ownership
|
|
||||||
|
|
||||||
DEBUG: "true" # defaults to false, set to true to enable debug logging
|
DEBUG: "true" # defaults to false, set to true to enable debug logging
|
||||||
SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start
|
SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start
|
||||||
|
|
Loading…
Reference in a new issue