From b165aeab81a35fa17dddd4d404a27ca61175acdd Mon Sep 17 00:00:00 2001 From: merith-xyz Date: Thu, 26 Sep 2024 19:00:54 -0700 Subject: [PATCH] I guess it works now sorry for the unprofessional commit message, I have been working on this effectively non-stop since the previous commit, and have been fighting docker networking being inconsistent as well as filepermisson issues, end me --- entrypoint.sh | 109 ++++++++++-------- .../compose-forgejo-and-runner.yml | 19 +-- 2 files changed, 74 insertions(+), 54 deletions(-) mode change 100644 => 100755 entrypoint.sh diff --git a/entrypoint.sh b/entrypoint.sh old mode 100644 new mode 100755 index 60622c4..bb72004 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -4,17 +4,28 @@ set -e run_command() { local cmd="$1" - redacted_cmd=$(echo "$cmd" | sed -E 's/(--secret\s+|--token\s+)[^ ]+/--\1[REDACTED]/g') - decho "Running command: $redacted_cmd" + + # Replace any --token or --secret with [REDACTED] + local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g') + + decho "Running command: $safe_cmd" + if [[ "$ISROOT" == true ]]; then decho "Running as forgejo-runner" su -c "$cmd" forgejo-runner else - decho "Running as RUNNER_USER: ${RUNNER_USER}" + decho "Running as $(whoami)" eval "$cmd" fi } +makeUser() { + adduser -u ${RUNNER_USER} -h /data -s /bin/bash -D forgejo-runner +} +makeGroup() { + addgroup -g ${RUNNER_USER} forgejo-runner +} + decho() { if [[ "${DEBUG}" == "true" ]]; then echo "[entrypoint] $@" @@ -33,27 +44,37 @@ if [[ $(id -u) -eq 0 ]]; then fi if [[ "$ISROOT" == true ]]; then - # Check if the forgejo-runner user exists - if id "forgejo-runner" &>/dev/null; then - echo "forgejo-runner user exists." - - # Change the user ID if needed - CURRENT_UID=$(id -u forgejo-runner) - decho "CURRENT_UID: ${CURRENT_UID}" - if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then - echo "Changing UID of forgejo-runner to ${RUNNER_USER}" - sed -i "s/^forgejo-runner:[^:]*:[^:]*:/forgejo-runner:x:${RUNNER_USER}:/" /etc/passwd - fi + # Check if the forgejo-runner user exists, if not, create it + if ! id -u forgejo-runner >/dev/null 2>&1; then + decho "Creating user forgejo-runner with UID ${RUNNER_USER}" + makeUser else - echo "Creating user forgejo-runner with UID ${RUNNER_USER}" - adduser --uid "${RUNNER_USER}" --home /home/forgejo-runner --disabled-password --gecos "" forgejo-runner + CURRENT_UID=$(id -u forgejo-runner) + if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then + decho "Changing UID of forgejo-runner from ${CURRENT_UID} to ${RUNNER_USER}" + deluser forgejo-runner + makeUser + fi + fi + + # Check if the forgejo-runner group exists, if not, create it + if ! getent group forgejo-runner >/dev/null 2>&1; then + decho "Creating group forgejo-runner with GID ${RUNNER_USER}" + makeGroup + else + CURRENT_GID=$(getent group forgejo-runner | cut -d: -f3) + if [[ "${CURRENT_GID}" -ne "${RUNNER_USER}" ]]; then + decho "Changing GID of forgejo-runner from ${CURRENT_GID} to ${RUNNER_USER}" + delgroup forgejo-runner + makeGroup + fi fi # Ensure /data is owned by the runner user - if [[ $(stat -c "%u" /data) != "${RUNNER_USER}" ]]; then - decho "Changing ownership of /data to ${RUNNER_USER}" - chown -R forgejo-runner:forgejo-runner /data - fi + # yes this can slow things down but is 100% nessecary for the runner to function + # when running as a root user, because for some reason the runner create files as + # root and then cant access them + chown -R forgejo-runner:forgejo-runner /data fi # Handle and alter the config file @@ -65,33 +86,33 @@ CONFIG_ARG="--config ${CONFIG_FILE}" decho "CONFIG: ${CONFIG_ARG}" DOCKER_HOST=${DOCKER_HOST:-docker} -DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR:-"/certs/client"} +DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"} DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-0} decho "DOCKER_HOST: ${DOCKER_HOST}" -decho "DOCKER_TLS_CERTDIR: ${DOCKER_TLS_CERTDIR}" +decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}" decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}" if [[ ! -f "${CONFIG_FILE}" ]]; then echo "Creating ${CONFIG_FILE}" - run_command "forgejo-runner generate-config > ${CONFIG_FILE}" forgejo-runner + run_command "forgejo-runner generate-config > ${CONFIG_FILE}" # Remove test environment variables if they exist in the config file sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE} sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE} # Apply default values for docker - sed -i "/^ labels:/c\ \"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE} + sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE} sed -i "/^ network:/c\ network: host" ${CONFIG_FILE} sed -i "/^ privileged:/c\ privileged: true" ${CONFIG_FILE} if [[ "${DOCKER_TLS_VERIFY}" -ne 1 ]]; then decho "Docker TLS diabled" - sed -i "/^ docker_host:/c\ docker_host: tcp://${DOCKER_HOST}:2375" ${CONFIG_FILE} + sed -i "/^ docker_host:/c\ docker_host: ${DOCKER_HOST}" ${CONFIG_FILE} else decho "Docker TLS enabled" - sed -i "/^ docker_host:/c\ docker_host: tcp://${DOCKER_HOST}:2376" ${CONFIG_FILE} - sed -i "/^ valid_volumes:/c\ valid_volumes:\n - ${DOCKER_TLS_CERTDIR}" ${CONFIG_FILE} - sed -i "/^ options:/c\ options: -v ${DOCKER_TLS_CERTDIR}:${DOCKER_TLS_CERTDIR}" ${CONFIG_FILE} + sed -i "/^ docker_host:/c\ docker_host: ${DOCKER_HOST}" ${CONFIG_FILE} + sed -i "/^ valid_volumes:/c\ valid_volumes:\n - ${DOCKER_CERT_PATH}" ${CONFIG_FILE} + sed -i "/^ options:/c\ options: -v ${DOCKER_CERT_PATH}:${DOCKER_CERT_PATH}" ${CONFIG_FILE} fi fi @@ -104,7 +125,7 @@ if [[ ! -f "${ENV_FILE}" ]]; then touch ${ENV_FILE} echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE} echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE} - echo "DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR}" >> ${ENV_FILE} + echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE} fi EXTRA_ARGS="" @@ -131,30 +152,28 @@ if [[ ! -s "${RUNNER_FILE}" ]]; then success=0 decho "try: ${try}, success: ${success}" - if [[ ! -z "${FORGEJO_SECRET}" ]]; then - EXTRA_ARGS="${EXTRA_ARGS} --secret ${FORGEJO_SECRET}" - echo "Registering with SECRET" - else - if [[ -z "${RUNNER_TOKEN}" ]]; then - echo "RUNNER_TOKEN is not set" - exit 1 - fi - EXTRA_ARGS="${EXTRA_ARGS} --token ${RUNNER_TOKEN}" - echo "Registering with TOKEN" - fi - decho "EXTRA_ARGS after secret/token: ${EXTRA_ARGS}" - # The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker, # for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within # the context of a single docker-compose, something similar could be done via healthchecks, but # this is more flexible. while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do + if [[ ! -z "${FORGEJO_SECRET}" ]]; then run_command "forgejo-runner create-runner-file --connect \ --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \ --name \"${RUNNER_NAME:-$(hostname)}\" \ - ${CONFIG_ARG} ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log" - - cat /tmp/reg.log | grep 'connection successful' >/dev/null + --secret \"${FORGEJO_SECRET}\" \ + ${CONFIG_ARG}\ + ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log" + else + run_command "forgejo-runner register \ + --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \ + --name \"${RUNNER_NAME:-$(hostname)}\" \ + --token \"${RUNNER_TOKEN}\" \ + --no-interactive \ + ${CONFIG_ARG}\ + ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log" + fi + cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null if [[ $? -eq 0 ]]; then echo "SUCCESS" success=1 diff --git a/examples/docker-compose/compose-forgejo-and-runner.yml b/examples/docker-compose/compose-forgejo-and-runner.yml index e644a4f..a2d1fa5 100644 --- a/examples/docker-compose/compose-forgejo-and-runner.yml +++ b/examples/docker-compose/compose-forgejo-and-runner.yml @@ -23,13 +23,13 @@ volumes: services: docker-in-docker: image: code.forgejo.org/oci/docker:dind - # container_name: docker # Must set container_name to docker for both internal DNS and TLS to work - hostname: docker + hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost privileged: true networks: - forgejo environment: DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375 + DOCKER_HOST: "docker" # remove aswell to disable TLS volumes: - docker_certs:/certs @@ -39,7 +39,7 @@ services: networks: - forgejo volumes: - - ./forgejo:/data + - /srv/forgejo-data:/data ports: - 8080:3000 command: >- @@ -54,15 +54,16 @@ services: # all values that have defaults listed are optional # only FORGEJO_SECRET or RUNNER_TOKEN is required # FORGEJO_URL is required if forgejo is in this compose file or docker network - forgejo-runner: + runner-daemon: ## TODO: Update image to the the release ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283 # image: code.forgejo.org/forgejo/runner:3.4.1 build: ../../ # user: "1000" # set to run rootless, overrides RUNNER_USER and disables automatic file ownership + restart: unless-stopped # needed for fixing file ownership on restart volumes: - - ./forgejo-runner:/data + - /srv/runner-data:/data - docker_certs:/certs networks: - forgejo @@ -72,16 +73,16 @@ services: environment: CONFIG_FILE: config.yml # defaults to /data/config.yml - DOCKER_HOST: "docker" # defaults to docker - DOCKER_TLS_CERTDIR: "/certs/client" # defaults to /certs/client + DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376 + DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client DOCKER_TLS_VERIFY: "1" # defaults to 0, set to 1 to enable TLS FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000 FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN RUNNER_FILE: .runner # defaults to /data/runner.json - RUNNER_NAME: forgejo-runner # defaults to forgejo-runner, used for registration - RUNNER_TOKEN: "${RUNNER_TOKEN}" + RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration + RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface RUNNER_USER: 1000 # defaults to 1000, allows for automatic file ownership DEBUG: "true" # defaults to false, set to true to enable debug logging