

16 commits

9308fe37c6 remove useless sudo 2? 2024-09-27 23:15:40 -07:00
be3d0891f1 remove needless sudo? 2024-09-27 23:14:32 -07:00
c8382f44a8 update tests file new container 2024-09-27 22:56:38 -07:00
890778d33a resolve tag Kind/Breaks
Docker treats "command" as an argument to an entrypoint if one exists; the entrypoint now runs its arguments as if they were a command
2024-09-27 11:08:56 -07:00
Merith
95fb2cafff fix Kind/Breaking tag 2024-09-27 10:46:35 -07:00
Merith
42078da550 dont use root-user by default 2024-09-27 10:38:59 -07:00
00584cc415 I guess it works now
sorry for the unprofessional commit message, I have been working on this effectively non-stop since the previous commit, and have been fighting docker networking being inconsistent as well as filepermisson issues,

end me
2024-09-26 19:00:54 -07:00
f9ff5dce17 echo, not secho 2024-09-26 15:16:51 -07:00
Merith
ea96696f10 remove rootless dockerfile, updatedate entrypoint, update docker compose
Removed the rootless dockerfile as upon further investigation into how a `rootless` container works, the entrypoint that has been written fully accomodates that

to reflect this the compose file has had the rootless config removed from it as it is no longer needed to test a seperate container image,

added a debug echo function `decho` to the entrypoint, when `DEBUG=true` it will print "[entrypoint] message content"

added a 10 second wait to the entrypoint to allow other services such as docker-in-docker and forgejo to finish launching before the runner is launched, this is bypassable by `SKIP_WAIT=true`

applied several modifications requested by viceice,
2024-09-26 15:08:31 -07:00
Merith
2c4a1d43be revert changes to workflow 2024-09-26 07:28:00 -07:00
Merith
1e6e1cb3c2 disabled TLS in example,
not needed for a closed docker network
2024-09-25 17:10:50 -07:00
Merith
c1654806c5 update entrypoint and dockerfile, fix test workflow
update dockerfile,

rework entrypoint execution,

update compose and test
2024-09-25 16:05:56 -07:00
Merith
3c5ba1c1d2 push example docker-compose for runner and forgejo 2024-09-25 14:07:09 -07:00
Merith
16e18662a0 add a root-user check, clean up some formatting 2024-09-25 13:34:18 -07:00
Merith
190607cf35 address dockerfile feedback, further work on entrypoint 2024-09-25 13:00:54 -07:00
5a0579f03a basic entrypoint, automatic registration of runner works 2024-09-25 09:46:06 -07:00
5 changed files with 192 additions and 57 deletions


@ -17,8 +17,8 @@ jobs:
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get install -qq -y ca-certificates curl gnupg apt-get install -qq -y ca-certificates curl gnupg
install -m 0755 -d /etc/apt/keyrings install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update -qq apt-get update -qq
apt-get install -qq -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin=2.20.2-1~debian.11~bullseye apt-get install -qq -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin=2.20.2-1~debian.11~bullseye
docker version docker version
@ -35,6 +35,7 @@ jobs:
secret=$(openssl rand -hex 20) secret=$(openssl rand -hex 20)
sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
cli="docker compose --progress quiet -f compose-forgejo-and-runner.yml" cli="docker compose --progress quiet -f compose-forgejo-and-runner.yml"
chown -R 1000:1000 /srv
# #
# Launch Forgejo & the runner # Launch Forgejo & the runner
# #
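Review bot: The new `chown -R 1000:1000 /srv` recurses over everything under /srv, including `/srv/forgejo-data`, which the compose file in this change mounts into the Forgejo container rather than the runner; only the runner volume needs to belong to the runner image's uid 1000 (`USER 1000:1000` in the Dockerfile hunk), so narrow it to `mkdir -p /srv/runner-data && chown -R 1000:1000 /srv/runner-data`, which also covers the case where /srv does not exist yet and `chown -R` would fail. Whether the Forgejo container expects uid 1000 on its data directory is not visible here, so if the broad chown was deliberate it deserves a comment saying so. Dropping `sudo` from the gpg and tee lines is consistent with the rest of the step already running as root (`install -m 0755 -d /etc/apt/keyrings` never had one).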


@ -1,6 +1,6 @@
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 AS build-env
# #
# Transparently cross compile for the target platform # Transparently cross compile for the target platform
@ -40,8 +40,10 @@ ENV HOME=/data
USER 1000:1000 USER 1000:1000
COPY --chmod=555 entrypoint.sh /entrypoint.sh
WORKDIR /data WORKDIR /data
VOLUME ["/data"] VOLUME ["/data"]
CMD ["/bin/forgejo-runner"] ENTRYPOINT ["/entrypoint.sh"]
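Review bot: `ENTRYPOINT ["/entrypoint.sh"]` hands a `#!/usr/bin/env bash` script to whatever base the final stage uses, and the only base visible in this hunk is alpine (`golang:1.21-alpine3.19`), where bash is not installed by default; the final stage's `FROM` is outside the hunk, so confirm it either ships bash or adds it, otherwise `docker run` fails with "no such file or directory" before any entrypoint message is printed. Because the `CMD ["/bin/forgejo-runner"]` default is gone and the entrypoint (added elsewhere in this change) evaluates any arguments it receives, a compose `command:` that used to be passed straight to the daemon now goes through a shell `eval`; a comment above the ENTRYPOINT line such as `# Any CMD/command arguments are executed by /entrypoint.sh, not by the daemon — see entrypoint.sh` would make that contract visible to image users.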

132
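--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+set -e
+# Technically not nessecary but it cleans up the logs from having token/secret values
+run_command() {
+local cmd="$@"
+# Replace any --token <value> or --secret <value> with [REDACTED]
+local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
+decho "Running command: $safe_cmd"
+eval $cmd
+}
+decho() {
+if [[ "${DEBUG}" == "true" ]]; then
+echo "[entrypoint] $@"
+fi
+}
+decho $PWD
+# Check if the script is running as root
+if [[ $(id -u) -eq 0 ]]; then
+ISROOT=true
+decho "[WARNING] Running as root user"
+fi
+# Handle if `command` is passed, as command appends arguments to the entrypoint
+if [ "$#" -gt 0 ]; then
+run_command $@
+exit
+fi
+# Handle and alter the config file
+if [[ -z "${CONFIG_FILE}" ]]; then
+echo "CONFIG_FILE is not set"
+CONFIG_FILE="/data/config.yml"
+fi
+CONFIG_ARG="--config ${CONFIG_FILE}"
+decho "CONFIG: ${CONFIG_ARG}"
+DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"}
+DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
+DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1}
+decho "DOCKER_HOST: ${DOCKER_HOST}"
+decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
+decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
+if [[ ! -f "${CONFIG_FILE}" ]]; then
+echo "Creating ${CONFIG_FILE}"
+run_command "forgejo-runner generate-config > ${CONFIG_FILE}"
+# Remove test environment variables if they exist in the config file
+sed -i "/^ A_TEST_ENV_NAME_1:/d" ${CONFIG_FILE}
+sed -i "/^ A_TEST_ENV_NAME_2:/d" ${CONFIG_FILE}
+# Apply default values for docker
+sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
+sed -i "/^ network:/c\ network: host" ${CONFIG_FILE}
+fi
+ENV_FILE=${ENV_FILE:-"/data/.env"}
+decho "ENV_FILE: ${ENV_FILE}"
+sed -i "/^ env_file:/c\ env_file: ${ENV_FILE}" ${CONFIG_FILE}
+if [[ ! -f "${ENV_FILE}" ]]; then
+echo "Creating ${ENV_FILE}"
+touch ${ENV_FILE}
+echo "DOCKER_HOST=${DOCKER_HOST}" >> ${ENV_FILE}
+echo "DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY}" >> ${ENV_FILE}
+echo "DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" >> ${ENV_FILE}
+fi
+EXTRA_ARGS=""
+if [[ ! -z "${RUNNER_LABELS}" ]]; then
+EXTRA_ARGS="${EXTRA_ARGS} --labels ${RUNNER_LABELS}"
+fi
+decho "EXTRA_ARGS: ${EXTRA_ARGS}"
+# Set the runner file
+RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight
+decho "RUNNER_FILE: ${RUNNER_FILE}"
+sed -i "/^ file:/c\ file: ${RUNNER_FILE}" ${CONFIG_FILE}
+if [[ "${SKIP_WAIT}" != "true" ]]; then
+echo "Waiting 10s to allow other services to start up..."
+sleep 10
+fi
+if [[ ! -s "${RUNNER_FILE}" ]]; then
+touch ${RUNNER_FILE}
+try=$((try + 1))
+success=0
+decho "try: ${try}, success: ${success}"
+# The point of this loop is to make it simple, when running both forgejo-runner and gitea in docker,
+# for the forgejo-runner to wait a moment for gitea to become available before erroring out. Within
+# the context of a single docker-compose, something similar could be done via healthchecks, but
+# this is more flexible.
+while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
+if [[ ! -z "${FORGEJO_SECRET}" ]]; then
+run_command forgejo-runner create-runner-file --connect \
+--instance "${FORGEJO_URL:-http://forgejo:3000}" \
+--name "${RUNNER_NAME:-$(hostname)}" \
+--secret "${FORGEJO_SECRET}" \
+${CONFIG_ARG}\
+${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
+else
+run_command forgejo-runner register \
+--instance "${FORGEJO_URL:-http://forgejo:3000}" \
+--name "${RUNNER_NAME:-$(hostname)}" \
+--token "${RUNNER_TOKEN}" \
+--no-interactive \
+${CONFIG_ARG}\
+${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log
+fi
+cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
+if [[ $? -eq 0 ]]; then
+echo "SUCCESS"
+success=1
+else
+echo "Waiting to retry ..."
+sleep 5
+fi
+decho "try: ${try}, success: ${success}"
+done
+fi
+# Prevent reading the token from the forgejo-runner process
+unset RUNNER_TOKEN
+unset FORGEJO_SECRET
+run_command forgejo-runner daemon ${CONFIG_ARG}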
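Review bot: The registration retry loop cannot actually retry: with `set -e` on line 2, the standalone `cat /tmp/reg.log | grep -E ...` pipeline aborts the whole script the first time grep finds no match (it is not inside an `if`/`while` test, so the `[[ $? -eq 0 ]]` that follows is only ever reached on success), and even without that, `try` is incremented once before the loop rather than inside it, so `MAX_REG_ATTEMPTS` never bounds anything and nothing after the loop checks `success` before starting `daemon`. Separately, `run_command` joins its arguments into a string and `eval`s it, so operator-supplied values such as `RUNNER_NAME`, `RUNNER_LABELS`, `FORGEJO_URL` and the secret itself are re-parsed by the shell (spaces, quotes, `$(...)`), and the `[REDACTED]` rewrite only scrubs the debug line: the token/secret still reach the runner's argv, where any process in the container can read them from `/proc/<pid>/cmdline`, and the trailing `unset` only covers the daemon's environment. The default `tcp://docker:2367` looks like a transposition of the Docker TLS port 2376 that the compose file in this change uses and documents. Finally, the daemon is launched through `eval` rather than `exec`, so bash stays PID 1 and the SIGTERM from `docker stop` is not forwarded to forgejo-runner. A version without `eval`, with the grep moved into the `if`, the counter inside the loop, an explicit failure after it, and an `exec` for the daemon:
```shell
run_command() {
  # Log a redacted copy, then run the argv directly: no shell re-parsing of env-derived values.
  local safe_cmd
  safe_cmd=$(printf '%s\n' "$*" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
  decho "Running command: $safe_cmd"
  "$@"
}
# … unchanged: decho, root check …
if [ "$#" -gt 0 ]; then
  run_command "$@"
  exit
fi
# … unchanged: CONFIG_FILE and DOCKER_* defaults …
if [[ ! -f "${CONFIG_FILE}" ]]; then
  echo "Creating ${CONFIG_FILE}"
  forgejo-runner generate-config > "${CONFIG_FILE}"   # redirection belongs to the shell, not to eval
  # … unchanged: sed edits of the generated config …
fi
# … unchanged: ENV_FILE, EXTRA_ARGS, RUNNER_FILE, startup wait …
if [[ ! -s "${RUNNER_FILE}" ]]; then
  touch "${RUNNER_FILE}"
  try=0
  success=0
  while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
    try=$((try + 1))
    # … unchanged: create-runner-file / register invocations piped to tee …
    if grep -qE 'connection successful|registered successfully' /tmp/reg.log; then
      echo "SUCCESS"
      success=1
    else
      echo "Waiting to retry ..."
      sleep 5
    fi
    decho "try: ${try}, success: ${success}"
  done
  if [[ $success -ne 1 ]]; then
    echo "Runner registration failed after ${try} attempt(s)" >&2
    exit 1
  fi
fi
# Prevent reading the token from the forgejo-runner process
unset RUNNER_TOKEN
unset FORGEJO_SECRET
exec forgejo-runner daemon --config "${CONFIG_FILE}"
```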

1
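--- a/examples/docker-compose/.gitignore
+++ b/examples/docker-compose/.gitignore
@@ -0,0 +1 @@
+srv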


@ -11,83 +11,82 @@
# NOTE: a token obtained from the Forgejo web interface cannot be used # NOTE: a token obtained from the Forgejo web interface cannot be used
# as a shared secret. # as a shared secret.
# #
# Replace {ROOT_PASSWORD} with a secure password # Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
# #
# Replace ROOT_PASSWORD with a secure password.
#
networks:
forgejo:
volumes: volumes:
docker_certs: docker_certs:
services: services:
docker-in-docker: docker-in-docker:
image: code.forgejo.org/oci/docker:dind image: code.forgejo.org/oci/docker:dind
hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
restart: unless-stopped
privileged: true privileged: true
networks:
- forgejo
environment: environment:
DOCKER_TLS_CERTDIR: /certs DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
DOCKER_HOST: docker-in-docker DOCKER_HOST: "docker" # remove aswell to disable TLS
volumes: volumes:
- docker_certs:/certs - docker_certs:/certs
forgejo: forgejo:
image: codeberg.org/forgejo/forgejo:1.21 image: codeberg.org/forgejo/forgejo:1.21
command: >- hostname: forgejo
bash -c ' networks:
/bin/s6-svscan /etc/s6 & - forgejo
sleep 10 ;
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
sleep infinity
'
environment:
FORGEJO__security__INSTALL_LOCK: "true"
FORGEJO__log__LEVEL: "debug"
FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false"
FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
volumes: volumes:
- /srv/forgejo-data:/data - /srv/forgejo-data:/data
ports: ports:
- 8080:3000 - 8080:3000
runner-register:
image: code.forgejo.org/forgejo/runner:3.4.1
links:
- docker-in-docker
- forgejo
environment: environment:
DOCKER_HOST: tcp://docker-in-docker:2376 FORGEJO__security__INSTALL_LOCK: "true" # remove in production
volumes:
- /srv/runner-data:/data
user: 0:0
command: >- command: >-
bash -ec ' bash -c '
while : ; do /bin/s6-svscan /etc/s6 &
forgejo-runner create-runner-file --connect --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ; sleep 10 ;
sleep 1 ; su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ;
done ; su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
sed -i -e "s|\"labels\": null|\"labels\": [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]|" .runner ; sleep infinity
forgejo-runner generate-config > config.yml ;
sed -i -e "s|network: .*|network: host|" config.yml ;
sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
sed -i -e "s|^ options:| options: -v /certs/client:/certs/client|" config.yml ;
sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
chown -R 1000:1000 /data
' '
# all values that have defaults listed are optional
# only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
# FORGEJO_URL is required if forgejo is not in this compose file or docker network
runner-daemon: runner-daemon:
image: code.forgejo.org/forgejo/runner:3.4.1 ## TODO: Update image to the the release
links: ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
- docker-in-docker
- forgejo # image: code.forgejo.org/forgejo/runner:3.4.1
environment: build: ../../
DOCKER_HOST: tcp://docker:2376 user: "1000" # defaults to 1000,
DOCKER_CERT_PATH: /certs/client restart: unless-stopped # needed for fixing file ownership on restart
DOCKER_TLS_VERIFY: "1"
volumes: volumes:
- /srv/runner-data:/data - /srv/runner-data:/data
- docker_certs:/certs - docker_certs:/certs
command: >- networks:
bash -c ' - forgejo
while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done depends_on:
' - docker-in-docker
- forgejo
environment:
CONFIG_FILE: config.yml # defaults to /data/config.yml
DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
DOCKER_TLS_VERIFY: "1" # defaults to 1
FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
RUNNER_FILE: .runner # defaults to /data/runner.json
RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
DEBUG: "true" # defaults to false, set to true to enable debug logging
SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start
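Review bot: The comment on `FORGEJO__security__INSTALL_LOCK: "true" # remove in production` inverts the setting's meaning: INSTALL_LOCK=true is what keeps the first-run installer page closed, and removing it on a reachable host would let whoever first opens port 8080 finish the install and become the administrator; change the comment to `# keep true: locks the first-run installer so it cannot be hijacked`. The example also inlines `FORGEJO_SECRET: "{SHARED_SECRET}"` as a literal for the workflow's `sed` to fill in, while `RUNNER_TOKEN: ${RUNNER_TOKEN}` is already read from the environment; taking the secret the same way, `FORGEJO_SECRET: ${FORGEJO_SECRET}`, keeps it out of the committed file and out of the `sed` step. With a root account created from a placeholder password and the service published as `8080:3000` on every interface, `127.0.0.1:8080:3000` is the safer default for an example that people copy. The `# needed for fixing file ownership on restart` comment next to `restart: unless-stopped` does not correspond to anything in this compose file; if it refers to behaviour in the entrypoint, say so, otherwise it reads as a leftover from the removed `user: 0:0` register service.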