From 2acbca7298ad8ef1788ce52e859511075bb7f506 Mon Sep 17 00:00:00 2001 From: Denis Baryshev Date: Sat, 28 Dec 2024 13:27:39 +0700 Subject: [PATCH 1/2] feat: migrate to bitdeps/podman-static 5.x version Signed-off-by: Denis Baryshev --- .github/workflows/publish-runner.yaml | 11 +- runners/Containerfile | 143 ++++++++++++++++++ .../{buildah.sh => container-tools/buildah} | 0 .../podman} | 0 runners/containers/containers.conf | 12 +- runners/docker.json | 53 ------- runners/entrypoint.sh | 3 - runners/gcloud-artifacts-locations | 45 ++++++ runners/install-runner | 39 ----- runners/podman.containerfile | 122 --------------- runners/scripts/install-runner-packages | 61 -------- 11 files changed, 199 insertions(+), 290 deletions(-) create mode 100644 runners/Containerfile rename runners/{buildah.sh => container-tools/buildah} (100%) rename runners/{podman-remote.sh => container-tools/podman} (100%) delete mode 100644 runners/docker.json create mode 100644 runners/gcloud-artifacts-locations delete mode 100644 runners/install-runner delete mode 100644 runners/podman.containerfile delete mode 100755 runners/scripts/install-runner-packages diff --git a/.github/workflows/publish-runner.yaml b/.github/workflows/publish-runner.yaml index 87ffa47..c197d7b 100644 --- a/.github/workflows/publish-runner.yaml +++ b/.github/workflows/publish-runner.yaml @@ -1,6 +1,10 @@ name: Publish Runner Image on: + pull_request: + branches: + - main + workflow_dispatch: inputs: version: @@ -46,7 +50,7 @@ jobs: id: runner run: | version="${{ inputs.version }}"; version="${version#v}" - from_file="$(cat runners/podman.containerfile | + from_file="$(cat runners/Containerfile | sed -En '/ARG\s+RUNNER_VERSION/ { s/ARG\s+RUNNER_VERSION=//; p; }')" echo "version=${version:-$from_file}" >> $GITHUB_OUTPUT 
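Review bot: The new `from_file="$(cat runners/Containerfile |` line still feeds sed a filter that prints every line matching `ARG\s+RUNNER_VERSION`, so a second declaration of that ARG in the Containerfile (e.g. redeclared in the final stage) would turn the `version=` output entry into two lines; quitting after the first match avoids that and the `cat` can be folded into sed: `from_file="$(sed -En '/ARG\s+RUNNER_VERSION/ { s/ARG\s+RUNNER_VERSION=//; p; q; }' runners/Containerfile)"`. This matters more now that the `pull_request` trigger added in the first hunk runs this step with `inputs.version` empty, so the fallback is the only source of the version on PR builds. The redirect on the last line should also quote its target, `>> "$GITHUB_OUTPUT"`.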
@@ -82,9 +86,10 @@ jobs: id: build-and-push uses: docker/build-push-action@v6 with: - file: runners/podman.containerfile + file: runners/Containerfile context: ./runners - push: true + # Publish image when the workflow is explicitly invoked + push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: | diff --git a/runners/Containerfile b/runners/Containerfile new file mode 100644 index 0000000..453e7fd --- /dev/null +++ b/runners/Containerfile 
@@ -0,0 +1,143 @@ +## --- Actions Runner Dist +FROM alpine as runner-dist +# renovate: datasource=github-releases depName=actions/runner +ARG RUNNER_VERSION=2.321.0 +# renovate: datasource=github-releases depName=actions/runner-container-hooks +ARG RUNNER_CONTAINER_HOOKS_VERSION=0.6.2 +# +ARG TARGETARCH="" +ARG TARGETOS="linux" + +# Fetch runner +# ref: https://github.com/actions/runner/blob/main/images/Dockerfile +# +RUN apk add --update curl gzip unzip +WORKDIR /dist + +RUN export RUNNER_ARCH=${TARGETARCH:-$(arch | sed 's/x86_64/amd64/')} \ + && if [ "$RUNNER_ARCH" = "amd64" ]; then export RUNNER_ARCH=x64 ; fi \ + && curl -f -L -o runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-${TARGETOS}-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz \ + && tar xzf ./runner.tar.gz \ + && rm runner.tar.gz + +RUN curl -f -L -o runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \ + && unzip ./runner-container-hooks.zip -d ./k8s \ + && rm runner-container-hooks.zip + +COPY gcloud-artifacts-locations /tmp/ +RUN mkdir -p /runner/tools/helpers \ + # create comma separated google docker registries list \ + && cat /tmp/gcloud-artifacts-locations | sed -ne '/^#/!{ s/$/-docker.pkg.dev/; p}' | sed ':a;N;$!ba;s/\n/,/g' > /runner/tools/helpers/gcr-registries.list + + + +## --- Actions Runner Image +FROM ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab +ARG TARGETARCH="${TARGETARCH}" +ARG TARGETOS="${TARGETOS:-linux}" + +# renovate: datasource=github-releases depName=bitdeps/podman-static +ARG PODMAN_VERSION=5.3.1 +# renovate: datasource=github-releases depName=cli/cli +ARG GH_CLI_VERSION=2.65.0 +# renovate: datasource=github-releases depName=GoogleCloudPlatform/docker-credential-gcr +ARG GCR_CREDSHELPER_VERSION=2.1.25 + +# Runner specific environment. 
RUNNER_TOOLS_BIN is mounted into job containers +# which provides static tools and scripts +ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache +ENV RUNNER_TOOLS_BIN=/runner/tools/bin + +COPY --from=runner-dist /runner/tools /runner/tools +COPY --chmod=755 container-tools/* $RUNNER_TOOLS_BIN/ +# Copy docker wrapper for podman providing compatibility for actions-runner +COPY --chmod=755 docker-compat.sh /usr/bin/docker + + +# Update and install essentials +RUN apt update -y \ + && apt install -y --no-install-recommends wget curl ca-certificates git lsb-release unzip uidmap libcap2-bin iptables tini \ + apt-transport-https gnupg \ + && rm -rf /var/lib/apt/lists/* /var/cache/apt + +# Install static podman +RUN export ARCH=${TARGETARCH:-$(arch | sed 's/x86_64/amd64/')}; \ + curl -sL https://github.com/bitdeps/podman-static/releases/download/v${PODMAN_VERSION}/podman-linux-${ARCH}.tar.gz | tar xzC /tmp \ + && dist=/tmp/podman-linux-${ARCH} \ + # clean up dist and copy \ + && rm ${dist}/usr/local/bin/runc && cp -r ${dist}/etc ${dist}/usr / \ + # Link podman as podman-static to runner tools, since jobs podman wrapper uses it \ + && ln /usr/local/bin/podman $RUNNER_TOOLS_BIN/podman-static \ + # clean up \ + && rm -rf /tmp/* + +# Create runner user (1001:1001) with subordinate id mappings +RUN useradd -u 1001 -Um -d /home/runner -s /bin/bash runner \ + && printf "runner:1:1000\nrunner:1002:64535\n" | tee /etc/subuid > /etc/subgid \ + && mkdir -p /run/user/1001 \ + && chown runner:runner /run/user/1001 \ + && chmod a+x /run/user/1001 \ + ## Volumes might be passed with nosuid flag, this doesn't work well on debian/ubuntu! \ + ## So suid/sgid bits are removed from uid mapping binaries and capabilities are set directly. 
\ + && chmod 0755 /usr/bin/newuidmap /usr/bin/newgidmap \ + && setcap cap_setuid+ep /usr/bin/newuidmap \ + && setcap cap_setgid+ep /usr/bin/newgidmap + +# Copy actions runner dist +COPY --chown=runner:runner --from=runner-dist /dist /home/runner + +# Setup and links directories +RUN mkdir /opt/hostedtoolcache && chgrp runner /opt/hostedtoolcache \ + && chmod g+rwx /opt/hostedtoolcache \ + && mkdir -p /home/runner/.local/bin /home/runner/.local/share/containers \ + && chown -R runner:runner /home/runner/.local \ + # switch to legacy iptables for better compatibility \ + && update-alternatives --set iptables /usr/sbin/iptables-legacy + +# Copy runner configuration and env +COPY containers /etc/containers +COPY runner/hooks /runner/hooks +COPY --chown=runner:runner runner/containers.conf /home/runner/.config/containers/ +COPY --chown=runner:runner runner/env /home/runner/.env +COPY --chmod=755 entrypoint.sh /usr/bin + +# Setup environment +ENV PATH="${PATH}:/home/runner/.local/bin:/home/runner/bin:${RUNNER_TOOLS_BIN}" +ENV ImageOS=ubuntu24 +ENV RUNNER_MANUALLY_TRAP_SIG=1 +ENV ACTIONS_RUNNER_PRINT_LOG_TO_STDOUT=1 +ENV XDG_RUNTIME_DIR=/run/user/1001 +ENV DOCKER_HOST=unix:///run/user/1001/podman/podman.sock +ENV _CONTAINERS_USERNS_CONFIGURED="" +# Force container jobs only mode (i.e. runner does not support jobs without job..container set)! 
+ENV ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER=true +# Use the fix to mitigate startup on ubuntu 24.04 +ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 + +RUN echo "PATH=${PATH}" > /etc/environment \ + && echo "ImageOS=${ImageOS}" >> /etc/environment \ + && echo "DOCKER_HOST=${DOCKER_HOST}" >> /etc/environment \ + && echo "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}" >> /etc/environment + + +# Install static tools +RUN cd /tmp; export ARCH=${TARGETARCH:-$(arch | sed 's/x86_64/amd64/')}; \ + # install static gh cli \ + curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_${TARGETOS}_${ARCH}.tar.gz | \ + tar -xz && mv gh_${GH_CLI_VERSION}_${TARGETOS}_${ARCH}/bin/gh $RUNNER_TOOLS_BIN \ + && rm -rf /tmp/* + +# Install docker credential helper for Google Artifact Registry +RUN export ARCH=${TARGETARCH:-$(arch | sed 's/x86_64/amd64/')}; \ + curl -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${GCR_CREDSHELPER_VERSION}/docker-credential-gcr_${TARGETOS}_${ARCH}-${GCR_CREDSHELPER_VERSION}.tar.gz" \ + | tar xz docker-credential-gcr \ + && chmod +x docker-credential-gcr && mv docker-credential-gcr /usr/local/bin/ + +WORKDIR /home/runner +VOLUME ["/home/runner/.local/share/containers"] +USER runner + +# User specific setup +RUN docker-credential-gcr configure-docker --registries=$(cat /runner/tools/helpers/gcr-registries.list) + +ENTRYPOINT ["tini", "--", "/usr/bin/entrypoint.sh"] diff --git a/runners/buildah.sh b/runners/container-tools/buildah similarity index 100% rename from runners/buildah.sh rename to runners/container-tools/buildah diff --git a/runners/podman-remote.sh b/runners/container-tools/podman similarity index 100% rename from runners/podman-remote.sh rename to runners/container-tools/podman diff --git a/runners/containers/containers.conf b/runners/containers/containers.conf index 7e8e636..a5a01b7 100644 --- a/runners/containers/containers.conf +++ b/runners/containers/containers.conf 
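Review bot: None of the binaries fetched in this Containerfile are integrity-checked: the runner and container-hooks archives in the `runner-dist` stage, the podman-static tarball, the gh CLI tarball and docker-credential-gcr are all downloaded and unpacked straight from the GitHub release without comparing a digest, so a substituted release asset would be baked into the runner image unnoticed. Pinning by version alone does not give that guarantee; add a per-artifact `ARG` holding the published sha256 and verify before extraction, e.g. `ARG RUNNER_SHA256=<sha256 from the actions/runner release checksums>` and `echo "${RUNNER_SHA256}  runner.tar.gz" | sha256sum -c -` between the curl and the tar in the runner fetch step. The same helper stage starts from `FROM alpine as runner-dist` with no tag while the final stage is pinned by digest; pin the helper stage too (`FROM alpine:<version> AS runner-dist`). The gh CLI and podman downloads use `curl -sL` without `-f` and pipe into tar without pipefail, so an HTTP error body is handed to tar instead of failing the step clearly; use `-fsSL` as the docker-credential-gcr step already does. Separately, the old `ln $RUNNER_TOOLS_BIN/podman $RUNNER_TOOLS_BIN/docker` was dropped, so unless container-tools/ carries a `docker` entry not shown in this diff, job containers no longer receive a `docker` command from RUNNER_TOOLS_BIN.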
@@ -1,14 +1,8 @@
 # See https://github.com/containers/common/blob/master/pkg/config/containers.conf
-# and https://github.com/containers/podman/blob/master/contrib/podmanimage/stable/containers.conf
-[containers]
-netns="host"
-userns="host"
-ipcns="host"
-utsns="host"
-cgroupns="host"
-cgroups="disabled"
-unmask = "/proc/*"
 [engine]
 cgroup_manager = "cgroupfs"
 events_logger="file"
 runtime="crun"
+
+[network]
+network_backend = "cni"
diff --git a/runners/docker.json b/runners/docker.json
deleted file mode 100644
index d443543..0000000
--- a/runners/docker.json
+++ /dev/null
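Review bot: The added `network_backend = "cni"` carries no comment on why CNI is selected, and CNI is a backend that upstream Podman 5.x builds only include when compiled with the `cni` build tag, so this line appears to depend on bitdeps/podman-static being built with CNI support — worth confirming against that project's build flags. Record the reasoning next to the setting, e.g. `# cni: netavark does not work in rootless cloud (e.g. GKE) environments; requires a podman build with CNI support` above the `[network]` table, since the README hunk in the second patch is the only place this rationale currently appears.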
@@ -1,53 +0,0 @@ -{ - "credHelpers": { - "gcr.io": "gcloud", - "us.gcr.io": "gcloud", - "eu.gcr.io": "gcloud", - "asia.gcr.io": "gcloud", - "staging-k8s.gcr.io": "gcloud", - "marketplace.gcr.io": "gcloud", - "africa-south1-docker.pkg.dev": "gcloud", - "asia-east1-docker.pkg.dev": "gcloud", - "asia-east2-docker.pkg.dev": "gcloud", - "asia-northeast1-docker.pkg.dev": "gcloud", - "asia-northeast2-docker.pkg.dev": "gcloud", - "asia-northeast3-docker.pkg.dev": "gcloud", - "asia-south1-docker.pkg.dev": "gcloud", - "asia-south2-docker.pkg.dev": "gcloud", - "asia-southeast1-docker.pkg.dev": "gcloud", - "asia-southeast2-docker.pkg.dev": "gcloud", - "australia-southeast1-docker.pkg.dev": "gcloud", - "australia-southeast2-docker.pkg.dev": "gcloud", - "europe-central2-docker.pkg.dev": "gcloud", - "europe-north1-docker.pkg.dev": "gcloud", - "europe-southwest1-docker.pkg.dev": "gcloud", - "europe-west1-docker.pkg.dev": "gcloud", - "europe-west10-docker.pkg.dev": "gcloud", - "europe-west12-docker.pkg.dev": "gcloud", - "europe-west2-docker.pkg.dev": "gcloud", - "europe-west3-docker.pkg.dev": "gcloud", - "europe-west4-docker.pkg.dev": "gcloud", - "europe-west6-docker.pkg.dev": "gcloud", - "europe-west8-docker.pkg.dev": "gcloud", - "europe-west9-docker.pkg.dev": "gcloud", - "me-central1-docker.pkg.dev": "gcloud", - "me-central2-docker.pkg.dev": "gcloud", - "me-west1-docker.pkg.dev": "gcloud", - "northamerica-northeast1-docker.pkg.dev": "gcloud", - "northamerica-northeast2-docker.pkg.dev": "gcloud", - "southamerica-east1-docker.pkg.dev": "gcloud", - "southamerica-west1-docker.pkg.dev": "gcloud", - "us-central1-docker.pkg.dev": "gcloud", - "us-east1-docker.pkg.dev": "gcloud", - "us-east4-docker.pkg.dev": "gcloud", - "us-east5-docker.pkg.dev": "gcloud", - "us-south1-docker.pkg.dev": "gcloud", - "us-west1-docker.pkg.dev": "gcloud", - "us-west2-docker.pkg.dev": "gcloud", - "us-west3-docker.pkg.dev": "gcloud", - "us-west4-docker.pkg.dev": "gcloud", - "asia-docker.pkg.dev": "gcloud", - 
"europe-docker.pkg.dev": "gcloud", - "us-docker.pkg.dev": "gcloud" - } -} diff --git a/runners/entrypoint.sh b/runners/entrypoint.sh index 2a93ed4..dc4711b 100755 --- a/runners/entrypoint.sh +++ b/runners/entrypoint.sh @@ -3,9 +3,6 @@ # Start podman socket podman system service --time=0 & -# Update and use the recent runner, it's preferrable for better API compatibility. -install-runner - if (! which "$1" 1>/dev/null 2>/dev/null ) && [ ! -x "$1" ]; then # expect script or bash commands set -- bash "$@" diff --git a/runners/gcloud-artifacts-locations b/runners/gcloud-artifacts-locations new file mode 100644 index 0000000..0b77c31 --- /dev/null +++ b/runners/gcloud-artifacts-locations @@ -0,0 +1,45 @@ +# gcloud artifacts locations list +africa-south1 +asia +asia-east1 +asia-east2 +asia-northeast1 +asia-northeast2 +asia-northeast3 +asia-south1 +asia-south2 +asia-southeast1 +asia-southeast2 +australia-southeast1 +australia-southeast2 +europe +europe-central2 +europe-north1 +europe-southwest1 +europe-west1 +europe-west10 +europe-west12 +europe-west2 +europe-west3 +europe-west4 +europe-west6 +europe-west8 +europe-west9 +me-central1 +me-central2 +me-west1 +northamerica-northeast1 +northamerica-northeast2 +northamerica-south1 +southamerica-east1 +southamerica-west1 +us +us-central1 +us-east1 +us-east4 +us-east5 +us-south1 +us-west1 +us-west2 +us-west3 +us-west4 diff --git a/runners/install-runner b/runners/install-runner deleted file mode 100644 index ad395ed..0000000 --- a/runners/install-runner +++ /dev/null 
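Review bot: The new gcloud-artifacts-locations list only yields `*-docker.pkg.dev` hosts, whereas the deleted runners/docker.json also registered the `gcloud` helper for gcr.io, us.gcr.io, eu.gcr.io, asia.gcr.io, staging-k8s.gcr.io and marketplace.gcr.io. Whether those hosts still get a credential helper depends on how `docker-credential-gcr configure-docker --registries=...` treats its default gcr.io set when the flag is given — verify against the helper's documentation and record the outcome as a second comment line here, e.g. `# Artifact Registry locations only; gcr.io hosts were previously configured via docker.json — verify docker-credential-gcr still covers them` (lines beginning with `#` are skipped by the sed in the Containerfile). Noting the gcloud version or date the list was captured from in the header comment would also make refreshing it easier.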
@@ -1,39 +0,0 @@ -#!/bin/bash -set -e -RUNNER_ARCH="${TARGETARCH:-$(arch)}" -RUNNER_HOME=/home/runner - -get_latest_tag() { - local github_repo="$1" - curl -I -s \ - --retry-max-time "${RETRY_MAX_TIME:-60}" \ - --retry "${RETRIES:-3}" \ - --retry-connrefused \ - "https://github.com/${github_repo}/releases/latest" 2>&1 | - sed -n '/^location:/ { s/location: https.*tag\///; p }' | tr -d '\n\r' -} - -## Installs or updates runner when invoked -install_runner() { - local arch="" version="" current_version="" latest_version="" - latest_version="$(get_latest_tag 'actions/runner')" - latest_version="${latest_version#v}" - current_version="$(cat "$RUNNER_HOME/.version" 2> /dev/null || :)" - version="$latest_version" - - if [ -n "$RUNNER_VERSION" ] && [ -z "$current_version" ]; then - version="$RUNNER_VERSION" - elif [ -n "$current_version" ]; then - if [ "$latest_version" = "$current_version" ]; then return 0; fi - echo "=> New runner version is available." - fi - - if [[ "$RUNNER_ARCH" = "amd64" || "$RUNNER_ARCH" = "x86_64" ]]; then arch=x64 ; fi - echo -n "=> Installing github actions runner version $version... " - mkdir -p /tmp/runnerdist - curl -sL "https://github.com/actions/runner/releases/download/v${version}/actions-runner-linux-${arch}-${version}.tar.gz" | tar xzC /tmp/runnerdist - chown -R runner:runner /tmp/runnerdist && mv -f /tmp/runnerdist/* "$RUNNER_HOME" - echo -n "$version" > "$RUNNER_HOME/.version" && echo "done." -} - -install_runner diff --git a/runners/podman.containerfile b/runners/podman.containerfile deleted file mode 100644 index 9c50d08..0000000 --- a/runners/podman.containerfile +++ /dev/null 
@@ -1,122 +0,0 @@ -FROM ubuntu:24.04@sha256:35b7fc72eb7c652dc1f4e5bfbdb9cdb308c3a6b1b96abc61317b931007b9aac8 - -ARG TARGETARCH -# renovate: datasource=github-releases depName=actions/runner -ARG RUNNER_VERSION=2.321.0 -# renovate: datasource=github-releases depName=mgoltzsche/podman-static -ARG PODMAN_VERSION=4.9.5 -# renovate: datasource=github-releases depName=containers/crun -ARG CRUN_VERSION=1.19.1 -# renovate: datasource=github-releases depName=cli/cli -ARG TOOL_GH_VERSION=2.63.1 - -ENV RUNNER_TOOLS_BIN=/runner/tools/bin - -# Fetch deps and prepare -RUN export DEBIAN_FRONTEND=noninteractive; apt-get -y update && apt-get install -y \ - wget curl git lsb-release unzip uidmap libcap2-bin iptables sudo tini \ - apt-transport-https gnupg \ - && mkdir -p $RUNNER_TOOLS_BIN \ - # clean up \ - && apt-get -y clean \ - && rm -rf /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/* - -## Create runner user (1001:1001) with subordinate id mappings -RUN useradd -u 1001 -Um -d /home/runner -s /bin/bash runner \ - && printf "runner:1:1000\nrunner:1002:64535\n" | tee /etc/subuid > /etc/subgid \ - && mkdir -p /run/user/1001 \ - && chown runner:runner /run/user/1001 \ - && chmod a+x /run/user/1001 \ - ## Volumes might be passed with nosuid flag, this doesn't work well on debian/ubuntu! \ - ## So suid/sgid bits are removed from uid mapping binaries and capabilites are set directly. 
\ - && chmod 0755 /usr/bin/newuidmap /usr/bin/newgidmap \ - && setcap cap_setuid+ep /usr/bin/newuidmap \ - && setcap cap_setgid+ep /usr/bin/newgidmap - -## Install static podman -RUN \ - curl -sL https://github.com/mgoltzsche/podman-static/releases/download/v${PODMAN_VERSION}/podman-linux-${TARGETARCH}.tar.gz | tar xzC /tmp \ - && curl -sL https://github.com/containers/crun/releases/download/${CRUN_VERSION}/crun-${CRUN_VERSION}-linux-${TARGETARCH}-disable-systemd -o \ - /usr/local/bin/crun && chmod 755 /usr/local/bin/crun \ - && dist=/tmp/podman-linux-${TARGETARCH}; cp -r ${dist}/etc ${dist}/usr / \ - # Make podman-static (intentional, so that container jobs don't invoke podman directly) \ - && ln /usr/local/bin/podman $RUNNER_TOOLS_BIN/podman-static \ - # remove runc and clean up \ - && rm /usr/local/bin/runc && rm -rf /tmp/* - -## Install Github Actions runner -ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache -COPY --chmod=755 install-runner /usr/bin -RUN RUNNER_VERSION=${RUNNER_VERSION} install-runner \ - && /home/runner/bin/installdependencies.sh \ - && apt-get -y clean && rm -rf /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/* \ - # Setup hosted toolcache directory \ - && mkdir /opt/hostedtoolcache \ - && chgrp runner /opt/hostedtoolcache \ - && chmod g+rwx /opt/hostedtoolcache - -## Setup container jobs tools and configuration -COPY --chmod=755 buildah.sh $RUNNER_TOOLS_BIN/buildah -RUN cd /tmp; \ - # install static gh cli \ - curl -sL https://github.com/cli/cli/releases/download/v${TOOL_GH_VERSION}/gh_${TOOL_GH_VERSION}_linux_${TARGETARCH}.tar.gz | \ - tar -xz && mv gh_${TOOL_GH_VERSION}_linux_${TARGETARCH}/bin/gh $RUNNER_TOOLS_BIN \ - && rm -rf /tmp/* - -## Remote wrappers used by container jobs podman/docker -COPY --chmod=755 podman-remote.sh $RUNNER_TOOLS_BIN/podman -RUN ln $RUNNER_TOOLS_BIN/podman $RUNNER_TOOLS_BIN/docker - -## Setup runner configuration and scripts -COPY --chmod=755 docker-compat.sh /usr/bin/docker -COPY containers /etc/containers -COPY 
runner/hooks /runner/hooks -COPY --chown=runner:runner runner/containers.conf /home/runner/.config/containers/ -COPY --chown=runner:runner runner/env /home/runner/.env -COPY --chmod=755 entrypoint.sh /usr/bin - -## Runner environment -## Note: runner_tools_bin contains podman and docker should not override those used -## by the runner, i.e have lower priority in the PATH -## -ENV PATH="${PATH}:/home/runner/.local/bin:/home/runner/bin:${RUNNER_TOOLS_BIN}" -ENV ImageOS=ubuntu22 -ENV RUNNER_MANUALLY_TRAP_SIG=1 -ENV ACTIONS_RUNNER_PRINT_LOG_TO_STDOUT=1 -ENV XDG_RUNTIME_DIR=/run/user/1001 -ENV DOCKER_HOST=unix:///run/user/1001/podman/podman.sock -ENV _CONTAINERS_USERNS_CONFIGURED="" -## Note: Forces container jobs only mode! -ENV ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER=true -## Use the fix to mitigate startup on ubuntu 24.04 -ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 - -## Misc -RUN echo "PATH=${PATH}" > /etc/environment \ - && echo "ImageOS=${ImageOS}" >> /etc/environment \ - && echo "DOCKER_HOST=${DOCKER_HOST}" >> /etc/environment \ - && echo "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}" >> /etc/environment \ - && mkdir -p /home/runner/.local/bin /home/runner/.local/share/containers \ - && chown -R runner:runner /home/runner/.local \ - # switch to legacy iptables for better compatibility \ - && update-alternatives --set iptables /usr/sbin/iptables-legacy - -# install docker registry auth providers -RUN \ - # gcloud \ - curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | \ - gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg \ - && echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | \ - tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \ - && apt-get -y update && apt-get install -y google-cloud-cli \ - # clean up \ - && apt-get -y clean \ - && rm -rf /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/* - -# configure docker auth -COPY --chown=runner:runner docker.json /home/runner/.docker/config.json 
- -WORKDIR /home/runner -VOLUME ["/home/runner/.local/share/containers"] -USER runner -ENTRYPOINT ["tini", "--", "/usr/bin/entrypoint.sh"] diff --git a/runners/scripts/install-runner-packages b/runners/scripts/install-runner-packages deleted file mode 100755 index a3c96de..0000000 --- a/runners/scripts/install-runner-packages +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash -set -e -: "${RUNNER_IMAGES_VERSION:?Must be provided}" - -ubuntu_version="2204" -checkout_dir=/runner-images -osdir="${checkout_dir}/images/ubuntu" -scripts_dir="${checkout_dir}"/images/ubuntu/scripts/build - -## ref: https://github.com/actions/runner-images/tags -## exports are used by runner-images scripts -export HELPER_SCRIPTS="${checkout_dir}"/images/ubuntu/scripts/helpers -export INSTALLER_SCRIPT_FOLDER="${checkout_dir}/imagegeneration" - -git config --global advice.detachedHead false - -setup() { - if [ -d "$checkout_dir" ]; then - return 0 - fi - - echo "Cloning actions/runner-images and setting things up..." - git clone --branch "${RUNNER_IMAGES_VERSION}" --single-branch https://github.com/actions/runner-images "${checkout_dir}" - mkdir -p "${INSTALLER_SCRIPT_FOLDER}" && cp "${osdir}/toolsets/toolset-${ubuntu_version}".json "${INSTALLER_SCRIPT_FOLDER}/toolset.json" - exit 0 -} - -check_os() { - if [ "$(lsb_release -cs)" != "jammy" ]; then - >&2 echo "OS other than Ubuntu 22.04 (jammy) is not supported!" - exit 1 - fi -} - -if [[ "$*" == *"--setup"* ]]; then - setup -fi - -## --------------- Install packages (runs on ubuntu) -function invoke_tests { /bin/true; } -export -f invoke_tests - -check_os -if [ ! -f /etc/apt/trusted.gpg.d/microsoft-prod.gpg ]; then - chmod +x "${osdir}/scripts/build/install-ms-repos.sh" - "${osdir}/scripts/build/install-ms-repos.sh" -fi - -if [ $# -eq 0 ]; then - echo "Usage: $0 package..." - exit 1 -fi - -for pkg in "$@"; do - script="${scripts_dir}/install-${pkg}.sh" - if [ ! -f "$script" ]; then - >&2 echo "Package ${pkg} is not available!" - fi - chmod +x "${script}" - "${script}" -done From bcda001aa7deddefeee2b1f62db0c87d7b23e381 Mon Sep 17 00:00:00 2001 From: Denis Baryshev Date: Mon, 13 Jan 2025 02:01:58 +0700 Subject: [PATCH 2/2] fix: provide readme 
Signed-off-by: Denis Baryshev --- README.md | 179 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 178 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 977879f..9a945a2 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,179 @@ # actions-runner -GitHub actions runner and images + +GitHub Actions runner and images based on Podman. + +## Podman 5.x + +The Bitdeps Actions Runner uses a statically built version of Podman, which differs from the official Microsoft runner and offers unique features. Unlike the official runner, this version provides: + +- **Rootless execution** on Kubernetes with minimal capabilities (only SETUID and SETGID are used). +- **No need for Buildx** — efficient multi-architecture builds are supported out of the box. +- **Container-only job execution** — this runner is designed exclusively for container jobs. +- **Pre-configured tools**: + - A Docker compatibility wrapper for remote Podman execution inside any job container. + - GitHub CLI tool. + - Pre-configured Google Artifacts Registry credential helper. + +### Known Limitations + +Rootless execution in cloud environments like GKE has some limitations. For instance, port mapping and DNS for service containers do not work as expected. Podman relies on the CNI plugin, and [Netavark](https://www.redhat.com/en/blog/podman-new-network-stack) does not function well in cloud environments. Despite this, the overall user experience remains smooth. + +## Using Podman Actions + +Since this runner does not use Buildx or Docker, Podman-native actions are used instead. Here are some examples: + +```yaml +jobs: + build: + runs-on: myrunner + + permissions: + contents: read + packages: write + + ## Container jobs are only allowed! + container: + image: images/alpine:latest + + steps: + - name: Build Image + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: myorg/repo + context: . 
+ tags: latest + build-args: "" + containerfiles: Containerfile + + - name: Push to Artifact Registry + uses: redhat-actions/push-to-registry@v2 + with: + image: myorg/repo + tags: latest + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} +``` + +For more information: + * [buildah-build GitHub Action](https://github.com/redhat-actions/buildah-build) + * [push-to-registry GitHub Action](https://github.com/redhat-actions/push-to-registry) + +## Deploying on Kubernetes + +The standard method for deploying self-hosted runners in Kubernetes is using [actions-runner-controller](https://github.com/actions/actions-runner-controller). For detailed setup, refer to the [official documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set). + +Further configuration details are provided below. + +### Fuse Device Plugin + +With the Fuse device plugin, pods no longer need to run in privileged mode to access `/dev/fuse`. The DaemonSet below injects the fuse device into pods running on matched nodes. [Learn more](https://github.com/kubernetes-learning-group/fuse-device-plugin/blob/master/README_EN.md). 
+ +```yaml +apiVersion: apps/v1 +kind: DaemonSet +spec: + template: + spec: + hostNetwork: true + nodeSelector: + myorg/gh-runner: "true" + tolerations: + - key: myorg/gh-runner + operator: Exists + effect: NoSchedule + containers: + - image: soolaugust/fuse-device-plugin:v1.0 + name: fuse-device-plugin-ctr + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + volumeMounts: + - name: device-plugin + mountPath: /var/lib/kubelet/device-plugins + volumes: + - name: device-plugin + hostPath: + path: /var/lib/kubelet/device-plugins +``` + +### Actions Runner Controller Values + +Refer to the [values.yaml](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml) for configuration reference. The configuration below highlights important settings, such as the Fuse device plugin, virtual network interface, and AppArmor security profile. + +```yaml +template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/runner: unconfined + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + + spec: + serviceAccountName: scale-set-wi + + nodeSelector: + myorg/gh-runner: "true" + + tolerations: + - key: myorg/gh-runner + operator: Exists + effect: NoSchedule + + containers: + - name: runner + command: + - entrypoint.sh + - /home/runner/run.sh + imagePullPolicy: Always + image: ghcr.io/bitdeps/actions-runner:5.3.1 + + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + capabilities: + allowPrivilegeEscalation: false + drop: ["ALL"] + add: + - SETUID + - SETGID + + resources: + requests: + cpu: 500m + memory: 3350Mi + + limits: + github.com/fuse: 1 + cpu: 2 + memory: 3350Mi + + volumeMounts: + - mountPath: /home/runner/.local/share/containers + name: podman-local + + # Virtual network interfaces mount + - mountPath: /dev/net/tun + name: dev-tun + + # Additional registry shortnames for Podman + - name: shortnames + mountPath: 
"/etc/containers/registries.conf.d/001-shortnames.conf" + subPath: 001-shortnames.conf + readOnly: true + + volumes: + - name: podman-local + emptyDir: {} + + - name: dev-tun + hostPath: + path: /dev/net/tun + type: CharDevice + + - name: shortnames + configMap: + name: scale-set-configs-shortnames +```