From 19f8e34ad09f9f082cf14914121da77a2f05ef36 Mon Sep 17 00:00:00 2001
From: sebthom
Date: Sat, 27 May 2023 13:55:49 +0200
Subject: [PATCH] Avoid using sudo if on happy path
---
 image/DinD.Dockerfile | 1 +
 image/Dockerfile | 1 +
 image/run.sh | 60 +++++++++++++++++++++++++++++++++++--------
 image/run_fixids.sh | 21 ++-------------
 image/run_runner.sh | 20 +++++++++++++++
 5 files changed, 74 insertions(+), 29 deletions(-)
diff --git a/image/DinD.Dockerfile b/image/DinD.Dockerfile
index 0c14482..ee5d307 100644
--- a/image/DinD.Dockerfile
+++ b/image/DinD.Dockerfile
@@ -83,6 +83,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <> /etc/sudoers
diff --git a/image/Dockerfile b/image/Dockerfile
index dfe8586..3be071a 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -83,6 +83,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <> /etc/sudoers
diff --git a/image/run.sh b/image/run.sh
index 3fc6772..57843a5 100644
--- a/image/run.sh
+++ b/image/run.sh
@@ -7,10 +7,11 @@ # source /opt/bash-init.sh
-#################################################
+#################################################################
 # print header
-#################################################
-cat <<'EOF'
+#################################################################
+if [[ ${1:-} == "" ]]; then
+ cat <<'EOF'
 _____ _ _ _ _____ / ____(_) | /\ | | | __ \ | | __ _| |_ ___ __ _ / \ ___| |_ | |__) | _ _ __ _ __ ___ _ __
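Review bot: The new `if [[ ${1:-} == "" ]]; then` makes the banner depend on an undocumented positional argument, and nothing in this patch passes one (the `sudo -E bash ${BASH_SOURCE[0]}` re-invocations in the next hunk and in run_fixids.sh pass no arguments), so the intent is only guessable; a one-line comment above it such as `# any first argument suppresses the banner (e.g. when re-invoked)` would pin it down, or the check could be written `[[ -z ${1:-} ]]` if no argument protocol is intended. The `if` opened here closes in the following hunk. The Dockerfile hunks above are not legible on this page (the heredoc content is truncated to `<> /etc/sudoers`), so the sudoers change itself could not be reviewed.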
@@ -19,12 +20,51 @@ cat <<'EOF'
 \_____|_|\__\___|\__,_| /_/ \_\___|\__| |_| \_\__,_|_| |_|_| |_|\___|_|
 EOF
-cat /opt/build_info
-echo
+ cat /opt/build_info
+ echo
-log INFO "Timezone is $(date +"%Z %z")"
-log INFO "Hostname: $(hostname -f)"
-log INFO "IP Addresses: "
-awk '/32 host/ { if(uniq[ip]++ && ip != "127.0.0.1") print " - " ip } {ip=$2}' /proc/net/fib_trie
+ log INFO "Timezone is $(date +"%Z %z")"
+ log INFO "Hostname: $(hostname -f)"
+ log INFO "IP Addresses: "
+ awk '/32 host/ { if(uniq[ip]++ && ip != "127.0.0.1") print " - " ip } {ip=$2}' /proc/net/fib_trie
+fi
-exec sudo -E bash /opt/run_fixids.sh
+
+#################################################################
+# start docker deamon (if installed = DinD)
+#################################################################
+if [[ -f /usr/bin/dockerd ]]; then
+ [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
+ log INFO "Starting docker engine..."
+ sudo service docker start
+ while [[ ! -e /var/run/docker.sock ]]; do sleep 2; done
+fi
+
+
+#################################################################
+# check if act user UID/GID needs adjustment
+#################################################################
+fixids=false
+if [ -n "${GITEA_RUNNER_UID:-}" ]; then
+ effective_uid=$(id -u act)
+ if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
+ fixids=true
+ fi
+fi
+
+if [ -n "${GITEA_RUNNER_GID:-}" ]; then
+ effective_gid=$(id -g act)
+ if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
+ fixids=true
+ fi
+fi
+
+
+#################################################################
+# adjust act user UID/GID if required
+#################################################################
+if [[ $fixids == "true" ]]; then
+ exec sudo -E bash /opt/run_fixids.sh
+else
+ bash /opt/run_runner.sh
+fi
diff --git a/image/run_fixids.sh b/image/run_fixids.sh
index a92265e..02877ba 100644
--- a/image/run_fixids.sh
+++ b/image/run_fixids.sh
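Review bot: The guard `[[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}` in the dockerd block neither `exec`s nor exits, so when run.sh starts as a non-root user the root child runs the whole remainder (docker start, UID/GID check, `bash /opt/run_runner.sh`) and then the non-root parent continues and launches the runner a second time; the same pattern is added twice in run_fixids.sh. Since the next lines already elevate explicitly with `sudo service docker start`, the re-exec line looks redundant and dropping it is the simplest fix, which also keeps the runner from ending up as root on the happy path. The `else` branch runs `bash /opt/run_runner.sh` without `exec`, unlike the `fixids` branch, so if run.sh is the container entrypoint (not visible here) the runner is not the process that receives the container's stop signal; `exec bash /opt/run_runner.sh` makes the two branches consistent. `sudo -E` hands the caller's entire environment to the root shell; limiting it to the variables actually read here (`GITEA_RUNNER_UID`, `GITEA_RUNNER_GID`) would narrow that, though the sudoers rule added in the Dockerfile hunks is not legible on this page.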
@@ -13,6 +13,7 @@ source /opt/bash-init.sh
 if [ -n "${GITEA_RUNNER_UID:-}" ]; then
 effective_uid=$(id -u act)
 if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
+ [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
 log INFO "Changing UID of user [act] from $effective_uid to $GITEA_RUNNER_UID..."
 usermod -o -u "$GITEA_RUNNER_UID" act
 fi
@@ -21,31 +22,13 @@ fi
 if [ -n "${GITEA_RUNNER_GID:-}" ]; then
 effective_gid=$(id -g act)
 if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
+ [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
 log INFO "Changing GID of user [act] from $effective_gid to $GITEA_RUNNER_GID..."
 groupmod -o -g "$GITEA_RUNNER_GID" act
 fi
 fi
 chown -R act:act /data
-if [[ -f /usr/bin/dockerd ]]; then
- log INFO "Starting docker engine..."
- service docker start
- while [[ ! -e /var/run/docker.sock ]]; do sleep 2; done
-fi
-
-docker_group=$(stat -c '%G' /var/run/docker.sock)
-if [[ $docker_group == "UNKNOWN" ]]; then
- docker_gid=$(stat -c '%g' /var/run/docker.sock)
- docker_group="docker$docker_gid"
- log INFO "Creating group [$docker_group]..."
- addgroup --gid $docker_gid $docker_group
-fi
-
-if ! id -nG act | grep -qw "$docker_group"; then
- log INFO "Adding user [act] to group [$docker_group]..."
- usermod -aG $docker_group act
-fi
-
 #################################################################
 # Launch the runner with adjusted UID/GID
diff --git a/image/run_runner.sh b/image/run_runner.sh
index e18a87d..01556f1 100644
--- a/image/run_runner.sh
+++ b/image/run_runner.sh
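Review bot: With run.sh now entering this script only when a UID/GID mismatch is detected, the unconditional `chown -R act:act /data` kept as context in the second hunk no longer runs on the happy path, so a /data volume mounted with foreign ownership is no longer repaired at start-up, whereas the old run.sh went through this script on every start. If that is intended it deserves a comment in run.sh next to the `fixids` decision; otherwise run.sh could also set `fixids=true` when `[[ ! -w /data ]]`, or the chown could move into run_runner.sh under `sudo` alongside the new docker-socket check. The two added guards `[[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}` have the same re-exec-without-exit problem raised on run.sh and should at least quote the path. The outer `if` of the first hunk closes outside it.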
@@ -11,6 +11,26 @@ log INFO "Effective user: $(id)"
 cd /data
+
+#################################################################
+# ensure act user has read/write access to /var/run/docker.sock
+#################################################################
+if [[ ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ]]; then
+ docker_group=$(stat -c '%G' /var/run/docker.sock)
+ if [[ $docker_group == "UNKNOWN" ]]; then
+ docker_gid=$(stat -c '%g' /var/run/docker.sock)
+ docker_group="docker$docker_gid"
+ log INFO "Creating group [$docker_group]..."
+ sudo addgroup --gid $docker_gid $docker_group
+ fi
+
+ if ! id -nG act | grep -qw "$docker_group"; then
+ log INFO "Adding user [act] to docker group [$(getent group $docker_group)]..."
+ sudo usermod -aG $docker_group act
+ fi
+fi
+
+
 #################################################
 # load custom init script if specified
 #################################################
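Review bot: Adding `act` to the socket's group with `sudo usermod -aG` does not change the supplementary groups of the already-running shell, so the `-w`/`-r` condition that triggered this block is still false for this process and for anything it starts directly; unless the runner launch below (outside the hunk) re-enters through `sudo -u act` or `su -l act`, which cannot be verified here, the newly granted access only takes effect on the next container start. If the socket is absent (no DinD and nothing mounted), both `stat` calls fail, `docker_group` is empty and the rest of the block operates on an empty group name; `if [[ -S /var/run/docker.sock && ( ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ) ]]; then` skips it cleanly. `$docker_gid` and `$docker_group` are unquoted in the `addgroup`/`usermod` calls and should be quoted like `"$docker_group"` is in the `grep` line.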