From d848df35a6fb02ca8d50f81cdbfa7a8298a2a72f Mon Sep 17 00:00:00 2001
From: sebthom
Date: Mon, 29 May 2023 22:19:05 +0200
Subject: [PATCH] improve build scripts

---
.github/workflows/build.yml | 8 +-
build-image.sh | 15 ++-
image/DinD.Dockerfile | 207 ------------------------------------
image/Dockerfile | 47 +++++++-
image/run.sh | 14 ++-
image/run_runner.sh | 3 +-
6 files changed, 73 insertions(+), 221 deletions(-)
delete mode 100644 image/DinD.Dockerfile

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 228bf3d..a13e78c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,9 +37,9 @@ jobs:
strategy:
matrix:
include:
- - DOCKER_FILE: Dockerfile
+ - DOCKER_IMAGE_FLAVOR: dood
DOCKER_IMAGE_TAG: latest
- - DOCKER_FILE: DinD.Dockerfile
+ - DOCKER_IMAGE_FLAVOR: dind
DOCKER_IMAGE_TAG: dind-latest
fail-fast: true
steps:
@@ -52,7 +52,7 @@ jobs:
- name: Check Dockerfile
uses: hadolint/hadolint-action@v3.1.0
with:
- dockerfile: image/${{ matrix.DOCKER_FILE }}
+ dockerfile: image/Dockerfile
ignore: DL3008,SC1091 # https://github.com/hadolint/hadolint/wiki/DL3008
- name: Cache trivy cache
@@ -78,7 +78,7 @@ jobs:
- name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ env.DOCKER_IMAGE_TAG }}
env:
DOCKER_IMAGE_TAG: ${{ matrix.DOCKER_IMAGE_TAG }}
- DOCKER_FILE: ${{ matrix.DOCKER_FILE }}
+ DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }}
DOCKER_PUSH: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }}
TRIVY_GITHUB_TOKEN: ${{ github.token }}
run: bash build-image.sh
diff --git a/build-image.sh b/build-image.sh
index 01fdf28..1994a03 100644
--- a/build-image.sh
+++ b/build-image.sh
@@ -31,7 +31,7 @@ docker run --privileged --rm tonistiigi/binfmt --install all
export DOCKER_CLI_EXPERIMENTAL=enabled # prevents "docker: 'buildx' is not a docker command."
docker buildx create --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
docker buildx build "$project_root" \
- --file "image/$DOCKER_FILE" \
+ --file "image/Dockerfile" \
--progress=plain \
--pull \
--build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \
@@ -42,12 +42,19 @@ docker buildx build "$project_root" \
--build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \
--build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \
--build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \
- --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ --build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \
+ $(if [[ "${ACT:-}" == "true" ]]; then \
+ echo -n "--output type=docker"; \
+ else \
+ echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \
+ fi) \
-t $image_name \
- $(if [[ "${DOCKER_PUSH:-0}" == "true" ]]; then echo -n "--push"; fi) \
+ $(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \
"$@"
docker buildx stop
-docker image pull $image_name
+if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
+ docker image pull $image_name
+fi
#################################################
diff --git a/image/DinD.Dockerfile b/image/DinD.Dockerfile
deleted file mode 100644
index ee5d307..0000000
--- a/image/DinD.Dockerfile
+++ /dev/null
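Review bot: `--build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR` is forwarded without any validation, and the only consumer visible in this patch is the Dockerfile's `[[ $FLAVOR == dind* ]]` test, so an unset or misspelled DOCKER_IMAGE_FLAVOR silently produces a dood image under whatever tag the caller requested — including `dind-latest` on a push to main. Fail early before the buildx call with `case "${DOCKER_IMAGE_FLAVOR:-}" in dood|dind) ;; *) echo "DOCKER_IMAGE_FLAVOR must be 'dood' or 'dind'" >&2; exit 1;; esac`, and quote the value (`--build-arg FLAVOR="$DOCKER_IMAGE_FLAVOR"`) like the GIT_* build args on the lines above. Also worth a comment: a run that is neither ACT nor DOCKER_PUSH=true now builds three platforms with neither `--push` nor `--load`, so nothing lands in the local daemon and the `docker image pull` is skipped — presumably intended as a build-only check, but a one-line comment saying so would prevent someone "fixing" it later.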
@@ -1,207 +0,0 @@ -#syntax=docker/dockerfile:1.4 -# see https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#user-content-syntax -# see https://docs.docker.com/build/dockerfile/frontend/ -# see https://docs.docker.com/engine/reference/builder/#syntax -# -# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com) -# SPDX-FileContributor: Sebastian Thomschke -# SPDX-License-Identifier: Apache-2.0 -# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner -# -# https://hub.docker.com/_/debian?tab=tags&name=stable-slim - -FROM debian:stable-slim - -LABEL maintainer="Vegard IT GmbH (vegardit.com)" - -USER root - -SHELL ["/bin/bash", "-euo", "pipefail", "-c"] - -ARG DEBIAN_FRONTEND=noninteractive -ARG LC_ALL=C - -ARG INSTALL_SUPPORT_TOOLS=0 - -ARG UPX_COMPRESS=true - -ARG BASE_LAYER_CACHE_KEY - -RUN --mount=type=bind,source=.shared,target=/mnt/shared <> /etc/sudoers - - echo "#################################################" - echo "Installing docker engine..." 
- echo "#################################################" - # https://docs.docker.com/engine/install/debian/#install-using-the-repository - apt-get install --no-install-recommends -y gnupg - install -m 0755 -d /etc/apt/keyrings - curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg - chmod a+r /etc/apt/keyrings/docker.gpg - echo \ - "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ - "$(source /etc/os-release && echo "$VERSION_CODENAME")" stable" > /etc/apt/sources.list.d/docker.list - apt-get update - apt-get install --no-install-recommends -y docker-ce docker-ce-cli containerd.io fuse-overlayfs - - minimize /usr/bin/containerd* /usr/bin/ctr /usr/bin/docker* /usr/bin/runc - - docker --version - runc --version - - # https://github.com/docker/for-linux/issues/1437#issuecomment-1293818806 - update-alternatives --set iptables /usr/sbin/iptables-legacy - update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy - - # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box - addgroup --system dockremap - adduser --system --ingroup dockremap dockremap - echo 'dockremap:165536:65536' | tee -a /etc/subuid - echo 'dockremap:165536:65536' | tee -a /etc/subgid - - usermod -aG docker act - - apt-get remove -y gnupg - - echo "#################################################" - echo "Cleanup..." 
- echo "#################################################" - apt-get remove -y binutils curl - rm -rf /opt/upx - /mnt/shared/cmd/debian-cleanup.sh - -EOF - -ARG BUILD_DATE -ARG GIT_BRANCH -ARG GIT_COMMIT_HASH -ARG GIT_COMMIT_DATE -ARG GIT_REPO_URL - -LABEL \ - org.label-schema.schema-version="1.0" \ - org.label-schema.build-date=$BUILD_DATE \ - org.label-schema.vcs-ref=$GIT_COMMIT_HASH \ - org.label-schema.vcs-url=$GIT_REPO_URL - -# Default configuration: can be overridden at the docker command line -ENV \ - INIT_SH_FILE='' \ - # - GITEA_RUNNER_CONFIG_TEMPLATE_FILE='/opt/config.template.yaml' \ - # - GITEA_RUNNER_NAME='' \ - GITEA_RUNNER_LABELS='' \ - GITEA_RUNNER_LABELS_DEFAULT='\ -ubuntu-latest:docker://catthehacker/ubuntu:runner-22.04,\ -ubuntu-22.04:docker://catthehacker/ubuntu:runner-22.04,\ -ubuntu-20.04:docker://catthehacker/ubuntu:runner-20.04' \ - GITEA_RUNNER_UID=1000 \ - GITEA_RUNNER_GID=1000 \ - # - GITEA_RUNNER_REGISTRATION_FILE='/data/.runner' \ - GITEA_RUNNER_REGISTRATION_TIMEOUT=30\ - GITEA_RUNNER_REGISTRATION_RETRY_INTERVAL=5s \ - # - GITEA_RUNNER_LOG_LEVEL='info' \ - GITEA_RUNNER_MAX_PARALLEL_JOBS=1 \ - GITEA_RUNNER_JOB_TIMEOUT='3h' \ - GITEA_RUNNER_ENV_FILE='/data/.env' \ - GITEA_RUNNER_FETCH_TIMEOUT='5s' \ - GITEA_RUNNER_FETCH_INTERVAL='2s' \ - # - GITEA_INSTANCE_INSECURE='false' \ - # - GITEA_RUNNER_JOB_CONTAINER_NETWORK='bridge' \ - GITEA_RUNNER_JOB_CONTAINER_OPTIONS='' \ - GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED='false' \ - GITEA_RUNNER_ACTION_CACHE_DIR='/data/cache/actions' \ - # - ACT_CACHE_SERVER_ENABLED='true' \ - ACT_CACHE_SERVER_DIR='/data/cache/server' \ - ACT_CACHE_SERVER_HOST='' \ - ACT_CACHE_SERVER_PORT=0 - -RUN </opt/build_info - cat /opt/build_info - -EOF - -COPY image/*.sh /opt/ -COPY image/config.template.yaml /opt/ -COPY .shared/lib/bash-init.sh /opt/bash-init.sh - -USER act - -VOLUME /data -VOLUME /var/lib/docker - -ENTRYPOINT ["/usr/bin/tini", "--"] - -CMD ["/bin/bash", "/opt/run.sh"] 
diff --git a/image/Dockerfile b/image/Dockerfile
index 3be071a..bc310b6 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -27,6 +27,9 @@ ARG UPX_COMPRESS=true ARG BASE_LAYER_CACHE_KEY +# dood|dind +ARG FLAVOR + RUN --mount=type=bind,source=.shared,target=/mnt/shared <> /etc/sudoers + if [[ $FLAVOR == dind* ]]; then + echo "#################################################" + echo "Installing docker engine..." + echo "#################################################" + # https://docs.docker.com/engine/install/debian/#install-using-the-repository + apt-get install --no-install-recommends -y gnupg + install -m 0755 -d /etc/apt/keyrings + curl -fsSL "https://download.docker.com/linux/debian/gpg" | gpg --dearmor -o /etc/apt/keyrings/docker.gpg + chmod a+r /etc/apt/keyrings/docker.gpg + echo \ + "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ + "$(source /etc/os-release && echo "$VERSION_CODENAME")" stable" > /etc/apt/sources.list.d/docker.list + apt-get update + apt-get install --no-install-recommends -y docker-ce containerd.io fuse-overlayfs + apt-get remove -y gnupg + + minimize /usr/bin/containerd* /usr/bin/ctr /usr/bin/docker* /usr/bin/runc + + docker --version + runc --version + + # https://github.com/docker/for-linux/issues/1437#issuecomment-1293818806 + update-alternatives --set iptables /usr/sbin/iptables-legacy + update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy + + # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box + addgroup --system dockremap + adduser --system --ingroup dockremap dockremap + echo 'dockremap:165536:65536' | tee -a /etc/subuid + echo 'dockremap:165536:65536' | tee -a /etc/subgid + + curl -sSfL "https://raw.githubusercontent.com/moby/moby/v24.0.2/hack/dind" -o /usr/local/bin/dind-hack + chmod +x /usr/local/bin/dind-hack + + usermod -aG docker act + fi + echo "#################################################" echo "Cleanup..." echo "#################################################" 
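Review bot: The dind helper is fetched with `curl -sSfL "https://raw.githubusercontent.com/moby/moby/v24.0.2/hack/dind" -o /usr/local/bin/dind-hack` and made executable with no integrity check, and run.sh later executes it as root via `sudo /usr/local/bin/dind-hack true`, so the image trusts whatever that tag resolves to on build day — git tags are mutable and a raw.githubusercontent.com URL is not a signed release artifact. Pin the ref to a full commit SHA and verify a checksum before `chmod +x`, e.g. `echo "<expected-sha256>  /usr/local/bin/dind-hack" | sha256sum -c -` directly after the curl; assuming this Dockerfile keeps the `bash -euo pipefail` SHELL the deleted DinD.Dockerfile had, a mismatch then aborts the layer. The same concern applies in weaker form to `apt-get install --no-install-recommends -y docker-ce containerd.io fuse-overlayfs` with no version pins: the engine version baked into the dind flavor is whatever Docker's repo serves at build time, so consider `docker-ce=<version>` pins or at least capturing the `docker --version` output in the build info. Note that the RUN heredoc this block lives in opens before the visible part of the hunk (the extraction dropped its header), so the surrounding shell options could not be confirmed here.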
@@ -168,6 +208,9 @@ USER act
VOLUME /data
+# only for dind relevant
+VOLUME /var/lib/docker
+
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["/bin/bash", "/opt/run.sh"]
diff --git a/image/run.sh b/image/run.sh
index 57843a5..4b61d5c 100644
--- a/image/run.sh
+++ b/image/run.sh
@@ -34,10 +34,18 @@ fi
# start docker deamon (if installed = DinD)
#################################################################
if [[ -f /usr/bin/dockerd ]]; then
- [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
- log INFO "Starting docker engine..."
+ log INFO "Starting Docker engine..."
+ sudo rm -rf /var/run/docker.pid /run/docker/containerd/containerd.pid
+ sudo /usr/local/bin/dind-hack true
sudo service docker start
- while [[ ! -e /var/run/docker.sock ]]; do sleep 2; done
+ while ! docker stats --no-stream &>/dev/null; do
+ log INFO "Waiting for Docker engine to start..."
+ sleep 2
+ tail -n 1 /var/log/docker.log
+ done
+ echo "==========================================================="
+ docker info
+ echo "==========================================================="
fi
diff --git a/image/run_runner.sh b/image/run_runner.sh
index 01556f1..23e09f2 100644
--- a/image/run_runner.sh
+++ b/image/run_runner.sh
@@ -58,11 +58,12 @@ effective_config_file=/tmp/gitea_act_runner_config.yml
rm -f "$effective_config_file"
if [[ ${GITEA_RUNNER_LOG_EFFECTIVE_CONFIG:-false} == "true" ]]; then
log INFO "Effective runner config [$effective_config_file]:"
+ echo "==========================================================="
while IFS= read -r line; do
line=${line//\"/\\\"} # escape double quotes
eval "echo \"$line\"" | tee -a "$effective_config_file"
done < $GITEA_RUNNER_CONFIG_TEMPLATE_FILE
- echo
+ echo "==========================================================="
else
while IFS= read -r line; do
line=${line//\"/\\\"} # escape double quotes
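Review bot: `VOLUME /var/lib/docker` is declared unconditionally even though the comment says it is dind-only, so every dood container (which has no daemon of its own and, presumably, talks to a host socket instead) also gets an anonymous volume created at that path on each start. A VOLUME instruction cannot be gated on `ARG FLAVOR`, so either accept this and make the comment say what actually happens — `# only used by the dind flavor; dood containers still get an unused anonymous volume here` — or drop the instruction and document `-v /var/lib/docker` for dind users in the README instead.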
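Review bot: The readiness loop `while ! docker stats --no-stream &>/dev/null; do … done` has no upper bound, so if dockerd fails to come up (unsupported storage driver, missing `--privileged`, leftover state in the /var/lib/docker volume) the container logs "Waiting for Docker engine to start..." forever instead of exiting non-zero so an orchestrator can restart or alert on it. Bound the wait and fail loudly, and guard `tail -n 1 /var/log/docker.log`, which can run before the log file exists on the first iteration — if run.sh executes under `set -e` (bash-init.sh is sourced elsewhere, so this could not be confirmed here) that failing `tail` would abort the whole loop. A smaller nit: `sudo rm -rf /var/run/docker.pid /run/docker/containerd/containerd.pid` deletes pid files without checking whether a process still owns them; fine in a fresh container, but it deserves a comment such as `# remove stale pid files left behind by an unclean shutdown of a previous run`.
```shell
sudo service docker start
# bound the wait so a daemon that never becomes ready aborts the container instead of hanging forever
for ((attempt = 0; attempt < 30; attempt++)); do
  docker stats --no-stream &>/dev/null && break
  log INFO "Waiting for Docker engine to start..."
  sleep 2
  [[ -f /var/log/docker.log ]] && tail -n 1 /var/log/docker.log
done
if ! docker stats --no-stream &>/dev/null; then
  echo "ERROR: Docker engine did not become ready within 60 seconds" >&2
  exit 1
fi
# … unchanged: docker info banner …
```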