improve build scripts

This commit is contained in:
sebthom 2023-05-29 22:19:05 +02:00
parent 19f8e34ad0
commit d848df35a6
6 changed files with 73 additions and 221 deletions


@ -37,9 +37,9 @@ jobs:
strategy:
matrix:
include:
- DOCKER_FILE: Dockerfile
- DOCKER_IMAGE_FLAVOR: dood
DOCKER_IMAGE_TAG: latest
- DOCKER_FILE: DinD.Dockerfile
- DOCKER_IMAGE_FLAVOR: dind
DOCKER_IMAGE_TAG: dind-latest
fail-fast: true
steps:
@ -52,7 +52,7 @@ jobs:
- name: Check Dockerfile
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: image/${{ matrix.DOCKER_FILE }}
dockerfile: image/Dockerfile
ignore: DL3008,SC1091 # https://github.com/hadolint/hadolint/wiki/DL3008
- name: Cache trivy cache
@ -78,7 +78,7 @@ jobs:
- name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ env.DOCKER_IMAGE_TAG }}
env:
DOCKER_IMAGE_TAG: ${{ matrix.DOCKER_IMAGE_TAG }}
DOCKER_FILE: ${{ matrix.DOCKER_FILE }}
DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }}
DOCKER_PUSH: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }}
TRIVY_GITHUB_TOKEN: ${{ github.token }}
run: bash build-image.sh


@ -31,7 +31,7 @@ docker run --privileged --rm tonistiigi/binfmt --install all
export DOCKER_CLI_EXPERIMENTAL=enabled # prevents "docker: 'buildx' is not a docker command."
docker buildx create --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
docker buildx build "$project_root" \
--file "image/$DOCKER_FILE" \
--file "image/Dockerfile" \
--progress=plain \
--pull \
--build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \
@ -42,12 +42,19 @@ docker buildx build "$project_root" \
--build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \
--build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \
--build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \
$(if [[ "${ACT:-}" == "true" ]]; then \
echo -n "--output type=docker"; \
else \
echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \
fi) \
-t $image_name \
$(if [[ "${DOCKER_PUSH:-0}" == "true" ]]; then echo -n "--push"; fi) \
$(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \
"$@"
docker buildx stop
docker image pull $image_name
if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
docker image pull $image_name
fi
#################################################
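Review bot: A run that neither pushes nor executes under ACT (for example a pull-request build, where `DOCKER_PUSH` evaluates false) now produces no usable image: the multi-platform `--platform` branch without `--push` or `--load` leaves the result only in the buildx cache, so any later consumer of `$image_name` on the host (the `TRIVY_GITHUB_TOKEN` passed in suggests a scan follows, but that is outside this hunk) would see a stale or missing local image. One way to keep such builds useful is to take the single-platform `--output type=docker` path whenever nothing will be pushed, e.g. `if [[ "${ACT:-}" == "true" || "${DOCKER_PUSH:-}" != "true" ]]; then`. Separately, the post-push `docker image pull $image_name` fetches by mutable tag, so it cannot confirm that what comes back is what was just pushed; capturing the digest via `--metadata-file` and pulling `$image_name@sha256:…` would make that check meaningful.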


@ -1,207 +0,0 @@
#syntax=docker/dockerfile:1.4
# see https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#user-content-syntax
# see https://docs.docker.com/build/dockerfile/frontend/
# see https://docs.docker.com/engine/reference/builder/#syntax
#
# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
# SPDX-FileContributor: Sebastian Thomschke
# SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
#
# https://hub.docker.com/_/debian?tab=tags&name=stable-slim
FROM debian:stable-slim
LABEL maintainer="Vegard IT GmbH (vegardit.com)"
USER root
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
ARG DEBIAN_FRONTEND=noninteractive
ARG LC_ALL=C
ARG INSTALL_SUPPORT_TOOLS=0
ARG UPX_COMPRESS=true
ARG BASE_LAYER_CACHE_KEY
RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
/mnt/shared/cmd/debian-install-os-updates.sh
/mnt/shared/cmd/debian-install-support-tools.sh
function minimize() {
ls -l "$@"
echo "Stripping [$*]..."
command strip --strip-unneeded "$@"
ls -l "$@"
if [[ $UPX_COMPRESS == "true" ]]; then
echo "Compressing [$*]..."
/opt/upx/upx -9 "$@" || true
fi
}
echo "#################################################"
echo "Installing required packages..."
echo "#################################################"
apt-get install --no-install-recommends -y binutils ca-certificates curl sudo tini
if [[ $UPX_COMPRESS == "true" ]]; then
echo "#################################################"
echo "Downloading UPX..."
echo "#################################################"
apt-get install --no-install-recommends -y xz-utils
mkdir /opt/upx
upx_download_url=$(curl -fsSL https://api.github.com/repos/upx/upx/releases/latest | grep browser_download_url | grep amd64_linux.tar.xz | cut "-d\"" -f4)
echo "Downloading [$upx_download_url]..."
curl -fsSL "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1
/opt/upx/upx --version
fi
minimize /usr/bin/tini-static
echo "#################################################"
echo "Downloading Gitea act runner..."
echo "#################################################"
arch=$(dpkg --print-architecture)
case $arch in
armhf) arch=arm-7 ;;
amd64|arm64) ;;
*) echo "Unsupported arch: $arch"; exit 1;;
esac
act_runner_download_url=$(curl -sSfL https://gitea.com/gitea/act_runner/releases | grep -oP "https://gitea.com/gitea/act_runner/releases/download/.*-linux-${arch}" | head -1)
echo "Downloading [$act_runner_download_url]..."
curl -fsSL "$act_runner_download_url" -o /usr/local/bin/act_runner
chmod 755 /usr/local/bin/act_runner
minimize /usr/local/bin/act_runner
act_runner --version
echo "#################################################"
echo "Adding [act] user..."
echo "#################################################"
addgroup --gid 1000 act
adduser --uid 1000 --ingroup act --home /data --shell /bin/bash --disabled-password --gecos "" act
adduser act users
adduser act sudo
echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
echo "#################################################"
echo "Installing docker engine..."
echo "#################################################"
# https://docs.docker.com/engine/install/debian/#install-using-the-repository
apt-get install --no-install-recommends -y gnupg
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
"$(source /etc/os-release && echo "$VERSION_CODENAME")" stable" > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install --no-install-recommends -y docker-ce docker-ce-cli containerd.io fuse-overlayfs
minimize /usr/bin/containerd* /usr/bin/ctr /usr/bin/docker* /usr/bin/runc
docker --version
runc --version
# https://github.com/docker/for-linux/issues/1437#issuecomment-1293818806
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
addgroup --system dockremap
adduser --system --ingroup dockremap dockremap
echo 'dockremap:165536:65536' | tee -a /etc/subuid
echo 'dockremap:165536:65536' | tee -a /etc/subgid
usermod -aG docker act
apt-get remove -y gnupg
echo "#################################################"
echo "Cleanup..."
echo "#################################################"
apt-get remove -y binutils curl
rm -rf /opt/upx
/mnt/shared/cmd/debian-cleanup.sh
EOF
ARG BUILD_DATE
ARG GIT_BRANCH
ARG GIT_COMMIT_HASH
ARG GIT_COMMIT_DATE
ARG GIT_REPO_URL
LABEL \
org.label-schema.schema-version="1.0" \
org.label-schema.build-date=$BUILD_DATE \
org.label-schema.vcs-ref=$GIT_COMMIT_HASH \
org.label-schema.vcs-url=$GIT_REPO_URL
# Default configuration: can be overridden at the docker command line
ENV \
INIT_SH_FILE='' \
#
GITEA_RUNNER_CONFIG_TEMPLATE_FILE='/opt/config.template.yaml' \
#
GITEA_RUNNER_NAME='' \
GITEA_RUNNER_LABELS='' \
GITEA_RUNNER_LABELS_DEFAULT='\
ubuntu-latest:docker://catthehacker/ubuntu:runner-22.04,\
ubuntu-22.04:docker://catthehacker/ubuntu:runner-22.04,\
ubuntu-20.04:docker://catthehacker/ubuntu:runner-20.04' \
GITEA_RUNNER_UID=1000 \
GITEA_RUNNER_GID=1000 \
#
GITEA_RUNNER_REGISTRATION_FILE='/data/.runner' \
GITEA_RUNNER_REGISTRATION_TIMEOUT=30\
GITEA_RUNNER_REGISTRATION_RETRY_INTERVAL=5s \
#
GITEA_RUNNER_LOG_LEVEL='info' \
GITEA_RUNNER_MAX_PARALLEL_JOBS=1 \
GITEA_RUNNER_JOB_TIMEOUT='3h' \
GITEA_RUNNER_ENV_FILE='/data/.env' \
GITEA_RUNNER_FETCH_TIMEOUT='5s' \
GITEA_RUNNER_FETCH_INTERVAL='2s' \
#
GITEA_INSTANCE_INSECURE='false' \
#
GITEA_RUNNER_JOB_CONTAINER_NETWORK='bridge' \
GITEA_RUNNER_JOB_CONTAINER_OPTIONS='' \
GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED='false' \
GITEA_RUNNER_ACTION_CACHE_DIR='/data/cache/actions' \
#
ACT_CACHE_SERVER_ENABLED='true' \
ACT_CACHE_SERVER_DIR='/data/cache/server' \
ACT_CACHE_SERVER_HOST='' \
ACT_CACHE_SERVER_PORT=0
RUN <<EOF
echo "#################################################"
echo "Writing build_info..."
echo "#################################################"
echo -e "
GIT_REPO: $GIT_REPO_URL
GIT_BRANCH: $GIT_BRANCH
GIT_COMMIT: $GIT_COMMIT_HASH @ $GIT_COMMIT_DATE
IMAGE_BUILD: $BUILD_DATE" >/opt/build_info
cat /opt/build_info
EOF
COPY image/*.sh /opt/
COPY image/config.template.yaml /opt/
COPY .shared/lib/bash-init.sh /opt/bash-init.sh
USER act
VOLUME /data
VOLUME /var/lib/docker
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["/bin/bash", "/opt/run.sh"]


@ -27,6 +27,9 @@ ARG UPX_COMPRESS=true
ARG BASE_LAYER_CACHE_KEY
# dood|dind
ARG FLAVOR
RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
/mnt/shared/cmd/debian-install-os-updates.sh
@ -54,7 +57,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
echo "#################################################"
apt-get install --no-install-recommends -y xz-utils
mkdir /opt/upx
upx_download_url=$(curl -fsSL https://api.github.com/repos/upx/upx/releases/latest | grep browser_download_url | grep amd64_linux.tar.xz | cut "-d\"" -f4)
upx_download_url=$(curl -fsSL "https://api.github.com/repos/upx/upx/releases/latest" | grep browser_download_url | grep amd64_linux.tar.xz | cut "-d\"" -f4)
echo "Downloading [$upx_download_url]..."
curl -fsSL "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1
/opt/upx/upx --version
@ -71,7 +74,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
amd64|arm64) ;;
*) echo "Unsupported arch: $arch"; exit 1;;
esac
act_runner_download_url=$(curl -sSfL https://gitea.com/gitea/act_runner/releases | grep -oP "https://gitea.com/gitea/act_runner/releases/download/.*-linux-${arch}" | head -1)
act_runner_download_url=$(curl -fsSL "https://gitea.com/gitea/act_runner/releases" | grep -oP "https://gitea.com/gitea/act_runner/releases/download/.*-linux-${arch}" | head -1)
echo "Downloading [$act_runner_download_url]..."
curl -fsSL "$act_runner_download_url" -o /usr/local/bin/act_runner
chmod 755 /usr/local/bin/act_runner
@ -87,6 +90,43 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
adduser act sudo
echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
if [[ $FLAVOR == dind* ]]; then
echo "#################################################"
echo "Installing docker engine..."
echo "#################################################"
# https://docs.docker.com/engine/install/debian/#install-using-the-repository
apt-get install --no-install-recommends -y gnupg
install -m 0755 -d /etc/apt/keyrings
curl -fsSL "https://download.docker.com/linux/debian/gpg" | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
"$(source /etc/os-release && echo "$VERSION_CODENAME")" stable" > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install --no-install-recommends -y docker-ce containerd.io fuse-overlayfs
apt-get remove -y gnupg
minimize /usr/bin/containerd* /usr/bin/ctr /usr/bin/docker* /usr/bin/runc
docker --version
runc --version
# https://github.com/docker/for-linux/issues/1437#issuecomment-1293818806
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
addgroup --system dockremap
adduser --system --ingroup dockremap dockremap
echo 'dockremap:165536:65536' | tee -a /etc/subuid
echo 'dockremap:165536:65536' | tee -a /etc/subgid
curl -sSfL "https://raw.githubusercontent.com/moby/moby/v24.0.2/hack/dind" -o /usr/local/bin/dind-hack
chmod +x /usr/local/bin/dind-hack
usermod -aG docker act
fi
echo "#################################################"
echo "Cleanup..."
echo "#################################################"
@ -168,6 +208,9 @@ USER act
VOLUME /data
# only for dind relevant
VOLUME /var/lib/docker
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["/bin/bash", "/opt/run.sh"]
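Review bot: The new `dind-hack` download in the dind branch is fetched over TLS from a tag-named raw URL and then executed as root at runtime (`sudo /usr/local/bin/dind-hack` in run.sh), but nothing verifies its content; a git tag is not immutable and the raw endpoint serves whatever the tag points at. Pin the URL to the commit hash behind v24.0.2 and check the file, e.g. `echo "<expected-sha256>  /usr/local/bin/dind-hack" | sha256sum -c -` right after the `curl`, so a changed script fails the build instead of silently becoming the daemon bootstrap. Also, `ARG FLAVOR` has no default while the RUN heredoc tests `$FLAVOR`; if the image's `SHELL` still uses `-u` (as the removed DinD.Dockerfile did), a plain `docker build` without `--build-arg FLAVOR=…` aborts on an unbound variable, so `ARG FLAVOR=dood` would match the `# dood|dind` comment and keep local builds working.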


@ -34,10 +34,18 @@ fi
# start docker deamon (if installed = DinD)
#################################################################
if [[ -f /usr/bin/dockerd ]]; then
[[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
log INFO "Starting docker engine..."
log INFO "Starting Docker engine..."
sudo rm -rf /var/run/docker.pid /run/docker/containerd/containerd.pid
sudo /usr/local/bin/dind-hack true
sudo service docker start
while [[ ! -e /var/run/docker.sock ]]; do sleep 2; done
while ! docker stats --no-stream &>/dev/null; do
log INFO "Waiting for Docker engine to start..."
sleep 2
tail -n 1 /var/log/docker.log
done
echo "==========================================================="
docker info
echo "==========================================================="
fi
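Review bot: The new readiness loop `while ! docker stats --no-stream &>/dev/null; do … done` has no upper bound, so if `dind-hack` or `service docker start` leaves the daemon unable to come up (missing `--privileged`, cgroup setup failing) the entrypoint spins forever with "Waiting for Docker engine to start..." instead of exiting non-zero, which hides the failure from the orchestrator's restart logic. The `tail -n 1 /var/log/docker.log` inside the loop also prints an error on the first iterations if that log does not exist yet (it presumably is created by the init script; worth confirming). A bounded wait that fails loudly keeps the same behaviour on the happy path:
```shell
sudo service docker start
for ((i = 0; i < 30; i++)); do
  docker stats --no-stream &>/dev/null && break
  log INFO "Waiting for Docker engine to start..."
  sleep 2
  [[ -f /var/log/docker.log ]] && tail -n 1 /var/log/docker.log
done
docker stats --no-stream &>/dev/null || { echo "Docker engine did not start within 60s" >&2; exit 1; }
# … unchanged: docker info banner …
```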


@ -58,11 +58,12 @@ effective_config_file=/tmp/gitea_act_runner_config.yml
rm -f "$effective_config_file"
if [[ ${GITEA_RUNNER_LOG_EFFECTIVE_CONFIG:-false} == "true" ]]; then
log INFO "Effective runner config [$effective_config_file]:"
echo "==========================================================="
while IFS= read -r line; do
line=${line//\"/\\\"} # escape double quotes
eval "echo \"$line\"" | tee -a "$effective_config_file"
done < $GITEA_RUNNER_CONFIG_TEMPLATE_FILE
echo
echo "==========================================================="
else
while IFS= read -r line; do
line=${line//\"/\\\"} # escape double quotes