public_git
/
actions-runner-controller
mirror of https://github.com/actions-runner-controller/actions-runner-controller.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat: dind-rootless 22.04 runner (#2033) 

* feat: dind-rootless 22.04 runner

* runner: Bring back packages needed by rootlesskit

* e2e: Update E2E buildvars with ubuntu 22.04 dockerfiles

* feat: use new uid for runner user

* e2e: Make it possible to inject ubuntu version via envvar for actiosn-runner-dind image

* doc: Use fsGroup=1001 for IRSA on Ubuntu 22.04 runner

Co-authored-by: toast-gear <toast-gear@users.noreply.github.com>
Co-authored-by: Yusuke Kuoka <ykuoka@gmail.com>
This commit is contained in:
Callum Tait 2022-12-07 10:02:35 +00:00 committed by GitHub
parent 775dc60c94
commit a8417ec67e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 140 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/detailed-docs.md
View File

@ -1634,6 +1634,8 @@ Create one using e.g. `eksctl`. You can refer to [the EKS documentation](https:/
Once you set up the service account, all you need is to add `serviceAccountName` and `fsGroup` to any pods that use the IAM-role enabled service account. Once you set up the service account, all you need is to add `serviceAccountName` and `fsGroup` to any pods that use the IAM-role enabled service account.
`fsGroup` needs to be set to the UID of the `runner` Linux user that runs the runner agent (and dockerd in case you use dind-runner). For anyone using an Ubuntu 20.04 runner image it's `1000` and for Ubuntu 22.04 one it's `1001`.
For `RunnerDeployment`, you can set those two fields under the runner spec at `RunnerDeployment.Spec.Template`: For `RunnerDeployment`, you can set those two fields under the runner spec at `RunnerDeployment.Spec.Template`:
```yaml ```yaml
@ -1647,7 +1649,10 @@ spec:
repository: USER/REO repository: USER/REO
serviceAccountName: my-service-account serviceAccountName: my-service-account
securityContext: securityContext:
# For Ubuntu 20.04 runner
fsGroup: 1000 fsGroup: 1000
# Use 1001 for Ubuntu 22.04 runner
#fsGroup: 1001
``` ```
### Software Installed in the Runner Image ### Software Installed in the Runner Image

3
runner/actions-runner-dind-rootless.ubuntu-20.04.dockerfile
View File

@ -134,7 +134,8 @@ USER runner
# This will install docker under $HOME/bin according to the content of the script # This will install docker under $HOME/bin according to the content of the script
RUN export SKIP_IPTABLES=1 \ RUN export SKIP_IPTABLES=1 \
&& curl -fsSL https://get.docker.com/rootless | sh && curl -fsSL https://get.docker.com/rootless | sh \
&& /home/runner/bin/docker -v
RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \ RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
&& if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \ && if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \

125
runner/actions-runner-dind-rootless.ubuntu-22.04.dockerfile Normal file
View File

@ -0,0 +1,125 @@
FROM ubuntu:22.04
ARG TARGETPLATFORM
ARG RUNNER_VERSION=2.299.1
ARG RUNNER_CONTAINER_HOOKS_VERSION=0.1.3
# Docker and Docker Compose arguments
ENV CHANNEL=stable
ARG DOCKER_COMPOSE_VERSION=v2.12.2
ARG DUMB_INIT_VERSION=1.2.5
ARG RUNNER_USER_UID=1001
# Other arguments
ARG DEBUG=false
RUN test -n "$TARGETPLATFORM" || (echo "TARGETPLATFORM must be set" && false)
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update -y \
&& apt-get install -y software-properties-common \
&& add-apt-repository -y ppa:git-core/ppa \
&& apt-get update -y \
&& apt-get install -y --no-install-recommends \
curl \
ca-certificates \
git \
git-lfs \
iproute2 \
iptables \
jq \
supervisor \
sudo \
uidmap \
unzip \
zip \
&& rm -rf /var/lib/apt/lists/*
# Runner user
RUN adduser --disabled-password --gecos "" --uid $RUNNER_USER_UID runner
ENV HOME=/home/runner
# Set-up subuid and subgid so that "--userns-remap=default" works
RUN set -eux; \
addgroup --system dockremap; \
adduser --system --ingroup dockremap dockremap; \
echo 'dockremap:165536:65536' >> /etc/subuid; \
echo 'dockremap:165536:65536' >> /etc/subgid
RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
&& if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
&& if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
&& curl -fLo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${ARCH} \
&& chmod +x /usr/bin/dumb-init
ENV RUNNER_ASSETS_DIR=/runnertmp
RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
&& if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x64 ; fi \
&& mkdir -p "$RUNNER_ASSETS_DIR" \
&& cd "$RUNNER_ASSETS_DIR" \
&& curl -fLo runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \
&& tar xzf ./runner.tar.gz \
&& rm runner.tar.gz \
&& ./bin/installdependencies.sh \
&& mv ./externals ./externalstmp \
# libyaml-dev is required for ruby/setup-ruby action.
# It is installed after installdependencies.sh and before removing /var/lib/apt/lists
# to avoid rerunning apt-update on its own.
&& apt-get install -y libyaml-dev \
&& rm -rf /var/lib/apt/lists/*
ENV RUNNER_TOOL_CACHE=/opt/hostedtoolcache
RUN mkdir /opt/hostedtoolcache \
&& chgrp runner /opt/hostedtoolcache \
&& chmod g+rwx /opt/hostedtoolcache
RUN cd "$RUNNER_ASSETS_DIR" \
&& curl -fLo runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-k8s-${RUNNER_CONTAINER_HOOKS_VERSION}.zip \
&& unzip ./runner-container-hooks.zip -d ./k8s \
&& rm -f runner-container-hooks.zip
# Make the rootless runner directory executable
RUN mkdir /run/user/1000 \
&& chown runner:runner /run/user/1000 \
&& chmod a+x /run/user/1000
# We place the scripts in `/usr/bin` so that users who extend this image can
# override them with scripts of the same name placed in `/usr/local/bin`.
COPY entrypoint-dind-rootless.sh startup.sh logger.sh graceful-stop.sh update-status /usr/bin/
RUN chmod +x /usr/bin/entrypoint-dind-rootless.sh /usr/bin/startup.sh
# Copy the docker shim which propagates the docker MTU to underlying networks
# to replace the docker binary in the PATH.
COPY docker-shim.sh /usr/local/bin/docker
# Configure hooks folder structure.
COPY hooks /etc/arc/hooks/
# Add the Python "User Script Directory" to the PATH
ENV PATH="${PATH}:${HOME}/.local/bin:/home/runner/bin"
ENV ImageOS=ubuntu22
ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
ENV XDG_RUNTIME_DIR=/run/user/1000
RUN echo "PATH=${PATH}" > /etc/environment \
&& echo "ImageOS=${ImageOS}" >> /etc/environment \
&& echo "DOCKER_HOST=${DOCKER_HOST}" >> /etc/environment \
&& echo "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}" >> /etc/environment
# No group definition, as that makes it harder to run docker.
USER runner
# This will install docker under $HOME/bin according to the content of the script
RUN export SKIP_IPTABLES=1 \
&& curl -fsSL https://get.docker.com/rootless | sh \
&& /home/runner/bin/docker -v
RUN export ARCH=$(echo ${TARGETPLATFORM} | cut -d / -f2) \
&& if [ "$ARCH" = "arm64" ]; then export ARCH=aarch64 ; fi \
&& if [ "$ARCH" = "amd64" ] || [ "$ARCH" = "i386" ]; then export ARCH=x86_64 ; fi \
&& mkdir -p /home/runner/bin \
&& curl -fLo /home/runner/bin/docker-compose https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-Linux-${ARCH} \
&& chmod +x /home/runner/bin/docker-compose
ENTRYPOINT ["/bin/bash", "-c"]
CMD ["entrypoint-dind-rootless.sh"]

13
test/e2e/e2e_test.go
View File

@ -92,7 +92,10 @@ func TestE2E(t *testing.T) {
skipTestIDCleanUp := os.Getenv("ARC_E2E_SKIP_TEST_ID_CLEANUP") != "" skipTestIDCleanUp := os.Getenv("ARC_E2E_SKIP_TEST_ID_CLEANUP") != ""
skipArgoTunnelCleanUp := os.Getenv("ARC_E2E_SKIP_ARGO_TUNNEL_CLEAN_UP") != "" skipArgoTunnelCleanUp := os.Getenv("ARC_E2E_SKIP_ARGO_TUNNEL_CLEAN_UP") != ""
vars := buildVars(os.Getenv("ARC_E2E_IMAGE_REPO")) vars := buildVars(
os.Getenv("ARC_E2E_IMAGE_REPO"),
os.Getenv("UBUNTU_VERSION"),
)
var testedVersions = []struct { var testedVersions = []struct {
label string label string
@ -401,7 +404,7 @@ type vars struct {
commonScriptEnv []string commonScriptEnv []string
} }
func buildVars(repo string) vars { func buildVars(repo, ubuntuVer string) vars {
if repo == "" { if repo == "" {
repo = "actionsrunnercontrollere2e" repo = "actionsrunnercontrollere2e"
} }
@ -443,7 +446,7 @@ func buildVars(repo string) vars {
EnableBuildX: true, EnableBuildX: true,
}, },
{ {
Dockerfile: "../../runner/actions-runner.dockerfile", Dockerfile: fmt.Sprintf("../../runner/actions-runner.ubuntu-%s.dockerfile", ubuntuVer),
Args: []testing.BuildArg{ Args: []testing.BuildArg{
{ {
Name: "RUNNER_VERSION", Name: "RUNNER_VERSION",
@ -454,7 +457,7 @@ func buildVars(repo string) vars {
EnableBuildX: true, EnableBuildX: true,
}, },
{ {
Dockerfile: "../../runner/actions-runner-dind.dockerfile", Dockerfile: fmt.Sprintf("../../runner/actions-runner-dind.ubuntu-%s.dockerfile", ubuntuVer),
Args: []testing.BuildArg{ Args: []testing.BuildArg{
{ {
Name: "RUNNER_VERSION", Name: "RUNNER_VERSION",
@ -465,7 +468,7 @@ func buildVars(repo string) vars {
EnableBuildX: true, EnableBuildX: true,
}, },
{ {
Dockerfile: "../../runner/actions-runner-dind-rootless.dockerfile", Dockerfile: fmt.Sprintf("../../runner/actions-runner-dind-rootless.ubuntu-%s.dockerfile", ubuntuVer),
Args: []testing.BuildArg{ Args: []testing.BuildArg{
{ {
Name: "RUNNER_VERSION", Name: "RUNNER_VERSION",