From b9e3e5b62dc2232962fb05c1cebec14c53e21bd4 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Sat, 26 Aug 2023 12:15:27 +0200 Subject: [PATCH 1/3] README: the documentation is part of the Forgejo documentation --- README.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/README.md b/README.md index 3316398..d054902 100644 --- a/README.md +++ b/README.md @@ -2,13 +2,7 @@ **WARNING:** this is [alpha release quality](https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha) code and should not be considered secure enough to deploy in production. -A daemon that connects to a Forgejo instance and runs jobs for continous integration. The high level [installation instructions](https://forgejo.org/docs/next/admin/actions/) are part of the Forgejo documentation. - -# Configuration - -Display the usage with `forgejo-runner --help`. - -For more information on the configuration file, see the [commented example](internal/pkg/config/config.example.yaml). +A daemon that connects to a Forgejo instance and runs jobs for continous integration. The [installation and usage instructions](https://forgejo.org/docs/next/admin/actions/) are part of the Forgejo documentation. # Hacking From 9d79a0b92dd922051ae7c45b0867c857475abb31 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Sat, 26 Aug 2023 12:18:42 +0200 Subject: [PATCH 2/3] cleanup the examples section, remove unsupported elements --- examples/README.md | 13 ++--- examples/docker/README.md | 12 +++-- examples/vm/README.md | 6 --- examples/vm/rootless-docker.md | 87 ---------------------------------- 4 files changed, 12 insertions(+), 106 deletions(-) delete mode 100644 examples/vm/README.md delete mode 100644 examples/vm/rootless-docker.md diff --git a/examples/README.md b/examples/README.md index d5a5b7e..c47859b 100644 --- a/examples/README.md +++ b/examples/README.md 
@@ -1,12 +1,7 @@ -# Usage Examples for `act_runner` - -Welcome to our collection of usage and deployment examples specifically designed for Gitea setups. Whether you're a beginner or an experienced user, you'll find practical resources here that you can directly apply to enhance your Gitea experience. We encourage you to contribute your own insights and knowledge to make this collection even more comprehensive and valuable. +A collection of usage and deployment examples. | Section | Description | |-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [`docker`](docker) | This section provides you with scripts and instructions tailored for running containers on a workstation or server where Docker is installed. It simplifies the process of setting up and managing your Gitea deployment using Docker. | -| [`docker-compose`](docker-compose) | In this section, you'll discover examples demonstrating how to utilize docker-compose to efficiently handle your Gitea deployments. It offers a straightforward approach to managing multiple containerized components of your Gitea setup. | -| [`kubernetes`](kubernetes) | If you're utilizing Kubernetes clusters for your infrastructure, this section is specifically designed for you. It presents examples and guidelines for configuring Gitea deployments within Kubernetes clusters, enabling you to leverage the scalability and flexibility of Kubernetes. | -| [`vm`](vm) | This section is dedicated to examples that assist you in setting up Gitea on virtual or physical servers. Whether you're working with virtual machines or physical hardware, you'll find helpful resources to guide you through the deployment process. 
| - -We hope these resources provide you with valuable insights and solutions for your Gitea setup. Feel free to explore, contribute, and adapt these examples to suit your specific requirements. +| [`docker`](docker) | using the host docker server by mounting the socket | +| [`docker-compose`](docker-compose) | all in one docker-compose with the Forgejo server, the runner and docker in docker | +| [`kubernetes`](kubernetes) | a sample deployment for the Forgejo runner | diff --git a/examples/docker/README.md b/examples/docker/README.md index dde2d63..628c99c 100644 --- a/examples/docker/README.md +++ b/examples/docker/README.md @@ -1,8 +1,12 @@ -### Run `act_runner` in a Docker Container +The following assumes: + +* a docker server runs on the host +* the docker group of the host is GID 133 +* a `.runner` file exists in /tmp/data +* a `runner-config.yml` file exists in /tmp/data ```sh -docker run -e GITEA_INSTANCE_URL=http://192.168.8.18:3000 -e GITEA_RUNNER_REGISTRATION_TOKEN= -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/data:/data --name my_runner gitea/act_runner:nightly +docker run -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/data:/data --user 1000:133 --rm code.forgejo.org/forgejo/runner:3.0.0 forgejo-runner --config runner-config.yaml daemon ``` -The `/data` directory inside the docker container contains the runner API keys after registration. -It must be persisted, otherwise the runner would try to register again, using the same, now defunct registration token. +The workflows will run using the host docker srever diff --git a/examples/vm/README.md b/examples/vm/README.md deleted file mode 100644 index 001a56d..0000000 --- a/examples/vm/README.md +++ /dev/null @@ -1,6 +0,0 @@ -## `act_runner` on Virtual or Physical Servers - -Files in this directory: - -- [`rootless-docker.md`](rootless-docker.md) - How to set up a rootless docker implementation of the runner. 
diff --git a/examples/vm/rootless-docker.md b/examples/vm/rootless-docker.md
deleted file mode 100644
index 2f07d78..0000000
--- a/examples/vm/rootless-docker.md
+++ /dev/null
@@ -1,87 +0,0 @@ -## Using Rootless Docker with`act_runner` - -Here is a simple example of how to set up `act_runner` with rootless Docker. It has been created with Debian, but other Linux should work the same way. - -Note: This procedure needs a real login shell -- using `sudo su` or other method of accessing the account will fail some of the steps below. - -As `root`: - -- Create a user to run both `docker` and `act_runner`. In this example, we use a non-privileged account called `rootless`. - -```bash - useradd -m rootless - passwd rootless -``` - -- Install [`docker-ce`](https://docs.docker.com/engine/install/) -- (Recommended) Disable the system-wide Docker daemon - - ``systemctl disable --now docker.service docker.socket`` - -As the `rootless` user: - -- Follow the instructions for [enabling rootless mode](https://docs.docker.com/engine/security/rootless/) -- Add the following lines to the `/home/rootless/.bashrc`: - -```bash - export XDG_RUNTIME_DIR=/home/rootless/.docker/run - export PATH=/home/rootless/bin:$PATH - export DOCKER_HOST=unix:///run/user/1001/docker.sock -``` - -- Reboot. Ensure that the Docker process is working. -- Create a directory for saving `act_runner` data between restarts - - `mkdir /home/rootless/act_runner` - -- Register the runner from the data directory - -```bash - cd /home/rootless/act_runner - act_runner register -``` - -- Generate a `act_runner` configuration file in the data directory. Edit the file to adjust for the system. 
- -```bash - act_runner generate-config >/home/rootless/act_runner/config -``` - -- Create a new user-level`systemd` unit file as `/home/rootless/.config/systemd/user/act_runner.service` with the following contents: - -```bash - Description=Gitea Actions runner - Documentation=https://gitea.com/gitea/act_runner - After=docker.service - - [Service] - Environment=PATH=/home/rootless/bin:/sbin:/usr/sbin:/home/rootless/bin:/home/rootless/bin:/home/rootless/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games - Environment=DOCKER_HOST=unix:///run/user/1001/docker.sock - ExecStart=/usr/bin/act_runner daemon -c /home/rootless/act_runner/config - ExecReload=/bin/kill -s HUP $MAINPID - WorkingDirectory=/home/rootless/act_runner - TimeoutSec=0 - RestartSec=2 - Restart=always - StartLimitBurst=3 - StartLimitInterval=60s - LimitNOFILE=infinity - LimitNPROC=infinity - LimitCORE=infinity - TasksMax=infinity - Delegate=yes - Type=notify - NotifyAccess=all - KillMode=mixed - - [Install] - WantedBy=default.target -``` - -- Reboot - -After the system restarts, check that the`act_runner` is working and that the runner is connected to Gitea. - -````bash - systemctl --user status act_runner - journalctl --user -xeu act_runner From 294912488ccbee7d86c1e22c2628931f118307c3 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Sat, 26 Aug 2023 12:19:06 +0200 Subject: [PATCH 3/3] update kubernetes examples to match version 3.0.0 images Starting with Forgejo runner 3.0.0 images are different in two ways that matter to k8s because they: * are all rootless * do not rely on tini --- examples/kubernetes/README.md | 10 +--- examples/kubernetes/dind-docker.yaml | 20 ++++--- examples/kubernetes/rootless-docker.yaml | 69 ------------------------ 3 files changed, 11 insertions(+), 88 deletions(-) delete mode 100644 examples/kubernetes/rootless-docker.yaml diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md index a8784b4..d00cf1a 100644 --- a/examples/kubernetes/README.md 
+++ b/examples/kubernetes/README.md @@ -1,13 +1,7 @@ -## Kubernetes Docker in Docker Deployment with `act_runner` +## Kubernetes Docker in Docker Deployment Registers Kubernetes pod runners using [offline registration](https://forgejo.org/docs/v1.21/admin/actions/#offline-registration), allowing the scaling of runners as needed. NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context. -Files in this directory: - -- [`dind-docker.yaml`](dind-docker.yaml) - How to create a Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted. - -- [`rootless-docker.yaml`](rootless-docker.yaml) - How to create a rootless Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted. +[`dind-docker.yaml`](dind-docker.yaml) creates a deployment and secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted. diff --git a/examples/kubernetes/dind-docker.yaml b/examples/kubernetes/dind-docker.yaml index 92e46e9..7abf9e0 100644 --- a/examples/kubernetes/dind-docker.yaml +++ b/examples/kubernetes/dind-docker.yaml @@ -12,20 +12,20 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - app: act-runner - name: act-runner + app: forgejo-runner + name: forgejo-runner spec: # Two replicas means that if one is busy, the other can pick up jobs. replicas: 2 selector: matchLabels: - app: act-runner + app: forgejo-runner strategy: {} template: metadata: creationTimestamp: null labels: - app: act-runner + app: forgejo-runner spec: restartPolicy: Always volumes: 
@@ -37,23 +37,23 @@ spec: # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration initContainers: - name: runner-config-generation - image: code.forgejo.org/forgejo/runner:2.4.0 - command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ] + image: code.forgejo.org/forgejo/runner:3.0.0 + command: [ "forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect" ] env: - name: RUNNER_SECRET valueFrom: secretKeyRef: name: runner-secret key: token - - name: GITEA_INSTANCE_URL + - name: FORGEJO_INSTANCE_URL value: http://gitea-http.gitea.svc.cluster.local:3000 volumeMounts: - name: runner-data mountPath: /data containers: - name: runner - image: gitea/act_runner:nightly - command: ["sh", "-c", "while ! nc -z localhost 2376