public/pipglr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'docs' into 'main'

Browse Source 
Support externally maintained DNF cache

See merge request qontainers/pipglr!5
This commit is contained in:
Chris Evich
2022-11-19 10:52:12 +00:00
parent e5dfadbd4c cbddc54007
commit 9cda05620b
2 changed files with 99 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
Containerfile
View File

@@ -37,16 +37,16 @@ ARG EXCLUDE_PACKAGES="\
# Base-image runs as user 'podman', temporarily switch to root # Base-image runs as user 'podman', temporarily switch to root
# for installation/setup. # for installation/setup.
USER root USER root
# Not a real build-arg. Avoiding addition of an env. layer # Helper for comparison in future RUN operations (DO NOT USE)
# only to help prevent some extra typing. ARG _DNFCMD="dnf --setopt=tsflags=nodocs -y"
ARG dnfcmd="dnf --setopt=tsflags=nodocs -y" # Set this instead, if (for example) you want to volume-mount in /var/cache/dnf
ARG DNFCMD="${_DNFCMD}"
# Avoid installing any documentation to keep image small
# During install, excluding packages is meaningless if already installed # During install, excluding packages is meaningless if already installed
RUN set -x && \ RUN set -x && \
rm -f /etc/dnf/protected.d/sudo.conf && \ rm -f /etc/dnf/protected.d/sudo.conf && \
rm -f /etc/dnf/protected.d/yum.conf && \ rm -f /etc/dnf/protected.d/yum.conf && \
$dnfcmd remove ${EXCLUDE_PACKAGES} && \ $DNFCMD remove ${EXCLUDE_PACKAGES}
dnf clean all && \
rm -rf /var/cache/dnf
# Enable callers to customize the runner version as needed, otherwise # Enable callers to customize the runner version as needed, otherwise
# assume this image will be version-tagged, so it's fine to grab the latest. # assume this image will be version-tagged, so it's fine to grab the latest.
@@ -56,11 +56,13 @@ ARG TARGETARCH="amd64"
ENV RUNNER_RPM_URL=https://gitlab-runner-downloads.s3.amazonaws.com/${RUNNER_VERSION}/rpm/gitlab-runner_${TARGETARCH}.rpm ENV RUNNER_RPM_URL=https://gitlab-runner-downloads.s3.amazonaws.com/${RUNNER_VERSION}/rpm/gitlab-runner_${TARGETARCH}.rpm
RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \ RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \
set -x && \ set -x && \
$dnfcmd update && \ $DNFCMD update && \
$dnfcmd install $x $RUNNER_RPM_URL && \ $DNFCMD install $x $RUNNER_RPM_URL && \
$dnfcmd upgrade && \ $DNFCMD upgrade && \
dnf clean all && \ if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then \
rm -rf /var/cache/dnf dnf clean all && \
rm -rf /var/cache/dnf; \
fi
# In case of a runner escape, prevent easy installation of packages. # In case of a runner escape, prevent easy installation of packages.
RUN rm -f /etc/dnf/protected.d/* && \ RUN rm -f /etc/dnf/protected.d/* && \
@@ -132,16 +134,10 @@ ENV REGISTER_NON_INTERACTIVE="true" \
DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER" DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
# Not a real build-arg. Simply here to save lots of typing. # Not a real build-arg. Simply here to save lots of typing.
ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman -v gitlab-runner-storage:/home/podman/.local/share/containers/storage:Z,U -v gitlab-runner-cache:/home/podman/.cache/gitlab-runner:Z,U -v gitlab-runner-config:/home/podman/.gitlab-runner:Z,U -e PODMAN_RUNNER_DEBUG" ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage:Z --volume pipglr-runner-config:/home/podman/.gitlab-runner:Z -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
# These labels simply make it easier to register and execute the runner. # These labels simply make it easier to register and execute the runner.
# Define them last so they are absent should a image-build failure occur. # Define them last so they are absent should a image-build failure occur.
LABEL register="podman run -it --rm $_pm --secret REGISTRATION_TOKEN,type=env \$IMAGE register" LABEL register="podman run -it --rm $_pm --secret REGISTRATION_TOKEN,type=env \$IMAGE register"
# Note: Privileged mode is required to permit building container images with inner-podman
# TODO: Figure out what's needed to run w/o --privileged. When unspecified, LABEL run="podman run -d --rm --privileged --name gitlab-runner $_pm \$IMAGE run"
# conmon fails with this error (from podman debug output):
#
# DEBU[0019] running conmon: /usr/bin/conmon args="[--api-version 1 -c 289...c08 -u 289...c08 -r /usr/bin/crun -b /home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata -p /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/pidfile -n runner-8pxm3xb-project-19009784-concurrent-0-a71b53d132a29e56-predefined-0 --exit-dir /tmp/podman-run-1000/libpod/tmp/exits --full-attach -l k8s-file:/home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata/ctr.log --log-level debug --syslog --runtime-arg --cgroup-manager --runtime-arg disabled -i --conmon-pidfile /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/podman/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /tmp/podman-run-1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /tmp/podman-run-1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/podman/.local/share/containers/storage/volumes --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg 289...c08]"
# [conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied
LABEL run="podman run -d --privileged --name gitlab-runner $_pm \$IMAGE run"

117
README.md
View File

@@ -12,70 +12,101 @@ made available as:
It's purpose is to provide an easy method to execute a GitLab runner, It's purpose is to provide an easy method to execute a GitLab runner,
to service CI/CD jobs for groups and/or repositories on to service CI/CD jobs for groups and/or repositories on
[gitlab.com](https://gitlab.com). It comes pre-configured to utilize [gitlab.com](https://gitlab.com). It comes pre-configured to utilize
the gitlab-runner app to execute with rootless podman containers, the gitlab-runner app to execute within a rootless podman container,
nested inside a rootless podman container. nested inside a rootless podman container.
This is intended to provide multiple additional layers of security This is intended to provide additional layers of security for the host,
for the host, when running potentially arbitrary CI/CD code. Though, when running potentially arbitrary CI/CD code. Though, the ultimate
the ultimate responsibility still rests with the end-user to review responsibility still rests with the end-user to review the setup and
the setup and configuration relative to their own situation/environment. configuration relative to their own security situation/environment.
### Quickstart ### Operation
Several labels are set on the built image or manifest list to support This image supports `podman container runlabel`, or if your version
easy registration and execution of a runner container. They require lacks this feature, Several labels are set on the image to support
defining several environment variables for use. easy registration and execution of a runner container using a special
bash command. See the examples below for more information.
#### Volume Ownership Bug
Some versions of podman contain a bug where named volumes aren't owned
by the namespaced user within a rootless container (i.e. in conjunction
with the --user option). Since the `podman` user/group inside the `pipglr`
container is known, it's possible to manually set/reset ownership:
```bash
VOLUME=pipglr-podman-root
podman volume create $VOLUME
cd $(podman unshare podman volume mount $VOLUME)
podman unshare chown 1000:1000
podman volume unmount $VOLUME
```
#### Runner registration #### Runner registration
Each time the registration command is run, a new runner is added into Each time the registration command is run, a new runner is added into
the configuration. If your intent is to simply update or modify the the configuration. If however, you simply need to update/modify the
configuration, please edit the config.toml file within the configuration, please edit the `config.toml` file directly after mounting
`gitlab-runner-config` volume. (default) `pipglr-runner-config` (`/home/podman/.gitlab-runner/`) volume.
For modern versions of podman, registration can be performed with the
Note: These commands assume you have both `podman` and `jq` available. following commands:
Instead of `eval`, if your podman version supports `container runlabel`,
you may use that.
```bash ```bash
$ echo '<registration token>' | podman secret create REGISTRATION_TOKEN - IMAGE="=registry.gitlab.com/qontainers/pipglr:latest"
$ export IMAGE=<image FQIN:TAG> echo '<actual registration token>' | podman secret create REGISTRATION_TOKEN -
$ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register) podman container runlabel $IMAGE register --secret REGISTRATION_TOKEN,type=env
```
Where `<actual registration token>` is the value obtained from the "runners"
settings page of a gitlab group or project.
Note: Some versions of podman don't support the `container runlabel` sub-command.
If this is the case, you may simulate it with the following command (in addition
to the other example commands above):
```bash
eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register)
``` ```
#### Runner Startup #### Runner Startup
With one or more runners registered and configured, and `$IMAGE` set, With one or more runners successfully registered and configured, the GitLab
the GitLab runner container may be launched with the following commands. runner container may be launched with the following commands:
Note: The first time this is run, startup will take an extended amount ```bash
of time as the runner downloads and runs several (inner) support containers. podman container runlabel $IMAGE run
As above, instead of `eval`, if your podman version supports `container runlabel`, ```
you may use that.
Debugging: You may `export PODMAN_RUNNER_DEBUG=debug` to enable inner-podman As above, if you're missing the `container runlabel` sub-command, the following
debugging (or any other supported log level) to stdout. may be used instead (assuming `$IMAGE` remains set):
```bash ```bash
$ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.run) $ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.run)
``` ```
#### Debugging
Before starting the runner, you may `export PODMAN_RUNNER_DEBUG=debug` to enable
debugging on the inner-podman. Whereas `export LOG_LEVEL=debug` can be used to
debug the gitlab-runner itself.
## Building ## Building
This image may be built simply with: This image may be built simply with:
`podman build -t runner .` `podman build -t registry.gitlab.com/qontainers/pipglr:latest .`
This will utilize the latest stable version of podman and the latest This will utilize the latest stable version of podman and the latest
stable version of the gitlab runner. stable version of the gitlab runner.
### Multi-arch ### Notes
Assuming the host supports foreign-architecture emulation. The * If you wish to use the `testing` or `upstream` flavors of the podman base image,
`Containerfile` may be used to produce a multi-arch manifest-list. simply build with `--build-arg FLAVOR=testing` (or `upstream`).
For example:
`podman build --jobs 4 --platform linux/s390x,linux/ppc64le,linux/amd64 --manifest runner .` * Additionally or alternatively, you may specify a specific podman base image tag
with `--build-arg BASE_TAG=<value>`. Where `<value>` is either `latest`, the
podman image version (e.g. `v4`, `v4.2`, `v4.2.0`, etc.)
### Build-args ### Build-args
@@ -90,13 +121,18 @@ Several build arguments are available to control the output image:
and `vX.Y.Z` (where, `X`, `Y`, and `Z` represent the podman semantic and `vX.Y.Z` (where, `X`, `Y`, and `Z` represent the podman semantic
version numbers). It's also possible to specify an image SHA. version numbers). It's also possible to specify an image SHA.
* `EXCLUDE_PACKAGES` - A space-separated list of RPM packages to prevent * `EXCLUDE_PACKAGES` - A space-separated list of RPM packages to prevent
their existance in the final image. This is intended as a security measure their existence in the final image. This is intended as a security measure
to limit the attack-surface should a gitlab-runner process escape it's to limit the attack-surface should a gitlab-runner process escape it's
inner-container. inner-container.
* `RUNNER_VERSION` - Allows specifying an exact gitlab runner version. * `RUNNER_VERSION` - Allows specifying an exact gitlab runner version.
By default the `latest` is used, assuming the user is building a tagged By default the `latest` is used, assuming the user is building a tagged
image anyway. Valid versions may be found on the [runner image anyway. Valid versions may be found on the [runner
release page](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). release page](https://gitlab.com/gitlab-org/gitlab-runner/-/releases).
* `DNFCMD` - By default this is set to `dnf --setopt=tsflags=nodocs -y`.
However, if you'd like to volume-mount in `/var/cache/dnf` then you'll
need to use
`--build-arg DNFCMD="dnf --setopt=tsflags=nodocs -y --setopt keepcache=true`"
Note: Changing `DNFCMD` will cause build-time cache cleanup to be disabled.
* `TARGETARCH` - Supports inclusion of non-x86_64 gitlab runners. This * `TARGETARCH` - Supports inclusion of non-x86_64 gitlab runners. This
value is assumed to match the image's architecture. If using the value is assumed to match the image's architecture. If using the
`--platform` build argument, it will be set automatically. `--platform` build argument, it will be set automatically.
@@ -113,3 +149,16 @@ Several build arguments are available to control the output image:
configuration), and determines where jobs are run. configuration), and determines where jobs are run.
* `RUNNER_UNTAGED` - Defaults to `true`, may be set to `false`. Allows * `RUNNER_UNTAGED` - Defaults to `true`, may be set to `false`. Allows
the runner to service jobs without any tags on them at all. the runner to service jobs without any tags on them at all.
### Environment variables
Nearly every option to every gitlab-runner sub-command may be specified via
environment variable. Many important/required options are set in the
`Containerfile`. However it's entirely possible to pass them in via
either of the `podman container runlabel...` container commands. To
discover them, simply append `--help` to the end of the command.
For example:
```bash
podman container runlabel $IMAGE register --help
```