public/pipglr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Resolve TODO, update volume names, update docs.

Browse Source 
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
This commit is contained in:
Chris Evich
2022-11-18 21:52:08 -05:00
parent 0e51bfdf8e
commit cbddc54007
2 changed files with 75 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
Containerfile
View File

@@ -46,11 +46,7 @@ ARG DNFCMD="${_DNFCMD}"
RUN set -x && \
rm -f /etc/dnf/protected.d/sudo.conf && \
rm -f /etc/dnf/protected.d/yum.conf && \
$DNFCMD remove ${EXCLUDE_PACKAGES} && \
if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
dnf clean all && \
rm -rf /var/cache/dnf; \
fi
$DNFCMD remove ${EXCLUDE_PACKAGES}
# Enable callers to customize the runner version as needed, otherwise
# assume this image will be version-tagged, so it's fine to grab the latest.
@@ -63,7 +59,7 @@ RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \
$DNFCMD update && \
$DNFCMD install $x $RUNNER_RPM_URL && \
$DNFCMD upgrade && \
if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then \
dnf clean all && \
rm -rf /var/cache/dnf; \
fi
@@ -138,16 +134,10 @@ ENV REGISTER_NON_INTERACTIVE="true" \
DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
# Not a real build-arg. Simply here to save lots of typing.
ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman -v gitlab-runner-storage:/home/podman/.local/share/containers/storage:Z,U -v gitlab-runner-cache:/home/podman/.cache/gitlab-runner:Z,U -v gitlab-runner-config:/home/podman/.gitlab-runner:Z,U -e PODMAN_RUNNER_DEBUG"
ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage:Z --volume pipglr-runner-config:/home/podman/.gitlab-runner:Z -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
# These labels simply make it easier to register and execute the runner.
# Define them last so they are absent should a image-build failure occur.
LABEL register="podman run -it --rm $_pm --secret REGISTRATION_TOKEN,type=env \$IMAGE register"
# TODO: Figure out what's needed to run w/o --privileged. When unspecified,
# conmon fails with this error (from podman debug output):
#
# DEBU[0019] running conmon: /usr/bin/conmon args="[--api-version 1 -c 289...c08 -u 289...c08 -r /usr/bin/crun -b /home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata -p /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/pidfile -n runner-8pxm3xb-project-19009784-concurrent-0-a71b53d132a29e56-predefined-0 --exit-dir /tmp/podman-run-1000/libpod/tmp/exits --full-attach -l k8s-file:/home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata/ctr.log --log-level debug --syslog --runtime-arg --cgroup-manager --runtime-arg disabled -i --conmon-pidfile /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/podman/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /tmp/podman-run-1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /tmp/podman-run-1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/podman/.local/share/containers/storage/volumes --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg 289...c08]"
# [conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied
LABEL run="podman run -d --privileged --name gitlab-runner $_pm \$IMAGE run"
# Note: Privileged mode is required to permit building container images with inner-podman
LABEL run="podman run -d --rm --privileged --name gitlab-runner $_pm \$IMAGE run"

97
README.md
View File

@@ -12,54 +12,84 @@ made available as:
It's purpose is to provide an easy method to execute a GitLab runner,
to service CI/CD jobs for groups and/or repositories on
[gitlab.com](https://gitlab.com). It comes pre-configured to utilize
the gitlab-runner app to execute with rootless podman containers,
the gitlab-runner app to execute within a rootless podman container,
nested inside a rootless podman container.
This is intended to provide multiple additional layers of security
for the host, when running potentially arbitrary CI/CD code. Though,
the ultimate responsibility still rests with the end-user to review
the setup and configuration relative to their own situation/environment.
This is intended to provide additional layers of security for the host,
when running potentially arbitrary CI/CD code. Though, the ultimate
responsibility still rests with the end-user to review the setup and
configuration relative to their own security situation/environment.
### Quickstart
### Operation
Several labels are set on the built image or manifest list to support
easy registration and execution of a runner container. They require
defining several environment variables for use.
This image supports `podman container runlabel`, or if your version
lacks this feature, Several labels are set on the image to support
easy registration and execution of a runner container using a special
bash command. See the examples below for more information.
#### Volume Ownership Bug
Some versions of podman contain a bug where named volumes aren't owned
by the namespaced user within a rootless container (i.e. in conjunction
with the --user option). Since the `podman` user/group inside the `pipglr`
container is known, it's possible to manually set/reset ownership:
```bash
VOLUME=pipglr-podman-root
podman volume create $VOLUME
cd $(podman unshare podman volume mount $VOLUME)
podman unshare chown 1000:1000
podman volume unmount $VOLUME
```
#### Runner registration
Each time the registration command is run, a new runner is added into
the configuration. If your intent is to simply update or modify the
configuration, please edit the config.toml file within the
`gitlab-runner-config` volume.
Note: These commands assume you have both `podman` and `jq` available.
Instead of `eval`, if your podman version supports `container runlabel`,
you may use that.
the configuration. If however, you simply need to update/modify the
configuration, please edit the `config.toml` file directly after mounting
(default) `pipglr-runner-config` (`/home/podman/.gitlab-runner/`) volume.
For modern versions of podman, registration can be performed with the
following commands:
```bash
$ echo '<registration token>' | podman secret create REGISTRATION_TOKEN -
$ export IMAGE=<image FQIN:TAG>
$ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register)
IMAGE="=registry.gitlab.com/qontainers/pipglr:latest"
echo '<actual registration token>' | podman secret create REGISTRATION_TOKEN -
podman container runlabel $IMAGE register --secret REGISTRATION_TOKEN,type=env
```
Where `<actual registration token>` is the value obtained from the "runners"
settings page of a gitlab group or project.
Note: Some versions of podman don't support the `container runlabel` sub-command.
If this is the case, you may simulate it with the following command (in addition
to the other example commands above):
```bash
eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register)
```
#### Runner Startup
With one or more runners registered and configured, and `$IMAGE` set,
the GitLab runner container may be launched with the following commands.
With one or more runners successfully registered and configured, the GitLab
runner container may be launched with the following commands:
Note: The first time this is run, startup will take an extended amount
of time as the runner downloads and runs several (inner) support containers.
As above, instead of `eval`, if your podman version supports `container runlabel`,
you may use that.
```bash
podman container runlabel $IMAGE run
```
Debugging: You may `export PODMAN_RUNNER_DEBUG=debug` to enable inner-podman
debugging (or any other supported log level) to stdout.
As above, if you're missing the `container runlabel` sub-command, the following
may be used instead (assuming `$IMAGE` remains set):
```bash
$ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.run)
```
#### Debugging
Before starting the runner, you may `export PODMAN_RUNNER_DEBUG=debug` to enable
debugging on the inner-podman. Whereas `export LOG_LEVEL=debug` can be used to
debug the gitlab-runner itself.
## Building
This image may be built simply with:
@@ -119,3 +149,16 @@ Several build arguments are available to control the output image:
configuration), and determines where jobs are run.
* `RUNNER_UNTAGED` - Defaults to `true`, may be set to `false`. Allows
the runner to service jobs without any tags on them at all.
### Environment variables
Nearly every option to every gitlab-runner sub-command may be specified via
environment variable. Many important/required options are set in the
`Containerfile`. However it's entirely possible to pass them in via
either of the `podman container runlabel...` container commands. To
discover them, simply append `--help` to the end of the command.
For example:
```bash
podman container runlabel $IMAGE register --help
```