Resolve TODO, update volume names, update docs.

Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
2022-11-18 21:52:08 -05:00
parent 0e51bfdf8e
commit cbddc54007
2 changed files with 75 additions and 42 deletions
--- a/20
+++ b/20
@@ -46,11 +46,7 @@ ARG DNFCMD="${_DNFCMD}"
 RUN set -x && \
    rm -f /etc/dnf/protected.d/sudo.conf && \
    rm -f /etc/dnf/protected.d/yum.conf && \
-    $DNFCMD remove ${EXCLUDE_PACKAGES} && \
+    $DNFCMD remove ${EXCLUDE_PACKAGES}
    if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
      dnf clean all && \
      rm -rf /var/cache/dnf; \
    fi
 # Enable callers to customize the runner version as needed, otherwise
 # assume this image will be version-tagged, so it's fine to grab the latest.
@@ -63,7 +59,7 @@ RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \
    $DNFCMD update && \
    $DNFCMD install $x $RUNNER_RPM_URL && \
    $DNFCMD upgrade && \
-    if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
+    if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then \
      dnf clean all && \
      rm -rf /var/cache/dnf; \
    fi
@@ -138,16 +134,10 @@ ENV REGISTER_NON_INTERACTIVE="true" \
    DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
 # Not a real build-arg.  Simply here to save lots of typing.
-ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman -v gitlab-runner-storage:/home/podman/.local/share/containers/storage:Z,U -v gitlab-runner-cache:/home/podman/.cache/gitlab-runner:Z,U -v gitlab-runner-config:/home/podman/.gitlab-runner:Z,U -e PODMAN_RUNNER_DEBUG"
+ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage:Z --volume pipglr-runner-config:/home/podman/.gitlab-runner:Z -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
 # These labels simply make it easier to register and execute the runner.
 # Define them last so they are absent should a image-build failure occur.
 LABEL register="podman run -it --rm $_pm --secret REGISTRATION_TOKEN,type=env \$IMAGE register"
-
+# Note: Privileged mode is required to permit building container images with inner-podman
-# TODO: Figure out what's needed to run w/o --privileged.  When unspecified,
+LABEL run="podman run -d --rm --privileged --name gitlab-runner $_pm \$IMAGE run"
 # conmon fails with this error (from podman debug output):
 #
 # DEBU[0019] running conmon: /usr/bin/conmon args="[--api-version 1 -c 289...c08 -u 289...c08 -r /usr/bin/crun -b /home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata -p /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/pidfile -n runner-8pxm3xb-project-19009784-concurrent-0-a71b53d132a29e56-predefined-0 --exit-dir /tmp/podman-run-1000/libpod/tmp/exits --full-attach -l k8s-file:/home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata/ctr.log --log-level debug --syslog --runtime-arg --cgroup-manager --runtime-arg disabled -i --conmon-pidfile /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/podman/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /tmp/podman-run-1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /tmp/podman-run-1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg  --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/podman/.local/share/containers/storage/volumes --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg 289...c08]"
 # [conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied
 LABEL run="podman run -d --privileged --name gitlab-runner $_pm \$IMAGE run"
--- a/README.md
+++ b/README.md
@@ -12,54 +12,84 @@ made available as:
 It's purpose is to provide an easy method to execute a GitLab runner,
 to service CI/CD jobs for groups and/or repositories on
 [gitlab.com](https://gitlab.com).  It comes pre-configured to utilize
-the gitlab-runner app to execute with rootless podman containers,
+the gitlab-runner app to execute within a rootless podman container,
 nested inside a rootless podman container.
-This is intended to provide multiple additional layers of security
+This is intended to provide additional layers of security for the host,
-for the host, when running potentially arbitrary CI/CD code.  Though,
+when running potentially arbitrary CI/CD code.  Though, the ultimate
-the ultimate responsibility still rests with the end-user to review
+responsibility still rests with the end-user to review the setup and
-the setup and configuration relative to their own situation/environment.
+configuration relative to their own security situation/environment.
-### Quickstart
+### Operation
-Several labels are set on the built image or manifest list to support
+This image supports `podman container runlabel`, or if your version
-easy registration and execution of a runner container.  They require
+lacks this feature, Several labels are set on the image to support
-defining several environment variables for use.
+easy registration and execution of a runner container using a special
 bash command.  See the examples below for more information.
 #### Volume Ownership Bug
 Some versions of podman contain a bug where named volumes aren't owned
 by the namespaced user within a rootless container (i.e. in conjunction
 with the --user option).  Since the `podman` user/group inside the `pipglr`
 container is known, it's possible to manually set/reset ownership:
 ```bash
 VOLUME=pipglr-podman-root
 podman volume create $VOLUME
 cd $(podman unshare podman volume mount $VOLUME)
 podman unshare chown 1000:1000
 podman volume unmount $VOLUME
 ```
 #### Runner registration
 Each time the registration command is run, a new runner is added into
-the configuration.  If your intent is to simply update or modify the
+the configuration.  If however, you simply need to update/modify the
-configuration, please edit the config.toml file within the
+configuration, please edit the `config.toml` file directly after mounting
-`gitlab-runner-config` volume.
+(default) `pipglr-runner-config` (`/home/podman/.gitlab-runner/`) volume.
-
+For modern versions of podman, registration can be performed with the
-Note: These commands assume you have both `podman` and `jq` available.
+following commands:
 Instead of `eval`, if your podman version supports `container runlabel`,
 you may use that.
 ```bash
-$ echo '<registration token>' | podman secret create REGISTRATION_TOKEN -
+IMAGE="=registry.gitlab.com/qontainers/pipglr:latest"
-$ export IMAGE=<image FQIN:TAG>
+echo '<actual registration token>' | podman secret create REGISTRATION_TOKEN -
-$ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register)
+podman container runlabel $IMAGE register --secret REGISTRATION_TOKEN,type=env
 ```
 Where `<actual registration token>` is the value obtained from the "runners"
 settings page of a gitlab group or project.
 Note: Some versions of podman don't support the `container runlabel` sub-command.
 If this is the case, you may simulate it with the following command (in addition
 to the other example commands above):
 ```bash
 eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register)
 ```
 #### Runner Startup
-With one or more runners registered and configured, and `$IMAGE` set,
+With one or more runners successfully registered and configured, the GitLab
-the GitLab runner container may be launched with the following commands.
+runner container may be launched with the following commands:
-Note: The first time this is run, startup will take an extended amount
+```bash
-of time as the runner downloads and runs several (inner) support containers.
+podman container runlabel $IMAGE run
-As above, instead of `eval`, if your podman version supports `container runlabel`,
+```
 you may use that.
-Debugging: You may `export PODMAN_RUNNER_DEBUG=debug` to enable inner-podman
+As above, if you're missing the `container runlabel` sub-command, the following
-debugging (or any other supported log level) to stdout.
+may be used instead (assuming `$IMAGE` remains set):
 ```bash
 $ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.run)
 ```
 #### Debugging
 Before starting the runner, you may `export PODMAN_RUNNER_DEBUG=debug` to enable
 debugging on the inner-podman.  Whereas `export LOG_LEVEL=debug` can be used to
 debug the gitlab-runner itself.
 ## Building
 This image may be built simply with:
@@ -119,3 +149,16 @@ Several build arguments are available to control the output image:
  configuration), and determines where jobs are run.
 * `RUNNER_UNTAGED` - Defaults to `true`, may be set to `false`.  Allows
  the runner to service jobs without any tags on them at all.
 ### Environment variables
 Nearly every option to every gitlab-runner sub-command may be specified via
 environment variable.  Many important/required options are set in the
 `Containerfile`.  However it's entirely possible to pass them in via
 either of the `podman container runlabel...` container commands.  To
 discover them, simply append `--help` to the end of the command.
 For example:
 ```bash
 podman container runlabel $IMAGE register --help
 ```