Fix image tagging (again)

This CI environment is using a busybox `sh` so doesn't support all the
advanced features of bash.  Reimplement IMAGE_TAG processing so it
functions as intended.

Signed-off-by: Chris Evich <chris_gitlab@icuc.me>

.gitignore

@@ -0,0 +1 @@
+/.pre-commit-config.yaml

.gitlab-ci.yml

@@ -15,12 +15,26 @@ build:
     BASE_TAG: latest
     FLAVOR: stable
   script:
-    - mkdir -p /kaniko/.docker
+    - 'mkdir -p /kaniko/.docker'
-    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+    - 'echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json'
-    - >-
+    - |
+        echo "Select CI env. vars.:";
+        printenv | egrep '^CI_' | sort
+    # N/B: There could be more than one merge-request open with this branch's HEAD
+    - |
+        IMAGE_TAG="${CI_COMMIT_BRANCH}";
+        if [[ -n "$CI_COMMIT_TAG" ]]; then
+            IMAGE_TAG="${CI_COMMIT_TAG}";
+        elif [[ -n "$CI_OPEN_MERGE_REQUESTS" ]]; then
+            IMAGE_TAG=mr$(echo "${CI_OPEN_MERGE_REQUESTS}" | cut -d, -f -1 | cut -d\! -f 2);
+        elif [[ "$CI_COMMIT_BRANCH" == "main" ]]; then
+            IMAGE_TAG="latest";
+        fi
+        echo "Building/Pushing to: ${CI_REGISTRY_IMAGE}:${IMAGE_TAG}";
+    - |
         /kaniko/executor \
             --context $CI_PROJECT_DIR \
             --dockerfile $CI_PROJECT_DIR/Containerfile \
-            --destination "$CI_REGISTRY_IMAGE:${CI_COMMIT_TAG:-latest}" \
+            --destination "${CI_REGISTRY_IMAGE}:${IMAGE_TAG}" \
             --build-arg "BASE_TAG=$BASE_TAG" \
             --build-arg "FLAVOR=$FLAVOR"

Containerfile

@@ -86,13 +86,14 @@ RUN if [[ "$RUNNER_LISTEN_ADDRESS" == "disabled" ]]; then \
 
 # A small wrapper is needed to launch a background podman system service
 # process for the gitlab-runner to connect to.
-ADD /gitlab-runner-wrapper /usr/local/bin/
+ADD /gitlab-runner-wrapper /podman-in-podman-maintenance /usr/local/bin/
 # Base image UTS NS configuration causes runner to break when launching
 # nested rootless containers.
 RUN sed -i -r \
         -e 's/^utsns.+host.*/utsns="private"/' \
         /etc/containers/containers.conf && \
     chmod +x /usr/local/bin/gitlab-runner-wrapper && \
+    chmod +x /usr/local/bin/podman-in-podman-maintenance && \
     chown -R podman.podman /home/podman && \
     rm -f /home/podman/.bash* && \
     echo DOCKER_HOST="unix:///tmp/podman-run-1000/podman/podman.sock" > /etc/profile.d/podman.sh
@@ -106,10 +107,11 @@ ENTRYPOINT ["/usr/local/bin/gitlab-runner-wrapper"]
 
 # Gitlab-runner configuration options.  Default to unprivileged (nested)
 # runner.  Privileged is required to permit nested container image building.
+ARG RUNNER_NAME="qontainers-pipglr"
 ARG PRIVILEGED_RUNNER="false"
 # Tags allow pinning jobs to specific runners, comma-separated list of
 # tags to add to runner (no spaces!)
-ARG RUNNER_TAGS="podman_in_podman"
+ARG RUNNER_TAGS="podman-in-podman"
 # Permit running jobs without any tag at all
 ARG RUNNER_UNTAGGED="true"
 ENV REGISTER_NON_INTERACTIVE="true" \
@@ -118,6 +120,7 @@ ENV REGISTER_NON_INTERACTIVE="true" \
     REGISTER_ACCESS_LEVEL="ref_protected" \
     REGISTER_MAXIMUM_TIMEOUT="3600" \
     CI_SERVER_URL="https://gitlab.com/" \
+    RUNNER_NAME="${RUNNER_NAME}" \
     RUNNER_EXECUTOR="docker" \
     RUNNER_SHELL="bash" \
     REGISTER_MAINTENANCE_NOTE="Podman-in-Podman containerized runner" \
@@ -141,4 +144,4 @@ LABEL register="podman run -it --rm $_pm --secret REGISTRATION_TOKEN,type=env \$
 # DEBU[0019] running conmon: /usr/bin/conmon args="[--api-version 1 -c 289...c08 -u 289...c08 -r /usr/bin/crun -b /home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata -p /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/pidfile -n runner-8pxm3xb-project-19009784-concurrent-0-a71b53d132a29e56-predefined-0 --exit-dir /tmp/podman-run-1000/libpod/tmp/exits --full-attach -l k8s-file:/home/podman/.local/share/containers/storage/overlay-containers/289...c08/userdata/ctr.log --log-level debug --syslog --runtime-arg --cgroup-manager --runtime-arg disabled -i --conmon-pidfile /tmp/podman-run-1000/containers/overlay-containers/289...c08/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/podman/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /tmp/podman-run-1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /tmp/podman-run-1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg  --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/podman/.local/share/containers/storage/volumes --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg 289...c08]"
 # [conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied
 
-LABEL run="podman run -d --privileged --name gitlab-runner $_pm -p $RUNNER_SESSION_PORT:$RUNNER_SESSION_PORT \$IMAGE run"
+LABEL run="podman run -d --privileged --name gitlab-runner $_pm \$IMAGE run"

README.md

@@ -3,7 +3,11 @@
 This container image is built daily from this `Containerfile`, and
 made available as:
 
-* FIXME
+* `registry.gitlab.com/qontainers/pipglr:latest`
+
+-or-
+
+* `registry.gitlab.com/qontainers/pipglr:<version>`
 
 It's purpose is to provide an easy method to execute a GitLab runner,
 to service CI/CD jobs for groups and/or repositories on
@@ -30,6 +34,8 @@ configuration, please edit the config.toml file within the
 `gitlab-runner-config` volume.
 
 Note: These commands assume you have both `podman` and `jq` available.
+Instead of `eval`, if your podman version supports `container runlabel`,
+you may use that.
 
 ```bash
 $ echo '<registration token>' | podman secret create REGISTRATION_TOKEN -
@@ -44,6 +50,8 @@ the GitLab runner container may be launched with the following commands.
 
 Note: The first time this is run, startup will take an extended amount
 of time as the runner downloads and runs several (inner) support containers.
+As above, instead of `eval`, if your podman version supports `container runlabel`,
+you may use that.
 
 Debugging: You may `export PODMAN_RUNNER_DEBUG=debug` to enable inner-podman
 debugging (or any other supported log level) to stdout.

gitlab-runner-wrapper

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+# This script is intended to be called as the entrypoint for
+# a podman-in-podman gitlab runner container.  Any usage
+# outside that context is not supported and may cause harm.
+
 set -e
 
 unset _debug_args
@@ -9,7 +13,8 @@ fi
 
 if [[ "$1" == "run" ]] && [[ ! -S "/tmp/podman-run-1000/podman/podman.sock" ]]; then
     podman $_debug_args system service -t 0 &
-    # Prevent SIGHUP propigation to podman process
+    /usr/local/bin/podman-in-podman-maintenance &
+    # Prevent SIGHUP propagation to podman process
     disown -ar
 fi
 

podman-in-podman-maintenance

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# This script is intended to be called by the entrypoint for
+# a podman-in-podman gitlab runner container.  Any usage
+# outside that context is not supported and may cause harm.
+
+set -e
+
+maintain_podman() {
+  # Two days seems to be a good happy-medium beween filling up
+  # about 40gig of storage space from moderate CI activity,
+  # and maintaining a useful level of caching.
+  while sleep 2d; do
+    if [[ -n "$PODMAN_RUNNER_DEBUG" ]]; then
+      echo "$(date --iso-8601=second) ${BASH_SOURCE[0] performing podman maintenance}"
+    fi
+    podman system prune --all --force
+  done
+}