public/pipglr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: public:v1.1.2
Branches Tags
public:main public:quadlet
public:v4.3.0 public:v4.2.0 public:v4.1.0 public:v4.0.0 public:v3.0.1 public:v3.0.0 public:v2.0.3 public:v2.0.2 public:v2.0.1 public:v2.0.0 public:v1.4.2 public:v1.4.1 public:v1.4.0 public:v1.3.0 public:v1.2.1 public:v1.2.0 public:v1.1.2 public:v1.1.1 public:v1.1.0 public:v1.0.1 public:v1.0.0 public:v0.0.0-f36
...
compare: public:v1.2.1
Branches Tags
public:main public:quadlet
public:v4.3.0 public:v4.2.0 public:v4.1.0 public:v4.0.0 public:v3.0.1 public:v3.0.0 public:v2.0.3 public:v2.0.2 public:v2.0.1 public:v2.0.0 public:v1.4.2 public:v1.4.1 public:v1.4.0 public:v1.3.0 public:v1.2.1 public:v1.2.0 public:v1.1.2 public:v1.1.1 public:v1.1.0 public:v1.0.1 public:v1.0.0 public:v0.0.0-f36

5 Commits
v1.1.2 ... v1.2.1

Author SHA1 Message Date
Chris Evich
63b00ad2e7 Merge branch 'fix_maintenance' into 'main' 
Fix maintenance task

See merge request qontainers/pipglr!7
 2022-11-23 17:12:59 +00:00
Chris Evich
2bda4c3be6 Fix maintenance task 
The function was defined but never called, resulting in immediate exit
of the maintenance script.  Fix this, also add a configuration build-arg and
ENV to control the cleaning interval.

Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
 2022-11-23 12:10:07 -05:00
Chris Evich
3b72178739 Merge branch 'cachevol' into 'main' 
Add missing cache volume

See merge request qontainers/pipglr!6
 2022-11-22 22:31:28 +00:00
Chris Evich
df8f46eb2d Update docs and Containerfile to match 
Fully tested README.md instructions end-to-end on F36.

Signed-off-by: Chris Evich <cevich@redhat.com>
 2022-11-22 14:53:41 -05:00
Chris Evich
a1931efcc1 Add missing cache volume 
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
 2022-11-22 11:35:36 -05:00
3 changed files with 81 additions and 30 deletions
Expand all files Collapse all files

19
Containerfile
View File

@@ -97,13 +97,15 @@ RUN sed -i -r \
chmod +x /usr/local/bin/gitlab-runner-wrapper && \
chmod +x /usr/local/bin/podman-in-podman-maintenance && \
chown -R podman:podman /home/podman && \
chmod u+s /usr/bin/new{uid,gid}map && \
rm -f /home/podman/.bash* && \
echo DOCKER_HOST="unix:///tmp/podman-run-1000/podman/podman.sock" > /etc/profile.d/podman.sh
# Runtime rootless-mode configuration
USER podman
VOLUME ["/home/podman/.local/share/containers/storage/",\
"/home/podman/.gitlab-runner/"]
"/home/podman/.gitlab-runner/", \
"/cache"]
WORKDIR /home/podman
ENTRYPOINT ["/usr/local/bin/gitlab-runner-wrapper"]
@@ -113,13 +115,17 @@ RUN mkdir -p .local/share/containers/storage
# Gitlab-runner configuration options. Default to unprivileged (nested)
# runner. Privileged is required to permit nested container image building.
ARG RUNNER_NAME="qontainers-pipglr"
ARG PRIVILEGED_RUNNER="false"
# Running inner-podman privileged is necessary at the time of this commit.
ARG PRIVILEGED_RUNNER="true"
# Tags allow pinning jobs to specific runners, comma-separated list of
# tags to add to runner (no spaces!)
ARG RUNNER_TAGS="podman-in-podman"
# Permit running jobs without any tag at all
ARG RUNNER_UNTAGGED="true"
ENV REGISTER_NON_INTERACTIVE="true" \
# Adjust based on usage and storage size to prevent ENOSPACE problems
ARG CLEAN_INTERVAL="24h"
ENV CLEAN_INTERVAL="$CLEAN_INTERVAL" \
REGISTER_NON_INTERACTIVE="true" \
RUNNER_TAG_LIST="$RUNNER_TAGS" \
REGISTER_RUN_UNTAGGED="$RUNNER_UNTAGGED" \
REGISTER_ACCESS_LEVEL="ref_protected" \
@@ -132,15 +138,16 @@ ENV REGISTER_NON_INTERACTIVE="true" \
DOCKER_HOST="unix:///tmp/podman-run-1000/podman/podman.sock" \
DOCKER_DEVICES="/dev/fuse" \
DOCKER_IMAGE="registry.fedoraproject.org/fedora-minimal:latest" \
DOCKER_CACHE_DIR="/home/podman/.cache/gitlab-runner" \
DOCKER_CACHE_DIR="/cache" \
DOCKER_VOLUMES="/cache" \
DOCKER_NETWORK_MODE="host" \
DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
# Not a real build-arg. Simply here to save lots of typing.
ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage:Z --volume pipglr-runner-config:/home/podman/.gitlab-runner:Z -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
# These labels simply make it easier to register and execute the runner.
# Define them last so they are absent should a image-build failure occur.
LABEL register="podman run -it --rm $_pm --secret REGISTRATION_TOKEN,type=env \$IMAGE register"
# Note: Privileged mode is required to permit building container images with inner-podman
LABEL run="podman run -d --rm --privileged --name gitlab-runner $_pm \$IMAGE run"
LABEL run="podman run -d --privileged --name pipglr $_pm \$IMAGE run"

81
README.md
View File

@@ -27,21 +27,28 @@ lacks this feature, Several labels are set on the image to support
easy registration and execution of a runner container using a special
bash command. See the examples below for more information.
#### Volume Ownership Bug
#### [Volume Ownership Bug](https://github.com/containers/podman/issues/16576)
Some versions of podman contain a bug where named volumes aren't owned
by the namespaced user within a rootless container (i.e. in conjunction
with the --user option). Since the `podman` user/group inside the `pipglr`
container is known, it's possible to manually set/reset ownership:
Some versions of podman contain a bug where named local volumes aren't owned
by the namespaced user within a rootless container (i.e. the 'podman' user).
Since the `podman` user/group inside the `pipglr` container is known, it's
possible to manually setup ownership ahead of time. This should be be done
once, prior to registering your runners:
```bash
VOLUME=pipglr-podman-root
podman volume create $VOLUME
cd $(podman unshare podman volume mount $VOLUME)
podman unshare chown 1000:1000
podman volume unmount $VOLUME
$ for VOLUME in pipglr-podman-root pipglr-config pipglr-podman-cache; do \
PUPVM="podman unshare podman volume mount $VOLUME"
podman volume create $VOLUME && \
podman unshare chown 1000:1000 $($PUPVM) && \
podman unshare chmod 02770 $($PUPVM) && \
podman unshare ls -land $($PUPVM) ; \
done
```
If you get `podman system service` startup permission-denied errors, or
errors from gitlab-runner, unable to connect to the podman socket, this is
likely the cause. You can fix it after-the-fact using the same commands as above, just add a `-R` option to the `chown`/`chmod`, and additionally target `./*`.
#### Runner registration
Each time the registration command is run, a new runner is added into
@@ -52,20 +59,27 @@ For modern versions of podman, registration can be performed with the
following commands:
```bash
IMAGE="=registry.gitlab.com/qontainers/pipglr:latest"
echo '<actual registration token>' | podman secret create REGISTRATION_TOKEN -
podman container runlabel $IMAGE register --secret REGISTRATION_TOKEN,type=env
$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
$ echo '<actual registration token>' | podman secret create REGISTRATION_TOKEN -
$ podman container runlabel register $IMAGE
```
Where `<actual registration token>` is the value obtained from the "runners"
settings page of a gitlab group or project.
settings page of a gitlab group or project. When you're finished registering
as many runners as you want, the secret is no-longer needed and may be removed:
Note: Some versions of podman don't support the `container runlabel` sub-command.
```bash
$ podman secret rm REGISTRATION_TOKEN
```
##### Note
Some versions of podman don't support the `container runlabel` sub-command.
If this is the case, you may simulate it with the following command (in addition
to the other example commands above):
```bash
eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register)
$ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.register)
```
#### Runner Startup
@@ -74,9 +88,11 @@ With one or more runners successfully registered and configured, the GitLab
runner container may be launched with the following commands:
```bash
podman container runlabel $IMAGE run
$ podman container runlabel run $IMAGE
```
##### Note
As above, if you're missing the `container runlabel` sub-command, the following
may be used instead (assuming `$IMAGE` remains set):
@@ -84,8 +100,24 @@ may be used instead (assuming `$IMAGE` remains set):
$ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.run)
```
#### Runner configuration
You may inspect/modify the gitlab-runner configuration as you see fit, just be
sure to use the `podman unshare` command-wrapper to enter the usernamespace.
For example, to display the config:
```bash
$ podman unshare $(podman unshare podman volume mount pipglr-config)/config.toml
```
#### Debugging
The first thing to check is the container output:
```bash
$ podman logs --since 0 pipglr
```
Before starting the runner, you may `export PODMAN_RUNNER_DEBUG=debug` to enable
debugging on the inner-podman. Whereas `export LOG_LEVEL=debug` can be used to
debug the gitlab-runner itself.
@@ -94,7 +126,9 @@ debug the gitlab-runner itself.
This image may be built simply with:
`podman build -t registry.gitlab.com/qontainers/pipglr:latest .`
```bash
$ podman build -t registry.gitlab.com/qontainers/pipglr:latest .
```
This will utilize the latest stable version of podman and the latest
stable version of the gitlab runner.
@@ -120,6 +154,10 @@ Several build arguments are available to control the output image:
exact podman version. Possible values include, `latest`, `vX`, `vX.Y`,
and `vX.Y.Z` (where, `X`, `Y`, and `Z` represent the podman semantic
version numbers). It's also possible to specify an image SHA.
* `CLEAN_INTERVAL` - A `sleep` (command) compatible time-argument that
determines how often to clean out podman storage of disused containers and
images. Defaults to 24-hours, but should be adjusted based on desired caching-effect
versus available storage space and rate of job execution.
* `EXCLUDE_PACKAGES` - A space-separated list of RPM packages to prevent
their existence in the final image. This is intended as a security measure
to limit the attack-surface should a gitlab-runner process escape it's
@@ -140,10 +178,9 @@ Several build arguments are available to control the output image:
and port supports various observability and debugging features of the
gitlab runner. For more information see the [gitlab runner advanced
configuration documentation](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section).
* `PRIVILEGED_RUNNER` - Defaults to 'false', may be set 'true'. When
`true`, this causes inner-containers to be created with the `--privileged`
flag. This is a potential security weakness, but is necessary for
(among other things) allowing nested container image builds.
* `PRIVILEGED_RUNNER` - Defaults to 'true', may be set 'true' if you're brave.
However this may result in the gitlab-runner failing to launch inner-containers.
Setting it false will also prevent building container images using the runner.
* `RUNNER_TAGS` - Defaults to `podman_in_podman`, may be set to any comma-separated
list (with no spaces!) of tags. These show up in GitLab (not the runner
configuration), and determines where jobs are run.

11
podman-in-podman-maintenance
View File

@@ -4,16 +4,23 @@
# a podman-in-podman gitlab runner container. Any usage
# outside that context is not supported and may cause harm.
set -e
set -eo pipefail
maintain_podman() {
# Two days seems to be a good happy-medium beween filling up
# about 40gig of storage space from moderate CI activity,
# and maintaining a useful level of caching.
while sleep 2d; do
while sleep "$CLEAN_INTERVAL"; do
if [[ -n "$PODMAN_RUNNER_DEBUG" ]]; then
echo "$(date --iso-8601=second) ${BASH_SOURCE[0] performing podman maintenance}"
fi
podman system prune --all --force
done
}
if [[ -z "$CLEAN_INTERVAL" ]]; then
echo "ERROR: Empty/unset \$CLEAN_INTERVAL"
exit 1
fi
maintain_podman