From 16d53b860c5c3ebba8f73524f6fe0cf5023a0240 Mon Sep 17 00:00:00 2001
From: Fetwar
Date: Tue, 11 Jun 2024 13:27:17 +1000
Subject: [PATCH 1/8] Bump runner version to 2.317.0

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 3e6fb02..3740966 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 FROM ubuntu:22.04
 # set the github runner version
-ARG RUNNER_VERSION="2.311.0"
+ARG RUNNER_VERSION="2.317.0"
 ENV TZ=Europe/Lisbon
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

From c5799011430b340e5d6616d069732c6a17d35685 Mon Sep 17 00:00:00 2001
From: Fetwar
Date: Tue, 11 Jun 2024 13:28:33 +1000
Subject: [PATCH 2/8] Remove download artifacts for smaller image size

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 3740966..c0559ca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,7 +27,8 @@ RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -; \
 # cd into the user directory, download and unzip the github actions runner
 RUN cd /home/docker && mkdir actions-runner && cd actions-runner \
 && curl -O -L https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz \
- && tar xzf ./actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz
+ && tar xzf ./actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz \
+ && rm ./actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz
 # install some additional dependencies
 RUN chown -R docker ~docker && /home/docker/actions-runner/bin/installdependencies.sh

From a477926b7bc42822a72588b9a513e66112c4f78c Mon Sep 17 00:00:00 2001
From: Fetwar
Date: Tue, 11 Jun 2024 13:30:29 +1000
Subject: [PATCH 3/8] Use secrets instead of bind mount for token access

---
 docker-compose.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 3e339dc..55c2fd4 100644
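Review bot: The runner tarball fetched on the `curl -O -L` line of the second patch is extracted and now deleted without any integrity check, so what ends up in the image depends entirely on the TLS connection to GitHub at build time. GitHub publishes the SHA-256 of each release asset in the release notes; checking it in the same RUN, before `tar xzf`, ties the layer to the exact artifact for the RUNNER_VERSION being built: `&& echo "<sha256-from-release-notes>  actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz" | sha256sum -c - \`. The checksum then has to be updated together with RUNNER_VERSION, which turns the bump in the first patch into a two-line change and makes a mismatched download fail the build instead of producing a runner nobody has verified.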
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,9 @@
 version: "3.9"
+secrets:
+ # Note: Github personal access token
+ # Not the token for registering self-hosted runner
+ github_access-token:
+ file: ./access-token
 services:
 socket:
@@ -18,11 +23,11 @@ services:
 runner:
 build:
 context: .
+ secrets:
+ - github_access-token
 env_file: .env
 environment:
 DOCKER_HOST: socket:2375
 ACCESS_TOKEN_FILE: /run/secrets/github_access-token
 volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- - ./access-token:/run/secrets/github_access-token:ro

From cf3d281f50fb42515470923e0cd841c596870063 Mon Sep 17 00:00:00 2001
From: Fetwar
Date: Tue, 11 Jun 2024 13:35:32 +1000
Subject: [PATCH 4/8] Enhance security by not loading token into env var

---
 docker-compose.yml | 4 +++-
 start.sh | 4 +---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 55c2fd4..814fff8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,6 @@
-version: "3.9"
+volumes:
+ data:
+
 secrets:
 # Note: Github personal access token
 # Not the token for registering self-hosted runner
diff --git a/start.sh b/start.sh
index b030dde..ff6a2a7 100755
--- a/start.sh
+++ b/start.sh
@@ -1,9 +1,7 @@
 #!/bin/bash
 ORGANIZATION=$ORGANIZATION
-ACCESS_TOKEN=$(cat $ACCESS_TOKEN_FILE)
-
-REG_TOKEN=$(curl -sX POST -H "Authorization: token ${ACCESS_TOKEN}" https://api.github.com/orgs/${ORGANIZATION}/actions/runners/registration-token | jq .token --raw-output)
+REG_TOKEN=$(curl -sX POST -H "Authorization: token $(cat $ACCESS_TOKEN_FILE)" https://api.github.com/orgs/${ORGANIZATION}/actions/runners/registration-token | jq .token --raw-output)
 cd /home/docker/actions-runner

From d0ce409a4e519229d7871a596c383f69031e3ab3 Mon Sep 17 00:00:00 2001
From: Fetwar
Date: Tue, 11 Jun 2024 14:09:23 +1000
Subject: [PATCH 5/8] Fix clobbered docker compose volumes

---
 docker-compose.yml | 5 -----
 1 file changed, 5 deletions(-)

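Review bot: The `file: ./access-token` secret added in the first hunk is, under plain Compose without Swarm, still a bind mount of the host file into `/run/secrets`, so the in-container protection of the token is the same as the `./access-token:/run/secrets/...:ro` mount the second hunk removes; the substantive gain of this patch is dropping the `/var/run/docker.sock` mount, which `DOCKER_HOST: socket:2375` already makes redundant. Because `build: context: .` in the second hunk sits in the same directory as `./access-token`, the token file is part of every build context and would land in an image layer if the Dockerfile copies the whole context — that Dockerfile section is not visible here, so worth confirming; listing `access-token` in `.dockerignore` (and `.gitignore`) closes that path regardless. The two comment lines under `secrets:` could also state what the token is used for and how it should be provisioned, e.g. `# PAT used only to mint runner registration tokens for the org (admin:org scope per the API docs); keep the host file mode 0600`.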
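Review bot: The inlined `$(cat $ACCESS_TOKEN_FILE)` on the new REG_TOKEN line does not take the token out of the process table: the expanded `Authorization` header is part of curl's argv for the duration of the request, and the removed `ACCESS_TOKEN=` assignment was a plain shell variable that was never exported, so the gain claimed by the commit subject is smaller than it reads. The more consequential gap on the same line is `-s` without `-f`: an unauthorized response comes back as a JSON error body, `jq .token --raw-output` prints `null`, and config.sh later runs with `--token null` and no diagnostic. Since the script is already bash, `REG_TOKEN=$(curl -fsS -X POST -H @<(printf 'Authorization: token %s\n' "$(cat "$ACCESS_TOKEN_FILE")") "https://api.github.com/orgs/${ORGANIZATION}/actions/runners/registration-token" | jq --raw-output .token)` followed by `[ -n "$REG_TOKEN" ] || { echo "failed to obtain a registration token" >&2; exit 1; }` keeps the header off the command line (`-H @file` reads it from a file, curl 7.55+) and makes the failure visible; `$ACCESS_TOKEN_FILE` should be quoted either way. The rest of the script is below this hunk.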
diff --git a/docker-compose.yml b/docker-compose.yml
index 814fff8..d46022c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,3 @@
-volumes:
- data:
-
 secrets:
 # Note: Github personal access token
 # Not the token for registering self-hosted runner
@@ -31,5 +28,3 @@ services:
 environment:
 DOCKER_HOST: socket:2375
 ACCESS_TOKEN_FILE: /run/secrets/github_access-token
-
- volumes:

From 3cd759917c6554e026f1b5b227ece4d9e15821d7 Mon Sep 17 00:00:00 2001
From: Fetwar
Date: Tue, 11 Jun 2024 13:37:38 +1000
Subject: [PATCH 6/8] Disable ephemeral runner updates

---
 start.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/start.sh b/start.sh
index ff6a2a7..28e0e9f 100755
--- a/start.sh
+++ b/start.sh
@@ -5,7 +5,8 @@ REG_TOKEN=$(curl -sX POST -H "Authorization: token $(cat $ACCESS_TOKEN_FILE)" ht
 cd /home/docker/actions-runner
-./config.sh --url https://github.com/${ORGANIZATION} --token ${REG_TOKEN} --ephemeral
+echo "Configuring ephemeral runner..."
+./config.sh --url https://github.com/${ORGANIZATION} --token ${REG_TOKEN} --ephemeral --disableupdate
 cleanup() {
 echo "Removing runner..."
@@ -15,4 +16,5 @@ cleanup() {
 trap 'cleanup; exit 130' INT
 trap 'cleanup; exit 143' TERM
+echo "Beginning run script..."
 ./run.sh & wait $!

From f69dce0bdbff38b4dee24d12e39b2190b9ab343d Mon Sep 17 00:00:00 2001
From: Fetwar
Date: Tue, 11 Jun 2024 13:38:33 +1000
Subject: [PATCH 7/8] Remove unsupported runner cleanup option

---
 start.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/start.sh b/start.sh
index 28e0e9f..faa27b5 100755
--- a/start.sh
+++ b/start.sh
@@ -10,7 +10,7 @@ echo "Configuring ephemeral runner..."
 cleanup() {
 echo "Removing runner..."
- ./config.sh remove --unattended --token ${REG_TOKEN}
+ ./config.sh remove --token ${REG_TOKEN}
 }
 trap 'cleanup; exit 130' INT

From b07e6341d19313d1b65e8bf72fcdad14484a2d67 Mon Sep 17 00:00:00 2001
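Review bot: `--disableupdate` on the new config.sh line of the sixth patch pins the runner to the RUNNER_VERSION baked into the image, and nothing in the script records that consequence; GitHub periodically raises the minimum runner version it accepts, so an image that is not rebuilt will at some point stop receiving jobs. A comment on the line keeps that visible to whoever operates it: `# --disableupdate: ephemeral runners must not self-update; the version is fixed by RUNNER_VERSION in the Dockerfile, so bump it and rebuild on a schedule`. The same line still passes `${REG_TOKEN}` unquoted and unchecked, so an empty value (after a failed API call above this hunk) collapses into a bare `--token`; `--token "${REG_TOKEN}"` with a non-empty check before `cd` makes that failure explicit. The head of the script is outside this hunk.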
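Review bot: The token on the new `./config.sh remove --token ${REG_TOKEN}` line of the seventh patch is the registration token fetched at script start, and GitHub's registration tokens expire after one hour, so for any runner that has been up longer than that the removal in `cleanup` fails and a stale runner entry stays registered in the org. The API has a dedicated endpoint for this case; fetching it inside `cleanup` keeps removal independent of the start-up token: `REMOVE_TOKEN=$(curl -fsS -X POST -H "Authorization: token $(cat "$ACCESS_TOKEN_FILE")" "https://api.github.com/orgs/${ORGANIZATION}/actions/runners/remove-token" | jq --raw-output .token)` then `./config.sh remove --token "${REMOVE_TOKEN}"`. Quoting the token also stops an empty value from vanishing as an argument. The traps that invoke `cleanup` are below this hunk.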
From: Fetwar
Date: Tue, 11 Jun 2024 13:58:13 +1000
Subject: [PATCH 8/8] Add healthcheck for socket service

---
 docker-compose.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index d46022c..00b7505 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,14 @@ services:
 INFO: 1
 SESSION: 1
 CONFIGS: 1
+ healthcheck:
+ # Test on docker healthcheck endpoint
+ test: [ "CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:2375/v1.35/_ping" ]
+ interval: 10s
+ timeout: 10s
+ retries: 3
+ start_period: 30s
+ start_interval: 2s
 runner:
 build:
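Review bot: The healthcheck added under the socket service is not consumed by anything in this file: the runner service whose `runner:`/`build:` lines close the hunk talks to `socket:2375` but has no `depends_on`, so on `up` it can still start before the proxy answers. Adding `depends_on: { socket: { condition: service_healthy } }` under `runner:` is what makes the new probe do work. The probe assumes `wget` is present in the socket service's image, which is not visible here — confirm, or use a probe the image ships; the comment would read better as `# Probe the Docker API ping endpoint through the proxy`.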