diff --git a/Dockerfile b/Dockerfile
index 0fa7e00..478938f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,6 +11,6 @@ FROM alpine:3.18
 RUN apk add --no-cache git bash tini
 COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
-COPY run.sh /opt/act/run.sh
+COPY scripts/run.sh /opt/act/run.sh
 ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"]
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
new file mode 100644
index 0000000..b80033d
--- /dev/null
+++ b/Dockerfile.rootless
@@ -0,0 +1,24 @@
+FROM golang:1.20-alpine3.18 as builder
+# Do not remove `git` here, it is required for getting runner version when executing `make build`
+RUN apk add --no-cache make git
+
+COPY . /opt/src/act_runner
+WORKDIR /opt/src/act_runner
+
+RUN make clean && make build
+
+FROM docker:dind-rootless
+USER root
+RUN apk add --no-cache \
+ git bash supervisor
+
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY /scripts/supervisord.conf /etc/supervisord.conf
+COPY /scripts/run.sh /opt/act/run.sh
+COPY /scripts/rootless.sh /opt/act/rootless.sh
+
+RUN mkdir /data \
+ && chown rootless:rootless /data
+
+USER rootless
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/Makefile b/Makefile
index 454d2f5..2b8db97 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,7 @@ GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "genera
 DOCKER_IMAGE ?= gitea/act_runner
 DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
+DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE)_rootless:$(DOCKER_TAG)
 ifneq ($(shell uname), Darwin)
 EXTLDFLAGS = -extldflags "-static" $(null)
@@ -169,6 +170,7 @@ docker:
 ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 fi; \
 docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
+ docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_ROOTLESS_REF) -f Dockerfile.rootless .
 clean:
 $(GO) clean -x -i ./...
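Review bot: The final stage's `FROM docker:dind-rootless` is an unpinned floating tag, so the runtime image (and, presumably, the Docker Engine it carries) can change silently between builds even though the builder stage is pinned to `golang:1.20-alpine3.18`; pin it to a versioned tag such as `FROM docker:24-dind-rootless`, or to a digest, so that a base-image change is a deliberate commit rather than a side effect of the next `make docker`. The `apk add --no-cache git bash supervisor` line leaves package versions unpinned as well (hadolint DL3018). Two smaller points: `COPY /scripts/supervisord.conf ...` uses a leading slash on the build-context path while the Dockerfile hunk above uses `COPY scripts/run.sh ...`, so the two files should settle on one form; and `chown rootless:rootless /data` depends on a `rootless` user that nothing in this file creates, which deserves a one-line comment such as `# the rootless user/group is provided by the docker:dind-rootless base image`.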
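Review bot: `DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE)_rootless:$(DOCKER_TAG)` expands to `gitea/act_runner_rootless:nightly`, but the Kubernetes example added in this same change pulls `gitea/act_runner:nightly-rootless` (a different repository and tag), so an image built with `make docker` is not the one the example references. If the published name is meant to be a `-rootless` tag suffix on the main repository, this line should read `DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)-rootless`; otherwise the example's `image:` line should change instead. Which naming is intended depends on the release pipeline, which is not visible here, but the two should agree before merge.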
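Review bot: The added `docker build ... -f Dockerfile.rootless .` line runs in a fresh shell, because the preceding recipe line ends with `.` and no trailing `\`, so `$${ARG_DISABLE_CONTENT_TRUST}` — a shell variable set by the `if` block earlier in the same chained command — is empty for the rootless build and content trust is silently left at its default for that image only. Unless the Makefile sets `.ONESHELL` (not visible in this hunk), the chain should be continued: change the context line to `docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) . && \` and keep the new line as the final command of the same recipe. The `docker:` recipe starts outside the hunk.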
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index a21d4a6..5427893 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -6,3 +6,6 @@ Files in this directory:
 - [`dind-docker.yaml`](dind-docker.yaml)
 How to create a Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
+
+- [`rootless-docker.yaml`](rootless-docker.yaml)
+ How to create a rootless Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
diff --git a/examples/kubernetes/rootless-docker.yaml b/examples/kubernetes/rootless-docker.yaml
new file mode 100644
index 0000000..5945bdc
--- /dev/null
+++ b/examples/kubernetes/rootless-docker.yaml
@@ -0,0 +1,68 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: act-runner-vol
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: standard
+---
+apiVersion: v1
+data:
+ token: << runner registration token goes here >>
+kind: Secret
+metadata:
+ name: runner-secret
+type: Opaque
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: act-runner
+ name: act-runner
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: act-runner
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: act-runner
+ spec:
+ restartPolicy: Always
+ volumes:
+ - name: runner-data
+ persistentVolumeClaim:
+ claimName: act-runner-vol
+ containers:
+ - name: runner
+ image: gitea/act_runner:nightly-rootless
+ imagePullPolicy: Always
+ # command: ["sh", "-c", "while ! nc -z localhost 2376