From 341d49a24d45abe4c7636e46d524f1ca2bf687cc Mon Sep 17 00:00:00 2001
From: ccureau <ccureau@noreply.gitea.com>
Date: Mon, 12 Jun 2023 06:35:27 +0000
Subject: [PATCH] implement act_runner rootless image (#208)

This PR creates a rootless Docker image that runs both `dockerd` and `act_runner` using `supervisord`.  It has been tested locally for a few days and seems stable.

Co-authored-by: ccureau <ccureau@noreply.gitea.io>
Reviewed-on: https://gitea.com/gitea/act_runner/pulls/208
Reviewed-by: Jason Song <i@wolfogre.com>
Co-authored-by: ccureau <ccureau@noreply.gitea.com>
Co-committed-by: ccureau <ccureau@noreply.gitea.com>
---
 Dockerfile                               |  2 +-
 Dockerfile.rootless                      | 24 +++++++++
 Makefile                                 |  2 +
 examples/kubernetes/README.md            |  3 ++
 examples/kubernetes/rootless-docker.yaml | 68 ++++++++++++++++++++++++
 scripts/rootless.sh                      |  9 ++++
 run.sh => scripts/run.sh                 |  0
 scripts/supervisord.conf                 | 13 +++++
 8 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 Dockerfile.rootless
 create mode 100644 examples/kubernetes/rootless-docker.yaml
 create mode 100755 scripts/rootless.sh
 rename run.sh => scripts/run.sh (100%)
 create mode 100644 scripts/supervisord.conf

diff --git a/Dockerfile b/Dockerfile
index 0fa7e00..478938f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,6 +11,6 @@ FROM alpine:3.18
 RUN apk add --no-cache git bash tini
 
 COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
-COPY run.sh /opt/act/run.sh
+COPY scripts/run.sh /opt/act/run.sh
 
 ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"]
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
new file mode 100644
index 0000000..b80033d
--- /dev/null
+++ b/Dockerfile.rootless
@@ -0,0 +1,24 @@
+FROM golang:1.20-alpine3.18 as builder
+# Do not remove `git` here, it is required for getting runner version when executing `make build`
+RUN apk add --no-cache make git
+
+COPY . /opt/src/act_runner
+WORKDIR /opt/src/act_runner
+
+RUN make clean && make build
+
+FROM docker:dind-rootless
+USER root
+RUN apk add --no-cache \
+  git bash supervisor
+
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY /scripts/supervisord.conf /etc/supervisord.conf
+COPY /scripts/run.sh /opt/act/run.sh
+COPY /scripts/rootless.sh /opt/act/rootless.sh
+
+RUN mkdir /data \
+    && chown rootless:rootless /data
+
+USER rootless
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/Makefile b/Makefile
index 454d2f5..2b8db97 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,7 @@ GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "genera
 DOCKER_IMAGE ?= gitea/act_runner
 DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
+DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE)_rootless:$(DOCKER_TAG)
 
 ifneq ($(shell uname), Darwin)
 	EXTLDFLAGS = -extldflags "-static" $(null)
@@ -169,6 +170,7 @@ docker:
 		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 	fi; \
 	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
+	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_ROOTLESS_REF) -f Dockerfile.rootless .
 
 clean:
 	$(GO) clean -x -i ./...
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index a21d4a6..5427893 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -6,3 +6,6 @@ Files in this directory:
 
 - [`dind-docker.yaml`](dind-docker.yaml)
   How to create a Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
+
+- [`rootless-docker.yaml`](rootless-docker.yaml)
+  How to create a rootless Deployment and Persistent Volume for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
diff --git a/examples/kubernetes/rootless-docker.yaml b/examples/kubernetes/rootless-docker.yaml
new file mode 100644
index 0000000..5945bdc
--- /dev/null
+++ b/examples/kubernetes/rootless-docker.yaml
@@ -0,0 +1,68 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: act-runner-vol
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: standard
+---
+apiVersion: v1
+data:
+  token: << runner registration token goes here >>
+kind: Secret
+metadata:
+  name: runner-secret
+type: Opaque
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: act-runner
+  name: act-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: act-runner
+  strategy: {}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: act-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+      - name: runner-data
+        persistentVolumeClaim:
+          claimName: act-runner-vol
+      containers:
+      - name: runner
+        image: gitea/act_runner:nightly-rootless
+        imagePullPolicy: Always
+        # command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
+        env:
+        - name: DOCKER_HOST
+          value: tcp://localhost:2376
+        - name: DOCKER_CERT_PATH
+          value: /certs/client
+        - name: DOCKER_TLS_VERIFY
+          value: "1"
+        - name: GITEA_INSTANCE_URL
+          value: http://gitea-http.gitea.svc.cluster.local:3000
+        - name: GITEA_RUNNER_REGISTRATION_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: runner-secret
+              key: token
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: runner-data
+          mountPath: /data
+
diff --git a/scripts/rootless.sh b/scripts/rootless.sh
new file mode 100755
index 0000000..310a03b
--- /dev/null
+++ b/scripts/rootless.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# wait for docker daemon
+while ! nc -z localhost 2376 </dev/null; do
+  echo 'waiting for docker daemon...'
+  sleep 5
+done
+
+. /opt/act/run.sh
diff --git a/run.sh b/scripts/run.sh
similarity index 100%
rename from run.sh
rename to scripts/run.sh
diff --git a/scripts/supervisord.conf b/scripts/supervisord.conf
new file mode 100644
index 0000000..8c45f5b
--- /dev/null
+++ b/scripts/supervisord.conf
@@ -0,0 +1,13 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+
+[program:dockerd]
+command=/usr/local/bin/dockerd-entrypoint.sh
+
+[program:act_runner]
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+command=/opt/act/rootless.sh