From 1ef3232ea03abbadc9ab165d59fea5cca6e3ad44 Mon Sep 17 00:00:00 2001 From: marcel-dempers Date: Sun, 1 Oct 2023 18:27:03 +1100 Subject: [PATCH 1/6] add new github actions updates --- github/actions/self-hosted-runner/README.md | 81 ++++++++++++++++++- github/actions/self-hosted-runner/dockerfile | 60 +++++++------- .../actions/self-hosted-runner/entrypoint.sh | 5 +- .../self-hosted-runner/kubernetes.yaml | 71 ++++++++-------- 4 files changed, 151 insertions(+), 66 deletions(-) diff --git a/github/actions/self-hosted-runner/README.md b/github/actions/self-hosted-runner/README.md index a96b9fa..28d6e79 100644 --- a/github/actions/self-hosted-runner/README.md +++ b/github/actions/self-hosted-runner/README.md @@ -1,3 +1,82 @@ # Introduction to GitHub Actions: Self hosted runners -introduction to github actions runners +## Create a kubernetes cluster + +In this guide we we''ll need a Kubernetes cluster for testing. Let's create one using [kind](https://kind.sigs.k8s.io/)
+ +``` +kind create cluster --name githubactions --image kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31 +``` + +Let's test our cluster: +``` +kubectl get nodes +NAME STATUS ROLES AGE VERSION +githubactions-control-plane Ready control-plane 2m53s v1.28.0 +``` + +## Running the Runner in Docker + +We can simply install this directly on to virtual machines , but for this demo, I'd like to run it in Kubernetes inside a container.
+ +### Security notes + +* Running in Docker needs high priviledges. +* Would not recommend to use these on public repositories. +* Would recommend to always run your CI systems in seperate Kubernetes clusters. + +### Creating a Dockerfile + +* Installing Docker CLI +For this to work we need a `dockerfile` and follow instructions to [Install Docker](https://docs.docker.com/engine/install/debian/). +I would grab the content and create statements for my `dockerfile`
+ +Now notice that we only install the `docker` CLI.
+This is because we want our running to be able to run docker commands , but the actual docker server runs elsewhere
+This gives you flexibility to tighten security by running docker on the host itself and potentially run the container runtime in a non-root environment
+ +* Installing Github Actions Runner + +Next up we will need to install the [GitHub actions runner](https://github.com/actions/runner) in our `dockerfile` +Now to give you a "behind the scenes" of how I usually build my `dockerfile`s, I run a container to test my installs: + +``` +docker build . -t github-runner:latest +docker run -it github-runner bash +``` + +Next steps: + +* Now we can see `docker is installed +* To see how a runner is installed, lets go to our repo | runner and click "New self-hosted runner" +* Try these steps in the container +* We will needfew dependencies +* We download the runner +* TODO + + +Finally lets test the runner in `docker` + +``` +docker run -it -e GITHUB_PERSONAL_TOKEN="" -e GITHUB_OWNER=marcel-dempers -e GITHUB_REPOSITORY=docker-development-youtube-series github-runner +``` + +## Deploy to Kubernetes + +Load our github runner image so we dont need to push it to a registry: + +``` +kind load docker-image github-runner:latest --name githubactions +``` + +Create a kubernetes secret with our github details + +``` +kubectl create ns github +kubectl -n github create secret generic github-secret ` + --from-literal GITHUB_OWNER=marcel-dempers ` + --from-literal GITHUB_REPOSITORY=docker-development-youtube-series ` + --from-literal GITHUB_PERSONAL_TOKEN="" + +kubectl -n github apply -f kubernetes.yaml +``` \ No newline at end of file diff --git a/github/actions/self-hosted-runner/dockerfile b/github/actions/self-hosted-runner/dockerfile index f8c8d0b..457265a 100644 --- a/github/actions/self-hosted-runner/dockerfile +++ b/github/actions/self-hosted-runner/dockerfile 
@@ -1,40 +1,46 @@ -FROM debian:buster +FROM debian:bookworm-slim -ARG RUNNER_VERSION="2.169.1" +ARG RUNNER_VERSION="2.302.1" ENV GITHUB_PERSONAL_TOKEN "" ENV GITHUB_OWNER "" ENV GITHUB_REPOSITORY "" -RUN apt-get update \ - && apt-get install -y \ - curl \ - sudo \ - git \ - jq \ - tar \ - gnupg2 \ - apt-transport-https \ - ca-certificates \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* +# Install Docker -> https://docs.docker.com/engine/install/debian/ + +# Add Docker's official GPG key: +RUN apt-get update && \ + apt-get install -y ca-certificates curl gnupg +RUN install -m 0755 -d /etc/apt/keyrings +RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg +RUN chmod a+r /etc/apt/keyrings/docker.gpg + +# Add the repository to Apt sources: +RUN echo \ + "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ + "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ + tee /etc/apt/sources.list.d/docker.list > /dev/null +RUN apt-get update + +# I only install the CLI, we will run docker in another container! 
+RUN apt-get install -y docker-ce-cli + +# Install the GitHub Actions Runner +RUN apt-get update && apt-get install -y sudo jq RUN useradd -m github && \ - usermod -aG sudo github && \ - echo "%sudo ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers - -#setup docker runner -RUN curl -sSL https://get.docker.com/ | sh -RUN usermod -aG docker github + usermod -aG sudo github && \ + echo "%sudo ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers USER github -WORKDIR /home/github +WORKDIR /actions-runner +RUN curl -Ls https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz | tar xz \ + && sudo ./bin/installdependencies.sh -RUN curl -O -L https://github.com/actions/runner/releases/download/v$RUNNER_VERSION/actions-runner-linux-x64-$RUNNER_VERSION.tar.gz -RUN tar xzf ./actions-runner-linux-x64-$RUNNER_VERSION.tar.gz -RUN sudo ./bin/installdependencies.sh +COPY --chown=github:github entrypoint.sh /actions-runner/entrypoint.sh +RUN sudo chmod u+x /actions-runner/entrypoint.sh -COPY --chown=github:github entrypoint.sh ./entrypoint.sh -RUN sudo chmod u+x ./entrypoint.sh +#working folder for the runner +RUN sudo mkdir /work -ENTRYPOINT ["/home/github/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/actions-runner/entrypoint.sh"] \ No newline at end of file diff --git a/github/actions/self-hosted-runner/entrypoint.sh b/github/actions/self-hosted-runner/entrypoint.sh index ba24b57..59d63b2 100644 --- a/github/actions/self-hosted-runner/entrypoint.sh +++ b/github/actions/self-hosted-runner/entrypoint.sh 
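Review bot: The runner tarball is fetched with `curl -Ls … | tar xz` and never verified, so a tampered or truncated download goes unnoticed at build time — and without `-f`, an HTTP error page is piped straight into tar. GitHub publishes a SHA-256 for every release asset: download to a file, compare it against a pinned `ARG RUNNER_SHA256` (left empty so the build fails closed until one is supplied), and only then extract, as sketched below. The `%sudo ALL=(ALL) NOPASSWD:ALL` line the new Dockerfile keeps means any workflow step that lands on this runner can become root inside the container; the build-time `sudo` calls (`installdependencies.sh`, `chmod`, `mkdir /work`) can all move before `USER github`, after which the sudoers entry can go, or at minimum it should be listed in the README's security notes. `apt-get install -y docker-ce-cli` and `sudo jq` are also unpinned, skip `--no-install-recommends`, and leave `/var/lib/apt/lists` in the layer; hadolint flags all three.
```dockerfile
ARG RUNNER_VERSION="2.302.1"
# SHA-256 of actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz, taken from the
# release page; left empty on purpose so the build fails until it is supplied.
ARG RUNNER_SHA256=""
# … unchanged: docker-ce-cli install, useradd, USER github …
WORKDIR /actions-runner
RUN curl -fsSL -o runner.tar.gz \
      "https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz" \
  && echo "${RUNNER_SHA256}  runner.tar.gz" | sha256sum -c - \
  && tar xzf runner.tar.gz \
  && rm runner.tar.gz \
  && sudo ./bin/installdependencies.sh
# … unchanged: entrypoint.sh copy, /work, ENTRYPOINT …
```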
@@ -2,14 +2,15 @@ registration_url="https://api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPOSITORY}/actions/runners/registration-token" echo "Requesting registration URL at '${registration_url}'" -payload=$(curl -sX POST -H "Authorization: token ${GITHUB_PAT}" ${registration_url}) +payload=$(curl -sX POST -H "Authorization: token ${GITHUB_PERSONAL_TOKEN}" ${registration_url}) export RUNNER_TOKEN=$(echo $payload | jq .token --raw-output) ./config.sh \ --name $(hostname) \ --token ${RUNNER_TOKEN} \ + -- labels my-runner \ --url https://github.com/${GITHUB_OWNER}/${GITHUB_REPOSITORY} \ - --work ${RUNNER_WORKDIR} \ + --work "/work" \ --unattended \ --replace diff --git a/github/actions/self-hosted-runner/kubernetes.yaml b/github/actions/self-hosted-runner/kubernetes.yaml index 673b354..d4949ab 100644 --- a/github/actions/self-hosted-runner/kubernetes.yaml +++ b/github/actions/self-hosted-runner/kubernetes.yaml 
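Review bot: `-- labels my-runner` has a space after the double dash, so config.sh receives `--`, `labels` and `my-runner` as stray positional arguments (either rejected as unrecognised or silently ignored) instead of the `--labels my-runner` flag; the line should read `--labels my-runner \`. Separately, `curl -sX POST` without `-f` followed by `jq .token` means an expired PAT or a wrong owner/repo yields `RUNNER_TOKEN=null` and config.sh fails with a far less obvious error — `curl -sfX POST …` plus a `[ "$RUNNER_TOKEN" != "null" ] || exit 1` guard would fail fast with the real cause. `GITHUB_PERSONAL_TOKEN` also stays in the process environment when the runner starts, where any job step can read it with `env`/`printenv`; the PAT is only needed to mint the one-shot registration token, so `unset GITHUB_PERSONAL_TOKEN` right after the `payload=` line. The script continues past the end of the hunk (presumably the `run.sh` start), so the unset has to come before that.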
@@ -1,37 +1,36 @@ -apiVersion: v1 -kind: Secret -metadata: - name: github-secret -type: Opaque -data: - GITHUB_PERSONAL_TOKEN: XXXXXXXXXXXXXXXXXXXXXXXXX ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: github-runner - labels: - app: github-runner -spec: - replicas: 1 - selector: - matchLabels: - app: github-runner - template: - metadata: - labels: - app: github-runner - spec: - containers: - - name: github-runner - image: aimvector/github-runner:latest - env: - - name: GITHUB_OWNER - value: marcel-dempers - - name: GITHUB_REPOSITORY - value: docker-development-youtube-series - - name: GITHUB_PERSONAL_TOKEN - valueFrom: - secretKeyRef: - name: github-secret +apiVersion: apps/v1 +kind: Deployment +metadata: + name: github-runner + labels: + app: github-runner +spec: + replicas: 1 + selector: + matchLabels: + app: github-runner + template: + metadata: + labels: + app: github-runner + spec: + containers: + - name: github-runner + imagePullPolicy: Never #use local kind image + image: github-runner:latest + env: + - name: GITHUB_OWNER + valueFrom: + secretKeyRef: + name: github-secret + key: GITHUB_OWNER + - name: GITHUB_REPOSITORY + valueFrom: + secretKeyRef: + name: github-secret + key: GITHUB_REPOSITORY + - name: GITHUB_PERSONAL_TOKEN + valueFrom: + secretKeyRef: + name: github-secret key: GITHUB_PERSONAL_TOKEN \ No newline at end of file From 19d2d161b78d311400602473fc98bcea7385bdb0 Mon Sep 17 00:00:00 2001 From: marcel-dempers Date: Sun, 1 Oct 2023 18:44:07 +1100 Subject: [PATCH 2/6] add docker dind support --- .../self-hosted-runner/kubernetes.yaml | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/github/actions/self-hosted-runner/kubernetes.yaml b/github/actions/self-hosted-runner/kubernetes.yaml index d4949ab..f1b134c 100644 --- a/github/actions/self-hosted-runner/kubernetes.yaml +++ b/github/actions/self-hosted-runner/kubernetes.yaml 
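Review bot: The `github-runner` container has no `securityContext`, and the image it runs (the dockerfile in this same patch) gives the `github` user passwordless sudo, so any workflow step can escalate to root inside the pod. Setting `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` on that container neutralises the sudoers entry via no_new_privs; the entrypoint itself runs `config.sh` as the `github` user and does not need root, so only workflows that rely on sudo would notice. Putting `GITHUB_OWNER` and `GITHUB_REPOSITORY` in the Secret is harmless but they are not secrets — a ConfigMap or plain `value:` keeps the Secret's RBAC surface limited to the token. A short comment that `imagePullPolicy: Never` with the `latest` tag is kind-only and must change for a real registry would also save the next reader a surprise.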
@@ -33,4 +33,32 @@ spec: valueFrom: secretKeyRef: name: github-secret - key: GITHUB_PERSONAL_TOKEN \ No newline at end of file + key: GITHUB_PERSONAL_TOKEN + - name: DOCKER_HOST + value: tcp://localhost:2375 + volumeMounts: + - name: data + mountPath: /work/ + - name: dind + image: docker:24.0.6-dind + env: + - name: DOCKER_TLS_CERTDIR + value: "" + resources: + requests: + cpu: 20m + memory: 512Mi + securityContext: + privileged: true + volumeMounts: + - name: docker-graph-storage + mountPath: /var/lib/docker + - name: data + mountPath: /work/ + volumes: + - name: docker-graph-storage + emptyDir: {} + - name: data + emptyDir: {} + + \ No newline at end of file From 3918c32e67d937dd7dae0fbfa30fcc449d2ea6a0 Mon Sep 17 00:00:00 2001 From: marcel-dempers Date: Sun, 1 Oct 2023 18:58:42 +1100 Subject: [PATCH 3/6] add example workflow --- .github/workflows/self-hosted-runner.yaml | 29 +++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/self-hosted-runner.yaml diff --git a/.github/workflows/self-hosted-runner.yaml b/.github/workflows/self-hosted-runner.yaml new file mode 100644 index 0000000..01735b0 --- /dev/null +++ b/.github/workflows/self-hosted-runner.yaml @@ -0,0 +1,29 @@ +########################################################### +# Rename the file extension to ".yaml" (remove "_") to enable +########################################################### + +name: Self-Hosted Runner Test + +on: + push: + branches: + - githubactions + +jobs: + build: + runs-on: self-hosted + steps: + - uses: actions/checkout@v2 + + - name: docker build csharp + run: | + docker build ./c# -t aimvector/csharp:1.0.0 + - name: docker build nodejs + run: | + docker build ./nodejs -t aimvector/nodejs:1.0.0 + - name: docker build python + run: | + docker build ./python -t aimvector/python:1.0.0 + - name: docker build golang + run: | + docker build ./golang -t aimvector/golang:1.0.0 From d37efdde16e3a20d4c435c286efe4dd5fc4aa8d0 Mon Sep 17 00:00:00 2001 
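Review bot: With `DOCKER_TLS_CERTDIR` set to empty the dind daemon serves an unauthenticated plaintext API, and as far as I recall the `docker:dind` entrypoint then binds it to `0.0.0.0:2375` rather than loopback, so every pod that can reach this pod's IP gets root-equivalent control of a `privileged: true` container — effectively the node. Either pass `args: ["--host=tcp://127.0.0.1:2375"]` to the `dind` container (the entrypoint honours an explicit `--host`, I believe) or add a NetworkPolicy denying ingress to `app: github-runner` pods (noting that kind's default CNI does not enforce NetworkPolicy), ideally both. This pod also runs untrusted workflow code next to a privileged sidecar, which is the README's warning in concrete form: a job that does `docker run --privileged -v /:/host …` against `localhost:2375` escapes to the node, so these pods belong on a dedicated node pool or cluster. `resources.requests` without `limits` on the dind container also lets a runaway build starve the node.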
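Review bot: `actions/checkout@v2` is pinned to a mutable major tag; on a self-hosted runner that fronts a privileged dind, a compromised tag means arbitrary code with node-escape potential, so pin the action to the full commit SHA published in its releases (with the version in a trailing comment) and let Dependabot bump it. The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository default (often `contents: write` and more) when `permissions: contents: read` at the top level is all these `docker build` steps need. `runs-on: self-hosted` matches any self-hosted runner registered to the repo, not just this one; assuming the `--labels my-runner` in entrypoint.sh takes effect, `runs-on: [self-hosted, my-runner]` targets it explicitly.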
From: marcel-dempers Date: Sun, 1 Oct 2023 19:03:31 +1100 Subject: [PATCH 4/6] add example workflow --- .github/workflows/self-hosted-runner.yaml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/.github/workflows/self-hosted-runner.yaml b/.github/workflows/self-hosted-runner.yaml index 01735b0..d682380 100644 --- a/.github/workflows/self-hosted-runner.yaml +++ b/.github/workflows/self-hosted-runner.yaml @@ -14,16 +14,7 @@ jobs: runs-on: self-hosted steps: - uses: actions/checkout@v2 - - - name: docker build csharp - run: | - docker build ./c# -t aimvector/csharp:1.0.0 - - name: docker build nodejs - run: | - docker build ./nodejs -t aimvector/nodejs:1.0.0 + - name: docker build python run: | - docker build ./python -t aimvector/python:1.0.0 - - name: docker build golang - run: | - docker build ./golang -t aimvector/golang:1.0.0 + docker build ./python/introduction/ -t python:1.0.0 \ No newline at end of file From f49fff9af50f2827cefb8717f56f278bc78409c3 Mon Sep 17 00:00:00 2001 From: marcel-dempers Date: Tue, 3 Oct 2023 16:48:36 +1100 Subject: [PATCH 5/6] update readme --- github/actions/self-hosted-runner/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/actions/self-hosted-runner/README.md b/github/actions/self-hosted-runner/README.md index 28d6e79..1e403c7 100644 --- a/github/actions/self-hosted-runner/README.md +++ b/github/actions/self-hosted-runner/README.md @@ -47,7 +47,7 @@ docker run -it github-runner bash Next steps: -* Now we can see `docker is installed +* Now we can see `docker` is installed * To see how a runner is installed, lets go to our repo | runner and click "New self-hosted runner" * Try these steps in the container * We will needfew dependencies From 6ce511cd3668676540b0491b23feb556c700e044 Mon Sep 17 00:00:00 2001 
From: marceldempers Date: Sun, 15 Oct 2023 15:15:55 +1100 Subject: [PATCH 6/6] disable the workflow and keep it as reference --- .../{self-hosted-runner.yaml => self-hosted-runner._yaml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename .github/workflows/{self-hosted-runner.yaml => self-hosted-runner._yaml} (78%) diff --git a/.github/workflows/self-hosted-runner.yaml b/.github/workflows/self-hosted-runner._yaml similarity index 78% rename from .github/workflows/self-hosted-runner.yaml rename to .github/workflows/self-hosted-runner._yaml index d682380..08f2258 100644 --- a/.github/workflows/self-hosted-runner.yaml +++ b/.github/workflows/self-hosted-runner._yaml @@ -1,5 +1,5 @@ ########################################################### -# Rename the file extension to ".yaml" (remove "_") to enable +# IMPORTANT -> Rename the file extension to ".yaml" (remove "_") to enable this ########################################################### name: Self-Hosted Runner Test @@ -7,7 +7,7 @@ name: Self-Hosted Runner Test on: push: branches: - - githubactions + - jobs: build:
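Review bot: The `branches:` filter is left with a bare `- ` item, which YAML parses as a null entry, so when someone renames the file back to `.yaml` as the header comment instructs I would expect the workflow to fail validation (or match nothing) rather than run. A real placeholder such as `- your-branch-here`, or dropping the `branches:` key entirely and letting the `._yaml` rename alone do the disabling, avoids that trap. A one-line comment above `push:` saying the branch was removed on purpose when the workflow was parked would save the next reader a guess.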