From f0e5a4f2602ff151c5c92f4d37764dd837f22d91 Mon Sep 17 00:00:00 2001 From: Marc Cataford Date: Wed, 6 Nov 2024 21:16:02 -0500 Subject: [PATCH 1/3] ci: set up container to build containers within podman --- .forgejo/workflows/ci.yml | 17 +++--- images/debian-12.6-slim/Dockerfile | 2 + images/debian-12.6-slim/files/storage.conf | 68 ++++++++++++++++++++++ 3 files changed, 77 insertions(+), 10 deletions(-) create mode 100644 images/debian-12.6-slim/files/storage.conf diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index c6a20e7..f3661b3 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -16,12 +16,9 @@ jobs: webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}} status: "Started" init: true - build-images: + build-runner: needs: [pre-run] runs-on: imagefactory-latest - strategy: - matrix: - image-name: ['debian-12.6-slim'] steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 
@@ -33,21 +30,21 @@ jobs: id: image-metadata run: | echo "image-tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - echo "full-image-name=${{ matrix.image-name }}:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + echo "full-image-name=debian-12.6-slim:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - name: Build image - run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/${{ matrix.image-name }}/Dockerfile + run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/debian-12.6-slim/Dockerfile - name: Tag image as latest - run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} ${{ matrix.image-name }}:latest + run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} debian-12.6-slim:latest - name: List images run: podman image ls - name: Push tagged image to registry - if: ${{ github.event_name == "push" }} + if: ${{ github.event_name == 'push' }} run: | podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ steps.image-metadata.outputs.full-image-name }} - podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ matrix.image-name }}:latest + podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/debian-12.6-slim:latest post-run: runs-on: imagefactory-latest - needs: [build-images] + needs: [build-runner] steps: - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main if: ${{success()}} diff --git a/images/debian-12.6-slim/Dockerfile b/images/debian-12.6-slim/Dockerfile index 935b335..f016fad 100644 --- a/images/debian-12.6-slim/Dockerfile +++ b/images/debian-12.6-slim/Dockerfile 
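Review bot: The push step's guard `if: ${{ github.event_name == 'push' }}` checks only the event type, so any push that reaches this job — branch pushes included — overwrites `forge-runners/debian-12.6-slim:latest` in the registry, while the README added in PATCH 2/3 states that images are published only when a `v*` tag is pushed. The workflow's `on:` trigger is outside this hunk; if it is not already restricted to tags, tighten the condition to `if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}` so a stray branch push cannot replace the runner image every other job pulls as `:latest`. Dropping the matrix also repeats the literal `debian-12.6-slim` five times in this hunk; hoisting it into the job's `env:` (e.g. `IMAGE_NAME: debian-12.6-slim`) keeps the next rename to a one-line change.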
@@ -18,11 +18,13 @@ RUN apt update && \ python3 \ python3-pip \ pipx \ + fuse-overlayfs \ --no-install-recommends \ --autoremove && \ apt-get clean COPY ./files/registries.conf /etc/containers/registries.conf +COPY ./files/storage.conf /etc/containers/storage.conf FROM skeleton as runner diff --git a/images/debian-12.6-slim/files/storage.conf b/images/debian-12.6-slim/files/storage.conf new file mode 100644 index 0000000..f8dd04f --- /dev/null +++ b/images/debian-12.6-slim/files/storage.conf 
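Review bot: The `apt-get clean` that closes this RUN only empties the .deb cache; the package lists fetched by the `apt update` at the top of the instruction remain in the layer, so append `&& rm -rf /var/lib/apt/lists/*` after it (and use `apt-get` rather than `apt` throughout, as the cleanup line already does, since `apt` warns that its CLI is not script-stable). The new `COPY ./files/storage.conf` selects fuse-overlayfs as the mount program, which presumably requires `/dev/fuse` to be exposed to the runner container at run time; a comment on that line would save the next operator a debugging session, e.g. `# storage.conf mounts layers via fuse-overlayfs; start the runner with --device /dev/fuse`. The RUN instruction this hunk modifies begins outside the hunk.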
@@ -0,0 +1,68 @@
+[storage]
+driver = "overlay"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+
+[storage.options.overlay]
+# ignore_chown_errors can be set to allow a non privileged user running with
+# a single UID within a user namespace to run containers. The user can pull
+# and use any image even those with multiple uids. Note multiple UIDs will be
+# squashed down to the default uid in the container. These images will have no
+# separation between the users in the container. Only supported for the overlay
+# and vfs drivers.
+# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
+#ignore_chown_errors = "false"
+
+# Inodes is used to set a maximum inodes of the container image.
+# inodes = ""
+
+# Path to an helper program to use for mounting the file system instead of mounting it
+# directly.
+mount_program = "/usr/bin/fuse-overlayfs"
+
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev"
+
+# Set to skip a PRIVATE bind mount on the storage home directory.
+# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
+# skip_mount_home = "false"
+
+# Set to use composefs to mount data layers with overlay.
+# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
+# use_composefs = "false"
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# ForceMask specifies the permissions mask that is used for new files and
+# directories.
+#
+# The values "shared" and "private" are accepted.
+# Octal permission masks are also accepted.
+#
+# "": No value specified.
+# All files/directories, get set with the permissions identified within the
+# image.
+# "private": it is equivalent to 0700.
+# All files/directories get set with 0700 permissions. The owner has rwx
+# access to the files. No other users on the system can access the files.
+# This setting could be used with networked based homedirs.
+# "shared": it is equivalent to 0755. +# The owner has rwx access to the files and everyone else can read, access +# and execute them. This setting is useful for sharing containers storage +# with other users. For instance have a storage owned by root but shared +# to rootless users as an additional store. +# NOTE: All files within the image are made readable and executable by any +# user on the system. Even /etc/shadow within your image is now readable by +# any user. +# +# OCTAL: Users can experiment with other OCTAL Permissions. +# +# Note: The force_mask Flag is an experimental feature, it could change in the +# future. When "force_mask" is set the original permission mask is stored in +# the "user.containers.override_stat" xattr and the "mount_program" option must +# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the +# extended attribute permissions to processes within containers rather than the +# "force_mask" permissions. +# +# force_mask = "" -- 2.45.2 From 01277e91594d039d76db72137ab2bc1ef1d2c465 Mon Sep 17 00:00:00 2001 From: Marc Cataford Date: Wed, 6 Nov 2024 21:31:53 -0500 Subject: [PATCH 2/3] docs: add notes on building images locally+ci --- README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f28ca05..19c881a 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,15 @@ # runner-images -Image factory for Forgejo action runners \ No newline at end of file +Image factory for Forgejo Action runners + +## Building + +Images can be build locally if needed: + +```sh +python build_image.py +``` + +CI will also build images when a tag of the format `v*` is pushed. The images built by CI are tagged as `:latest` and pushed to the registry at the run. + +If CI workflows are triggered manually (i.e. via `workflow_dispatch`), then the image push is skipped. -- 2.45.2 From 5df3bdf74399db6426cb972c4a20bf8326dcfdbb Mon Sep 17 00:00:00 2001 
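Review bot: This file is the upstream storage.conf sample with every option left commented out except `mount_program = "/usr/bin/fuse-overlayfs"`, and nothing records why that one deviation exists or what it requires, so the next reader cannot tell a deliberate choice from copy-paste. Add a short header above `[storage]` such as `# Runner image: nested podman mounts layers through fuse-overlayfs (see mount_program below), which needs /dev/fuse in the runner container; all other options are upstream defaults.` — hedging the /dev/fuse requirement if it has not been confirmed on the imagefactory host. Note also that `graphroot` points inside the runner container's own filesystem, so layers pulled by nested builds presumably live in the container's writable layer and are lost when it exits; if that is intended, say so in the same header, otherwise a mounted volume at `/var/lib/containers/storage` is the usual fix.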
From: Marc Cataford Date: Wed, 6 Nov 2024 21:32:10 -0500 Subject: [PATCH 3/3] chore(deadcode): remove unused ubuntu-2204 image --- images/ubuntu-2204/Dockerfile | 45 ------------------------ images/ubuntu-2204/files/registries.conf | 3 -- 2 files changed, 48 deletions(-) delete mode 100644 images/ubuntu-2204/Dockerfile delete mode 100644 images/ubuntu-2204/files/registries.conf diff --git a/images/ubuntu-2204/Dockerfile b/images/ubuntu-2204/Dockerfile deleted file mode 100644 index d599acf..0000000 --- a/images/ubuntu-2204/Dockerfile +++ /dev/null @@ -1,45 +0,0 @@ -FROM ubuntu:22.04 as skeleton - -ENV NODE_VERSION "20.12.2" -ENV NVM_VERSION "0.37.2" - -ENV DEBIAN_FRONTEND noninteractive -ENV TZ Etc/UTC - -RUN apt update && \ - apt upgrade -y && \ - apt install -y \ - curl \ - podman \ - jq \ - git \ - xz-utils \ - ca-certificates \ - python3 \ - python3-venv \ - python3-pip \ - --no-install-recommends \ - --autoremove && \ - apt-get clean - -COPY ./files/registries.conf /etc/containers/registries.conf - -FROM skeleton as runner - -WORKDIR /runner - -RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v$NVM_VERSION/install.sh | bash - -RUN . $HOME/.nvm/nvm.sh && \ - nvm install $NODE_VERSION && \ - nvm use $NODE_VERSION && \ - nvm cache clear - -ENV NVM_DIR $HOME/.nvm -ENV PATH /root/.nvm/versions/node/v$NODE_VERSION/bin:$PATH - -RUN node --version - -RUN corepack enable - -RUN python3 -m pip install pipx diff --git a/images/ubuntu-2204/files/registries.conf b/images/ubuntu-2204/files/registries.conf deleted file mode 100644 index 067d712..0000000 --- a/images/ubuntu-2204/files/registries.conf +++ /dev/null @@ -1,3 +0,0 @@ -[[registry]] -insecure = true -location = "host.containers.internal:5000" -- 2.45.2