From 9e39f8a8ba62f98c5117d06ce290515c0727c94b Mon Sep 17 00:00:00 2001 From: Joey Parrish Date: Fri, 8 Nov 2024 09:49:13 -0800 Subject: [PATCH] fix(shaka-lab-github-runner): Make nested container support configurable (#69) Running nested container setup on a host with multiple runner instances causes them to conflict with each other, because they each try to control certain locations on the host. By making nested container support configurable, we can avoid it on hosts with multiple instances. --- shaka-lab-github-runner/README.md | 9 +-- .../debian/shaka-lab-github-runner.postinst | 3 + .../linux/debian/templates | 6 ++ shaka-lab-github-runner/linux/start-runner.sh | 80 +++++++++++-------- 4 files changed, 60 insertions(+), 38 deletions(-) diff --git a/shaka-lab-github-runner/README.md b/shaka-lab-github-runner/README.md index d49585b..0afb112 100644 --- a/shaka-lab-github-runner/README.md +++ b/shaka-lab-github-runner/README.md @@ -55,12 +55,15 @@ echo deb https://shaka-project.github.io/shaka-lab/ stable main | \ sudo apt update # Configure your GitHub details before installation to avoid prompting. +# Note that support_nested_containers is incompatible with number_of_runners +# greater than 1. cat << EOF | sudo debconf-set-selections shaka-lab-github-runner shaka-lab-github-runner/scope select SCOPE shaka-lab-github-runner shaka-lab-github-runner/scope_name string SCOPE_NAME shaka-lab-github-runner shaka-lab-github-runner/access_token password ACCESS_TOKEN shaka-lab-github-runner shaka-lab-github-runner/labels string LABELS shaka-lab-github-runner shaka-lab-github-runner/number_of_runners string NUMBER +shaka-lab-github-runner shaka-lab-github-runner/support_nested_containers boolean TRUE_OR_FALSE EOF # Install the package, which will not have to prompt for anything thanks to 
@@ -119,12 +122,6 @@ them in text files inside `/etc/shaka-lab-github-runner.args.d/`. To add Docker command line arguments that apply to specific runner instances, add them in text files inside `/etc/shaka-lab-github-runner@$INSTANCE.args.d/`. -To support nested containers, put this in -`/etc/shaka-lab-github-runner.args.d/docker-nested`: - -``` --v /var/run/docker.sock:/var/run/docker.sock -``` ## Updates diff --git a/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst b/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst index 45cd031..15ebdd7 100755 --- a/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst +++ b/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst @@ -74,6 +74,7 @@ db_go db_input high shaka-lab-github-runner/access_token || true db_input high shaka-lab-github-runner/labels || true db_input high shaka-lab-github-runner/number_of_runners || true +db_input high shaka-lab-github-runner/support_nested_containers || true db_go # Now we should have all necessary configuration. @@ -87,6 +88,8 @@ db_get shaka-lab-github-runner/labels LABELS="$RET" db_get shaka-lab-github-runner/number_of_runners NUMBER_OF_RUNNERS="$RET" +db_get shaka-lab-github-runner/support_nested_containers +SUPPORT_NESTED_CONTAINERS="$RET" ### INSTALLATION ### diff --git a/shaka-lab-github-runner/linux/debian/templates b/shaka-lab-github-runner/linux/debian/templates index 837b894..e19da38 100644 --- a/shaka-lab-github-runner/linux/debian/templates +++ b/shaka-lab-github-runner/linux/debian/templates @@ -35,3 +35,9 @@ Template: shaka-lab-github-runner/number_of_runners Type: string Description: Number of runner instances The number of runner instances to launch in parallel. + +Template: shaka-lab-github-runner/support_nested_containers +Type: boolean +Description: Support nested containers? + If true, support nested containers. Incompatible with multiple runner + instances on the same host. 
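Review bot: The second postinst hunk stores `SUPPORT_NESTED_CONTAINERS="$RET"` but nothing in it enforces the incompatibility that the templates hunk and the README note describe, so a host can still be configured with nested containers and several runner instances, the combination the commit message says makes the instances fight over the same host paths. Right after the assignment I would reject that combination: `if [ "$SUPPORT_NESTED_CONTAINERS" = "true" ] && [ "$NUMBER_OF_RUNNERS" -gt 1 ]; then` / `  echo "support_nested_containers is incompatible with number_of_runners > 1" >&2; exit 1` / `fi`, assuming number_of_runners is validated as an integer elsewhere in the script, which this hunk does not show. Whether the new variable is consumed later in the postinst is outside the hunk; since start-runner.sh reads the value from debconf directly, a short comment saying the postinst only collects it would save a reader from hunting for a consumer.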
diff --git a/shaka-lab-github-runner/linux/start-runner.sh b/shaka-lab-github-runner/linux/start-runner.sh
index 341258a..6e85515 100755
--- a/shaka-lab-github-runner/linux/start-runner.sh
+++ b/shaka-lab-github-runner/linux/start-runner.sh
@@ -86,43 +86,59 @@ if dpkg -s shaka-lab-cert-generator &>/dev/null || \ extra_docker_args+=(--mount type=bind,src=/etc/letsencrypt,dst=/etc/letsencrypt,ro) fi -# To support nested containers in self-hosted workflows, certain folders -# expected by GitHub Actions must be consistently mapped from the outer host to -# the first container. To keep workflows ephemeral, we also wipe these before -# every run. +# This matches what GitHub runner expects, and is the necessary value for +# nested container support. RUNNER_WORKDIR=/home/runner/work -MAPPED_FOLDERS=( - $RUNNER_WORKDIR - /opt/hostedtoolcache -) -for i in "${MAPPED_FOLDERS[@]}"; do - rm -rf "$i" - mkdir -p "$i" - extra_docker_args+=(--mount type=bind,src="$i",dst="$i") -done - -# This folder already exists inside the container image, but we want to keep our -# own copy of it at the host level. This will allow it to be correctly mapped -# to nested containers, and modified if necessary. -EXTERNALS=/actions-runner/externals -rm -rf "$EXTERNALS" -mkdir -p "$EXTERNALS" -# Create a temporary docker container to extract these files. +# Make sure we have the required Docker image/tag, and the latest version of it. docker pull "$DOCKER_IMAGE" -docker container create --name "$CONTAINER_NAME" "$DOCKER_IMAGE" - -# Copy "$EXTERNALS" itself from the container into the local parent of the same. -# This is because "docker cp" doesn't do wildcards, so you can't copy "e/* e/". -docker cp "$CONTAINER_NAME":"$EXTERNALS" "$EXTERNALS"/.. -# Clean up the temporary container. -docker container rm "$CONTAINER_NAME" - -# Create a special mount for this folder. -extra_docker_args+=(--mount type=bind,src="$EXTERNALS",dst="$EXTERNALS",ro) +# Extract the value of shaka-lab-github-runner/support_nested_containers from +# debian package configuration. 
+SUPPORT_NESTED_CONTAINERS=$(debconf-get-selections 2>/dev/null | grep shaka-lab-github-runner/support_nested_containers | awk '{print $4}') + +# Add extra arguments necessary for nested containers, if requested. +if [[ "$SUPPORT_NESTED_CONTAINERS" == "true" ]]; then + # To support nested containers in self-hosted workflows, certain folders + # expected by GitHub Actions must be consistently mapped from the outer host + # to the first container. To keep workflows ephemeral, we also wipe these + # before every run. + MAPPED_FOLDERS=( + $RUNNER_WORKDIR + /opt/hostedtoolcache + ) + for i in "${MAPPED_FOLDERS[@]}"; do + rm -rf "$i" + mkdir -p "$i" + extra_docker_args+=(--mount type=bind,src="$i",dst="$i") + done + + # This folder already exists inside the container image, but we want to keep + # our own copy of it at the host level. This will allow it to be correctly + # mapped to nested containers, and modified if necessary. + EXTERNALS=/actions-runner/externals + rm -rf "$EXTERNALS" + mkdir -p "$EXTERNALS" + + # Create a temporary docker container to extract these files. + docker container create --name "$CONTAINER_NAME" "$DOCKER_IMAGE" + + # Copy "$EXTERNALS" itself from the container into the local parent of the + # same. This is because "docker cp" doesn't do wildcards, so you can't copy + # "e/* e/". + docker cp "$CONTAINER_NAME":"$EXTERNALS" "$EXTERNALS"/.. + + # Clean up the temporary container. + docker container rm "$CONTAINER_NAME" + + # Create a special mount for this folder. + extra_docker_args+=(--mount type=bind,src="$EXTERNALS",dst="$EXTERNALS",ro) + + # Create a special bind for the docker socket. + extra_docker_args+=(-v /var/run/docker.sock:/var/run/docker.sock) +fi -# Start a docker container. +# Start the docker container. # --rm: Remove the container when it shuts down. # --name: The name of the container. # --network host: Use the host directly for networking, rather than NAT.
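Review bot: The `-v /var/run/docker.sock:/var/run/docker.sock` bind near the end of the new `if` block gives every job running in the container control of the host's Docker daemon, which is host-root equivalent, and the only gate on it is the debconf lookup a few lines above, which is fragile: `grep shaka-lab-github-runner/support_nested_containers` is an unanchored substring match and the `2>/dev/null` means a missing debconf-utils or a permission error silently yields an empty string with no diagnostic. I would match the key exactly and drop the grep stage, `SUPPORT_NESTED_CONTAINERS=$(debconf-get-selections 2>/dev/null | awk '$2 == "shaka-lab-github-runner/support_nested_containers" {print $4}')`, and emit a warning to stderr when the result is neither `true` nor `false` so an operator can see why nested support did not engage. The comment `# Create a special bind for the docker socket.` should state the consequence, e.g. `# Bind the host docker socket: jobs in this container can then drive the host's Docker daemon (root-equivalent), so this is only done when explicitly configured.` Falling through to the non-nested path on an empty value is the safe direction and should stay. The `docker run` that consumes extra_docker_args continues outside the hunk.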