06d4990
06d499088b54ee672e4c9010749471550ea648c193ac552
e19c785.github/workflows/runner-image.ymlmodified@@ -62,7 +62,7 @@ jobs: | |||
| 62 | run: docker load < result | 62 | run: docker load < result |
| 63 | 63 | ||
| 64 | - name: Tag image | 64 | - name: Tag image |
| 65 | - run: docker tag ghcr.io/shithub/runner-nix:1.0 "${{ steps.image.outputs.image }}:${{ steps.image.outputs.tag }}" | 65 | + run: docker tag ghcr.io/tenseleyflow/shithub/runner-nix:1.0 "${{ steps.image.outputs.image }}:${{ steps.image.outputs.tag }}" |
| 66 | 66 | ||
| 67 | - name: Login to GHCR | 67 | - name: Login to GHCR |
| 68 | uses: docker/login-action@v3 | 68 | uses: docker/login-action@v3 |
deploy/ansible/inventory/production.examplemodified@@ -51,7 +51,7 @@ grafana_cloud_prom_token=REPLACE_ME # access-policy token | |||
| 51 | # shithub_runner_token=REPLACE_ME | 51 | # shithub_runner_token=REPLACE_ME |
| 52 | # shithub_runner_labels=self-hosted,linux,ubuntu-latest,x64 | 52 | # shithub_runner_labels=self-hosted,linux,ubuntu-latest,x64 |
| 53 | # shithub_runner_capacity=1 | 53 | # shithub_runner_capacity=1 |
| 54 | -# shithub_runner_default_image=ghcr.io/shithub/runner-nix:1.0 | 54 | +# shithub_runner_default_image=ghcr.io/tenseleyflow/shithub/runner-nix:1.0 |
| 55 | # The role creates shithub-actions on shact0 (172.30.0.1/24), runs | 55 | # The role creates shithub-actions on shact0 (172.30.0.1/24), runs |
| 56 | # dnsmasq on that bridge, and enforces direct-IP egress denial with | 56 | # dnsmasq on that bridge, and enforces direct-IP egress denial with |
| 57 | # shithub-runner-firewall.service. | 57 | # shithub-runner-firewall.service. |
deploy/ansible/roles/shithubd-runner/defaults/main.ymlmodified@@ -23,7 +23,7 @@ shithub_runner_network_allowlist: | |||
| 23 | - registry-1.docker.io | 23 | - registry-1.docker.io |
| 24 | - "*.githubusercontent.com" | 24 | - "*.githubusercontent.com" |
| 25 | shithub_runner_engine: docker | 25 | shithub_runner_engine: docker |
| 26 | -shithub_runner_default_image: ghcr.io/shithub/runner-nix:1.0 | 26 | +shithub_runner_default_image: ghcr.io/tenseleyflow/shithub/runner-nix:1.0 |
| 27 | shithub_runner_network: shithub-actions | 27 | shithub_runner_network: shithub-actions |
| 28 | shithub_runner_network_bridge: shact0 | 28 | shithub_runner_network_bridge: shact0 |
| 29 | shithub_runner_network_subnet: 172.30.0.0/24 | 29 | shithub_runner_network_subnet: 172.30.0.0/24 |
deploy/ansible/roles/shithubd-runner/tasks/main.ymlmodified@@ -122,10 +122,24 @@ | |||
| 122 | before re-running the role so firewall rules target the correct bridge. | 122 | before re-running the role so firewall rules target the correct bridge. |
| 123 | when: shithub_runner_engine == "docker" and not ansible_check_mode | 123 | when: shithub_runner_engine == "docker" and not ansible_check_mode |
| 124 | 124 | ||
| 125 | -- name: Upload shithubd-runner binary (built by `make build` locally) | 125 | +- name: Upload candidate shithubd-runner binary (built by `make build` locally) |
| 126 | copy: | 126 | copy: |
| 127 | src: "{{ playbook_dir }}/../../bin/shithubd-runner" | 127 | src: "{{ playbook_dir }}/../../bin/shithubd-runner" |
| 128 | + dest: /var/lib/shithubd-runner/binaries/shithubd-runner-candidate | ||
| 129 | + mode: "0755" | ||
| 130 | + owner: root | ||
| 131 | + group: root | ||
| 132 | + | ||
| 133 | +- name: Candidate runner binary executes on target | ||
| 134 | + command: /var/lib/shithubd-runner/binaries/shithubd-runner-candidate version | ||
| 135 | + register: shithubd_runner_version | ||
| 136 | + changed_when: false | ||
| 137 | + | ||
| 138 | +- name: Promote candidate shithubd-runner binary | ||
| 139 | + copy: | ||
| 140 | + src: /var/lib/shithubd-runner/binaries/shithubd-runner-candidate | ||
| 128 | dest: /usr/local/bin/shithubd-runner | 141 | dest: /usr/local/bin/shithubd-runner |
| 142 | + remote_src: true | ||
| 129 | mode: "0755" | 143 | mode: "0755" |
| 130 | owner: root | 144 | owner: root |
| 131 | group: root | 145 | group: root |
deploy/doctl/generate-actions-runner-inventory.shmodified@@ -13,7 +13,7 @@ ANSIBLE_USER="${ANSIBLE_USER:-root}" | |||
| 13 | SERVER_URL="${SHITHUB_RUNNER_SERVER_URL:-https://shithub.sh}" | 13 | SERVER_URL="${SHITHUB_RUNNER_SERVER_URL:-https://shithub.sh}" |
| 14 | LABELS="${SHITHUB_RUNNER_LABELS:-self-hosted,linux,ubuntu-latest,x64}" | 14 | LABELS="${SHITHUB_RUNNER_LABELS:-self-hosted,linux,ubuntu-latest,x64}" |
| 15 | CAPACITY="${SHITHUB_RUNNER_CAPACITY:-1}" | 15 | CAPACITY="${SHITHUB_RUNNER_CAPACITY:-1}" |
| 16 | -DEFAULT_IMAGE="${SHITHUB_RUNNER_DEFAULT_IMAGE:-ghcr.io/shithub/runner-nix:1.0}" | 16 | +DEFAULT_IMAGE="${SHITHUB_RUNNER_DEFAULT_IMAGE:-ghcr.io/tenseleyflow/shithub/runner-nix:1.0}" |
| 17 | TOKEN_PLACEHOLDER="${SHITHUB_RUNNER_TOKEN_PLACEHOLDER:-REPLACE_WITH_RUNNER_TOKEN}" | 17 | TOKEN_PLACEHOLDER="${SHITHUB_RUNNER_TOKEN_PLACEHOLDER:-REPLACE_WITH_RUNNER_TOKEN}" |
| 18 | 18 | ||
| 19 | usage() { | 19 | usage() { |
deploy/doctl/provision-actions-runner-pool.shmodified@@ -179,7 +179,10 @@ for raw in "${CIDR_PARTS[@]}"; do | |||
| 179 | done | 179 | done |
| 180 | (( ${#SSH_RULES[@]} > 0 )) || fatal "at least one non-public SSH CIDR is required" | 180 | (( ${#SSH_RULES[@]} > 0 )) || fatal "at least one non-public SSH CIDR is required" |
| 181 | SSH_INBOUND_RULES="${SSH_RULES[*]}" | 181 | SSH_INBOUND_RULES="${SSH_RULES[*]}" |
| 182 | -OUTBOUND_RULES="protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,ports:all,address:0.0.0.0/0" | 182 | +# DigitalOcean firewall rules accept explicit TCP/UDP port ranges here, not |
| 183 | +# the human shorthand "all". Keep this broad at the cloud firewall layer; the | ||
| 184 | +# runner host's ipset firewall enforces the DNS allowlist for job containers. | ||
| 185 | +OUTBOUND_RULES="protocol:tcp,ports:1-65535,address:0.0.0.0/0 protocol:udp,ports:1-65535,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0" | ||
| 183 | 186 | ||
| 184 | require_tool doctl | 187 | require_tool doctl |
| 185 | require_tool jq | 188 | require_tool jq |
deploy/runner-images/README.mdmodified@@ -7,7 +7,7 @@ nix build ./deploy/runner-images#runnerImage | |||
| 7 | docker load < result | 7 | docker load < result |
| 8 | ``` | 8 | ``` |
| 9 | 9 | ||
| 10 | -The image tag is `ghcr.io/shithub/runner-nix:1.0`, matching | 10 | +The image tag is `ghcr.io/tenseleyflow/shithub/runner-nix:1.0`, matching |
| 11 | `internal/runner/config`'s default. `flake.lock` pins nixpkgs so the | 11 | `internal/runner/config`'s default. `flake.lock` pins nixpkgs so the |
| 12 | image input set is reviewable and repeatable. The image intentionally | 12 | image input set is reviewable and repeatable. The image intentionally |
| 13 | contains only the baseline tools needed for v1 `run:` steps and checkout | 13 | contains only the baseline tools needed for v1 `run:` steps and checkout |
@@ -19,4 +19,4 @@ Publishing is handled by `.github/workflows/runner-image.yml`. That | |||
| 19 | workflow is manual because the GHCR namespace may differ between the | 19 | workflow is manual because the GHCR namespace may differ between the |
| 20 | upstream project and self-hosted forks. Leave the image input blank to | 20 | upstream project and self-hosted forks. Leave the image input blank to |
| 21 | publish under the current repository's GHCR namespace, or override it | 21 | publish under the current repository's GHCR namespace, or override it |
| 22 | -with `ghcr.io/shithub/runner-nix` for the upstream package. | 22 | +with `ghcr.io/tenseleyflow/shithub/runner-nix` for the upstream package. |
deploy/runner-images/flake.nixmodified@@ -65,7 +65,7 @@ | |||
| 65 | in | 65 | in |
| 66 | { | 66 | { |
| 67 | runnerImage = pkgs.dockerTools.buildLayeredImage { | 67 | runnerImage = pkgs.dockerTools.buildLayeredImage { |
| 68 | - name = "ghcr.io/shithub/runner-nix"; | 68 | + name = "ghcr.io/tenseleyflow/shithub/runner-nix"; |
| 69 | tag = "1.0"; | 69 | tag = "1.0"; |
| 70 | contents = [ imageRoot ]; | 70 | contents = [ imageRoot ]; |
| 71 | maxLayers = 80; | 71 | maxLayers = 80; |
docs/internal/runbooks/actions-runner.mdmodified@@ -172,7 +172,7 @@ network_allowlist = [ | |||
| 172 | 172 | ||
| 173 | [engine] | 173 | [engine] |
| 174 | kind = "docker" | 174 | kind = "docker" |
| 175 | -default_image = "ghcr.io/shithub/runner-nix:1.0" | 175 | +default_image = "ghcr.io/tenseleyflow/shithub/runner-nix:1.0" |
| 176 | network = "shithub-actions" | 176 | network = "shithub-actions" |
| 177 | memory = "2g" | 177 | memory = "2g" |
| 178 | cpus = "2" | 178 | cpus = "2" |
docs/internal/runbooks/runner-deploy.mdmodified@@ -129,7 +129,7 @@ shithub_runner_enabled=true | |||
| 129 | shithub_runner_token=REPLACE_ME | 129 | shithub_runner_token=REPLACE_ME |
| 130 | shithub_runner_labels=self-hosted,linux,ubuntu-latest,x64 | 130 | shithub_runner_labels=self-hosted,linux,ubuntu-latest,x64 |
| 131 | shithub_runner_capacity=1 | 131 | shithub_runner_capacity=1 |
| 132 | -shithub_runner_default_image=ghcr.io/shithub/runner-nix:1.0 | 132 | +shithub_runner_default_image=ghcr.io/tenseleyflow/shithub/runner-nix:1.0 |
| 133 | shithub_runner_seccomp_profile=/etc/shithubd-runner/seccomp.json | 133 | shithub_runner_seccomp_profile=/etc/shithubd-runner/seccomp.json |
| 134 | shithub_runner_container_user=65534:65534 | 134 | shithub_runner_container_user=65534:65534 |
| 135 | shithub_runner_pids_limit=512 | 135 | shithub_runner_pids_limit=512 |
@@ -158,6 +158,13 @@ cd deploy/ansible | |||
| 158 | ansible-playbook -i inventory/production site.yml -t shithubd-runner | 158 | ansible-playbook -i inventory/production site.yml -t shithubd-runner |
| 159 | ``` | 159 | ``` |
| 160 | 160 | ||
| 161 | +When deploying from a non-Linux operator machine, build the runner binary for | ||
| 162 | +the target host architecture before running Ansible: | ||
| 163 | + | ||
| 164 | +```sh | ||
| 165 | +GOOS=linux GOARCH=amd64 CGO_ENABLED=0 make build | ||
| 166 | +``` | ||
| 167 | + | ||
| 161 | For the generated DigitalOcean runner inventory: | 168 | For the generated DigitalOcean runner inventory: |
| 162 | 169 | ||
| 163 | ```sh | 170 | ```sh |
internal/runner/config/config.gomodified@@ -28,7 +28,7 @@ import ( | |||
| 28 | const ( | 28 | const ( |
| 29 | DefaultPath = "/etc/shithubd-runner/config.toml" | 29 | DefaultPath = "/etc/shithubd-runner/config.toml" |
| 30 | EnvPrefix = "SHITHUB_RUNNER_" | 30 | EnvPrefix = "SHITHUB_RUNNER_" |
| 31 | - defaultImage = "ghcr.io/shithub/runner-nix:1.0" | 31 | + defaultImage = "ghcr.io/tenseleyflow/shithub/runner-nix:1.0" |
| 32 | defaultNetwork = "shithub-actions" | 32 | defaultNetwork = "shithub-actions" |
| 33 | defaultDNSServer = "172.30.0.1" | 33 | defaultDNSServer = "172.30.0.1" |
| 34 | defaultSeccompProfile = "/etc/shithubd-runner/seccomp.json" | 34 | defaultSeccompProfile = "/etc/shithubd-runner/seccomp.json" |