

actions: fix shared runner provisioning defaults

Authored by mfwolffe <wolffemf@dukes.jmu.edu>
SHA
06d499088b54ee672e4c9010749471550ea648c1
Parents
93ac552
Tree
e19c785

11 changed files

StatusFile+-
M .github/workflows/runner-image.yml 1 1
M deploy/ansible/inventory/production.example 1 1
M deploy/ansible/roles/shithubd-runner/defaults/main.yml 1 1
M deploy/ansible/roles/shithubd-runner/tasks/main.yml 15 1
M deploy/doctl/generate-actions-runner-inventory.sh 1 1
M deploy/doctl/provision-actions-runner-pool.sh 4 1
M deploy/runner-images/README.md 2 2
M deploy/runner-images/flake.nix 1 1
M docs/internal/runbooks/actions-runner.md 1 1
M docs/internal/runbooks/runner-deploy.md 8 1
M internal/runner/config/config.go 1 1
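--- a/.github/workflows/runner-image.yml
+++ b/.github/workflows/runner-image.yml
@@ -62,7 +62,7 @@ jobs:
         run: docker load < result
 
       - name: Tag image
-        run: docker tag ghcr.io/shithub/runner-nix:1.0 "${{ steps.image.outputs.image }}:${{ steps.image.outputs.tag }}"
+        run: docker tag ghcr.io/tenseleyflow/shithub/runner-nix:1.0 "${{ steps.image.outputs.image }}:${{ steps.image.outputs.tag }}"
 
       - name: Login to GHCR
         uses: docker/login-action@v3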
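--- a/deploy/ansible/inventory/production.example
+++ b/deploy/ansible/inventory/production.example
@@ -51,7 +51,7 @@ grafana_cloud_prom_token=REPLACE_ME # access-policy token
 # shithub_runner_token=REPLACE_ME
 # shithub_runner_labels=self-hosted,linux,ubuntu-latest,x64
 # shithub_runner_capacity=1
-# shithub_runner_default_image=ghcr.io/shithub/runner-nix:1.0
+# shithub_runner_default_image=ghcr.io/tenseleyflow/shithub/runner-nix:1.0
 # The role creates shithub-actions on shact0 (172.30.0.1/24), runs
 # dnsmasq on that bridge, and enforces direct-IP egress denial with
 # shithub-runner-firewall.service.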
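--- a/deploy/ansible/roles/shithubd-runner/defaults/main.yml
+++ b/deploy/ansible/roles/shithubd-runner/defaults/main.yml
@@ -23,7 +23,7 @@ shithub_runner_network_allowlist:
   - registry-1.docker.io
   - "*.githubusercontent.com"
 shithub_runner_engine: docker
-shithub_runner_default_image: ghcr.io/shithub/runner-nix:1.0
+shithub_runner_default_image: ghcr.io/tenseleyflow/shithub/runner-nix:1.0
 shithub_runner_network: shithub-actions
 shithub_runner_network_bridge: shact0
 shithub_runner_network_subnet: 172.30.0.0/24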
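--- a/deploy/ansible/roles/shithubd-runner/tasks/main.yml
+++ b/deploy/ansible/roles/shithubd-runner/tasks/main.yml
@@ -122,10 +122,24 @@
       before re-running the role so firewall rules target the correct bridge.
   when: shithub_runner_engine == "docker" and not ansible_check_mode
 
-- name: Upload shithubd-runner binary (built by `make build` locally)
+- name: Upload candidate shithubd-runner binary (built by `make build` locally)
   copy:
     src: "{{ playbook_dir }}/../../bin/shithubd-runner"
+    dest: /var/lib/shithubd-runner/binaries/shithubd-runner-candidate
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Candidate runner binary executes on target
+  command: /var/lib/shithubd-runner/binaries/shithubd-runner-candidate version
+  register: shithubd_runner_version
+  changed_when: false
+
+- name: Promote candidate shithubd-runner binary
+  copy:
+    src: /var/lib/shithubd-runner/binaries/shithubd-runner-candidate
     dest: /usr/local/bin/shithubd-runner
+    remote_src: true
     mode: "0755"
     owner: root
     group: root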
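Review bot: The candidate upload writes to `dest: /var/lib/shithubd-runner/binaries/shithubd-runner-candidate`, but `copy` does not create parent directories, so on a fresh host this task fails unless a task outside this hunk has already created `/var/lib/shithubd-runner/binaries` (`file: path=/var/lib/shithubd-runner/binaries state=directory owner=root mode=0755`); it is worth making that explicit here. The same exec-before-install check could be done on the original single task with the copy module's own `validate: "%s version"`, which runs the command against the staged temp file before it is moved into `/usr/local/bin` and leaves no root-owned candidate lingering in /var/lib. If the three-step form is kept, `shithubd_runner_version` is registered but never read in this hunk; gating promotion on its stdout (for example a `failed_when` against the version string `make build` produced) would make the check stronger than exit-code-only. Whether a handler restarts the running service to pick up the promoted binary is not visible in this hunk.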
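--- a/deploy/doctl/generate-actions-runner-inventory.sh
+++ b/deploy/doctl/generate-actions-runner-inventory.sh
@@ -13,7 +13,7 @@ ANSIBLE_USER="${ANSIBLE_USER:-root}"
 SERVER_URL="${SHITHUB_RUNNER_SERVER_URL:-https://shithub.sh}"
 LABELS="${SHITHUB_RUNNER_LABELS:-self-hosted,linux,ubuntu-latest,x64}"
 CAPACITY="${SHITHUB_RUNNER_CAPACITY:-1}"
-DEFAULT_IMAGE="${SHITHUB_RUNNER_DEFAULT_IMAGE:-ghcr.io/shithub/runner-nix:1.0}"
+DEFAULT_IMAGE="${SHITHUB_RUNNER_DEFAULT_IMAGE:-ghcr.io/tenseleyflow/shithub/runner-nix:1.0}"
 TOKEN_PLACEHOLDER="${SHITHUB_RUNNER_TOKEN_PLACEHOLDER:-REPLACE_WITH_RUNNER_TOKEN}"
 
 usage() {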
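--- a/deploy/doctl/provision-actions-runner-pool.sh
+++ b/deploy/doctl/provision-actions-runner-pool.sh
@@ -179,7 +179,10 @@ for raw in "${CIDR_PARTS[@]}"; do
 done
 (( ${#SSH_RULES[@]} > 0 )) || fatal "at least one non-public SSH CIDR is required"
 SSH_INBOUND_RULES="${SSH_RULES[*]}"
-OUTBOUND_RULES="protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,ports:all,address:0.0.0.0/0"
+# DigitalOcean firewall rules accept explicit TCP/UDP port ranges here, not
+# the human shorthand "all". Keep this broad at the cloud firewall layer; the
+# runner host's ipset firewall enforces the DNS allowlist for job containers.
+OUTBOUND_RULES="protocol:tcp,ports:1-65535,address:0.0.0.0/0 protocol:udp,ports:1-65535,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0"
 
 require_tool doctl
 require_tool jq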
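Review bot: The new `OUTBOUND_RULES` value opens every TCP and UDP port to `0.0.0.0/0`, and the comment above it delegates egress control to the host's ipset firewall, which the inventory example in this commit describes as enforcing direct-IP egress denial for job containers on the `shact0` bridge; that leaves the runner host itself (and anything that escapes a container) with no egress restriction at the cloud layer. The host should rarely need UDP beyond DNS and NTP, so narrowing the UDP rule to `protocol:udp,ports:53,address:0.0.0.0/0 protocol:udp,ports:123,address:0.0.0.0/0` while keeping TCP broad would cut off UDP-based tunnelling without affecting image pulls or the dnsmasq forwarder — confirm against what the host actually uses before tightening. The rules are also IPv4-only; if droplets are created with IPv6 enabled, outbound v6 is implicitly blocked, which is conservative but worth stating in the comment.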
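--- a/deploy/runner-images/README.md
+++ b/deploy/runner-images/README.md
@@ -7,7 +7,7 @@ nix build ./deploy/runner-images#runnerImage
 docker load < result
 ```
 
-The image tag is `ghcr.io/shithub/runner-nix:1.0`, matching
+The image tag is `ghcr.io/tenseleyflow/shithub/runner-nix:1.0`, matching
 `internal/runner/config`'s default. `flake.lock` pins nixpkgs so the
 image input set is reviewable and repeatable. The image intentionally
 contains only the baseline tools needed for v1 `run:` steps and checkout
@@ -19,4 +19,4 @@ Publishing is handled by `.github/workflows/runner-image.yml`. That
 workflow is manual because the GHCR namespace may differ between the
 upstream project and self-hosted forks. Leave the image input blank to
 publish under the current repository's GHCR namespace, or override it
-with `ghcr.io/shithub/runner-nix` for the upstream package.
+with `ghcr.io/tenseleyflow/shithub/runner-nix` for the upstream package.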
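--- a/deploy/runner-images/flake.nix
+++ b/deploy/runner-images/flake.nix
@@ -65,7 +65,7 @@
         in
         {
           runnerImage = pkgs.dockerTools.buildLayeredImage {
-            name = "ghcr.io/shithub/runner-nix";
+            name = "ghcr.io/tenseleyflow/shithub/runner-nix";
             tag = "1.0";
             contents = [ imageRoot ];
             maxLayers = 80;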
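--- a/docs/internal/runbooks/actions-runner.md
+++ b/docs/internal/runbooks/actions-runner.md
@@ -172,7 +172,7 @@ network_allowlist = [
 
 [engine]
 kind = "docker"
-default_image = "ghcr.io/shithub/runner-nix:1.0"
+default_image = "ghcr.io/tenseleyflow/shithub/runner-nix:1.0"
 network = "shithub-actions"
 memory = "2g"
 cpus = "2"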
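--- a/docs/internal/runbooks/runner-deploy.md
+++ b/docs/internal/runbooks/runner-deploy.md
@@ -129,7 +129,7 @@ shithub_runner_enabled=true
 shithub_runner_token=REPLACE_ME
 shithub_runner_labels=self-hosted,linux,ubuntu-latest,x64
 shithub_runner_capacity=1
-shithub_runner_default_image=ghcr.io/shithub/runner-nix:1.0
+shithub_runner_default_image=ghcr.io/tenseleyflow/shithub/runner-nix:1.0
 shithub_runner_seccomp_profile=/etc/shithubd-runner/seccomp.json
 shithub_runner_container_user=65534:65534
 shithub_runner_pids_limit=512
@@ -158,6 +158,13 @@ cd deploy/ansible
 ansible-playbook -i inventory/production site.yml -t shithubd-runner
 ```
 
+When deploying from a non-Linux operator machine, build the runner binary for
+the target host architecture before running Ansible:
+
+```sh
+GOOS=linux GOARCH=amd64 CGO_ENABLED=0 make build
+```
+
 For the generated DigitalOcean runner inventory:
 
 ```sh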
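--- a/internal/runner/config/config.go
+++ b/internal/runner/config/config.go
@@ -28,7 +28,7 @@ import (
 const (
 	DefaultPath            = "/etc/shithubd-runner/config.toml"
 	EnvPrefix              = "SHITHUB_RUNNER_"
-	defaultImage           = "ghcr.io/shithub/runner-nix:1.0"
+	defaultImage           = "ghcr.io/tenseleyflow/shithub/runner-nix:1.0"
 	defaultNetwork         = "shithub-actions"
 	defaultDNSServer       = "172.30.0.1"
 	defaultSeccompProfile  = "/etc/shithubd-runner/seccomp.json"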