From 39ffd5399193a7f7c0b3fa2269c1af8884ee6959 Mon Sep 17 00:00:00 2001 From: Alejandro Lembke Barrientos Date: Sat, 11 Nov 2023 17:47:19 +0000 Subject: [PATCH] Adding Docker to runners. --- Dockerfile | 20 +++++++++ README.md | 2 +- wrapdocker.sh | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 wrapdocker.sh diff --git a/Dockerfile b/Dockerfile index 39e2183..f0c2011 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,21 @@ RUN apt-get -y install vim # set the github runner version ARG RUNNER_VERSION="2.311.0" +#Installing Docker +# Let's start with some basic stuff. +RUN sudo apt-get update -qq && sudo apt-get install -qqy \ + apt-transport-https \ + ca-certificates \ + curl \ + lxc \ + iptables +# Install Docker from Docker Inc. repositories. +RUN curl -sSL https://get.docker.com/ | sh +# Define additional metadata for our image. +VOLUME /var/lib/docker +RUN sudo usermod -aG docker coder +#Finishing Installing Docker + # update the base packages, add a non-sudo user, and install Xvfb RUN apt-get update -y && \ apt-get upgrade -y && \ @@ -41,6 +56,11 @@ COPY start.sh start.sh # make the script executable RUN chmod +x start.sh +# Install the magic wrapper. +ADD ./wrapdocker.sh /usr/local/bin/wrapdocker.sh +RUN sudo chmod +x /usr/local/bin/wrapdocker.sh +RUN sudo sed -i "2 i\exec sudo /usr/local/bin/wrapdocker.sh &" start.sh + # since the config and run script for actions are not allowed to be run by root, # set the user to "docker" so all subsequent commands are run as the docker user USER docker diff --git a/README.md b/README.md index 492539e..aaf0d4d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,3 @@ # Docker Github Action Runner -## Version 1.0.8 \ No newline at end of file +## Version 1.0.9 \ No newline at end of file diff --git a/wrapdocker.sh b/wrapdocker.sh new file mode 100644 index 0000000..dff6a25 --- /dev/null +++ b/wrapdocker.sh @@ -0,0 +1,113 @@ +#!/bin/bash + +# Ensure that all nodes in /dev/mapper correspond to mapped devices currently loaded by the device-mapper kernel driver +dmsetup mknodes + +# First, make sure that cgroups are mounted correctly. +CGROUP=/sys/fs/cgroup +: {LOG:=stdio} + +[ -d $CGROUP ] || + mkdir $CGROUP + +mountpoint -q $CGROUP || + mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || { + echo "Could not make a tmpfs mount. Did you use --privileged?" + exit 1 + } + +if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security +then + mount -t securityfs none /sys/kernel/security || { + echo "Could not mount /sys/kernel/security." + echo "AppArmor detection and --privileged mode might break." + } +fi + +# Mount the cgroup hierarchies exactly as they are in the parent system. +for SUBSYS in $(cut -d: -f2 /proc/1/cgroup) +do + [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS + mountpoint -q $CGROUP/$SUBSYS || + mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS + + # The two following sections address a bug which manifests itself + # by a cryptic "lxc-start: no ns_cgroup option specified" when + # trying to start containers withina container. + # The bug seems to appear when the cgroup hierarchies are not + # mounted on the exact same directories in the host, and in the + # container. + + # Named, control-less cgroups are mounted with "-o name=foo" + # (and appear as such under /proc//cgroup) but are usually + # mounted on a directory named "foo" (without the "name=" prefix). + # Systemd and OpenRC (and possibly others) both create such a + # cgroup. To avoid the aforementioned bug, we symlink "foo" to + # "name=foo". This shouldn't have any adverse effect. + echo $SUBSYS | grep -q ^name= && { + NAME=$(echo $SUBSYS | sed s/^name=//) + ln -s $SUBSYS $CGROUP/$NAME + } + + # Likewise, on at least one system, it has been reported that + # systemd would mount the CPU and CPU accounting controllers + # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu" + # but on a directory called "cpu,cpuacct" (note the inversion + # in the order of the groups). This tries to work around it. + [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct +done + +# Note: as I write those lines, the LXC userland tools cannot setup +# a "sub-container" properly if the "devices" cgroup is not in its +# own hierarchy. Let's detect this and issue a warning. +grep -q :devices: /proc/1/cgroup || + echo "WARNING: the 'devices' cgroup should be in its own hierarchy." +grep -qw devices /proc/1/cgroup || + echo "WARNING: it looks like the 'devices' cgroup is not mounted." + +# Now, close extraneous file descriptors. +pushd /proc/self/fd >/dev/null +for FD in * +do + case "$FD" in + # Keep stdin/stdout/stderr + [012]) + ;; + # Nuke everything else + *) + eval exec "$FD>&-" + ;; + esac +done +popd >/dev/null + + +# If a pidfile is still around (for example after a container restart), +# delete it so that docker can start. +rm -rf /var/run/docker.pid + +# If we were given a PORT environment variable, start as a simple daemon; +# otherwise, spawn a shell as well +if [ "$PORT" ] +then + exec dockerd -H 0.0.0.0:$PORT -H unix:///var/run/docker.sock \ + $DOCKER_DAEMON_ARGS +else + if [ "$LOG" == "file" ] + then + dockerd $DOCKER_DAEMON_ARGS &>/var/log/docker.log & + else + dockerd $DOCKER_DAEMON_ARGS & + fi + (( timeout = 60 + SECONDS )) + until docker info >/dev/null 2>&1 + do + if (( SECONDS >= timeout )); then + echo 'Timed out trying to connect to internal docker host.' >&2 + break + fi + sleep 1 + done + [[ $1 ]] && exec "$@" + exec bash --login +fi \ No newline at end of file