fix(ubuntu-24.04): make Ubuntu example work

bdellegrazie · bdellegrazie · commit e62b83de9bcd · 2024-11-27T18:34:16.000+01:00
* Switch to using the upstream deb archive for Docker
* use awscli v2
* Provide a user-specific override for systemd
* use machinectl to launch rootless docker
diff --git a/examples/multi-runner/README.md b/examples/multi-runner/README.md
@@ -32,7 +32,6 @@ terraform apply -var=module_version=<VERSION>
 cd -
 ```
 
-
 Before running Terraform, ensure the GitHub app is configured. See the [configuration details](https://philips-labs.github.io/terraform-aws-github-runner/configuration/) for more details.
 
 ```bash
@@ -47,47 +46,49 @@ terraform output -raw webhook_secret
 ```
 
 <!-- BEGIN_TF_DOCS -->
+
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.27 |
-| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+| Name                                                                     | Version  |
+| ------------------------------------------------------------------------ | -------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement_aws)                   | ~> 5.27  |
+| <a name="requirement_local"></a> [local](#requirement_local)             | ~> 2.0   |
+| <a name="requirement_random"></a> [random](#requirement_random)          | ~> 3.0   |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
+| Name                                                      | Version |
+| --------------------------------------------------------- | ------- |
+| <a name="provider_random"></a> [random](#provider_random) | 3.6.0   |
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
-| <a name="module_runners"></a> [runners](#module\_runners) | ../../modules/multi-runner | n/a |
-| <a name="module_webhook_github_app"></a> [webhook\_github\_app](#module\_webhook\_github\_app) | ../../modules/webhook-github-app | n/a |
+| Name                                                                                      | Source                           | Version |
+| ----------------------------------------------------------------------------------------- | -------------------------------- | ------- |
+| <a name="module_base"></a> [base](#module_base)                                           | ../base                          | n/a     |
+| <a name="module_runners"></a> [runners](#module_runners)                                  | ../../modules/multi-runner       | n/a     |
+| <a name="module_webhook_github_app"></a> [webhook_github_app](#module_webhook_github_app) | ../../modules/webhook-github-app | n/a     |
 
 ## Resources
 
-| Name | Type |
-|------|------|
+| Name                                                                                                  | Type     |
+| ----------------------------------------------------------------------------------------------------- | -------- |
 | [random_id.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region to deploy to | `string` | `"eu-west-1"` | no |
-| <a name="input_environment"></a> [environment](#input\_environment) | Environment name, used as prefix | `string` | `null` | no |
-| <a name="input_github_app"></a> [github\_app](#input\_github\_app) | GitHub for API usages. | <pre>object({<br/>    id         = string<br/>    key_base64 = string<br/>  })</pre> | n/a | yes |
+| Name                                                               | Description                      | Type                                                                  | Default       | Required |
+| ------------------------------------------------------------------ | -------------------------------- | --------------------------------------------------------------------- | ------------- | :------: |
+| <a name="input_aws_region"></a> [aws_region](#input_aws_region)    | AWS region to deploy to          | `string`                                                              | `"eu-west-1"` |    no    |
+| <a name="input_environment"></a> [environment](#input_environment) | Environment name, used as prefix | `string`                                                              | `null`        |    no    |
+| <a name="input_github_app"></a> [github_app](#input_github_app)    | GitHub for API usages.           | <pre>object({<br/> id = string<br/> key_base64 = string<br/> })</pre> | n/a           |   yes    |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| <a name="output_webhook_endpoint"></a> [webhook\_endpoint](#output\_webhook\_endpoint) | n/a |
-| <a name="output_webhook_secret"></a> [webhook\_secret](#output\_webhook\_secret) | n/a |
+| Name                                                                                | Description |
+| ----------------------------------------------------------------------------------- | ----------- |
+| <a name="output_webhook_endpoint"></a> [webhook_endpoint](#output_webhook_endpoint) | n/a         |
+| <a name="output_webhook_secret"></a> [webhook_secret](#output_webhook_secret)       | n/a         |
+
 <!-- END_TF_DOCS -->
diff --git a/examples/multi-runner/templates/user-data.sh b/examples/multi-runner/templates/user-data.sh
@@ -15,67 +15,72 @@ set -x
 ${pre_install}
 
 # Install AWS CLI
-apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    awscli \
+apt-get -q update
+DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
     build-essential \
+    ca-certificates \
     curl \
     git \
     iptables \
     jq \
+    systemd-container \
     uidmap \
     unzip \
     wget
 
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+chmod a+r /etc/apt/keyrings/docker.asc
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
+apt-get -q update
+apt-get -q -y install docker-ce docker-ce-cli containerd.io docker-ce-rootless-extras docker-buildx-plugin docker-compose-plugin
+systemctl disable --now docker.socket docker.service
+
+# avoid /tmp, might be mounted no-exec
+curl -fsSL -o "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
+unzip -q awscliv2.zip
+aws/install
+rm -rf aws awscliv2.zip
+
 user_name=ubuntu
 user_id=$(id -ru $user_name)
 
 # install and configure cloudwatch logging agent
-wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
-dpkg -i -E ./amazon-cloudwatch-agent.deb
-amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:${ssm_key_cloudwatch_agent_config}
+curl -fsSL -o "/tmp/amazon-cloudwatch-agent.deb" https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
+dpkg -i -E /tmp/amazon-cloudwatch-agent.deb
+rm -f /tmp/amazon-cloudwatch-agent.deb
+amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c "ssm:${ssm_key_cloudwatch_agent_config}"
 
 # configure systemd for running service in users accounts
-cat >/etc/systemd/user@UID.service <<-EOF
-
-[Unit]
-Description=User Manager for UID %i
-After=user-runtime-dir@%i.service
-Wants=user-runtime-dir@%i.service
-
-[Service]
-LimitNOFILE=infinity
-LimitNPROC=infinity
-User=%i
-PAMName=systemd-user
-Type=notify
-
-[Install]
-WantedBy=default.target
-
+mkdir -p /etc/systemd/system/user-$user_id.slice.d
+cat > /etc/systemd/system/user-$user_id.slice.d/resources.conf <<- EOF
+[Slice]
+TasksMax=infinity
 EOF
-
-echo export XDG_RUNTIME_DIR=/run/user/$user_id >>/home/$user_name/.bashrc
+mkdir -p /home/$user_name/.config/systemd/
+cat > /home/$user_name/.config/systemd/user.conf <<- EOF
+[Manager]
+DefaultLimitNOFILE=infinity
+DefaultLimitNPROC=infinity
+EOF
+chown $user_name:$user_name /home/$user_name/.config/systemd/user.conf /home/$user_name/.config/systemd /home/$user_name/.config/
 
 systemctl daemon-reload
-systemctl enable user@UID.service
-systemctl start user@UID.service
 
-curl -fsSL https://get.docker.com/rootless >>/opt/rootless.sh && chmod 755 /opt/rootless.sh
-su -l $user_name -c /opt/rootless.sh
-echo export DOCKER_HOST=unix:///run/user/$user_id/docker.sock >>/home/$user_name/.bashrc
-echo export PATH=/home/$user_name/bin:$PATH >>/home/$user_name/.bashrc
+echo export XDG_RUNTIME_DIR="/run/user/$user_id" >> "/home/$user_name/.bashrc"
 
 # Run docker service by default
 loginctl enable-linger $user_name
-su -l $user_name -c "systemctl --user enable docker"
+machinectl shell "$user_name@.host" /usr/bin/dockerd-rootless-setuptool.sh install
+echo export DOCKER_HOST="unix:///run/user/$user_id/docker.sock" >> "/home/$user_name/.bashrc"
+echo export PATH="/home/$user_name/bin:$PATH" >> "/home/$user_name/.bashrc"
 
 ${install_runner}
 
 # config runner for rootless docker
 cd /opt/actions-runner/
-echo DOCKER_HOST=unix:///run/user/$user_id/docker.sock >>.env
-echo PATH=/home/$user_name/bin:$PATH >>.env
+echo DOCKER_HOST="unix:///run/user/$user_id/docker.sock" >> .env
+echo PATH="/home/$user_name/bin:$PATH" >> .env
 
 ${post_install}
 
