From e62b83de9bcd8d86494db599036839ee7044806c Mon Sep 17 00:00:00 2001 From: Brett Delle Grazie Date: Wed, 13 Nov 2024 08:59:32 +0100 Subject: [PATCH] fix(ubuntu-24.04): make Ubuntu example work * Switch to using the upstream deb archive for Docker * use awscli v2 * Provide a user-specific override for systemd * use machinectl to launch rootless docker --- examples/multi-runner/README.md | 53 +++++++------- examples/multi-runner/templates/user-data.sh | 73 +++++++++++--------- 2 files changed, 66 insertions(+), 60 deletions(-) diff --git a/examples/multi-runner/README.md b/examples/multi-runner/README.md index f0b08351de..8a3da5ff1f 100644 --- a/examples/multi-runner/README.md +++ b/examples/multi-runner/README.md @@ -32,7 +32,6 @@ terraform apply -var=module_version= cd - ``` - Before running Terraform, ensure the GitHub app is configured. See the [configuration details](https://philips-labs.github.io/terraform-aws-github-runner/configuration/) for more details. ```bash 
@@ -47,47 +46,49 @@ terraform output -raw webhook_secret ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3.0 | -| [aws](#requirement\_aws) | ~> 5.27 | -| [local](#requirement\_local) | ~> 2.0 | -| [random](#requirement\_random) | ~> 3.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.3.0 | +| [aws](#requirement_aws) | ~> 5.27 | +| [local](#requirement_local) | ~> 2.0 | +| [random](#requirement_random) | ~> 3.0 | ## Providers -| Name | Version | -|------|---------| -| [random](#provider\_random) | 3.6.0 | +| Name | Version | +| --------------------------------------------------------- | ------- | +| [random](#provider_random) | 3.6.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [base](#module\_base) | ../base | n/a | -| [runners](#module\_runners) | ../../modules/multi-runner | n/a | -| [webhook\_github\_app](#module\_webhook\_github\_app) | ../../modules/webhook-github-app | n/a | +| Name | Source | Version | +| ----------------------------------------------------------------------------------------- | -------------------------------- | ------- | +| [base](#module_base) | ../base | n/a | +| [runners](#module_runners) | ../../modules/multi-runner | n/a | +| [webhook_github_app](#module_webhook_github_app) | ../../modules/webhook-github-app | n/a | ## Resources -| Name | Type | -|------|------| +| Name | Type | +| ----------------------------------------------------------------------------------------------------- | -------- | | [random_id.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_region](#input\_aws\_region) | AWS region to deploy to | `string` | `"eu-west-1"` | no | -| 
[environment](#input\_environment) | Environment name, used as prefix | `string` | `null` | no | -| [github\_app](#input\_github\_app) | GitHub for API usages. |
object({
id = string
key_base64 = string
})
| n/a | yes | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------ | -------------------------------- | --------------------------------------------------------------------- | ------------- | :------: | +| [aws_region](#input_aws_region) | AWS region to deploy to | `string` | `"eu-west-1"` | no | +| [environment](#input_environment) | Environment name, used as prefix | `string` | `null` | no | +| [github_app](#input_github_app) | GitHub for API usages. |
object({
id = string
key_base64 = string
})
| n/a | yes | ## Outputs -| Name | Description | -|------|-------------| -| [webhook\_endpoint](#output\_webhook\_endpoint) | n/a | -| [webhook\_secret](#output\_webhook\_secret) | n/a | +| Name | Description | +| ----------------------------------------------------------------------------------- | ----------- | +| [webhook_endpoint](#output_webhook_endpoint) | n/a | +| [webhook_secret](#output_webhook_secret) | n/a | + diff --git a/examples/multi-runner/templates/user-data.sh b/examples/multi-runner/templates/user-data.sh index 752a0de0e3..bb5d490f3b 100644 --- a/examples/multi-runner/templates/user-data.sh +++ b/examples/multi-runner/templates/user-data.sh 
@@ -15,67 +15,72 @@ set -x
 ${pre_install}
 # Install AWS CLI
-apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get install -y \
- awscli \
+apt-get -q update
+DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
 build-essential \
+ ca-certificates \
 curl \
 git \
 iptables \
 jq \
+ systemd-container \
 uidmap \
 unzip \
 wget
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+chmod a+r /etc/apt/keyrings/docker.asc
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
+apt-get -q update
+apt-get -q -y install docker-ce docker-ce-cli containerd.io docker-ce-rootless-extras docker-buildx-plugin docker-compose-plugin
+systemctl disable --now docker.socket docker.service
+
+# avoid /tmp, might be mounted no-exec
+curl -fsSL -o "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
+unzip -q awscliv2.zip
+aws/install
+rm -rf aws awscliv2.zip
+
 user_name=ubuntu
 user_id=$(id -ru $user_name)
 # install and configure cloudwatch logging agent
-wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
-dpkg -i -E ./amazon-cloudwatch-agent.deb
-amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:${ssm_key_cloudwatch_agent_config}
+curl -fsSL -o "/tmp/amazon-cloudwatch-agent.deb" https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
+dpkg -i -E /tmp/amazon-cloudwatch-agent.deb
+rm -f /tmp/amazon-cloudwatch-agent.deb
+amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c "ssm:${ssm_key_cloudwatch_agent_config}"
 # configure systemd for running service in users accounts
-cat >/etc/systemd/user@UID.service <<-EOF
-
-[Unit]
-Description=User Manager for UID %i
-After=user-runtime-dir@%i.service
-Wants=user-runtime-dir@%i.service
-
-[Service]
-LimitNOFILE=infinity
-LimitNPROC=infinity
-User=%i
-PAMName=systemd-user
-Type=notify
-
-[Install]
-WantedBy=default.target
-
+mkdir -p /etc/systemd/system/user-$user_id.slice.d
+cat > /etc/systemd/system/user-$user_id.slice.d/resources.conf <<- EOF
+[Slice]
+TasksMax=infinity
 EOF
-
-echo export XDG_RUNTIME_DIR=/run/user/$user_id >>/home/$user_name/.bashrc
+mkdir -p /home/$user_name/.config/systemd/
+cat > /home/$user_name/.config/systemd/user.conf <<- EOF
+[Manager]
+DefaultLimitNOFILE=infinity
+DefaultLimitNPROC=infinity
+EOF
+chown $user_name:$user_name /home/$user_name/.config/systemd/user.conf /home/$user_name/.config/systemd /home/$user_name/.config/
 systemctl daemon-reload
-systemctl enable user@UID.service
-systemctl start user@UID.service
-curl -fsSL https://get.docker.com/rootless >>/opt/rootless.sh && chmod 755 /opt/rootless.sh
-su -l $user_name -c /opt/rootless.sh
-echo export DOCKER_HOST=unix:///run/user/$user_id/docker.sock >>/home/$user_name/.bashrc
-echo export PATH=/home/$user_name/bin:$PATH >>/home/$user_name/.bashrc
+echo export XDG_RUNTIME_DIR="/run/user/$user_id" >> "/home/$user_name/.bashrc"
 # Run docker service by default
 loginctl enable-linger $user_name
-su -l $user_name -c "systemctl --user enable docker"
+machinectl shell "$user_name@.host" /usr/bin/dockerd-rootless-setuptool.sh install
+echo export DOCKER_HOST="unix:///run/user/$user_id/docker.sock" >> "/home/$user_name/.bashrc"
+echo export PATH="/home/$user_name/bin:$PATH" >> "/home/$user_name/.bashrc"
 ${install_runner}
 # config runner for rootless docker
 cd /opt/actions-runner/
-echo DOCKER_HOST=unix:///run/user/$user_id/docker.sock >>.env
-echo PATH=/home/$user_name/bin:$PATH >>.env
+echo DOCKER_HOST="unix:///run/user/$user_id/docker.sock" >> .env
+echo PATH="/home/$user_name/bin:$PATH" >> .env
 ${post_install}
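Review bot: The AWS CLI v2 installer added under `# avoid /tmp, might be mounted no-exec` is fetched and run as root (`unzip`, then `aws/install`) with no integrity check, and the URL hard-codes `x86_64` even though the Docker repository line earlier in the same hunk derives the architecture with `dpkg --print-architecture`, so an arm64 instance gets the wrong binary. AWS publishes a detached signature next to each archive (`….zip.sig`) together with the CLI signing key in its install documentation; verify against a copy of that key pinned in the module (delivered via `${pre_install}` or baked into the AMI, never fetched at boot) and derive the file name from `uname -m`, which yields `x86_64`/`aarch64` as AWS names the archives. The CloudWatch agent `.deb` passed to `dpkg -i -E` a few lines later has the same two problems (unverified download, `amd64` hard-coded), though that part predates this commit. Separately, `machinectl shell "$user_name@.host" /usr/bin/dockerd-rootless-setuptool.sh install` does not, as far as I know, propagate the exit status of the command it runs, so a failed rootless setup would not abort provisioning even if the script sets `-e` (only `set -x` is visible in the hunk header); follow it with a check such as `systemctl --user -M "$user_name@" is-active docker || exit 1`, adjusting for the systemd version on the AMI.
```shell
# avoid /tmp, might be mounted no-exec
cli_arch="$(uname -m)"   # x86_64 or aarch64, matching the upstream archive names
curl -fsSL -o awscliv2.zip     "https://awscli.amazonaws.com/awscli-exe-linux-${cli_arch}.zip"
curl -fsSL -o awscliv2.zip.sig "https://awscli.amazonaws.com/awscli-exe-linux-${cli_arch}.zip.sig"
# AWS CLI signing key pinned in the module (placed by ${pre_install} or the AMI), not downloaded here;
# gpg --verify exits non-zero on a bad or unknown signature, which stops the script under set -e
gpg --import /opt/awscliv2-signing-key.asc
gpg --verify awscliv2.zip.sig awscliv2.zip
unzip -q awscliv2.zip
./aws/install
rm -rf aws awscliv2.zip awscliv2.zip.sig
# … unchanged: user_name / cloudwatch agent / systemd overrides …
```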