implement rootless image

2023-05-22 15:32:37 +00:00 · 2023-05-22 15:32:37 +00:00 · 3452b8cdec
commit 3452b8cdec
parent 84386c1b16
4 changed files with 45 additions and 0 deletions
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -0,0 +1,24 @@
+FROM golang:1.20-alpine3.17 as builder
+# Do not remove `git` here, it is required for getting runner version when executing `make build`
+RUN apk add --no-cache make=4.3-r1 git=2.38.5-r0
+
+COPY . /opt/src/act_runner
+WORKDIR /opt/src/act_runner
+
+RUN make clean && make build
+
+FROM docker:dind-rootless
+USER root
+RUN apk add --no-cache \
+  git=2.40.1-r0 bash=5.2.15-r3 supervisor=4.2.5-r2 \
+  && rm -rf /var/cache/apk/*
+
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY /scripts/supervisord.conf /etc/supervisord.conf
+COPY /scripts/run.sh /opt/act/run.sh
+
+RUN mkdir /data \
+    && chown rootless:rootless /data
+
+USER rootless
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
--- a/2
+++ b/2
@ -19,6 +19,7 @@ GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "genera
 DOCKER_IMAGE ?= gitea/act_runner
 DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
+DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE)_rootless:$(DOCKER_TAG)

 ifneq ($(shell uname), Darwin)
 	EXTLDFLAGS = -extldflags "-static" $(null)
@ -169,6 +170,7 @@ docker:
 		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 	fi; \
 	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
+	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_ROOTLESS_REF) -f Dockerfile.rootless .

 clean:
 	$(GO) clean -x -i ./...
--- a/scripts/run.sh
+++ b/scripts/run.sh
@ -44,4 +44,10 @@ fi
 # Prevent reading the token from the act_runner process
 unset GITEA_RUNNER_REGISTRATION_TOKEN

+# wait for docker daemon
+while ! nc -z localhost 2376 </dev/null; do
+  echo 'waiting for docker daemon...'
+  sleep 5
+done
+
 act_runner daemon ${CONFIG_ARG}
--- a/scripts/supervisord.conf
+++ b/scripts/supervisord.conf
@ -0,0 +1,13 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+
+[program:dockerd]
+command=/usr/local/bin/dockerd-entrypoint.sh
+
+[program:act_runner]
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+command=/opt/act/run.sh