From 1c4ac1fffb46e3186e30dc478bcc1e1c93e90cea Mon Sep 17 00:00:00 2001 From: continuist Date: Mon, 8 Sep 2025 23:15:05 -0400 Subject: [PATCH] Fix bugs preventing containers in PiP from reaching Forgejo instance --- .forgejo/workflows/ci.yml | 7 ++- CI_CD_PIPELINE_SETUP_GUIDE.md | 82 ++++++++++++++++++++++++++++++----- 2 files changed, 76 insertions(+), 13 deletions(-) diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index 467706b..68341b9 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -31,6 +31,11 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Network/DNS sanity from job container + run: | + getent hosts git.gcdo.org || true + curl -sS -o /dev/null -w 'status=%{http_code}\n' https://git.gcdo.org/api/healthz || true + - name: Verify pinned digests provided run: | for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do @@ -97,7 +102,7 @@ jobs: --network integ-'"$RUN_ID"' \ -v "$WORKSPACE":/workspace \ -w /workspace \ - -e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \ + -e DATABASE_URL=postgres://postgres:password@test-postgres:5432/sharenet_test \ "'"${RUST_IMG_DIGEST}"'" \ sh -c "cargo test --test '"'"'*'"'"' -- --test-threads=1"' diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index b9aa5c0..ee9565b 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md 
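Review bot: The new "Network/DNS sanity from job container" step cannot fail, because both `getent` and `curl` are suffixed with `|| true`, so it only logs and will never catch a recurrence of the reachability bug this commit is fixing. Keep the `getent ... || true` as a diagnostic, but let the health probe be the actual gate: `curl -fsS --max-time 10 -o /dev/null -w 'status=%{http_code}\n' https://git.gcdo.org/api/healthz`, so a non-2xx answer fails the job and a black-holed network does not stall it for the default TCP timeout. The hostname `git.gcdo.org` is hard-coded in two places here; if the runner exports the server URL to jobs (Forgejo sets `GITHUB_SERVER_URL` as far as I know — confirm), deriving the URL from it would keep the check valid if the instance moves.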
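Review bot: The rewritten `DATABASE_URL` embeds the Postgres superuser and a literal password (`postgres:password`) that must match however `test-postgres` is started, which is outside this hunk, so the credential now lives in two places and the tests run as superuser, masking grant/ownership bugs in migrations. Define them once as job-level `env:` (e.g. `TEST_DB_USER`/`TEST_DB_PASSWORD`, or generate the password per run with `openssl rand -hex 16` in the script) and reference them from both the postgres container and this line: `-e DATABASE_URL="postgres://${TEST_DB_USER}:${TEST_DB_PASSWORD}@test-postgres:5432/sharenet_test" \`. Risk is low while the database only exists on the per-run `integ-$RUN_ID` network, but that assumption should be stated in a comment next to the line. The enclosing `run:` script starts before this hunk, so watch the outer-shell quoting (`'"..."'`) when moving the values into variables.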
@@ -867,18 +867,18 @@ forgejo-runner register \ ```bash # Create system config directory for Forgejo runner -sudo mkdir -p /etc/forgejo-runner +sudo mkdir -p /var/lib/forgejo-runner # Copy the runner configuration to system location -sudo mv /home/CI_DEPLOY_USER/.runner /etc/forgejo-runner/.runner +sudo mv /home/CI_DEPLOY_USER/.runner /var/lib/forgejo-runner/.runner # Set proper ownership and permissions -sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/forgejo-runner/.runner -sudo chmod 600 /etc/forgejo-runner/.runner +sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/forgejo-runner/.runner +sudo chmod 600 /var/lib/forgejo-runner/.runner ``` **What this does**: -- Copies the configuration to the system location (`/etc/forgejo-runner/.runner`) +- Copies the configuration to the system location (`/var/lib/forgejo-runner/.runner`) - Sets proper ownership and permissions for CI_SERVICE_USER to access the config - Registers the runner with your Forgejo instance - Sets up the runner with appropriate labels for Ubuntu and Docker environments 
@@ -887,28 +887,73 @@ sudo chmod 600 /etc/forgejo-runner/.runner ```bash sudo tee /etc/systemd/system/forgejo-runner.service > /dev/null << 'EOF' +# /etc/systemd/system/forgejo-runner.service [Unit] -Description=Forgejo Actions Runner -After=network.target +Description=Forgejo Actions Runner (CI, rootless) +Wants=network-online.target user@%U.service +After=network-online.target user@%U.service [Service] -Type=simple -WorkingDirectory=/etc/forgejo-runner -ExecStart=/usr/bin/forgejo-runner daemon +User=ci-service +Group=ci-service + +# Point runner at the rootless Podman user socket; no TCP sockets. +Environment=XDG_RUNTIME_DIR=/run/user/%U +Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%U/bus +Environment=DOCKER_HOST=unix:///run/user/%U/podman/podman.sock + +# Use your config that gives job containers outbound DNS/HTTPS (egress only) +ExecStart=/usr/bin/forgejo-runner daemon --config /etc/forgejo-runner-ci.yaml Restart=always -RestartSec=10 +RestartSec=2 +NoNewPrivileges=yes + +# Lock it down; allow writes only where needed for jobs/state +ProtectSystem=strict +ProtectHome=read-only +PrivateTmp=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +RestrictSUIDSGID=yes +LockPersonality=yes +CapabilityBoundingSet= +AmbientCapabilities= +SystemCallArchitectures=native +ReadWritePaths=/home/ci-service/.cache/act /var/lib/forgejo-runner-ci [Install] WantedBy=multi-user.target EOF +# One-time prep as CI_DEPLOY_USER: + +SVC=ci-service +RUN_UID=$(id -u "$SVC") + +# Ensure the user manager + user socket exist +sudo loginctl enable-linger "$SVC" +sudo systemctl start "user@${RUN_UID}.service" +sudo -u "$SVC" XDG_RUNTIME_DIR=/run/user/$RUN_UID DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$RUN_UID/bus \ + systemctl --user enable --now podman.socket + +# Create writable dirs for the hardened unit +sudo install -d -o "$SVC" -g "$SVC" -m 0750 /home/$SVC/.cache/act /var/lib/forgejo-runner-ci + +# Point your runner config to the token in 
/var/lib (least privilege) +# /etc/forgejo-runner/config.yaml -> runner.file: /var/lib/forgejo-runner/.runner + +# Reload + start the system unit +sudo systemctl daemon-reload +sudo systemctl enable --now forgejo-runner.service + # Enable the service via user manager sudo systemctl enable forgejo-runner.service ``` **What this does**: - Creates the systemd service configuration for the Forgejo runner -- Sets the working directory to `/etc/forgejo-runner` where the `.runner` configuration file is located +- Sets the working directory to `/var/lib/forgejo-runner` where the `.runner` configuration file is located - The runner will start here but the CI workflow will deploy the application to `/opt/APP_NAME` - Enables the service to start automatically on boot - Sets up proper restart behavior for reliability @@ -1001,6 +1046,19 @@ fi if ! grep -q "^${SVC_USER}:" /etc/subuid; then echo "${SVC_USER}:100000:65536" | sudo tee -a /etc/subuid >/dev/null; fi if ! grep -q "^${SVC_USER}:" /etc/subgid; then echo "${SVC_USER}:100000:65536" | sudo tee -a /etc/subgid >/dev/null; fi + +# TODO: Try this instead of the below few steps +# one-time +sudo apt-get update -y && sudo apt-get install -y systemd-container +sudo loginctl enable-linger ci-service +sudo systemctl start "user@$(id -u ci-service).service" + +# now you can do this anywhere, no env exports: +sudo systemctl --user --machine=ci-service@ daemon-reload +sudo systemctl --user --machine=ci-service@ enable --now podman.socket +sudo systemctl --user --machine=ci-service@ status podman.socket --no-pager + + # 3) Enable linger so the user's manager runs without login sudo loginctl enable-linger "$SVC_USER" loginctl show-user "$SVC_USER" | grep -q '^Linger=yes' || { echo "Linger not enabled"; exit 1; }
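Review bot: The `%U` specifiers in the hardened unit look wrong for a system unit with `User=ci-service`: if I read the systemd.unit specifier table correctly, `%U`/`%u` in a system-manager unit resolve to the user running the manager (root, UID 0), not to `User=`, so `XDG_RUNTIME_DIR`, `DBUS_SESSION_BUS_ADDRESS`, `DOCKER_HOST` and `Wants=/After=user@%U.service` would point at `/run/user/0` and `user@0.service` rather than the ci-service socket the prep steps enable. Render the real UID into the unit at install time instead, e.g. compute `RUN_UID=$(id -u ci-service)` before the heredoc, drop the quotes on the `<< 'EOF'` delimiter so it expands, and write `Environment=DOCKER_HOST=unix:///run/user/${RUN_UID}/podman/podman.sock` (likewise for the other two variables and `user@${RUN_UID}.service`). The paths in this hunk also disagree with each other: `.runner` is moved to `/var/lib/forgejo-runner/.runner`, but the unit only grants `ReadWritePaths=/var/lib/forgejo-runner-ci`; the comment points at `/etc/forgejo-runner/config.yaml` while `ExecStart` passes `--config /etc/forgejo-runner-ci.yaml`; `User=ci-service` is literal where the rest of the guide uses the `CI_SERVICE_USER` placeholder; and the "What this does" bullet still says a working directory is set although `WorkingDirectory=` was removed. A single `RUNNER_STATE_DIR`-style variable used for the `mv`, `chown`, `ReadWritePaths` and the config comment would make the least-privilege intent verifiable rather than hoped for.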