Update CI DinD container steps

2025-06-30 00:35:53 -04:00 · 2025-06-30 00:35:53 -04:00 · 4a4eddbb72
commit 4a4eddbb72
parent 117022cac6
2 changed files with 32 additions and 50 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -1034,6 +1034,9 @@ forgejo-runner register \
 **Step 4: Set Up System Configuration**

 ```bash
+# Create system config directory for Forgejo runner
+sudo mkdir -p /etc/forgejo-runner
+
 # Copy the runner configuration to system location
 sudo cp /home/DEPLOY_USER/.runner /etc/forgejo-runner/.runner

@ -1042,12 +1045,9 @@ sudo chown SERVICE_USER:SERVICE_USER /etc/forgejo-runner/.runner
 sudo chmod 600 /etc/forgejo-runner/.runner
 ```

-**Important**: Replace `your-forgejo-instance` with your actual Forgejo instance URL and `YOUR_REGISTRATION_TOKEN` with the token you copied from Step 2.

-**Note**: The `your-forgejo-instance` should be the **base URL** of your Forgejo instance (e.g., `https://git.<your-domain>/`), not the full path to the repository. The runner registration process will handle connecting to the specific repository based on the token you provide.

-**What this does**: 
- Creates the required `.runner` configuration file in the DEPLOY_USER's home directory
+**What this does**:
 - Copies the configuration to the system location (`/etc/forgejo-runner/.runner`)
 - Sets proper ownership and permissions for SERVICE_USER to access the config
 - Registers the runner with your Forgejo instance
@ -1056,9 +1056,6 @@ sudo chmod 600 /etc/forgejo-runner/.runner
 **Step 5: Create and Enable Systemd Service**

 ```bash
-# Create system config directory for Forgejo runner
-sudo mkdir -p /etc/forgejo-runner
-
 sudo tee /etc/systemd/system/forgejo-runner.service > /dev/null << 'EOF'
 [Unit]
 Description=Forgejo Actions Runner
@ -1134,10 +1131,17 @@ sudo journalctl -u forgejo-runner.service -f --no-pager

 #### 8.1 Create Containerized CI/CD Environment

+
 ```bash
+# Switch to DEPLOY_USER (who has sudo access for Docker operations)
+sudo su - DEPLOY_USER
+
+# Navigate to the application directory
+cd /opt/APP_NAME
+
 # Start DinD container for isolated Docker operations
-docker run -d \
-  --name ci-cd-dind \
+sudo docker run -d \
+  --name ci-dind \
  --privileged \
  -p 2375:2375 \
  -e DOCKER_TLS_CERTDIR="" \
@ -1145,10 +1149,10 @@ docker run -d \

 # Wait for DinD to be ready
 echo "Waiting for DinD container to be ready..."
-timeout 60 bash -c 'until docker exec ci-cd-dind docker version; do sleep 2; done'
+timeout 60 bash -c 'until sudo docker exec ci-dind docker version; do sleep 2; done'

 # Test DinD connectivity
-docker exec ci-cd-dind docker version
+sudo docker exec ci-dind docker version
 ```

 **What this does**:
@ -1156,25 +1160,31 @@ docker exec ci-cd-dind docker version
 - **Health checks**: Ensures DinD is fully ready before proceeding
 - **Simple setup**: Direct Docker commands for maximum flexibility

+**Why DEPLOY_USER**: The DEPLOY_USER handles deployment orchestration and has sudo access for Docker operations, following the principle of least privilege.
+
 #### 8.2 Configure DinD for Harbor Registry

+
 ```bash
+# Navigate to the application directory
+cd /opt/APP_NAME
+
 # Configure Docker daemon in DinD for Harbor registry
-docker exec ci-cd-dind sh -c 'echo "{\"insecure-registries\": [\"localhost:5000\"]}" > /etc/docker/daemon.json'
+sudo docker exec ci-dind sh -c 'echo "{\"insecure-registries\": [\"localhost:5000\"]}" > /etc/docker/daemon.json'

 # Reload Docker daemon in DinD
-docker exec ci-cd-dind sh -c 'kill -HUP 1'
+sudo docker exec ci-dind sh -c 'kill -HUP 1'

 # Wait for Docker daemon to reload
 sleep 5

 # Test Harbor connectivity from DinD
-docker exec ci-cd-dind docker pull alpine:latest
-docker exec ci-cd-dind docker tag alpine:latest localhost:5000/test/alpine:latest
-docker exec ci-cd-dind docker push localhost:5000/test/alpine:latest
+sudo docker exec ci-dind docker pull alpine:latest
+sudo docker exec ci-dind docker tag alpine:latest localhost:5000/test/alpine:latest
+sudo docker exec ci-dind docker push localhost:5000/test/alpine:latest

 # Clean up test image
-docker exec ci-cd-dind docker rmi localhost:5000/test/alpine:latest
+sudo docker exec ci-dind docker rmi localhost:5000/test/alpine:latest
 ```

 **What this does**:
@ -1225,15 +1235,15 @@ The CI/CD pipeline uses a three-stage approach with dedicated environments for e

 ```bash
 # Test DinD functionality
-docker exec ci-cd-dind docker run --rm alpine:latest echo "DinD is working!"
+docker exec ci-dind docker run --rm alpine:latest echo "DinD is working!"

 # Test Harbor integration
-docker exec ci-cd-dind docker pull alpine:latest
-docker exec ci-cd-dind docker tag alpine:latest localhost:5000/test/dind-test:latest
-docker exec ci-cd-dind docker push localhost:5000/test/dind-test:latest
+docker exec ci-dind docker pull alpine:latest
+docker exec ci-dind docker tag alpine:latest localhost:5000/test/dind-test:latest
+docker exec ci-dind docker push localhost:5000/test/dind-test:latest

 # Clean up test
-docker exec ci-cd-dind docker rmi localhost:5000/test/dind-test:latest
+docker exec ci-dind docker rmi localhost:5000/test/dind-test:latest
 ```

 **Expected Output**:
--- a/ci-cd-compose.yml
+++ b/ci-cd-compose.yml
@ -1,28 +0,0 @@
-version: '3.8'
-
-services:
-  ci-cd-dind:
-    image: docker:dind
-    container_name: ci-cd-dind
-    privileged: true
-    restart: unless-stopped
-    ports:
-      - "2376:2376"
-    volumes:
-      - ci-cd-data:/var/lib/docker
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./backend:/workspace/backend
-      - ./frontend:/workspace/frontend
-      - ./scripts:/workspace/scripts
-    environment:
-      - DOCKER_TLS_CERTDIR=/certs
-    healthcheck:
-      test: ["CMD", "docker", "version"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 40s
-
-volumes:
-  ci-cd-data:
-    driver: local