From 4a4eddbb725ed67f80702194136433a9b39e0112 Mon Sep 17 00:00:00 2001
From: continuist
Date: Mon, 30 Jun 2025 00:35:53 -0400
Subject: [PATCH] Update CI DinD container steps

---
 CI_CD_PIPELINE_SETUP_GUIDE.md | 54 +++++++++++++++++++++--------------
 ci-cd-compose.yml | 28 ------------------
 2 files changed, 32 insertions(+), 50 deletions(-)
 delete mode 100644 ci-cd-compose.yml

diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index 61da07e..b8228e5 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -1034,6 +1034,9 @@ forgejo-runner register \
 **Step 4: Set Up System Configuration**
 ```bash
+# Create system config directory for Forgejo runner
+sudo mkdir -p /etc/forgejo-runner
+
 # Copy the runner configuration to system location
 sudo cp /home/DEPLOY_USER/.runner /etc/forgejo-runner/.runner
@@ -1042,12 +1045,9 @@ sudo chown SERVICE_USER:SERVICE_USER /etc/forgejo-runner/.runner
 sudo chmod 600 /etc/forgejo-runner/.runner
 ```
-**Important**: Replace `your-forgejo-instance` with your actual Forgejo instance URL and `YOUR_REGISTRATION_TOKEN` with the token you copied from Step 2.
-**Note**: The `your-forgejo-instance` should be the **base URL** of your Forgejo instance (e.g., `https://git./`), not the full path to the repository. The runner registration process will handle connecting to the specific repository based on the token you provide.
-**What this does**:
-- Creates the required `.runner` configuration file in the DEPLOY_USER's home directory
+**What this does**:
 - Copies the configuration to the system location (`/etc/forgejo-runner/.runner`)
 - Sets proper ownership and permissions for SERVICE_USER to access the config
 - Registers the runner with your Forgejo instance
@@ -1056,9 +1056,6 @@ sudo chmod 600 /etc/forgejo-runner/.runner
 **Step 5: Create and Enable Systemd Service**
 ```bash
-# Create system config directory for Forgejo runner
-sudo mkdir -p /etc/forgejo-runner
-
 sudo tee /etc/systemd/system/forgejo-runner.service > /dev/null << 'EOF'
 [Unit]
 Description=Forgejo Actions Runner
@@ -1134,10 +1131,17 @@ sudo journalctl -u forgejo-runner.service -f --no-pager
 #### 8.1 Create Containerized CI/CD Environment
+
 ```bash
+# Switch to DEPLOY_USER (who has sudo access for Docker operations)
+sudo su - DEPLOY_USER
+
+# Navigate to the application directory
+cd /opt/APP_NAME
+
 # Start DinD container for isolated Docker operations
-docker run -d \
- --name ci-cd-dind \
+sudo docker run -d \
+ --name ci-dind \
  --privileged \
  -p 2375:2375 \
  -e DOCKER_TLS_CERTDIR="" \
@@ -1145,10 +1149,10 @@ docker run -d \
 # Wait for DinD to be ready
 echo "Waiting for DinD container to be ready..."
-timeout 60 bash -c 'until docker exec ci-cd-dind docker version; do sleep 2; done'
+timeout 60 bash -c 'until sudo docker exec ci-dind docker version; do sleep 2; done'
 # Test DinD connectivity
-docker exec ci-cd-dind docker version
+sudo docker exec ci-dind docker version
 ```
 **What this does**:
@@ -1156,25 +1160,31 @@ docker exec ci-cd-dind docker version
 - **Health checks**: Ensures DinD is fully ready before proceeding
 - **Simple setup**: Direct Docker commands for maximum flexibility
+**Why DEPLOY_USER**: The DEPLOY_USER handles deployment orchestration and has sudo access for Docker operations, following the principle of least privilege.
+
 #### 8.2 Configure DinD for Harbor Registry
+
 ```bash
+# Navigate to the application directory
+cd /opt/APP_NAME
+
 # Configure Docker daemon in DinD for Harbor registry
-docker exec ci-cd-dind sh -c 'echo "{\"insecure-registries\": [\"localhost:5000\"]}" > /etc/docker/daemon.json'
+sudo docker exec ci-dind sh -c 'echo "{\"insecure-registries\": [\"localhost:5000\"]}" > /etc/docker/daemon.json'
 # Reload Docker daemon in DinD
-docker exec ci-cd-dind sh -c 'kill -HUP 1'
+sudo docker exec ci-dind sh -c 'kill -HUP 1'
 # Wait for Docker daemon to reload
 sleep 5
 # Test Harbor connectivity from DinD
-docker exec ci-cd-dind docker pull alpine:latest
-docker exec ci-cd-dind docker tag alpine:latest localhost:5000/test/alpine:latest
-docker exec ci-cd-dind docker push localhost:5000/test/alpine:latest
+sudo docker exec ci-dind docker pull alpine:latest
+sudo docker exec ci-dind docker tag alpine:latest localhost:5000/test/alpine:latest
+sudo docker exec ci-dind docker push localhost:5000/test/alpine:latest
 # Clean up test image
-docker exec ci-cd-dind docker rmi localhost:5000/test/alpine:latest
+sudo docker exec ci-dind docker rmi localhost:5000/test/alpine:latest
 ```
 **What this does**:
@@ -1225,15 +1235,15 @@ The CI/CD pipeline uses a three-stage approach with dedicated environments for e
 ```bash
 # Test DinD functionality
-docker exec ci-cd-dind docker run --rm alpine:latest echo "DinD is working!"
+docker exec ci-dind docker run --rm alpine:latest echo "DinD is working!"
 # Test Harbor integration
-docker exec ci-cd-dind docker pull alpine:latest
-docker exec ci-cd-dind docker tag alpine:latest localhost:5000/test/dind-test:latest
-docker exec ci-cd-dind docker push localhost:5000/test/dind-test:latest
+docker exec ci-dind docker pull alpine:latest
+docker exec ci-dind docker tag alpine:latest localhost:5000/test/dind-test:latest
+docker exec ci-dind docker push localhost:5000/test/dind-test:latest
 # Clean up test
-docker exec ci-cd-dind docker rmi localhost:5000/test/dind-test:latest
+docker exec ci-dind docker rmi localhost:5000/test/dind-test:latest
 ```
 **Expected Output**:
diff --git a/ci-cd-compose.yml b/ci-cd-compose.yml
deleted file mode 100644
index d9c0dd3..0000000
--- a/ci-cd-compose.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-version: '3.8'
-
-services:
- ci-cd-dind:
- image: docker:dind
- container_name: ci-cd-dind
- privileged: true
- restart: unless-stopped
- ports:
- - "2376:2376"
- volumes:
- - ci-cd-data:/var/lib/docker
- - /var/run/docker.sock:/var/run/docker.sock
- - ./backend:/workspace/backend
- - ./frontend:/workspace/frontend
- - ./scripts:/workspace/scripts
- environment:
- - DOCKER_TLS_CERTDIR=/certs
- healthcheck:
- test: ["CMD", "docker", "version"]
- interval: 30s
- timeout: 10s
- retries: 3
- start_period: 40s
-
-volumes:
- ci-cd-data:
- driver: local
\ No newline at end of file