From efbf332583ae3026bf702b855186e855353c9669 Mon Sep 17 00:00:00 2001
From: continuist
Date: Fri, 5 Sep 2025 16:15:24 -0400
Subject: [PATCH] Needed to make changes to use service user lingering
---
 .forgejo/workflows/ci.yml | 38 +++++++++++++++----------------------
 podman-host-socket.service | 13 +++++++++++++
 secure_pip_setup.sh | 39 ++++++++++----------------------------
 3 files changed, 38 insertions(+), 52 deletions(-)
 create mode 100644 podman-host-socket.service
diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 0282811..6618521 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -85,12 +85,11 @@ jobs:
 podman exec ci-pip-$RUN_ID podman rm test-postgres 2>/dev/null || true
 podman exec ci-pip-$RUN_ID podman network rm integ-$RUN_ID 2>/dev/null || true
- - name: Per-job cleanup (host socket)
+ - name: Per-job cleanup (container only)
 if: always()
 run: |
- SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
- pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
- rm -rf "${SOCKET_DIR}" 2>/dev/null || true
+ # Only cleanup the PiP container, socket is managed by systemd service
+ podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
 test-frontend:
 runs-on: [self-hosted, ci]
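Review bot: The new per-job cleanup step runs `podman rm -f ci-pip-$RUN_ID` on the host from every job, but the container name is keyed on the run id alone, so if two jobs of the same run execute concurrently on the same runner (test-backend and test-frontend both target [self-hosted, ci] and have no ordering between them) the first job to finish removes the PiP container the other job is still using. Before this change only the final cleanup job removed the container, so this is a new failure mode rather than a pre-existing one. Either give the container a per-job suffix in secure_pip_setup.sh and here, or keep the per-job step to the `podman exec ... rm`/`network rm` work above and leave `podman rm -f` to the cleanup job; note too that those two `podman exec` lines silently no-op (`|| true`) once the PiP container is gone, so order matters. The same point applies to the other three per-job cleanup steps added in the test-frontend, build-backend and build-frontend hunks.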
@@ -118,12 +117,11 @@ jobs:
 node:20@sha256:7890abcdef1234567890abcdef1234567890abcdef1234567890abcdef123456 \
 sh -c "npm ci && npm run test"'
- - name: Per-job cleanup (host socket)
+ - name: Per-job cleanup (container only)
 if: always()
 run: |
- SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
- pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
- rm -rf "${SOCKET_DIR}" 2>/dev/null || true
+ # Only cleanup the PiP container, socket is managed by systemd service
+ podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
 build-backend:
 runs-on: [self-hosted, ci]
@@ -158,12 +156,11 @@ jobs:
 podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
 ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG"'
- - name: Per-job cleanup (host socket)
+ - name: Per-job cleanup (container only)
 if: always()
 run: |
- SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
- pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
- rm -rf "${SOCKET_DIR}" 2>/dev/null || true
+ # Only cleanup the PiP container, socket is managed by systemd service
+ podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
 build-frontend:
 runs-on: [self-hosted, ci]
@@ -198,23 +195,18 @@ jobs:
 podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
 ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG"'
- - name: Per-job cleanup (host socket)
+ - name: Per-job cleanup (container only)
 if: always()
 run: |
- SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
- pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
- rm -rf "${SOCKET_DIR}" 2>/dev/null || true
+ # Only cleanup the PiP container, socket is managed by systemd service
+ podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
 cleanup:
 runs-on: [self-hosted, ci]
 needs: [build-backend, build-frontend]
 if: always()
 steps:
- - name: Cleanup PiP container and per-run socket
+ - name: Cleanup PiP container
 run: |
- podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
- SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
- if pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" >/dev/null; then
- pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
- fi
- rm -rf "${SOCKET_DIR}" 2>/dev/null || true
\ No newline at end of file
+ # Only cleanup the PiP container, socket is managed by systemd service
+ podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
\ No newline at end of file
diff --git a/podman-host-socket.service b/podman-host-socket.service
new file mode 100644
index 0000000..c21835f
--- /dev/null
+++ b/podman-host-socket.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Rootless Podman REST (UNIX socket only)
+After=default.target
+
+[Service]
+Type=simple
+Environment="XDG_RUNTIME_DIR=/run/user/%U"
+ExecStart=/usr/bin/podman system service --time=0 unix://${XDG_RUNTIME_DIR}/podman-host/podman.sock
+Restart=always
+RestartSec=2
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
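Review bot: `After=default.target` on a unit that is itself `WantedBy=default.target` most likely produces an ordering cycle in the user manager: the target pulls the service in and is ordered after it, while the service asks to start after the target, so systemd has to drop one job and the socket may never come up; removing the `After=` line (or ordering after something the service actually depends on) is the fix. A user unit wanted by default.target also only starts with no login session when lingering is enabled for the service user (`loginctl enable-linger`), which the commit title relies on but nothing in the unit records; a comment at the top of the file, e.g. `# Requires: loginctl enable-linger <service user>` with the real account name, would make the deployment requirement discoverable. Separately, the removed script lines created the socket directory with mode 0700 before starting the service, and this unit only names the path `podman-host/podman.sock`; whether `podman system service` creates that directory and with what mode is not visible here and is worth confirming, though the parent `/run/user/%U` is normally user-only, which bounds the exposure. The file also lacks a trailing newline.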
diff --git a/secure_pip_setup.sh b/secure_pip_setup.sh
index 6e84765..7c4a199 100644
--- a/secure_pip_setup.sh
+++ b/secure_pip_setup.sh
@@ -7,45 +7,26 @@ set -euo pipefail
 # Configuration
 RUN_ID="${GITHUB_RUN_ID:-local}"
 PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
-SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
-SOCKET_PATH="${SOCKET_DIR}/podman.sock"
+SOCKET_PATH="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host/podman.sock"
 PODMAN_IMAGE="quay.io/podman/stable@sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890"
 WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
-# Clean up any existing container and socket for this run
-echo "๐Ÿงน Cleaning up any existing PiP container and socket for run ${RUN_ID}..."
+# Clean up any existing container for this run
+echo "๐Ÿงน Cleaning up any existing PiP container for run ${RUN_ID}..."
 podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true
-# Kill any host service bound to this specific socket path
-if pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" >/dev/null; then
- echo "๐Ÿ›‘ Stopping existing host service for this socket..."
- pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" | awk '{print $1}' | xargs -r kill || true
-fi
-
-# Remove existing socket directory
-rm -rf "${SOCKET_DIR}" 2>/dev/null || true
-
-# Create secure per-run socket directory
-echo "๐Ÿ“ Creating per-run socket directory..."
-mkdir -p "${SOCKET_DIR}"
-chmod 700 "${SOCKET_DIR}"
-
-# Start host Podman service on UNIX socket (background)
-echo "๐Ÿ”ง Starting host Podman service on UNIX socket..."
-podman system service --time=0 "unix://${SOCKET_PATH}" &
-HOST_PODMAN_PID=$!
-sleep 2
-
-# Verify socket was created
+# Verify the systemd-managed socket exists
+echo "๐Ÿ” Checking for systemd-managed Podman socket..."
 if [[ ! -S "${SOCKET_PATH}" ]]; then
- echo "โŒ ERROR: Podman socket not created at ${SOCKET_PATH}"
- kill ${HOST_PODMAN_PID} 2>/dev/null || true
+ echo "โŒ ERROR: Podman socket not found at ${SOCKET_PATH}"
+ echo " Ensure the podman-host-socket.service is running:"
+ echo " sudo -u ci-service systemctl --user enable --now podman-host-socket.service"
 exit 1
 fi
-# Set secure permissions on socket
+# Set secure permissions on socket (in case they were reset)
 echo "๐Ÿ”’ Setting secure socket permissions..."
-chmod 660 "${SOCKET_PATH}"
+chmod 660 "${SOCKET_PATH}" 2>/dev/null || true
 # Create ephemeral PiP container as client only (no inner daemon)
 echo "๐Ÿณ Creating secure PiP client container with workspace mount..."
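Review bot: `chmod 660 "${SOCKET_PATH}" 2>/dev/null || true` now continues silently when the permission change fails, so the "secure socket permissions" step no longer guarantees anything; a failure here means the socket is not owned by this user or not writable, which should stay fatal under `set -e` (`chmod 660 "${SOCKET_PATH}"` as before) or at least be verified afterwards, e.g. `[[ "$(stat -c %a "${SOCKET_PATH}")" == "660" ]] || exit 1`. The `-S` test also only proves that a socket file exists; a stale socket left behind by a crashed service passes it, so a liveness probe such as `podman --remote --url "unix://${SOCKET_PATH}" version >/dev/null` before the container is created would fail earlier and more clearly than a later timeout. The remediation printed on failure, `sudo -u ci-service systemctl --user enable --now ...`, generally cannot reach the user manager without XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS in the sudo environment and without lingering enabled (`loginctl enable-linger ci-service`), which the commit title refers to but the message omits; naming that step in the error text would save a debugging round. The script continues past the end of the hunk.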