Changes needed to use service-user lingering (host Podman socket moved to a systemd user service)
This commit is contained in:
parent
2b9df36966
commit
efbf332583
3 changed files with 38 additions and 52 deletions
|
@ -85,12 +85,11 @@ jobs:
|
||||||
podman exec ci-pip-$RUN_ID podman rm test-postgres 2>/dev/null || true
|
podman exec ci-pip-$RUN_ID podman rm test-postgres 2>/dev/null || true
|
||||||
podman exec ci-pip-$RUN_ID podman network rm integ-$RUN_ID 2>/dev/null || true
|
podman exec ci-pip-$RUN_ID podman network rm integ-$RUN_ID 2>/dev/null || true
|
||||||
|
|
||||||
- name: Per-job cleanup (host socket)
|
- name: Per-job cleanup (container only)
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
|
# Only cleanup the PiP container, socket is managed by systemd service
|
||||||
pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
|
podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
|
||||||
rm -rf "${SOCKET_DIR}" 2>/dev/null || true
|
|
||||||
|
|
||||||
test-frontend:
|
test-frontend:
|
||||||
runs-on: [self-hosted, ci]
|
runs-on: [self-hosted, ci]
|
||||||
|
@ -118,12 +117,11 @@ jobs:
|
||||||
node:20@sha256:7890abcdef1234567890abcdef1234567890abcdef1234567890abcdef123456 \
|
node:20@sha256:7890abcdef1234567890abcdef1234567890abcdef1234567890abcdef123456 \
|
||||||
sh -c "npm ci && npm run test"'
|
sh -c "npm ci && npm run test"'
|
||||||
|
|
||||||
- name: Per-job cleanup (host socket)
|
- name: Per-job cleanup (container only)
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
|
# Only cleanup the PiP container, socket is managed by systemd service
|
||||||
pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
|
podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
|
||||||
rm -rf "${SOCKET_DIR}" 2>/dev/null || true
|
|
||||||
|
|
||||||
build-backend:
|
build-backend:
|
||||||
runs-on: [self-hosted, ci]
|
runs-on: [self-hosted, ci]
|
||||||
|
@ -158,12 +156,11 @@ jobs:
|
||||||
podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
|
podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
|
||||||
ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG"'
|
ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG"'
|
||||||
|
|
||||||
- name: Per-job cleanup (host socket)
|
- name: Per-job cleanup (container only)
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
|
# Only cleanup the PiP container, socket is managed by systemd service
|
||||||
pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
|
podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
|
||||||
rm -rf "${SOCKET_DIR}" 2>/dev/null || true
|
|
||||||
|
|
||||||
build-frontend:
|
build-frontend:
|
||||||
runs-on: [self-hosted, ci]
|
runs-on: [self-hosted, ci]
|
||||||
|
@ -198,23 +195,18 @@ jobs:
|
||||||
podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
|
podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
|
||||||
ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG"'
|
ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG"'
|
||||||
|
|
||||||
- name: Per-job cleanup (host socket)
|
- name: Per-job cleanup (container only)
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
|
# Only cleanup the PiP container, socket is managed by systemd service
|
||||||
pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
|
podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
|
||||||
rm -rf "${SOCKET_DIR}" 2>/dev/null || true
|
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
runs-on: [self-hosted, ci]
|
runs-on: [self-hosted, ci]
|
||||||
needs: [build-backend, build-frontend]
|
needs: [build-backend, build-frontend]
|
||||||
if: always()
|
if: always()
|
||||||
steps:
|
steps:
|
||||||
- name: Cleanup PiP container and per-run socket
|
- name: Cleanup PiP container
|
||||||
run: |
|
run: |
|
||||||
|
# Only cleanup the PiP container, socket is managed by systemd service
|
||||||
podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
|
podman rm -f ci-pip-$RUN_ID 2>/dev/null || true
|
||||||
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
|
|
||||||
if pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" >/dev/null; then
|
|
||||||
pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
|
|
||||||
fi
|
|
||||||
rm -rf "${SOCKET_DIR}" 2>/dev/null || true
|
|
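Review bot: In each of the four per-job cleanup steps and in the `cleanup` job, `podman rm -f ci-pip-$RUN_ID 2>/dev/null || true` leaves `$RUN_ID` unquoted, unlike the setup script's `podman rm -f "${PIP_CONTAINER_NAME}"`; with the per-run socket directory and service-kill removed, this `rm -f` is now the only thing bounding the PiP container's lifetime, so I'd write `podman rm -f "ci-pip-${RUN_ID}" 2>/dev/null || true` in all five places. The new comment `# Only cleanup the PiP container, socket is managed by systemd service` should also state what that implies: the host API socket is now shared by every job and every concurrent run on this runner and persists after the run, where before each run killed its own `podman system service` and deleted its directory. If that is the intended trade-off, a line such as `# NOTE: the host socket is shared across jobs/runs; nothing here stops or reclaims the host service` keeps the next reader from assuming per-run teardown still happens. The workflow's file path is not shown on this page, so I cannot tell whether other jobs outside these hunks still reference `podman-host-${RUN_ID}`.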
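--- /dev/null
+++ b/podman-host-socket.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Rootless Podman REST (UNIX socket only)
+After=default.target
+
+[Service]
+Type=simple
+Environment="XDG_RUNTIME_DIR=/run/user/%U"
+ExecStart=/usr/bin/podman system service --time=0 unix://${XDG_RUNTIME_DIR}/podman-host/podman.sock
+Restart=always
+RestartSec=2
+
+[Install]
+WantedBy=default.target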
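Review bot: The unit never creates or restricts the socket's parent directory `podman-host`, so its mode depends on whatever `podman system service` and the user's umask produce; the setup script used to `mkdir -p` and `chmod 700` the per-run directory, and this commit drops that step without replacing it. systemd can own the directory instead: add `RuntimeDirectory=podman-host` and `RuntimeDirectoryMode=0700` under `[Service]`, which creates `%t/podman-host` with that mode on start and removes it on stop, and then `ExecStart` can use `unix://%t/podman-host/podman.sock`, which makes the `Environment="XDG_RUNTIME_DIR=/run/user/%U"` line unnecessary as far as I can tell (the user manager already exports it). `After=default.target` on a unit that is itself pulled in by `WantedBy=default.target` looks unusual; I would confirm it does not delay or cycle startup of the user session, or drop the `After=` line. Worth a comment at the top of the unit that this socket grants full control of the user's Podman to anything that can open it, since it is now long-lived and shared by every CI run rather than per-run.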
@ -7,45 +7,26 @@ set -euo pipefail
|
||||||
# Configuration
|
# Configuration
|
||||||
RUN_ID="${GITHUB_RUN_ID:-local}"
|
RUN_ID="${GITHUB_RUN_ID:-local}"
|
||||||
PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
|
PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
|
||||||
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
|
SOCKET_PATH="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host/podman.sock"
|
||||||
SOCKET_PATH="${SOCKET_DIR}/podman.sock"
|
|
||||||
PODMAN_IMAGE="quay.io/podman/stable@sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890"
|
PODMAN_IMAGE="quay.io/podman/stable@sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890"
|
||||||
WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
|
WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
|
||||||
|
|
||||||
# Clean up any existing container and socket for this run
|
# Clean up any existing container for this run
|
||||||
echo "🧹 Cleaning up any existing PiP container and socket for run ${RUN_ID}..."
|
echo "🧹 Cleaning up any existing PiP container for run ${RUN_ID}..."
|
||||||
podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true
|
podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true
|
||||||
|
|
||||||
# Kill any host service bound to this specific socket path
|
# Verify the systemd-managed socket exists
|
||||||
if pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" >/dev/null; then
|
echo "🔍 Checking for systemd-managed Podman socket..."
|
||||||
echo "🛑 Stopping existing host service for this socket..."
|
|
||||||
pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_PATH}" | awk '{print $1}' | xargs -r kill || true
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Remove existing socket directory
|
|
||||||
rm -rf "${SOCKET_DIR}" 2>/dev/null || true
|
|
||||||
|
|
||||||
# Create secure per-run socket directory
|
|
||||||
echo "📁 Creating per-run socket directory..."
|
|
||||||
mkdir -p "${SOCKET_DIR}"
|
|
||||||
chmod 700 "${SOCKET_DIR}"
|
|
||||||
|
|
||||||
# Start host Podman service on UNIX socket (background)
|
|
||||||
echo "🔧 Starting host Podman service on UNIX socket..."
|
|
||||||
podman system service --time=0 "unix://${SOCKET_PATH}" &
|
|
||||||
HOST_PODMAN_PID=$!
|
|
||||||
sleep 2
|
|
||||||
|
|
||||||
# Verify socket was created
|
|
||||||
if [[ ! -S "${SOCKET_PATH}" ]]; then
|
if [[ ! -S "${SOCKET_PATH}" ]]; then
|
||||||
echo "❌ ERROR: Podman socket not created at ${SOCKET_PATH}"
|
echo "❌ ERROR: Podman socket not found at ${SOCKET_PATH}"
|
||||||
kill ${HOST_PODMAN_PID} 2>/dev/null || true
|
echo " Ensure the podman-host-socket.service is running:"
|
||||||
|
echo " sudo -u ci-service systemctl --user enable --now podman-host-socket.service"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Set secure permissions on socket
|
# Set secure permissions on socket (in case they were reset)
|
||||||
echo "🔒 Setting secure socket permissions..."
|
echo "🔒 Setting secure socket permissions..."
|
||||||
chmod 660 "${SOCKET_PATH}"
|
chmod 660 "${SOCKET_PATH}" 2>/dev/null || true
|
||||||
|
|
||||||
# Create ephemeral PiP container as client only (no inner daemon)
|
# Create ephemeral PiP container as client only (no inner daemon)
|
||||||
echo "🐳 Creating secure PiP client container with workspace mount..."
|
echo "🐳 Creating secure PiP client container with workspace mount..."
|
||||||
|
|
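Review bot: `chmod 660 "${SOCKET_PATH}" 2>/dev/null || true` now swallows a failure that the old `chmod 660` would have aborted on under `set -euo pipefail`, right after the script prints "Setting secure socket permissions"; if the socket belongs to another account (the new hint suggests a dedicated `ci-service` user) the script continues with whatever mode the socket has. I would at least surface that: `chmod 660 "${SOCKET_PATH}" || echo "⚠️  WARNING: could not set mode on ${SOCKET_PATH}; it keeps its current permissions" >&2`, and prefer `600` unless a group genuinely needs the socket, because it is now a long-lived socket shared by every run on the runner rather than one removed at the end of each run. The hint `sudo -u ci-service systemctl --user enable --now ...` usually cannot reach the target user's bus without that user's session environment; `systemctl --user -M ci-service@ enable --now podman-host-socket.service` (newer systemd) is more reliable, and since the commit is about lingering the hint should also mention `loginctl enable-linger ci-service`, without which the user manager and this socket disappear when the user has no session. The PiP container creation follows this hunk and is outside the view, so I cannot tell whether the socket file is bind-mounted into the container; if it is, note that `Restart=always` recreates the socket inode on a service restart and an existing bind mount would then point at a dead socket.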