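# Karellen GitHub Actions container for Sysbox
#
# Self-hosted GitHub Actions runner image that boots systemd as PID 1 (meant for
# Sysbox system containers) and ships Docker CE, buildx, the GitHub CLI and an
# actions/runner release plus its container hooks.
#
# Required build args (no defaults): RUNNER_VERSION (actions/runner release) and
# RUNNER_ARCH (arch suffix of the runner tarball, e.g. x64 or arm64).
FROM ubuntu:noble
ARG RUNNER_VERSION
ARG RUNNER_ARCH
ARG BUILDX_VERSION=0.19.3
ARG RUNNER_CONTAINER_HOOKS_VERSION=0.6.1
# WORKDIR creates the directory itself; the previous `RUN mkdir -p` only added a layer.
WORKDIR /home/runner
# Kept as ENV on purpose (not a build-only ARG): sudo's env_keep further down
# preserves it so apt stays non-interactive inside jobs as well.
ENV DEBIAN_FRONTEND=noninteractive
# Helper that maps RUNNER_ARCH to the arch string used in buildx release file
# names; /tmp is wiped at the end of the install layer, so it does not ship.
COPY docker_arch.sh /tmp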
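#
# Systemd installation
#
# One layer: base packages, GitHub CLI, Docker CE + buildx, the actions/runner
# release and its container hooks, then cleanup of everything that must not
# persist (apt lists, caches, /tmp including docker_arch.sh).
RUN set -x && \
    # Fail fast with a clear message instead of a 404 on a malformed release URL.
    : "${RUNNER_VERSION:?RUNNER_VERSION build-arg is required}" && \
    : "${RUNNER_ARCH:?RUNNER_ARCH build-arg is required}" && \
    apt-get update && \
    apt-get install -y --no-install-recommends \
        systemd \
        systemd-sysv \
        libsystemd0 \
        ca-certificates \
        dbus \
        iptables \
        iproute2 \
        kmod \
        locales \
        sudo \
        curl \
        apt-utils \
        unzip \
        python3 \
        python3-pip \
        patch \
        less \
        lsb-release \
        gpg-agent \
        software-properties-common \
        udev && \
    \
    # GitHub CLI from its apt repo. `-f` makes curl fail on an HTTP error instead
    # of silently saving the error page as the repository signing keyring.
    mkdir -p -m 755 /etc/apt/keyrings && \
    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg -o /etc/apt/keyrings/githubcli-archive-keyring.gpg && \
    chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list && \
    apt-get update && apt-get install -y --no-install-recommends gh && \
    gh --version && \
    DOCKER_ARCH="$(/tmp/docker_arch.sh "${RUNNER_ARCH}")" && \
    # Docker CE via the official convenience script. NOTE(review): the script is
    # fetched unpinned and unverified at build time, so the Docker version is
    # whatever is current when the image is built; pinning (the script accepts
    # --version) or installing docker-ce from apt with a fixed version would make
    # the image reproducible.
    curl -fsSL https://get.docker.com -o get-docker.sh && \
    sh get-docker.sh && \
    rm get-docker.sh && \
    mkdir -p /usr/local/lib/docker/cli-plugins && \
    curl -fLo /usr/local/lib/docker/cli-plugins/docker-buildx \
        "https://github.com/docker/buildx/releases/download/v${BUILDX_VERSION}/buildx-v${BUILDX_VERSION}.linux-${DOCKER_ARCH}" && \
    chmod +x /usr/local/lib/docker/cli-plugins/docker-buildx && \
    \
    # actions/runner release, unpacked into /home/runner (the WORKDIR).
    curl -fL -o runner.tar.gz "https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz" && \
    tar xzf ./runner.tar.gz && \
    rm runner.tar.gz && \
    \
    # Runner container hooks (docker variant), unpacked into ./docker.
    curl -fL -o runner-container-hooks.zip "https://github.com/actions/runner-container-hooks/releases/download/v${RUNNER_CONTAINER_HOOKS_VERSION}/actions-runner-hooks-docker-${RUNNER_CONTAINER_HOOKS_VERSION}.zip" && \
    unzip ./runner-container-hooks.zip -d ./docker && \
    rm runner-container-hooks.zip && \
    \
    # Script shipped in the runner tarball; presumably installs the runner's
    # remaining OS-level dependencies via apt.
    ./bin/installdependencies.sh && \
    \
    # Housekeeping in the same layer, otherwise the removed files still ship.
    # /usr/share/local is not a standard path and is probably a no-op; kept as-is.
    apt-get clean -y && \
    rm -rf \
        /var/cache/debconf/* \
        /var/lib/apt/lists/* \
        /var/log/* \
        /tmp/* \
        /var/tmp/* \
        /usr/share/doc/* \
        /usr/share/man/* \
        /usr/share/local/*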
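# Disable systemd services/units that are unnecessary within a container.
RUN systemctl mask systemd-udevd.service \
    systemd-udevd-kernel.socket \
    systemd-udevd-control.socket \
    systemd-modules-load.service \
    sys-kernel-debug.mount \
    sys-kernel-tracing.mount
# Make use of stopsignal (instead of sigterm) to stop systemd containers.
STOPSIGNAL SIGRTMIN+3
# Prevents journald from reading kernel messages from /dev/kmsg, forwards log
# output to the console and keeps no journal of its own.
# printf instead of `echo -e`: RUN runs under /bin/sh (dash on Ubuntu), whose
# echo has no -e option, so the old line wrote a literal "-e ReadKMsg=no" that
# journald cannot parse and ReadKMsg=no was never applied.
# Assumes the stock journald.conf ends inside its [Journal] section, so the
# appended keys belong to it.
RUN printf '%s\n' 'ReadKMsg=no' 'ForwardToConsole=yes' 'Storage=none' >> /etc/systemd/journald.conf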
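# Unprivileged runner account with passwordless sudo (the same grant GitHub's
# hosted runners give jobs) and membership in the docker group. A fixed UID keeps
# volume ownership and runAsUser checks stable across rebuilds.
RUN adduser --disabled-password --gecos "" --uid 1001 runner \
    && usermod -aG sudo runner \
    && usermod -aG docker runner \
    # Write a sudoers.d drop-in instead of `> /etc/sudoers`: the overwrite threw
    # away everything the sudo package ships in that file (on Ubuntu its Defaults
    # lines and the @includedir for /etc/sudoers.d). visudo -c validates the
    # drop-in so a syntax error fails the build rather than breaking sudo at
    # runtime.
    && printf '%s\n' \
        '%sudo ALL=(ALL:ALL) NOPASSWD:ALL' \
        'Defaults env_keep += "DEBIAN_FRONTEND"' \
        > /etc/sudoers.d/runner \
    && chmod 0440 /etc/sudoers.d/runner \
    && visudo -cf /etc/sudoers.d/runner \
    && chown -R runner:runner /home/runner
# Disable root account
RUN passwd root -ld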
# Runner process settings, read by the actions/runner binary at runtime:
# presumably "trap signals yourself" (systemd forwards them) and "log to stdout"
# so output reaches the container logs — confirm against the runner docs.
ENV RUNNER_MANUALLY_TRAP_SIG=1 \
    ACTIONS_RUNNER_PRINT_LOG_TO_STDOUT=1
# Unit files for the runner; what each does is defined in the .service files
# copied here (a configure step and the runner itself, judging by the names).
COPY karellen-gha-runner-configure.service karellen-gha-runner.service /lib/systemd/system/
RUN systemctl enable karellen-gha-runner-configure karellen-gha-runner
# Set systemd as entrypoint. No USER directive: systemd has to start as root;
# job steps are expected to run as the runner user via the units above.
ENTRYPOINT [ "/sbin/init", "--log-level=warning" ]