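FROM {{ forgejo_runner_base_image }}

ARG RUNNER_VERSION={{ forgejo_runner_version }}
ARG RUNNER_USER={{ forgejo_runner_user }}
ARG RUNNER_UID={{ forgejo_runner_uid }}

# Build-time only: keeps apt non-interactive without leaking the setting into
# the runtime environment of the container.
ARG DEBIAN_FRONTEND=noninteractive
ENV PATH="/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin"

# Base tools + Node 20 + Docker CLI (client) + Buildx + Compose + GnuPG + jq.
# NodeSource and Docker are added as signed-by apt repositories so every package
# is verified by apt; no vendor setup script is piped into a shell. Keys are
# downloaded to files (no pipelines) because /bin/sh has no pipefail and a
# failed curl inside a pipe would otherwise go unnoticed.
# NOTE: the Docker repo line assumes an Ubuntu-based base image (it reads
# $VERSION_CODENAME from /etc/os-release and uses download.docker.com/linux/ubuntu).
RUN apt-get update && apt-get install -y --no-install-recommends \
      bash \
      ca-certificates \
      coreutils \
      curl \
      dirmngr \
      git \
      git-lfs \
      gnupg \
      gosu \
      jq \
      wget \
      xz-utils \
    && install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o /tmp/nodesource.key \
    && gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg < /tmp/nodesource.key \
    && chmod a+r /etc/apt/keyrings/nodesource.gpg \
    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" \
         > /etc/apt/sources.list.d/nodesource.list \
    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && . /etc/os-release \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $VERSION_CODENAME stable" \
         > /etc/apt/sources.list.d/docker.list \
    && apt-get update && apt-get install -y --no-install-recommends \
      docker-buildx-plugin \
      docker-ce-cli \
      docker-compose-plugin \
      nodejs \
    && rm -f /tmp/nodesource.key \
    && rm -rf /var/lib/apt/lists/*

RUN update-ca-certificates

# Download forgejo-runner (latest or pinned), verify the detached GPG signature
# against the pinned Forgejo release key, install.
# NOTE: RUNNER_VERSION=latest makes the image non-reproducible and resolves the
# version over the network at build time; pin forgejo_runner_version for
# production images.
RUN set -eux; \
    arch="$(uname -m)"; \
    case "$arch" in \
      x86_64) rel_arch=linux-amd64 ;; \
      aarch64) rel_arch=linux-arm64 ;; \
      armv7l) rel_arch=linux-arm-7 ;; \
      *) echo "Unsupported arch: $arch" >&2; exit 1 ;; \
    esac; \
    if [ "$RUNNER_VERSION" = "latest" ]; then \
      # Fetch to a file first so a failed curl cannot be masked by jq/sed in a pipeline.
      curl -fsSL https://data.forgejo.org/api/v1/repos/forgejo/runner/releases/latest -o /tmp/runner-latest.json; \
      RUNNER_VERSION="$(jq -r .name /tmp/runner-latest.json | sed 's/^v//')"; \
      if [ -z "$RUNNER_VERSION" ] || [ "$RUNNER_VERSION" = "null" ]; then \
        echo "Could not resolve latest forgejo-runner version" >&2; exit 1; \
      fi; \
    fi; \
    echo "Using forgejo-runner version: $RUNNER_VERSION (${rel_arch})"; \
    base="https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-${rel_arch}"; \
    curl -fsSL "$base" -o /usr/local/bin/forgejo-runner; \
    curl -fsSL "$base.asc" -o /tmp/forgejo-runner.asc; \
    key_fpr="EB114F5E6C0DC2BCDD183550A4B61A2DC5923710"; \
    export GNUPGHOME=/tmp/gnupg; mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"; \
    curl -fsSL "https://keys.openpgp.org/vks/v1/by-fingerprint/${key_fpr}" -o /tmp/forgejo-release-key.asc; \
    gpg --batch --import /tmp/forgejo-release-key.asc; \
    # The keyring is fresh, so the only key in it must carry the pinned
    # fingerprint. Without this check a keyserver returning a different key
    # would still let --verify succeed, since --verify trusts any imported key.
    gpg --batch --with-colons --list-keys | grep -q "^fpr:.*:${key_fpr}:" \
      || { echo "Imported key does not match pinned fingerprint ${key_fpr}" >&2; exit 1; }; \
    gpg --batch --verify /tmp/forgejo-runner.asc /usr/local/bin/forgejo-runner; \
    chmod 0755 /usr/local/bin/forgejo-runner; \
    /usr/local/bin/forgejo-runner --version; \
    rm -rf "$GNUPGHOME" /tmp/forgejo-runner.asc /tmp/forgejo-release-key.asc /tmp/runner-latest.json

# Create non-root runner user + docker group (GID will be aligned at runtime).
# groupadd may fail if the base image already ships a "docker" group; that is fine.
RUN groupadd -g 2000 docker || true \
    && useradd -m -u "${RUNNER_UID}" -s /bin/bash "${RUNNER_USER}" \
    && usermod -aG docker "${RUNNER_USER}"

# Entrypoint: runs as root only long enough to fix /data ownership and to align
# a group with the GID of the mounted /var/run/docker.sock, then drops to the
# runner user via gosu (exec, so the runner is PID 1 and receives signals).
# The user name is baked in at build time; everything else is resolved at
# container start. If a group already owns the socket GID it is reused instead
# of moving "docker" onto a colliding GID (which groupmod would refuse, leaving
# the runner without socket access). Alignment stays best-effort: failures are
# logged, not fatal, so the runner can still start without Docker access.
RUN printf '%s\n' \
      '#!/usr/bin/env bash' \
      'set -euo pipefail' \
      'RUNNER_USER="'"${RUNNER_USER}"'"' \
      'mkdir -p /data' \
      'chown -R "$RUNNER_USER":"$RUNNER_USER" /data' \
      'if [ -S /var/run/docker.sock ]; then' \
      '  SOCK_GID="$(stat -c "%g" /var/run/docker.sock || echo 0)"' \
      '  if [ "$SOCK_GID" != "0" ]; then' \
      '    if getent group "$SOCK_GID" >/dev/null; then' \
      '      SOCK_GROUP="$(getent group "$SOCK_GID" | cut -d: -f1)"' \
      '    elif getent group docker >/dev/null; then' \
      '      groupmod -g "$SOCK_GID" docker && SOCK_GROUP=docker || SOCK_GROUP=""' \
      '    else' \
      '      groupadd -g "$SOCK_GID" docker && SOCK_GROUP=docker || SOCK_GROUP=""' \
      '    fi' \
      '    if [ -n "$SOCK_GROUP" ]; then' \
      '      usermod -aG "$SOCK_GROUP" "$RUNNER_USER" || echo "warning: could not add $RUNNER_USER to group $SOCK_GROUP" >&2' \
      '    else' \
      '      echo "warning: could not align a group to docker.sock GID $SOCK_GID; docker access may fail" >&2' \
      '    fi' \
      '  fi' \
      'fi' \
      'echo "Runner user: $RUNNER_USER (uid=$(id -u "$RUNNER_USER"), groups: $(id -nG "$RUNNER_USER"))"' \
      'echo "Node: $(node -v 2>/dev/null || echo missing)"' \
      'echo "Docker CLI: $(docker --version 2>/dev/null || echo missing)"' \
      'exec gosu "$RUNNER_USER" "$@"' \
      > /usr/local/bin/runner-entry.sh \
    && chmod 0755 /usr/local/bin/runner-entry.sh

WORKDIR /data
# No USER here on purpose: the entrypoint needs root for the docker.sock group
# alignment above and drops privileges itself with gosu.
ENTRYPOINT ["/usr/local/bin/runner-entry.sh"]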