Add gitlab-runner helpers/template

This commit is contained in:
selfhoster selfhoster 2023-06-06 12:48:59 +02:00
parent 787a678a79
commit 0fc31dfa56
5 changed files with 89 additions and 1 deletions


@ -15,6 +15,7 @@ The following systems are supported:
- `bullseye`: Debian 11 Bullseye
- `archlinux`: Archlinux
- `gitlab-runner`: based on Archlinux
## Setup
@ -67,7 +68,7 @@ The `mkvm.sh` script takes the type of container to run as first argument. That
Unless the `--keep` argument is passed, the container is also destroyed after running.
## Edit the template filesystem
### Edit the template filesystem
If you need to change a template's rootfs, for running updates or adding packages, you can use the `editvm.sh` script:
@ -79,6 +80,33 @@ This will fail if the ramdisk service is still running, so first stop all your c
If the LXC you want to use does not use a rootfs with its own name in the `/ramdisk/persist/` folder, the script will also error out.
### Run a gitlab-runner for CI
Once you have the archlinux rootfs configured, you can use the `gitlab-runner` template for running a CI/CD runner. It is strongly recommended to only use it for CI and not CD, or to run it only on approved input, as the LXC configuration disables many security features. If you use it to run arbitrary code from random users, kittens may fall from the sky.
A helper script `gitlab-runner.sh` is provided, to which you must give a `gitlab-runner/config.toml` as first argument. For example:
```
gitlab-runner.sh /root/ci.toml
```
This will bootstrap a container with gitlab-runner with the provided config file. If you'd like it to run on boot, create a systemd service for that purpose. We may provide a service for that in the future.
Note that the config file needs to be bootstrapped first in order for that to work. You can bootstrap it with an archlinux container, like this:
```
mkvm.sh archlinux bash
while ! ping -c 1 google.com; do
echo "Waiting for network..."
done
pacman -Sy
pacman -S gitlab-runner
gitlab-runner register
# Answer the questions, selecting "docker" as runner backend
cat /etc/gitlab-runner/config.toml
# Copy this file to the host
```
## License
GNU aGPL v3

14
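--- a/bin/gitlab-runner-helper.sh
+++ b/bin/gitlab-runner-helper.sh
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+echo "Waiting for network to come online..."
+while ! ping -c 1 google.fr ; do
+sleep 1
+done
+pacman -Sy
+pacman --noconfirm -S gitlab-runner docker
+ln -sf /etc/gitlab-runner.toml /etc/gitlab-runner/config.toml
+systemctl enable gitlab-runner docker
+systemctl start docker
+systemctl restart gitlab-runner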
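Review bot: Nothing stops the script when the package install fails: there is no `set -e`, so an error from either `pacman` call falls through to the `ln -sf`, `systemctl enable` and `systemctl restart` lines, and the container comes up without a runner (the symlink may even target an `/etc/gitlab-runner/` directory that was never created). Add `set -euo pipefail` directly after the shebang. The `pacman -Sy` followed by `pacman -S` pair is also the partial-upgrade pattern Arch documentation warns against; on a throwaway overlay the damage is limited, but `pacman -Syu --noconfirm gitlab-runner docker` as a single step installs against a consistent package set. The file linked as config.toml carries the runner's authentication token, so a `chmod 600 /etc/gitlab-runner.toml` before the `ln -sf` is cheap insurance in case mkvm.sh's `--copy` does not preserve a restrictive mode (mkvm.sh is not part of this commit, so I cannot confirm what it does).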

14
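--- a/bin/gitlab-runner.sh
+++ b/bin/gitlab-runner.sh
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+if [ $# -lt 1 ]; then
+echo "gitlab-runner.sh CONFIG"
+echo " where CONFIG is a /etc/gitlab-runner/config.toml file"
+exit 1
+fi
+if [ ! -f "$1" ]; then
+echo "WRONG CONFIG FILE: "$1""
+exit 1
+fi
+mkvm.sh -k --copy "$1" /etc/gitlab-runner.toml --copy /usr/sbin/gitlab-runner-helper.sh /usr/sbin/gitlab-runner-helper.sh gitlab-runner /usr/sbin/gitlab-runner-helper.sh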
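Review bot: The error message in the second `if` is mis-quoted: `"WRONG CONFIG FILE: "$1""` closes the string before `$1`, so the path is word-split and glob-expanded inside the message, and the preceding test only checks existence, not that the file can be read. Use `if [ ! -r "$1" ]; then` together with `printf 'WRONG CONFIG FILE: %s\n' "$1" >&2`, and send the two usage `echo` lines to `>&2` as well so a caller capturing stdout does not receive them as output. The `-k` flag on the final `mkvm.sh` call would benefit from a short comment naming it as the keep-container flag, assuming that is what it abbreviates (the README describes `--keep`).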


@ -10,12 +10,15 @@ mkdir -p /ramdisk/persist
ln -sf "$(pwd)"/bin/ramdisk.sh /usr/sbin/
ln -sf "$(pwd)"/bin/mkvm.sh /usr/sbin/
ln -sf "$(pwd)"/bin/editvm.sh /usr/sbin/
ln -sf "$(pwd)"/bin/gitlab-runner.sh /usr/sbin/
ln -sf "$(pwd)"/bin/gitlab-runner-helper.sh /usr/sbin/
ln -sf "$(pwd)"/ramdisk.service /etc/systemd/system/
systemctl daemon-reload
ln -sf "$(pwd)"/templates/archlinux.template /var/lib/lxc/
ln -sf "$(pwd)"/templates/bullseye.template /var/lib/lxc/
ln -sf "$(pwd)"/templates/gitlab-runner.template /var/lib/lxc/
setup_debian() {
apt install lxc debootstrap
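Review bot: The helper is installed on the host as a symlink into the checkout (`ln -sf "$(pwd)"/bin/gitlab-runner-helper.sh /usr/sbin/`), yet `bin/gitlab-runner.sh` in this same commit hands `/usr/sbin/gitlab-runner-helper.sh` to `mkvm.sh --copy` to place it inside the container. If `--copy` copies the link rather than its target, the container ends up with a dangling symlink to a path that exists only on the host; mkvm.sh is not part of this diff, so please verify, or have gitlab-runner.sh copy the resolved path (`"$(readlink -f /usr/sbin/gitlab-runner-helper.sh)"`) instead. The `setup_debian` function at the bottom of the hunk continues outside it.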


@ -0,0 +1,29 @@
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r bullseye
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
lxc.net.0.type = veth
#lxc.net.0.hwaddr = 00:16:3e:5e:7b:d0
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
# Don't use LXCROOTFS, as we cannot edit this template's rootfs (which is archlinux)
lxc.rootfs.path = overlayfs:/ramdisk/sys/archlinux:/ramdisk/tmp/$VMNAME
# Common configuration
lxc.include = /usr/share/lxc/config/archlinux.common.conf
# Container specific configuration
lxc.tty.max = 4
lxc.uts.name = $VMNAME
lxc.arch = amd64
lxc.pty.max = 1024
# For running docker in LXC container
security.nesting = true
lxc.cap.drop =
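Review bot: `security.nesting = true` near the end is an LXD configuration key rather than an LXC one; as far as I can tell LXC's config parser rejects unknown keys, so either the installed version tolerates it or `lxc-start` fails on this template — please verify, and if nesting is wanted at the LXC level the mechanism is the `lxc.include = /usr/share/lxc/config/nesting.conf` line that is left commented at the top. The trailing `lxc.cap.drop =` deserves a comment, because an empty value resets the drop list inherited from the included common configuration rather than dropping nothing new: `# Empty value clears the cap.drop list from archlinux.common.conf: the container keeps every capability`. Given the README limits this template to CI on trusted input, it is worth checking whether docker-in-LXC actually needs the whole list cleared or whether keeping e.g. `sys_module` and `sys_rawio` dropped still lets docker start, since those are rarely needed by build jobs and are the ones most directly able to affect the host from a privileged container.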