From 1171e881592c109c9bdf9afb6e3cea1363c8ba9d Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 29 Sep 2022 11:08:02 -0700 Subject: [PATCH 01/17] Add windows runner support. * Add windows runner related files. * Do not explicitly set privileged bit in security context to false. Privileged mode is false by default and setting it explicitly to false causes GKE to not admin windows runner pod. --- controllers/runner_controller.go | 10 ++++------ runner/actions-runner-windows.dockerfile | 20 ++++++++++++++++++++ runner/runner.ps1 | 2 ++ 3 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 runner/actions-runner-windows.dockerfile create mode 100644 runner/runner.ps1 diff --git a/controllers/runner_controller.go b/controllers/runner_controller.go index ae306edcbc..5b5d8bdb67 100644 --- a/controllers/runner_controller.go +++ b/controllers/runner_controller.go @@ -849,10 +849,6 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru runnerContainerIndex = -1 runnerContainer = &corev1.Container{ Name: containerName, - SecurityContext: &corev1.SecurityContext{ - // Runner need to run privileged if it contains DinD - Privileged: &dockerdInRunnerPrivileged, - }, } } @@ -887,8 +883,10 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru runnerContainer.SecurityContext = &corev1.SecurityContext{} } - if runnerContainer.SecurityContext.Privileged == nil { - // Runner need to run privileged if it contains DinD + // Runner need to run privileged if it contains DinD. + // Do not explicitly set SecurityContext.Privileged to false which is default, + // otherwise Windows pods don't get admitted on GKE. + if dockerdInRunnerPrivileged == true { runnerContainer.SecurityContext.Privileged = &dockerdInRunnerPrivileged } diff --git a/runner/actions-runner-windows.dockerfile b/runner/actions-runner-windows.dockerfile new file mode 100644 index 0000000000..11588962c7 --- /dev/null 
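Review bot: The new condition in the second hunk overrides an explicit opt-out from the pod template: the removed `== nil` guard only filled in an unset `Privileged`, whereas `if dockerdInRunnerPrivileged == true` now forces the runner container privileged even when the template author set it to false. If the intent is only to stop emitting an explicit `false`, keep the guard and add the truth check, `if runnerContainer.SecurityContext.Privileged == nil && dockerdInRunnerPrivileged {`, which leaves an empty SecurityContext in the non-DinD case without discarding user input. The `== true` comparison on a bool is also redundant. newRunnerPodWithContainerMode begins and ends outside the hunk.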
+++ b/runner/actions-runner-windows.dockerfile @@ -0,0 +1,20 @@ +FROM mcr.microsoft.com/windows/servercore:ltsc2019 + +SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop';$ProgressPreference='silentlyContinue';"] + +ARG RUNNER_VERSION=2.298.2 + +RUN Invoke-WebRequest \ + -Uri 'https://aka.ms/install-powershell.ps1' \ + -OutFile install-powershell.ps1; \ + powershell -ExecutionPolicy Unrestricted -File ./install-powershell.ps1 -AddToPath + +RUN Invoke-WebRequest \ + -Uri https://github.com/actions/runner/releases/download/v$env:RUNNER_VERSION/actions-runner-win-x64-$env:RUNNER_VERSION.zip \ + -OutFile runner.zip; \ + Expand-Archive -Path C:/runner.zip -DestinationPath C:/actions-runner; \ + Remove-Item -Path C:\runner.zip; \ + setx /M PATH $(${Env:PATH} + \";${Env:ProgramFiles}\Git\bin\") + +ADD runner.ps1 C:/runner.ps1 +CMD ["pwsh", "-ExecutionPolicy", "Unrestricted", "-File", ".\\runner.ps1"] diff --git a/runner/runner.ps1 b/runner/runner.ps1 new file mode 100644 index 0000000000..1d30fd38ee --- /dev/null +++ b/runner/runner.ps1 @@ -0,0 +1,2 @@ +.\actions-runner\config.cmd --unattended --replace --url https://github.com/${env:RUNNER_REPO} --token $env:RUNNER_TOKEN --name $env:RUNNER_NAME --work $env:RUNNER_WORKDIR; +.\actions-runner\run.cmd; From 190afb2600f6bbfad46937f2a2780befa1d12d94 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Wed, 9 Nov 2022 16:49:36 -0800 Subject: [PATCH 02/17] Add windows docker build job with build step --- .github/workflows/runners.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 91f1c3143f..cee7486b67 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml 
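Review bot: Both RUN steps execute or unpack remote content without integrity verification: `install-powershell.ps1` is fetched and run with `-ExecutionPolicy Unrestricted`, and `runner.zip` is expanded straight after download, so the image content depends entirely on the build-time TLS connection to aka.ms and github.com. Pinning the expected digest makes the build reproducible and tamper-evident, e.g. an `ARG RUNNER_SHA256` (placeholder; value taken from the runner release) checked with `if ((Get-FileHash runner.zip -Algorithm SHA256).Hash -ne $env:RUNNER_SHA256) { throw 'runner.zip checksum mismatch' }` before `Expand-Archive`. The PATH line appends `${Env:ProgramFiles}\Git\bin`, but nothing in this file installs Git, so that entry looks like a leftover unless Git is expected from the base image. No `USER` is set, so the runner presumably executes as the image's default account; if the runner does not need it, `USER ContainerUser` narrows what a job can do inside the container.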
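Review bot: `run.cmd` is started regardless of whether `config.cmd` succeeded: the `;` separator does not stop on a non-zero exit code from an external command, so a failed registration (bad token, wrong repo) falls through to a run attempt against an unconfigured runner; check the status in between with `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }`. The registration token is passed on the command line as `--token $env:RUNNER_TOKEN`, where it is visible in process listings for the lifetime of `config.cmd`; if that is accepted because of the token's short validity, a comment saying so would help. The URL is hard-wired to `https://github.com/${env:RUNNER_REPO}`, so organization- or enterprise-scoped runners cannot be configured by this script if the controller supports those elsewhere — cannot tell from here.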
@@ -83,3 +83,24 @@ jobs: ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ env.sha_short }} cache-from: type=gha,scope=build-${{ matrix.name }} cache-to: type=gha,mode=max,scope=build-${{ matrix.name }} + + build-windows-runners: + runs-on: windows-2019 + permissions: + packages: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Docker Environment + id: vars + uses: ./.github/actions/setup-docker-environment + with: + username: ${{ env.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKER_ACCESS_TOKEN }} + ghcr_username: ${{ github.actor }} + ghcr_password: ${{ secrets.GITHUB_TOKEN }} + - name: Docker Build + run: | + cd runner + docker build --build-arg RUNNER_VEDRSION=${{ env.RUNNER_VERSION }} -f actions-runner-windows.dockerfile . From cc48605f0ae996efe6ab20a3338fb40a6b264bbe Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Wed, 9 Nov 2022 17:19:19 -0800 Subject: [PATCH 03/17] Handle windows platform in setup-docker-environment action --- .github/actions/setup-docker-environment/action.yaml | 6 ++++++ .github/workflows/runners.yaml | 1 + 2 files changed, 7 insertions(+) diff --git a/.github/actions/setup-docker-environment/action.yaml b/.github/actions/setup-docker-environment/action.yaml index 2418fdd4dc..53f2de4bbe 100644 --- a/.github/actions/setup-docker-environment/action.yaml +++ b/.github/actions/setup-docker-environment/action.yaml @@ -13,6 +13,10 @@ inputs: ghcr_password: description: "GHCR password. Usually set from the secrets.GITHUB_TOKEN variable" required: true + platform: + description: "Platform (either linux or windows)." + default: linux + required: false runs: using: "composite" @@ -24,9 +28,11 @@ runs: shell: bash - name: Set up QEMU + if: inputs.platform == 'linux' uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx + if: inputs.platform == 'linux' uses: docker/setup-buildx-action@v2 with: version: latest 
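Review bot: The build argument on the last line is misspelled (`RUNNER_VEDRSION`), so the Dockerfile's `ARG RUNNER_VERSION=...` default silently wins and the image does not track `env.RUNNER_VERSION`; the line should read `docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -f actions-runner-windows.dockerfile .`. The build also carries no `-t`, so the resulting image is unnamed and cannot be tagged or pushed by a later step. Registry credentials (`DOCKER_ACCESS_TOKEN`, and `GITHUB_TOKEN` with `packages: write`) are provisioned to this job although it pushes nothing; deferring the login to the step that actually needs it limits credential exposure to the push path.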
diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index cee7486b67..2f4b193b37 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml @@ -100,6 +100,7 @@ jobs: password: ${{ secrets.DOCKER_ACCESS_TOKEN }} ghcr_username: ${{ github.actor }} ghcr_password: ${{ secrets.GITHUB_TOKEN }} + platform: windows - name: Docker Build run: | cd runner From 38c854e86c2c4a6e4d2aed9751d4daad78055ae2 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Wed, 9 Nov 2022 17:36:21 -0800 Subject: [PATCH 04/17] Update tests to handle Privileged bit --- .github/workflows/runners.yaml | 2 +- controllers/new_runner_pod_test.go | 12 ------------ 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 2f4b193b37..26f6c4e2e0 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml @@ -104,4 +104,4 @@ jobs: - name: Docker Build run: | cd runner - docker build --build-arg RUNNER_VEDRSION=${{ env.RUNNER_VERSION }} -f actions-runner-windows.dockerfile . + docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -f actions-runner-windows.dockerfile . diff --git a/controllers/new_runner_pod_test.go b/controllers/new_runner_pod_test.go index 2d95601e6e..8e40dcdc14 100644 --- a/controllers/new_runner_pod_test.go +++ b/controllers/new_runner_pod_test.go @@ -160,9 +160,6 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: func() *bool { v := false; return &v }(), - }, }, { Name: "docker", @@ -366,9 +363,6 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: boolPtr(false), - }, }, }, RestartPolicy: corev1.RestartPolicyNever, 
@@ -690,9 +684,6 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: func() *bool { v := false; return &v }(), - }, }, { Name: "docker", @@ -930,9 +921,6 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: boolPtr(false), - }, }, }, RestartPolicy: corev1.RestartPolicyNever, From c0cd503b8d148422b6e63f2ec26af95295b27ba7 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Wed, 9 Nov 2022 17:46:34 -0800 Subject: [PATCH 05/17] Fix test for Privileged bit --- controllers/new_runner_pod_test.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/controllers/new_runner_pod_test.go b/controllers/new_runner_pod_test.go index 8e40dcdc14..732846836c 100644 --- a/controllers/new_runner_pod_test.go +++ b/controllers/new_runner_pod_test.go @@ -160,6 +160,9 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + Privileged: func() *bool { v := nil; return &v }(), + }, }, { Name: "docker", @@ -363,6 +366,9 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + Privileged: boolPtr(false), + }, }, }, RestartPolicy: corev1.RestartPolicyNever, @@ -684,6 +690,9 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + Privileged: func() *bool { v := nil; return &v }(), + }, }, { Name: "docker", @@ -921,6 +930,9 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + Privileged: boolPtr(false), + }, }, }, RestartPolicy: corev1.RestartPolicyNever, From d5f3ca693a44c9af7582d3f22e471967781c0a1f Mon Sep 17 00:00:00 2001 
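Review bot: `func() *bool { v := nil; return &v }()` in the first and third hunks does not compile: `v := nil` has no type to infer, and even with a typed `var v *bool` the closure would return `**bool`, not the `*bool` the field expects. An unset privileged bit is expressed by omitting `Privileged` (or writing `Privileged: nil`); if the second and fourth hunks describe the same code path, `boolPtr(false)` there reasserts the value the controller change stopped setting, so they would need the same treatment. TestNewRunnerPod and TestNewRunnerPodFromRunnerController both extend outside the hunks.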
From: Igor Sarkisov Date: Wed, 9 Nov 2022 17:57:28 -0800 Subject: [PATCH 06/17] Fix test for Privileged bit --- controllers/new_runner_pod_test.go | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/controllers/new_runner_pod_test.go b/controllers/new_runner_pod_test.go index 732846836c..8e40dcdc14 100644 --- a/controllers/new_runner_pod_test.go +++ b/controllers/new_runner_pod_test.go @@ -160,9 +160,6 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: func() *bool { v := nil; return &v }(), - }, }, { Name: "docker", @@ -366,9 +363,6 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: boolPtr(false), - }, }, }, RestartPolicy: corev1.RestartPolicyNever, @@ -690,9 +684,6 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: func() *bool { v := nil; return &v }(), - }, }, { Name: "docker", @@ -930,9 +921,6 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - Privileged: boolPtr(false), - }, }, }, RestartPolicy: corev1.RestartPolicyNever, From fe0c13b956f1748c9a8c5a094c4048baedb4ea87 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Wed, 9 Nov 2022 18:06:08 -0800 Subject: [PATCH 07/17] Fix test for Privileged bit --- controllers/new_runner_pod_test.go | 8 ++++++++ controllers/runner_controller.go | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/controllers/new_runner_pod_test.go b/controllers/new_runner_pod_test.go index 8e40dcdc14..888a5e6272 100644 --- a/controllers/new_runner_pod_test.go +++ b/controllers/new_runner_pod_test.go 
@@ -160,6 +160,8 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + }, }, { Name: "docker", @@ -363,6 +365,8 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + }, }, }, RestartPolicy: corev1.RestartPolicyNever, @@ -684,6 +688,8 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + }, }, { Name: "docker", @@ -921,6 +927,8 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, + SecurityContext: &corev1.SecurityContext{ + }, }, }, RestartPolicy: corev1.RestartPolicyNever, diff --git a/controllers/runner_controller.go b/controllers/runner_controller.go index 5b5d8bdb67..f217cd5961 100644 --- a/controllers/runner_controller.go +++ b/controllers/runner_controller.go @@ -886,7 +886,7 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru // Runner need to run privileged if it contains DinD. // Do not explicitly set SecurityContext.Privileged to false which is default, // otherwise Windows pods don't get admitted on GKE. - if dockerdInRunnerPrivileged == true { + if dockerdInRunnerPrivileged { runnerContainer.SecurityContext.Privileged = &dockerdInRunnerPrivileged } From c6b7be3536b50e760a0a3e9c0de18027fd991db1 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Wed, 9 Nov 2022 18:15:28 -0800 Subject: [PATCH 08/17] Fix test for Privileged bit --- controllers/new_runner_pod_test.go | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/controllers/new_runner_pod_test.go b/controllers/new_runner_pod_test.go index 888a5e6272..54fd75ada1 100644 --- a/controllers/new_runner_pod_test.go +++ b/controllers/new_runner_pod_test.go 
@@ -160,8 +160,7 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - }, + SecurityContext: &corev1.SecurityContext{}, }, { Name: "docker", @@ -365,8 +364,7 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - }, + SecurityContext: &corev1.SecurityContext{}, }, }, RestartPolicy: corev1.RestartPolicyNever, @@ -688,8 +686,7 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - }, + SecurityContext: &corev1.SecurityContext{}, }, { Name: "docker", @@ -927,8 +924,7 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{ - }, + SecurityContext: &corev1.SecurityContext{}, }, }, RestartPolicy: corev1.RestartPolicyNever, From f774907de243537ec8a1dee95ea6367a7ad7d4ba Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 10:14:06 -0800 Subject: [PATCH 09/17] Add tagging and pushing to win runner workflow --- .github/workflows/runners.yaml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 26f6c4e2e0..62a4fe418a 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml @@ -84,11 +84,15 @@ jobs: cache-from: type=gha,scope=build-${{ matrix.name }} cache-to: type=gha,mode=max,scope=build-${{ matrix.name }} - build-windows-runners: + build-runners-win2019: runs-on: windows-2019 permissions: packages: write contents: read + env: + name: actions-runner-windows + os-name: win + os-version: 2019 steps: - name: Checkout uses: actions/checkout@v3 
@@ -101,7 +105,22 @@ jobs: ghcr_username: ${{ github.actor }} ghcr_password: ${{ secrets.GITHUB_TOKEN }} platform: windows - - name: Docker Build + - name: Build run: | cd runner - docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -f actions-runner-windows.dockerfile . + docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -t ${{ env.name }} -f ${{ env.name }}.dockerfile . + - name: Tag and Push + run: | + tags=( + "${{ env.DOCKERHUB_USERNAME }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}" + "${{ env.DOCKERHUB_USERNAME }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}-${{ steps.vars.outputs.sha_short }}" + "${{ env.DOCKERHUB_USERNAME }}/${{ env.name }}:latest" + "ghcr.io/${{ github.repository }}/${{ env.name }}:latest" + "ghcr.io/${{ github.repository }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}" + "ghcr.io/${{ github.repository }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}-${{ steps.vars.outputs.sha_short }}" + ) + + for tag in "${tags[@]}" ; do + docker tag ${{ env.name }}:latest "$tag" + #docker push "$tag" + done From 675f5f976f475ea64169b5c7d49850a2569b72c4 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 10:26:01 -0800 Subject: [PATCH 10/17] Add tagging and pushing to win runner workflow --- .github/workflows/runners.yaml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 62a4fe418a..8cbbab393d 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml 
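Review bot: The new "Tag and Push" step uses bash array syntax (`tags=( ... )`, `"${tags[@]}"`) but declares no `shell:`, and on a `windows-2019` runner the default `run` shell is PowerShell, where that script is a syntax error; add `shell: bash` to this step. The SHA suffix is taken from `steps.vars.outputs.sha_short` while the Linux job's tags in the context above use `env.sha_short`; if the composite action only exports the short SHA via `GITHUB_ENV`, the output reference expands to empty and yields a tag ending in `-`. With `docker push` commented out the job still pushes nothing while being granted `packages: write` and both registry credentials.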
@@ -85,14 +85,18 @@ jobs: cache-to: type=gha,mode=max,scope=build-${{ matrix.name }} build-runners-win2019: + name: Build ${{ matrix.name }}-${{ matrix.os-name }}-${{ matrix.os-version }} runs-on: windows-2019 permissions: packages: write contents: read - env: - name: actions-runner-windows - os-name: win - os-version: 2019 + strategy: + fail-fast: false + matrix: + include: + - name: actions-runner-windows + os-name: win + os-version: 2019 steps: - name: Checkout uses: actions/checkout@v3 
@@ -106,21 +110,23 @@ jobs: ghcr_password: ${{ secrets.GITHUB_TOKEN }} platform: windows - name: Build + shell: bash run: | cd runner - docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -t ${{ env.name }} -f ${{ env.name }}.dockerfile . + docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -t ${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }} -f ${{ matrix.name }}.dockerfile . - name: Tag and Push + shell: bash run: | - tags=( - "${{ env.DOCKERHUB_USERNAME }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}" - "${{ env.DOCKERHUB_USERNAME }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}-${{ steps.vars.outputs.sha_short }}" - "${{ env.DOCKERHUB_USERNAME }}/${{ env.name }}:latest" - "ghcr.io/${{ github.repository }}/${{ env.name }}:latest" - "ghcr.io/${{ github.repository }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}" - "ghcr.io/${{ github.repository }}/${{ env.name }}:v${{ env.RUNNER_VERSION }}-${{ env.os-name }}-${{ env.os-version }}-${{ steps.vars.outputs.sha_short }}" + tags=( \ + "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}" \ + "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ steps.vars.outputs.sha_short }}" \ + "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:latest" \ + "ghcr.io/${{ github.repository }}/${{ matrix.name }}:latest" \ + "ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}" \ + "ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ steps.vars.outputs.sha_short }}" \ ) for tag in "${tags[@]}" ; do - docker tag ${{ env.name }}:latest "$tag" + docker tag ${{ 
matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}:latest "$tag" #docker push "$tag" done From 36eeb1b541254eb15e3b7279d3fe5a5467b73a9e Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 10:31:28 -0800 Subject: [PATCH 11/17] Add tagging and pushing to win runner workflow --- .github/workflows/runners.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 8cbbab393d..1f1d9788e2 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml @@ -113,7 +113,7 @@ jobs: shell: bash run: | cd runner - docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -t ${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }} -f ${{ matrix.name }}.dockerfile . + docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -t ${{ matrix.name }} -f ${{ matrix.name }}.dockerfile . - name: Tag and Push shell: bash run: | @@ -127,6 +127,6 @@ jobs: ) for tag in "${tags[@]}" ; do - docker tag ${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}:latest "$tag" + docker tag ${{ matrix.name }}:latest "$tag" #docker push "$tag" done From d64281662452cc8b7d4e3d14764c9432942beb9f Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 10:41:12 -0800 Subject: [PATCH 12/17] Add tagging and pushing to win runner workflow --- .github/workflows/runners.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 1f1d9788e2..6af9518043 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml 
@@ -117,6 +117,7 @@ jobs: - name: Tag and Push shell: bash run: | + set -x tags=( \ "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}" \ "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ steps.vars.outputs.sha_short }}" \ From 00e046d87726866c56c464cc9ee8808de8634d26 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 10:56:43 -0800 Subject: [PATCH 13/17] Add tagging and pushing to win runner workflow --- .github/workflows/runners.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 6af9518043..9bd5ace491 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml @@ -120,11 +120,11 @@ jobs: set -x tags=( \ "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}" \ - "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ steps.vars.outputs.sha_short }}" \ + "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ env.sha_short }}" \ "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:latest" \ "ghcr.io/${{ github.repository }}/${{ matrix.name }}:latest" \ "ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}" \ - "ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ steps.vars.outputs.sha_short }}" \ + "ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ env.sha_short }}" \ ) for tag in "${tags[@]}" ; do 
From 13d082c5a975a54c415df4dd25826c060c02b4cb Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 11:07:58 -0800 Subject: [PATCH 14/17] Add tagging and pushing to win runner workflow --- .github/workflows/runners.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/runners.yaml b/.github/workflows/runners.yaml index 9bd5ace491..29fdc7be20 100644 --- a/.github/workflows/runners.yaml +++ b/.github/workflows/runners.yaml @@ -115,9 +115,9 @@ jobs: cd runner docker build --build-arg RUNNER_VERSION=${{ env.RUNNER_VERSION }} -t ${{ matrix.name }} -f ${{ matrix.name }}.dockerfile . - name: Tag and Push + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} shell: bash run: | - set -x tags=( \ "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}" \ "${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ env.sha_short }}" \ @@ -129,5 +129,5 @@ jobs: for tag in "${tags[@]}" ; do docker tag ${{ matrix.name }}:latest "$tag" - #docker push "$tag" + docker push "$tag" done From 59cf47878c9ea61c25f352ee4cc9beef40498490 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 13:58:49 -0800 Subject: [PATCH 15/17] Add windows runer build to the Makefile --- runner/Makefile | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/runner/Makefile b/runner/Makefile index 930caf5592..fc22c6310b 100644 --- a/runner/Makefile +++ b/runner/Makefile @@ -1,6 +1,7 @@ DOCKER_USER ?= summerwind DOCKER ?= docker NAME ?= ${DOCKER_USER}/actions-runner +WIN_RUNNER_NAME ?= ${DOCKER_USER}/actions-runner-windows DIND_RUNNER_NAME ?= ${DOCKER_USER}/actions-runner-dind TAG ?= latest TARGETPLATFORM ?= $(shell arch) 
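Review bot: Pushing is now gated on `github.event_name == 'push' && github.ref == 'refs/heads/master'`, but the registry login performed by the `setup-docker-environment` step and the job-level `packages: write` permission are not, so Docker Hub and GHCR credentials are still provisioned into every run of this job, including ones that never push. Putting the same condition on the login step (or on the whole job) keeps the credentials out of build-only runs. Whether `refs/heads/master` matches the gate on the Linux job is outside this hunk; a mismatch would publish Windows and Linux images from different branches, so a comment naming the shared branch would help.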
@@ -65,3 +66,10 @@ docker-buildx-ubuntu: -f actions-runner-dind.dockerfile \ -t "${DIND_RUNNER_NAME}:${TAG}" \ . ${PUSH_ARG} + + +docker-build-windows: + ${DOCKER} build \ + --build-arg RUNNER_VERSION=${RUNNER_VERSION} \ + -f actions-runner-windows.dockerfile \ + -t ${WIN_RUNNER_NAME}:${TAG} . From fa7ef2be91a1d4ce6e9e822a6c90c5d99a45e5b3 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 14:01:28 -0800 Subject: [PATCH 16/17] Add docker-push-windows target to Makefile --- runner/Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/runner/Makefile b/runner/Makefile index fc22c6310b..3492d5b544 100644 --- a/runner/Makefile +++ b/runner/Makefile @@ -73,3 +73,6 @@ docker-build-windows: --build-arg RUNNER_VERSION=${RUNNER_VERSION} \ -f actions-runner-windows.dockerfile \ -t ${WIN_RUNNER_NAME}:${TAG} . + +docker-push-windows: + ${DOCKER} push ${WIN_RUNNER_NAME}:${TAG} From 403daaa0d48a97fd42ac4ca935c3473b0e7ab2b1 Mon Sep 17 00:00:00 2001 From: Igor Sarkisov Date: Thu, 10 Nov 2022 16:42:48 -0800 Subject: [PATCH 17/17] Revert change to ARC affecting Privileged bit --- controllers/new_runner_pod_test.go | 16 ++++++++++++---- controllers/runner_controller.go | 10 ++++++---- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/controllers/new_runner_pod_test.go b/controllers/new_runner_pod_test.go index 54fd75ada1..2d95601e6e 100644 --- a/controllers/new_runner_pod_test.go +++ b/controllers/new_runner_pod_test.go @@ -160,7 +160,9 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{}, + SecurityContext: &corev1.SecurityContext{ + Privileged: func() *bool { v := false; return &v }(), + }, }, { Name: "docker", 
@@ -364,7 +366,9 @@ func TestNewRunnerPod(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{}, + SecurityContext: &corev1.SecurityContext{ + Privileged: boolPtr(false), + }, }, }, RestartPolicy: corev1.RestartPolicyNever, @@ -686,7 +690,9 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{}, + SecurityContext: &corev1.SecurityContext{ + Privileged: func() *bool { v := false; return &v }(), + }, }, { Name: "docker", @@ -924,7 +930,9 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) { }, }, ImagePullPolicy: corev1.PullAlways, - SecurityContext: &corev1.SecurityContext{}, + SecurityContext: &corev1.SecurityContext{ + Privileged: boolPtr(false), + }, }, }, RestartPolicy: corev1.RestartPolicyNever, diff --git a/controllers/runner_controller.go b/controllers/runner_controller.go index f217cd5961..ae306edcbc 100644 --- a/controllers/runner_controller.go +++ b/controllers/runner_controller.go @@ -849,6 +849,10 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru runnerContainerIndex = -1 runnerContainer = &corev1.Container{ Name: containerName, + SecurityContext: &corev1.SecurityContext{ + // Runner need to run privileged if it contains DinD + Privileged: &dockerdInRunnerPrivileged, + }, } } @@ -883,10 +887,8 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru runnerContainer.SecurityContext = &corev1.SecurityContext{} } - // Runner need to run privileged if it contains DinD. - // Do not explicitly set SecurityContext.Privileged to false which is default, - // otherwise Windows pods don't get admitted on GKE. - if dockerdInRunnerPrivileged { + if runnerContainer.SecurityContext.Privileged == nil { + // Runner need to run privileged if it contains DinD runnerContainer.SecurityContext.Privileged = &dockerdInRunnerPrivileged }
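Review bot: The first controller hunk restores the explicit `Privileged: &dockerdInRunnerPrivileged` on the freshly created container and the second restores the `== nil` guard, so the controller will again emit `privileged: false` for non-DinD runners — the behaviour the first commit in this series blamed for Windows pods not being admitted on GKE. The series now ships the Windows image and workflow without saying how a Windows pod is expected to pass admission; the commit message, or a comment next to the restored guard, should state that (for example that the guard honours an explicit `securityContext` in the runner template, if that is the intended path). The second controller hunk continues past the end of the patch as shown.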