lix-project/lix-install-action
1
0
Fork 0
Code Issues 11 Pull requests Actions Packages Projects Releases Wiki Activity

Support GitHub Enterprise Server using ARC #59

Merged
grahamc merged 14 commits from graham/fh-82-nix-installer-action-explore-how-to-support-arc into main 2023-12-04 19:17:47 +00:00
Conversation 0 Commits 14 Files changed 15 +525 -558
grahamc commented 2023-12-04 16:48:03 +00:00 (Migrated from github.com)
Copy link
Description

This PR improves the action's support for environments unlike GitHub's own hosted runners. In particular, runners that don't expose systemd as PID1. This is common for GitHub Enterprise Server users, which often use something called ARC: https://github.com/actions/actions-runner-controller.

As a happy coincidence, this also closely matches other third party runners, like Namespace.

The implementation here is to fall back to borrowing Docker as a process supervisor if all three of the following are true:

  1. The machine is running Linux
  2. Docker is available
  3. Systemd is not available

This PR includes a pre-built Docker image for arm64 and amd64 in the repository, since the images are completely empty other than some configuration. This patch also updates the trusted-users configuration option, to use the OS to get the username instead of using an environment variable, which is not always available.

This patch has been tested in GHES and on Namespace, and confirmed to work.

Checklist
  • Tested changes against a test repository
  • Added or updated relevant documentation (leave unchecked if not applicable)
  • (If this PR is for a release) Updated README to point to the new tag (leave unchecked if not applicable)
##### Description This PR improves the action's support for environments unlike GitHub's own hosted runners. In particular, runners that don't expose systemd as PID1. This is common for GitHub Enterprise Server users, which often use something called ARC: https://github.com/actions/actions-runner-controller. As a happy coincidence, this also closely matches other third party runners, like Namespace. The implementation here is to fall back to borrowing Docker as a process supervisor if all three of the following are true: 1. The machine is running Linux 2. Docker is available 3. Systemd is not available This PR includes a pre-built Docker image for arm64 and amd64 in the repository, since the images are completely empty other than some configuration. This patch also updates the `trusted-users` configuration option, to use the OS to get the username instead of using an environment variable, which is not always available. This patch has been tested in GHES and on Namespace, and confirmed to work. ##### Checklist - [x] Tested changes against a test repository - [x] Added or updated relevant documentation (leave unchecked if not applicable) - [ ] (If this PR is for a release) Updated README to point to the new tag (leave unchecked if not applicable)
cole-h (Migrated from github.com) reviewed 2023-12-04 16:51:34 +00:00
docker-shim/Dockerfile
@ -0,0 +16,4 @@
--timeout=3s \
CMD ["/nix/var/nix/profiles/default/bin/nix", "store", "ping", "--store", "daemon"]
COPY ./Dockerfile /README.md
cole-h (Migrated from github.com) commented 2023-12-04 16:51:34 +00:00
Copy link

...seems weird to be copying this Dockerfile into a README.md file in the root of the image...?

...seems weird to be copying this Dockerfile into a `README.md` file in the root of the image...?
cole-h (Migrated from github.com) reviewed 2023-12-04 16:56:33 +00:00
src/main.ts
cole-h (Migrated from github.com) commented 2023-12-04 16:54:39 +00:00
Copy link

This looks wrong. Error message says "shim set to true" but this is checking the opposite?

This looks wrong. Error message says "shim set to true" but this is checking the opposite?
src/main.ts
@ -99,0 +145,4 @@
}
},
},
});
cole-h (Migrated from github.com) commented 2023-12-04 16:53:09 +00:00
Copy link

This seems like it should be an error to me...?

This seems like it should be an error to me...?
src/main.ts
@ -99,1 +175,4 @@
actions_core.endGroup();
}
private async executionEnvironment(): Promise<ExecuteEnvironment> {
cole-h (Migrated from github.com) commented 2023-12-04 16:54:00 +00:00
Copy link

Just double-checking: this will only show up if the action is being run in GHA's "debug" mode (i.e. it failed and you checked the box saying "pls run in debug mode"), right?

Just double-checking: this will only show up if the action is being run in GHA's "debug" mode (i.e. it failed and you checked the box saying "pls run in debug mode"), right?
grahamc (Migrated from github.com) reviewed 2023-12-04 16:56:36 +00:00
docker-shim/Dockerfile
@ -0,0 +16,4 @@
--timeout=3s \
CMD ["/nix/var/nix/profiles/default/bin/nix", "store", "ping", "--store", "daemon"]
COPY ./Dockerfile /README.md
grahamc (Migrated from github.com) commented 2023-12-04 16:56:36 +00:00
Copy link

It turns out if the Docker image is actually empty, a lot of Docker's tools break. So I figured the most friendly thing to do is to copy in the Dockerfile to give context about what the thing is. I didn't overthink it, just wanted to put something not entirely useless inside the container.

It turns out if the Docker image is *actually* empty, a lot of Docker's tools break. So I figured the most friendly thing to do is to copy in the Dockerfile to give context about what the thing is. I didn't overthink it, just wanted to put something not entirely useless inside the container.
colemickens (Migrated from github.com) approved these changes 2023-12-04 16:57:13 +00:00
docker-shim/README.md
@ -0,0 +47,4 @@
```
tar --options gzip:compression-level=9 -zcf ../arm64.tar.gz .
```
colemickens (Migrated from github.com) commented 2023-12-04 16:57:09 +00:00
Copy link

nit/question: I guess this is just building the arm64 version but ... "manually", thus not requiring an arm64 builder?

nit/question: I guess this is just building the arm64 version but ... "manually", thus not requiring an arm64 builder?
src/main.ts
colemickens (Migrated from github.com) commented 2023-12-04 16:53:24 +00:00
Copy link

Do you want a --restart always or --restart on-failure maybe?

Do you want a `--restart always` or `--restart on-failure` maybe?
grahamc (Migrated from github.com) reviewed 2023-12-04 16:57:46 +00:00
src/main.ts
@ -99,1 +175,4 @@
actions_core.endGroup();
}
private async executionEnvironment(): Promise<ExecuteEnvironment> {
grahamc (Migrated from github.com) commented 2023-12-04 16:57:46 +00:00
Copy link

I should double check that.

I should double check that.
grahamc (Migrated from github.com) reviewed 2023-12-04 16:57:56 +00:00
src/main.ts
grahamc (Migrated from github.com) commented 2023-12-04 16:57:55 +00:00
Copy link

Nice idea.

Nice idea.
cole-h (Migrated from github.com) reviewed 2023-12-04 16:58:17 +00:00
docker-shim/Dockerfile
@ -0,0 +16,4 @@
--timeout=3s \
CMD ["/nix/var/nix/profiles/default/bin/nix", "store", "ping", "--store", "daemon"]
COPY ./Dockerfile /README.md
cole-h (Migrated from github.com) commented 2023-12-04 16:58:16 +00:00
Copy link

Right, it just seems weird that you're copying in the Dockerfile and not the, y'know, README.md in the same directory 😆

Right, it just seems weird that you're copying in the _Dockerfile_ and not the, y'know, `README.md` in the same directory :laughing:
grahamc (Migrated from github.com) reviewed 2023-12-04 16:58:21 +00:00
docker-shim/README.md
@ -0,0 +47,4 @@
```
tar --options gzip:compression-level=9 -zcf ../arm64.tar.gz .
```
grahamc (Migrated from github.com) commented 2023-12-04 16:58:21 +00:00
Copy link

Right. Unfortunately there is no way to say "hey I promise this ~empty image can run a bunch of places :)"

Right. Unfortunately there is no way to say "hey I promise this ~empty image can run a bunch of places :)"
grahamc (Migrated from github.com) reviewed 2023-12-04 16:58:43 +00:00
src/main.ts
grahamc (Migrated from github.com) commented 2023-12-04 16:58:42 +00:00
Copy link

Neat.

Neat.
grahamc (Migrated from github.com) reviewed 2023-12-04 16:59:23 +00:00
docker-shim/Dockerfile
@ -0,0 +16,4 @@
--timeout=3s \
CMD ["/nix/var/nix/profiles/default/bin/nix", "store", "ping", "--store", "daemon"]
COPY ./Dockerfile /README.md
grahamc (Migrated from github.com) commented 2023-12-04 16:59:23 +00:00
Copy link

The README is for us :)

The README is for us :)
grahamc (Migrated from github.com) reviewed 2023-12-04 17:00:45 +00:00
src/main.ts
@ -99,0 +145,4 @@
}
},
},
});
grahamc (Migrated from github.com) commented 2023-12-04 17:00:45 +00:00
Copy link

I could make it a hard error. My thinking is if someone forces it true, then who am I to say they shouldn't be allowed to keep both pieces? But I can also imagine a thing about being conservative about our inputs. wdyt?

I could make it a hard error. My thinking is if someone _forces_ it true, then who am I to say they shouldn't be allowed to keep both pieces? But I can also imagine a thing about being conservative about our inputs. wdyt?
cole-h (Migrated from github.com) reviewed 2023-12-04 17:01:32 +00:00
docker-shim/Dockerfile
@ -0,0 +16,4 @@
--timeout=3s \
CMD ["/nix/var/nix/profiles/default/bin/nix", "store", "ping", "--store", "daemon"]
COPY ./Dockerfile /README.md
cole-h (Migrated from github.com) commented 2023-12-04 17:01:32 +00:00
Copy link

I think it would make more sense if the Dockerfile were copied to /Dockerfile, but I won't block on that.

I think it would make more sense if the Dockerfile were copied to `/Dockerfile`, but I won't block on that.
cole-h (Migrated from github.com) reviewed 2023-12-04 17:04:01 +00:00
src/main.ts
@ -99,0 +145,4 @@
}
},
},
});
cole-h (Migrated from github.com) commented 2023-12-04 17:04:01 +00:00
Copy link

If it's going to be a warning, it'd be nice to make the "keep both pieces" more explicit somehow ("unsupported" is a lot softer than "this may break at any moment, we're not responsible if it blows up your cat or locks your key inside your car").

If it's going to be a warning, it'd be nice to make the "keep both pieces" more explicit somehow ("unsupported" is a lot softer than "this may break at any moment, we're not responsible if it blows up your cat or locks your key inside your car").
grahamc (Migrated from github.com) reviewed 2023-12-04 17:14:09 +00:00
src/main.ts
@ -99,0 +145,4 @@
}
},
},
});
grahamc (Migrated from github.com) commented 2023-12-04 17:14:09 +00:00
Copy link

I'm inclined to leave it as a warning and indicate we won't setup the docker shim if you're not on Linux.

I'm inclined to leave it as a warning and indicate we won't setup the docker shim if you're not on Linux.
cole-h (Migrated from github.com) approved these changes 2023-12-04 17:15:41 +00:00
grahamc (Migrated from github.com) reviewed 2023-12-04 17:33:13 +00:00
src/main.ts
grahamc (Migrated from github.com) commented 2023-12-04 17:33:13 +00:00
Copy link

Fixed, thanks!

Fixed, thanks!
grahamc (Migrated from github.com) reviewed 2023-12-04 17:33:48 +00:00
src/main.ts
@ -99,1 +175,4 @@
actions_core.endGroup();
}
private async executionEnvironment(): Promise<ExecuteEnvironment> {
grahamc (Migrated from github.com) commented 2023-12-04 17:33:48 +00:00
Copy link

It was in fact doing that, but now it is not :).

It was in fact doing that, but now it is not :).
cole-h (Migrated from github.com) approved these changes 2023-12-04 19:17:22 +00:00
cole-h (Migrated from github.com) left a comment
Copy link

Seems fine.

Seems fine.
Sign in to join this conversation.
Reviewers
No reviewers
colemickens
cole-h
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix-install-action#59
No description provided.
Delete branch "graham/fh-82-nix-installer-action-explore-how-to-support-arc"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?