Merge branch 'master' into deregistration

Dockerfile

@@ -5,7 +5,7 @@ LABEL maintainer="myoung34@my.apsu.edu"
 ENV AGENT_TOOLSDIRECTORY=/opt/hostedtoolcache
 RUN mkdir -p /opt/hostedtoolcache
 
-ARG GH_RUNNER_VERSION="2.281.1"
+ARG GH_RUNNER_VERSION="2.282.0"
 ARG TARGETPLATFORM
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -17,8 +17,8 @@ RUN chmod +x /actions-runner/install_actions.sh \
   && /actions-runner/install_actions.sh ${GH_RUNNER_VERSION} ${TARGETPLATFORM} \
   && rm /actions-runner/install_actions.sh
 
-COPY token.sh entrypoint.sh /
-RUN chmod +x /token.sh /entrypoint.sh
+COPY token.sh entrypoint.sh ephemeral-runner.sh /
+RUN chmod +x /token.sh /entrypoint.sh /ephemeral-runner.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/actions-runner/bin/runsvc.sh"]

Dockerfile.base

@@ -12,13 +12,14 @@ ARG DOCKER_KEY="7EA0A9C3F273FCD8"
 
 ENV DOCKER_COMPOSE_VERSION="1.27.4"
 ENV LANG=en_US.UTF-8
-ENV LANGUAGE=en_US:en
-ENV LC_ALL=en_US.UTF-8 
+ENV LANGUAGE=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 ENV DEBIAN_FRONTEND=noninteractive
 # hadolint ignore=DL3003,DL4001
-RUN apt-get update && \
-  apt-get install -y --no-install-recommends \
+RUN echo en_US.UTF-8 UTF-8 >> /etc/locale.gen \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends \
     awscli \
     curl \
     tar \
@@ -45,8 +46,6 @@ RUN apt-get update && \
     python \
     dumb-init \
   && pip3 install --no-cache-dir awscliv2 \
-  && locale-gen en_US.UTF-8 \
-  && dpkg-reconfigure locales \
   && c_rehash \
   && cd /tmp \
   && curl -sL https://www.kernel.org/pub/software/scm/git/git-${GIT_VERSION}.tar.gz -o git.tgz \
@@ -56,9 +55,14 @@ RUN apt-get update && \
   && make \
   && make install \
   && cd / \
+  # Determine the Distro name (Debian, Ubuntu, etc)
+  && distro=$(lsb_release -is | awk '{print tolower($0)}') \
+  # Determine the Distro version (bullseye, xenial, etc)
+  # Note: sid is aliased to bullseye, because Docker doesn't have a matching apt repo
   && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ${DOCKER_KEY} \
-  && curl -fsSL https://download.docker.com/linux/$(lsb_release -is | awk '{print tolower($0)}')/gpg | apt-key add - \
-  && ( add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/$(lsb_release -is | awk '{print tolower($0)}') $(lsb_release -cs) stable" ) \
+  && curl -fsSL https://download.docker.com/linux/${distro}/gpg | apt-key add - \
+  && version=$(lsb_release -cs | awk '{gsub("sid", "bullseye"); print $0}') \
+  && ( add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/${distro} ${version} stable" ) \
   && apt-get update \
   && apt-get install -y docker-ce docker-ce-cli containerd.io --no-install-recommends --allow-unauthenticated \
   && [[ $(lscpu -J | jq -r '.lscpu[] | select(.field == "Vendor ID:") | .data') == "ARM" ]] && echo "Not installing docker-compose. See https://github.com/docker/compose/issues/6831" || ( curl -sL "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose ) \

README.md

@@ -28,9 +28,9 @@ A workaround exists, please see [here](https://github.com/myoung34/docker-github
 | --- | --- | --- | --- | --- | --- |
 | ubuntu focal | `x86_64`,`arm64` | `/\d\.\d{3}\.\d+/` | [latest](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=latest) | This is the latest build (Rebuilt nightly and on master merges). Tags without an OS name are included. | Tags without an OS name *before* 9/17/2020 are `eoan`. `armv7` support stopped 9/18/2020 due to inconsistent docker-ce packaging |
 | ubuntu bionic | `x86_64`,`armv7`,`arm64` | `/\d\.\d{3}\.\d+-ubuntu-bionic/` | [ubuntu-bionic](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=ubuntu-bionic) | This is the latest build from bionic (Rebuilt nightly and on master merges). Tags with `-ubuntu-bionic` are included and created on [upstream tags](https://github.com/actions/runner/tags). | |
-| debian buster | `x86_64`,`arm64`,`armv7` |  `/\d\.\d{3}\.\d+-debian-buster/` | [debian-buster](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=debian-buster) | This is the latest build from buster (Rebuilt nightly and on master merges). Tags with `-debian-buster` are included and created on [upstream tags](https://github.com/actions/runner/tags). | |
-| debian bullseye | `x86_64`,`arm64`,`armv7` |  `/\d\.\d{3}\.\d+-debian-bullseye/` | [debian-bullseye](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=debian-bullseye) | This is the latest build from bullseye (Rebuilt nightly and on master merges). Tags with `-debian-bullseye` are included and created on [upstream tags](https://github.com/actions/runner/tags). | Debian Bullseye will be the next stable release of Debian Linux. |
-| debian sid | `x86_64`,`arm64`,`admv7` |  `/\d\.\d{3}\.\d+-debian-sid/` | [debian-sid](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=debian-sid) | This is the latest build from sid (Rebuilt nightly and on master merges). Tags with `-debian-sid` are included and created on [upstream tags](https://github.com/actions/runner/tags). | Debian sid is considered unstable by Debian. |
+| debian buster | `x86_64`,`arm64`,`armv7` |  `/\d\.\d{3}\.\d+-debian-buster/` | [debian-buster](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=debian-buster) | This is the latest build from buster (Rebuilt nightly and on master merges). Tags with `-debian-buster` are included and created on [upstream tags](https://github.com/actions/runner/tags). | Buster is Debians current old-stable release. |
+| debian bullseye | `x86_64`,`arm64`,`armv7` |  `/\d\.\d{3}\.\d+-debian-bullseye/` | [debian-bullseye](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=debian-bullseye) | This is the latest build from bullseye (Rebuilt nightly and on master merges). Tags with `-debian-bullseye` are included and created on [upstream tags](https://github.com/actions/runner/tags). | Bullseye is Debians current stable release. |
+| debian sid | `x86_64`,`arm64`,`admv7` |  `/\d\.\d{3}\.\d+-debian-sid/` | [debian-sid](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=debian-sid) | This is the latest build from sid (Rebuilt nightly and on master merges). Tags with `-debian-sid` are included and created on [upstream tags](https://github.com/actions/runner/tags). | Sid is considered unstable by Debian. |
 | ubuntu xenial | `x86_64`,`arm64` |  `/\d\.\d{3}\.\d+-ubuntu-xenial/` | [ubuntu-xenial](https://hub.docker.com/r/myoung34/github-runner/tags?page=1&name=ubuntu-xenial) | This is the latest build from xenial (Rebuilt nightly and on master merges). Tags with `-ubuntu-xenial` are included and created on [upstream tags](https://github.com/actions/runner/tags). | This is deprecated as of 7/15/2021 and will no longer receive tags. |
 
 These containers are built via Github actions that [copy the dockerfile](https://github.com/myoung34/docker-github-actions-runner/blob/master/.github/workflows/deploy.yml#L47), changing the `FROM` and building to provide simplicity.
@@ -315,3 +315,56 @@ docker run -d --restart always --name github-runner \
   -v /tmp/github-runner-your-repo:/tmp/github-runner-your-repo \
   myoung34/github-runner:latest
 ```
+
+## Ephemeral mode
+
+GitHub's hosted runners are completely ephemeral.  You can remove all its data without breaking all future jobs.
+
+To achieve the same resilience in a self-hosted runner:
+  1. override the command for your runner with `/ephemeral-runner.sh` (which will terminate after one job executes)
+  2. don't mount a local folder into `RUNNER_WORKDIR` (to ensure no filesystem persistence)
+  3. run the container with `--rm` (to delete it after termination)
+  4. wrap the container execution in a system service that restarts (to start a fresh container after each job)
+
+Here's an example service definition for systemd:
+
+```
+# Install with:
+#   sudo install -m 644 ephemeral-github-actions-runner.service /etc/systemd/system/
+#   sudo systemctl daemon-reload
+#   sudo systemctl enable ephemeral-github-actions-runner
+# Run with:
+#   sudo systemctl start ephemeral-github-actions-runner
+# Stop with:
+#   sudo systemctl stop ephemeral-github-actions-runner
+# See live logs with:
+#   journalctl -f -u ephemeral-github-actions-runner.service --no-hostname --no-tail
+
+[Unit]
+Description=Ephemeral GitHub Actions Runner Container
+After=docker.service
+Requires=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStartPre=-/usr/bin/docker pull myoung34/github-runner:latest
+ExecStart=/usr/bin/docker run --rm --env-file /etc/ephemeral-github-actions-runner.env --name %n myoung34/ephemeral-github-actions-runner:latest /ephemeral-runner.sh
+
+[Install]
+WantedBy=multi-user.target
+```
+
+And an example of the corresponding env file that the service reads from:
+
+```
+# Install with:
+#   sudo install -m 600 ephemeral-github-actions-runner.env /etc/
+REPO_URL=https://github.com/your-org/your-repo
+RUNNER_NAME=your-runner-name-here
+ACCESS_TOKEN=foo-access-token
+RUNNER_WORKDIR=/tmp/runner/work
+LABELS=any-custom-labels-go-here
+```

ephemeral-runner.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+echo "*** Starting ephemeral runner. ***"
+/actions-runner/run.sh --once
+rv=$?
+
+# See exit code constants in the runner source here:
+# https://github.com/actions/runner/blob/be96323/src/Runner.Common/Constants.cs#L135
+if [[ $rv == 4 ]]; then
+  # The runner software was updated.
+  echo "*** Software update detected. ***"
+
+  echo "*** Waiting for update to complete. ***"
+  # Hard-coded sleep.  Without some delay, the update is still in progress in
+  # the background, leading to failures when we re-launch.
+  sleep 10
+
+  # Now add an adaptive delay, where we loop and check if the Runner is usable
+  # yet.  As soon as it is, break.
+  for i in $(seq 10); do
+    if /actions-runner/bin/Runner.Listener --version &>/dev/null; then
+      break
+    fi
+
+    echo "*** Update still in progress... ***"
+    sleep 5
+  done
+
+  # Now re-launch the script.
+  echo "*** Re-launching runner. ***"
+  exec "$0"
+fi
+
+# For any other return value, let the script and the Docker container terminate.
+echo "*** Exit code $rv ***"
+exit $rv