feat: image factory runner images

.github/workflows/docker-build-if-runner.yml

@@ -0,0 +1,41 @@
+name: Build Image Factory Runner
+
+on:
+ push:
+ paths:
+ - ".github/workflows/docker-build-if-runner.yml"
+ - "images/docker/image-factory-runner/**"
+ workflow_dispatch:
+
+jobs:
+ docker-build:
+ runs-on: ubuntu-latest
+
+ env: 
+ IMAGE_NAME: "image-factory-runner"
+ IMAGE_TAG: "${{ github.run_number }}"
+ REGISTRY: ${{ secrets.REGISTRY }}
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Log in to Azure Container Registry
+ uses: azure/docker-login@v1
+ with:
+ login-server: ${{ secrets.REGISTRY }}
+ username: ${{ secrets.ACR_USERNAME }}
+ password: ${{ secrets.ACR_PASSWORD }}
+
+ - name: Build Docker Image
+ run: docker build -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG images/docker/image-factory-runner
+
+ - name: Push Docker image
+ run: |
+ docker push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG
+
+ - name: Tag and push Docker image as latest
+ # if: github.ref == 'refs/heads/main' # TODO: uncomment once we are done with development
+ run: |
+ docker tag $REGISTRY/$IMAGE_NAME:$IMAGE_TAG $REGISTRY/$IMAGE_NAME:latest
+ docker push $REGISTRY/$IMAGE_NAME:latest

.github/workflows/packer-build-if-vm.yml

@@ -0,0 +1,95 @@
+name: Build Image Factory VM
+
+on:
+ push:
+ paths:
+ - ".github/workflows/packer-build-if-vm.yml"
+ - "images/packer/image-factory-vm/**"
+ workflow_dispatch:
+
+jobs:
+
+ packer-build:
+ runs-on: ubuntu-latest
+
+ env:
+ AZ_CLI_VERSION: 2.64.0
+ PACKER_VERSION: 1.9.4
+
+ AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+ AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
+ AZURE_ACG: ${{ vars.AZURE_ACG }}
+ AZURE_CREDENTIALS: |
+ {
+ "clientId": "${{ secrets.AZURE_CLIENT_ID }}",
+ "clientSecret": "${{ secrets.AZURE_CLIENT_SECRET }}",
+ "subscriptionId": "${{ secrets.AZURE_SUBSCRIPTION_ID }}",
+ "tenantId": "${{ secrets.AZURE_TENANT_ID }}"
+ }
+
+ IMAGE_NAME: "image-factory-vm"
+ IMAGE_PUBLISHER: "wp10-image-factory"
+ IMAGE_OFFER: "wp10-image-factory-vm"
+ IMAGE_SKU: "v1"
+ IMAGE_OS_TYPE: "linux"
+ IMAGE_VERSION: "${{ github.run_number }}"
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Azure Login
+ uses: azure/login@v2
+ with:
+ creds: ${{ env.AZURE_CREDENTIALS }}
+
+ - name: Create Azure Image Definition
+ uses: azure/cli@v2
+ with:
+ azcliversion: ${{ env.AZ_CLI_VERSION }}
+ inlineScript: |
+ set +e
+ az sig image-definition show \
+ --resource-group "$AZURE_RESOURCE_GROUP" \
+ --gallery-name "$AZURE_ACG" \
+ --gallery-image-definition "$IMAGE_NAME" \
+ --query "name" -o tsv
+ az_exit_code=$?
+ set -e
+ if [ $az_exit_code -eq 3 ]; then
+ echo "Image definition does not exist. Creating it..."
+ az sig image-definition create \
+ --resource-group "$AZURE_RESOURCE_GROUP" \
+ --gallery-name "$AZURE_ACG" \
+ --gallery-image-definition "$IMAGE_NAME" \
+ --publisher "$IMAGE_PUBLISHER" \
+ --offer "$IMAGE_OFFER" \
+ --sku "$IMAGE_SKU" \
+ --os-type "$IMAGE_OS_TYPE"
+ else
+ echo "Image definition '$IMAGE_NAME' already exists."
+ fi
+
+ - name: Template Packer vars file
+ uses: cuchi/[email protected]
+ with:
+ template: images/packer/image-factory-vm/values.auto.pkrvars.hcl.j2
+ output_file: images/packer/image-factory-vm/values.auto.pkrvars.hcl
+
+ - name: Setup Packer
+ uses: hashicorp/setup-packer@main
+ with:
+ version: ${{ env.PACKER_VERSION }}
+
+ - name: Packer Init
+ run: packer init images/packer/image-factory-vm
+
+ - name: Packer Build
+ run: |
+ packer build \
+ -var "client_id=${{ secrets.AZURE_CLIENT_ID }}" \
+ -var "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \
+ -var "tenant_id=${{ secrets.AZURE_TENANT_ID }}" \
+ -var "subscription_id=${{ secrets.AZURE_SUBSCRIPTION_ID }}" \
+ images/packer/image-factory-vm
+

images/docker/image-factory-runner/Dockerfile

@@ -0,0 +1,87 @@
+FROM ubuntu:22.04
+
+ARG RUNNER_VERSION=2.319.1
+ARG RUNNER_ARCH=x64
+
+ENV DEBIAN_FRONTEND=noninteractive \
+ USER_NAME=gha \
+ USER_GROUP=gha \
+ USER_HOME=/opt/gha
+
+# Update and install packadges and dependencies
+RUN apt-get update -y && \
+ apt-get upgrade -y && \
+ apt-get install --no-install-recommends -y \
+ apt-transport-https \
+ buildah \
+ ca-certificates \
+ curl \
+ git \
+ gnupg \
+ jq \
+ libcap2-bin \
+ lsb-release \
+ podman \
+ slirp4netns \
+ software-properties-common \
+ unzip \
+ vim \
+ wget && \
+ rm -rf /var/lib/apt/lists/*
+
+
+# Create runner user
+RUN mkdir -p ${USER_HOME} && \
+ useradd -r -d ${USER_HOME} -s /sbin/nologin -c "GitHub Actions User" ${USER_NAME} && \ 
+ chown ${USER_GROUP}:${USER_NAME} ${USER_HOME}
+
+# Add podman configuration file(s) 
+ADD files/containers.conf /etc/containers/containers.conf
+RUN chmod 644 /etc/containers/containers.conf
+
+# Setup for rootless podman
+RUN usermod --add-subuids 100000-165535 --add-subgids 100000-165535 ${USER_NAME}
+
+# Enable rootless podman to setup namespace using newuidmap
+# - referrence: https://github.com/containers/podman/issues/2788#issuecomment-1016301663
+RUN chmod u-s /usr/bin/newuidmap /usr/bin/newgidmap && \
+ setcap cap_setuid+eip /usr/bin/newuidmap && \
+ setcap cap_setgid+eip /usr/bin/newgidmap 
+
+# Change to runner workdir
+WORKDIR ${USER_HOME}
+
+# Download GitHub Actions runner
+RUN mkdir actions-runner && \
+ cd actions-runner && \
+ curl -o actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz -L https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz && \
+ tar xzf ./actions-runner-linux-${RUNNER_ARCH}-${RUNNER_VERSION}.tar.gz && \
+ chown -R ${USER_NAME} ${USER_HOME}
+
+# Install additional dependencies
+RUN actions-runner/bin/installdependencies.sh
+
+# Add start script and make it executable
+ADD scripts/start-github-runner.sh start-github-runner.sh
+RUN chmod +x start-github-runner.sh
+
+# Install packer
+RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - && \
+ apt-add-repository "deb [arch=${RUNNER_ARCH}] https://apt.releases.hashicorp.com $(lsb_release -cs) main" && \
+ apt-get update -y && \
+ apt-get install packer
+
+# Install Azure CLI
+RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
+# Install Trivy
+RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add - && \
+ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list && \
+ apt-get update && \
+ apt-get install trivy
+
+# Set runner user
+USER ${USER_NAME}
+
+# Set start script as an entrypoint
+ENTRYPOINT ["./start-github-runner.sh"]

images/docker/image-factory-runner/files/containers.conf

@@ -0,0 +1,2 @@
+[containers]
+# further configuration will be needed to support podman run command

images/docker/image-factory-runner/scripts/start-github-runner.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+GITHUB_OWNER=$GITHUB_OWNER
+GITHUB_REPOSITORY=$GITHUB_REPOSITORY
+GITHUB_TOKEN=$(cat /.pat/.token)
+GITHUB_RUNNER_NAME="image-factory-runner"
+
+echo "Getting runner registration token from GitHub..."
+REG_TOKEN=$(curl -sX POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPOSITORY}/actions/runners/registration-token | jq .token --raw-output)
+
+# Add this part once PAT token generation is set up on the runner host VM 
+# - new PAT token will be generated as a pre task to each runner container start
+#
+# echo "Removing PAT token from runner filesystem"
+# rm -rf /.pat/.token
+
+echo "Connect runner to GitHub:"
+cd actions-runner
+./config.sh \
+ --url https://github.com/${GITHUB_OWNER}/${GITHUB_REPOSITORY} \
+ --token ${REG_TOKEN} \
+ --name ${RUNNER_NAME} \
+ --unattended \
+ --ephemeral \
+ --replace \
+ --disableupdate
+
+./run.sh & wait $!

images/packer/image-factory-vm/azure.pkr.hcl

@@ -0,0 +1,31 @@
+source "azure-arm" "vm" {
+ client_id = var.client_id
+ client_secret = var.client_secret
+ subscription_id = var.subscription_id
+ tenant_id = var.tenant_id
+ location = var.location
+
+ managed_image_name = "${var.gallery_image_name}-${formatdate("DD-MMM-YYYY-hh-mm-ss", timestamp())}"
+ managed_image_resource_group_name = var.resource_group
+
+ communicator = "ssh"
+ os_type = "Linux"
+ image_publisher = "Canonical"
+ image_offer = "0001-com-ubuntu-server-jammy"
+ image_sku = "22_04-lts-gen2"
+
+ vm_size = "Standard_B2ms"
+
+ public_ip_sku = "Standard"
+
+ shared_image_gallery_destination {
+ subscription = var.subscription_id
+ resource_group = var.resource_group
+ gallery_name = var.gallery_name
+ image_name = var.gallery_image_name
+ image_version = var.gallery_image_version
+ target_region {
+ name = var.location
+ }
+ }
+}

images/packer/image-factory-vm/build.pkr.hcl

@@ -0,0 +1,21 @@
+build {
+ sources = [
+ "source.azure-arm.vm"
+ ]
+
+ provisioner "file" {
+ source = "images/packer/image-factory-vm/scripts/setup-vm.sh"
+ destination = "/tmp/setup.sh"
+ }
+
+ provisioner "shell" {
+ execute_command = "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'"
+
+ inline = [
+ "chmod +x /tmp/setup.sh",
+ "/tmp/setup.sh"
+ ]
+
+ inline_shebang = "/bin/sh -x"
+ }
+}

images/packer/image-factory-vm/plugins.pkr.hcl

@@ -0,0 +1,8 @@
+packer {
+ required_plugins {
+ azure = {
+ source = "github.com/hashicorp/azure"
+ version = "~> 1"
+ }
+ }
+}

images/packer/image-factory-vm/scripts/setup-vm.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+# Set the DEBIAN_FRONTEND to noninteractive
+export DEBIAN_FRONTEND=noninteractive
+
+# Update and upgrade the system
+apt-get update
+apt-get upgrade -y
+
+# Deprovision user
+/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync
+
+# Install required packages
+apt-get install --no-install-recommends -y \
+ apt-transport-https \
+ buildah \
+ ca-certificates \
+ curl \
+ git \
+ gnupg \
+ jq \
+ libcap2-bin \
+ lsb-release \
+ podman \
+ slirp4netns \
+ software-properties-common \
+ unzip \
+ vim \
+ wget
+
+# Clean up
+rm -rf /var/lib/apt/lists/*
+
+# Install Azure CLI
+curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
+# Set up Trivy repository and install Trivy
+wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
+echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list
+apt-get update
+apt-get install -y trivy

images/packer/image-factory-vm/values.auto.pkrvars.hcl.j2

@@ -0,0 +1,5 @@
+location = "{{ env['AZURE_LOCATION'] }}"
+resource_group = "{{ env['AZURE_RESOURCE_GROUP'] }}"
+gallery_name = "{{ env['AZURE_ACG'] }}"
+gallery_image_name = "{{ env['IMAGE_NAME'] }}"
+gallery_image_version = "1.0.{{ env['IMAGE_VERSION'] }}"