chor: Update ubuntu example with rootless docker and non privileged user (#433)

* Update ubuntu example:
- stream log to clouwatch
- re-use install and configure from module
- add rootless docker
- install in non privileges user account (runners)

Update module
- refactor user_data, splitting in seperate parts

* Run pre-commit forced

Author: npalm

README.md

@@ -27,9 +27,9 @@ module "runners" {
     webhook_secret = random_password.random.result
   }
 
-  webhook_lambda_zip                = "lambdas-download/webhook.zip"
-  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
-  runners_lambda_zip                = "lambdas-download/runners.zip"
+  # webhook_lambda_zip                = "lambdas-download/webhook.zip"
+  # runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+  # runners_lambda_zip                = "lambdas-download/runners.zip"
 
   enable_organization_runners = false
   runner_extra_labels         = "ubuntu,example"
@@ -49,6 +49,17 @@ module "runners" {
     device_name = "/dev/sda1"
   }
 
+  runner_log_files = [
+    {
+      "file_path" : "/var/log/user-data.log",
+      "log_stream_name" : "{instance_id}/user_data"
+    },
+    {
+      "file_path" : "/home/runners/actions-runner/_diag/Runner_**.log",
+      "log_stream_name" : "{instance_id}/runner"
+    }
+  ]
+
   # Uncommet idle config to have idle runners from 9 to 5 in time zone Amsterdam
   # idle_config = [{
   #   cron      = "* * 9-17 * * *"

examples/ubuntu/main.tf

@@ -1,37 +1,63 @@
-#!/bin/bash -e
+#!/bin/bash -x
 exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1
 
+${pre_install}
+
 # Install AWS CLI
 apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get install -y awscli jq
+DEBIAN_FRONTEND=noninteractive apt-get install -y awscli jq curl wget git uidmap
+
+USER_NAME=runners
+useradd -m -s /bin/bash $USER_NAME
+USER_ID=$(id -ru $USER_NAME)
+
+# install and configure cloudwatch logging agent
+wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
+dpkg -i -E ./amazon-cloudwatch-agent.deb
+amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:${ssm_key_cloudwatch_agent_config}
+
+# configure systemd for running service in users accounts
+cat >/etc/systemd/[email protected] <<-EOF
+
+[Unit]
+Description=User Manager for UID %i
+After=user-runtime-dir@%i.service
+Wants=user-runtime-dir@%i.service
+
+[Service]
+LimitNOFILE=infinity
+LimitNPROC=infinity
+User=%i
+PAMName=systemd-user
+Type=notify
+
+[Install]
+WantedBy=default.target
 
-# Install runner
-cd /home/ubuntu
-mkdir actions-runner && cd actions-runner
+EOF
 
-aws s3 cp ${s3_location_runner_distribution} actions-runner.tar.gz
-tar xzf ./actions-runner.tar.gz
-rm -rf actions-runner.tar.gz
+echo export XDG_RUNTIME_DIR=/run/user/$USER_ID >>/home/$USER_NAME/.profile
 
-INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+systemctl daemon-reload
+systemctl enable [email protected]
+systemctl start [email protected]
 
-echo wait for configuration
-while [[ $(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value") == null ]]; do
-    echo Waiting for configuration ...
-    sleep 1
-done
-CONFIG=$(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value")
-aws ssm delete-parameter --name ${environment}-$INSTANCE_ID --region $REGION
+curl -fsSL https://get.docker.com/rootless >>/opt/rootless.sh && chmod 755 /opt/rootless.sh
+su -l $USER_NAME -c /opt/rootless.sh
+echo export DOCKER_HOST=unix:///run/user/$USER_ID/docker.sock >>/home/$USER_NAME/.profile
+echo export PATH=/home/$USER_NAME/bin:$PATH >>/home/$USER_NAME/.profile
 
-export RUNNER_ALLOW_RUNASROOT=1
+# Run docker service by default
+loginctl enable-linger $USER_NAME
+su -l $USER_NAME -c "systemctl --user enable docker"
 
-sudo -u ubuntu mkdir /home/ubuntu/work
+${install_config_runner}
 
-./bin/installdependencies.sh
-./config.sh --unattended --name $INSTANCE_ID --work "/home/ubuntu/work" $CONFIG
+# config runner for rootless docker
+cd /home/$USER_NAME/actions-runner/
+echo DOCKER_HOST=unix:///run/user/$USER_ID/docker.sock >>.env
+echo PATH=/home/$USER_NAME/bin:$PATH >>.env
 
-chown -R ubuntu:ubuntu .
-./svc.sh install ubuntu
+${post_install}
 
 ./svc.sh start

examples/ubuntu/templates/user-data.sh

@@ -119,7 +119,7 @@ module "runner_binaries" {
 
   distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}"
 
-  runner_architecture              = substr(var.instance_type, 0, 2) == "a1" || substr(var.instance_type, 1, 2) == "6g" ? "arm64" : "x64"
+  runner_architecture              = local.runner_architecture
   runner_allow_prerelease_binaries = var.runner_allow_prerelease_binaries
 
   lambda_s3_bucket                = var.lambda_s3_bucket

main.tf

@@ -9,12 +9,14 @@ locals {
     var.tags,
   )
 
-  name_sg               = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"]
-  name_runner           = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"]
-  role_path             = var.role_path == null ? "/${var.environment}/" : var.role_path
-  instance_profile_path = var.instance_profile_path == null ? "/${var.environment}/" : var.instance_profile_path
-  lambda_zip            = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip
-  userdata_template     = var.userdata_template == null ? "${path.module}/templates/user-data.sh" : var.userdata_template
+  name_sg                        = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"]
+  name_runner                    = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"]
+  role_path                      = var.role_path == null ? "/${var.environment}/" : var.role_path
+  instance_profile_path          = var.instance_profile_path == null ? "/${var.environment}/" : var.instance_profile_path
+  lambda_zip                     = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip
+  userdata_template              = var.userdata_template == null ? "${path.module}/templates/user-data.sh" : var.userdata_template
+  userdata_arm_patch             = "${path.module}/templates/arm-runner-patch.tpl"
+  userdata_install_config_runner = "${path.module}/templates/install-config-runner.sh"
 }
 
 data "aws_ami" "runner" {
@@ -81,16 +83,24 @@ resource "aws_launch_template" "runner" {
     environment                     = var.environment
     pre_install                     = var.userdata_pre_install
     post_install                    = var.userdata_post_install
-    s3_location_runner_distribution = var.s3_location_runner_binaries
-    service_user                    = var.runner_as_root ? "root" : "ec2-user"
-    runner_architecture             = var.runner_architecture
     enable_cloudwatch_agent         = var.enable_cloudwatch_agent
     ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
+    install_config_runner           = local.install_config_runner
   }))
 
   tags = local.tags
 }
 
+locals {
+  arm_patch = var.runner_architecture == "arm64" ? templatefile(local.userdata_arm_patch, {}) : ""
+  install_config_runner = templatefile(local.userdata_install_config_runner, {
+    environment                     = var.environment
+    s3_location_runner_distribution = var.s3_location_runner_binaries
+    run_as_root_user                = var.runner_as_root ? "root" : ""
+    arm_patch                       = local.arm_patch
+  })
+}
+
 resource "aws_security_group" "runner_sg" {
   name_prefix = "${var.environment}-github-actions-runner-sg"
   description = "Github Actions Runner security group"

modules/runners/main.tf

@@ -0,0 +1,49 @@
+# Patch for ARM64 (no ICU install by default)
+yum install -y patch
+patch -p1 <<ICU_PATCH
+diff -Naur a/bin/Runner.Listener.runtimeconfig.json b/bin/Runner.Listener.runtimeconfig.json
+--- a/bin/Runner.Listener.runtimeconfig.json	2020-07-01 02:21:09.000000000 +0000
++++ b/bin/Runner.Listener.runtimeconfig.json	2020-07-28 00:02:38.748868613 +0000
+@@ -8,7 +8,8 @@
+       }
+     ],
+     "configProperties": {
+-      "System.Runtime.TieredCompilation.QuickJit": true
++      "System.Runtime.TieredCompilation.QuickJit": true,
++      "System.Globalization.Invariant": true
+     }
+   }
+-}
+\ No newline at end of file
++}
+diff -Naur a/bin/Runner.PluginHost.runtimeconfig.json b/bin/Runner.PluginHost.runtimeconfig.json
+--- a/bin/Runner.PluginHost.runtimeconfig.json	2020-07-01 02:21:22.000000000 +0000
++++ b/bin/Runner.PluginHost.runtimeconfig.json	2020-07-28 00:02:59.358680003 +0000
+@@ -8,7 +8,8 @@
+       }
+     ],
+     "configProperties": {
+-      "System.Runtime.TieredCompilation.QuickJit": true
++      "System.Runtime.TieredCompilation.QuickJit": true,
++      "System.Globalization.Invariant": true
+     }
+   }
+-}
+\ No newline at end of file
++}
+diff -Naur a/bin/Runner.Worker.runtimeconfig.json b/bin/Runner.Worker.runtimeconfig.json
+--- a/bin/Runner.Worker.runtimeconfig.json	2020-07-01 02:21:16.000000000 +0000
++++ b/bin/Runner.Worker.runtimeconfig.json	2020-07-28 00:02:19.159028531 +0000
+@@ -8,7 +8,8 @@
+       }
+     ],
+     "configProperties": {
+-      "System.Runtime.TieredCompilation.QuickJit": true
++      "System.Runtime.TieredCompilation.QuickJit": true,
++      "System.Globalization.Invariant": true
+     }
+   }
+-}
+\ No newline at end of file
++}
+ICU_PATCH

modules/runners/templates/arm-runner-patch.tpl

@@ -0,0 +1,33 @@
+cd /home/$USER_NAME
+mkdir actions-runner && cd actions-runner
+
+aws s3 cp ${s3_location_runner_distribution} actions-runner.tar.gz
+tar xzf ./actions-runner.tar.gz
+rm -rf actions-runner.tar.gz
+
+${arm_patch}
+
+INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
+REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+
+echo wait for configuration
+while [[ $(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value") == null ]]; do
+    echo Waiting for configuration ...
+    sleep 1
+done
+CONFIG=$(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value")
+aws ssm delete-parameter --name ${environment}-$INSTANCE_ID --region $REGION
+
+export RUNNER_ALLOW_RUNASROOT=1
+os_id=$(awk -F= '/^ID/{print $2}' /etc/os-release)
+if [[ "$os_id" =~ ^ubuntu.* ]]; then
+    ./bin/installdependencies.sh
+fi
+
+./config.sh --unattended --name $INSTANCE_ID --work "_work" $CONFIG
+
+chown -R $USER_NAME:$USER_NAME .
+OVERWRITE_SERVICE_USER=${run_as_root_user}
+SERVICE_USER=$${OVERWRITE_SERVICE_USER:-$USER_NAME}
+
+./svc.sh install $SERVICE_USER

modules/runners/templates/install-config-runner.sh

@@ -17,82 +17,8 @@ usermod -a -G docker ec2-user
 
 yum install -y curl jq git
 
-# Install runner
-cd /home/ec2-user
-mkdir actions-runner && cd actions-runner
-
-aws s3 cp ${s3_location_runner_distribution} actions-runner.tar.gz
-tar xzf ./actions-runner.tar.gz
-rm -rf actions-runner.tar.gz
-
-%{ if runner_architecture == "arm64" ~}
-# Patch for ARM64 (no ICU install by default)
-yum install -y patch
-patch -p1 <<ICU_PATCH
-diff -Naur a/bin/Runner.Listener.runtimeconfig.json b/bin/Runner.Listener.runtimeconfig.json
---- a/bin/Runner.Listener.runtimeconfig.json	2020-07-01 02:21:09.000000000 +0000
-+++ b/bin/Runner.Listener.runtimeconfig.json	2020-07-28 00:02:38.748868613 +0000
-@@ -8,7 +8,8 @@
-       }
-     ],
-     "configProperties": {
--      "System.Runtime.TieredCompilation.QuickJit": true
-+      "System.Runtime.TieredCompilation.QuickJit": true,
-+      "System.Globalization.Invariant": true
-     }
-   }
--}
-\ No newline at end of file
-+}
-diff -Naur a/bin/Runner.PluginHost.runtimeconfig.json b/bin/Runner.PluginHost.runtimeconfig.json
---- a/bin/Runner.PluginHost.runtimeconfig.json	2020-07-01 02:21:22.000000000 +0000
-+++ b/bin/Runner.PluginHost.runtimeconfig.json	2020-07-28 00:02:59.358680003 +0000
-@@ -8,7 +8,8 @@
-       }
-     ],
-     "configProperties": {
--      "System.Runtime.TieredCompilation.QuickJit": true
-+      "System.Runtime.TieredCompilation.QuickJit": true,
-+      "System.Globalization.Invariant": true
-     }
-   }
--}
-\ No newline at end of file
-+}
-diff -Naur a/bin/Runner.Worker.runtimeconfig.json b/bin/Runner.Worker.runtimeconfig.json
---- a/bin/Runner.Worker.runtimeconfig.json	2020-07-01 02:21:16.000000000 +0000
-+++ b/bin/Runner.Worker.runtimeconfig.json	2020-07-28 00:02:19.159028531 +0000
-@@ -8,7 +8,8 @@
-       }
-     ],
-     "configProperties": {
--      "System.Runtime.TieredCompilation.QuickJit": true
-+      "System.Runtime.TieredCompilation.QuickJit": true,
-+      "System.Globalization.Invariant": true
-     }
-   }
--}
-\ No newline at end of file
-+}
-ICU_PATCH
-%{ endif ~}
-
-INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
-
-echo wait for configuration
-while [[ $(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value") == null ]]; do
-  echo Waiting for configuration ...
-  sleep 1
-done
-CONFIG=$(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value")
-aws ssm delete-parameter --name ${environment}-$INSTANCE_ID --region $REGION
-
-export RUNNER_ALLOW_RUNASROOT=1
-./config.sh --unattended --name $INSTANCE_ID --work "_work" $CONFIG
-
-chown -R ec2-user:ec2-user .
-./svc.sh install ${service_user}
+USER_NAME=ec2-user
+${install_config_runner}
 
 ${post_install}