Merge pull request #5573 from mook-as/e2e/runner-linux

GitHub Linux runner infra

.github/actions/spelling/excludes.txt

@@ -40,6 +40,7 @@
 \.jks$
 \.jpe?g$
 \.key$
+\.kiwi$
 \.lib$
 \.lock$
 \.map$
@@ -92,3 +93,4 @@ ignore$
 ^\Qpkg/rancher-desktop/utils/_demo_marketplace_items.js\E$
 ^\Qpkg/rancher-desktop/utils/_demo_metadata.js\E$
 (?:^|/)pkg/rancher-desktop/nuxt/
+^\Qsrc/disk-images/github-runner-linux/root/etc/sysconfig/network/ifcfg-\E

.github/actions/spelling/expect.txt

@@ -258,6 +258,7 @@ gazornaanplatt
 gcs
 GENERALIZEDTIME
 getwindowid
+ghp
 gitmodules
 gitrepo
 gke
@@ -336,12 +337,14 @@ itp
 iwr
 jan
 jetstack
+jitconfig
 joycelin
 jpe
 jsmith
 julianb
 karl
 Kaspersky
+kata
 kde
 KDM
 keychain
@@ -502,6 +505,7 @@ nsis
 NSISUNINSTALLCOMMAND
 nspr
 nss
+nullglob
 nuxt
 nuxtjs
 nxt
@@ -544,6 +548,7 @@ pdp
 persistentvolume
 persistentvolumeclaim
 PFlags
+PGID
 pgrep
 pidfile
 pids
@@ -567,6 +572,8 @@ portforward
 portmap
 portproxy
 postrotate
+Powerdown
+poweroff
 PQgrl
 prakhar
 prebuilds
@@ -589,6 +596,7 @@ pushable
 pvc
 PWSTR
 qcow
+qmp
 rackspace
 rancherdesktop
 rancherkubernetesengine
@@ -763,6 +771,7 @@ vde
 ventura
 vertificate
 vfoo
+vhdx
 virt
 virtio
 virtiofs

.github/actions/spelling/patterns.txt

@@ -96,6 +96,9 @@ regexp?\.MustCompile\(`[^`]*`\)
 # gist github
 \bgist\.github\.com/[^/\s"]+/[0-9a-f]+
 
+# GitHub repositories and paths from there
+\bgithub\.com/[/a-zA-Z0-f_-]*/
+
 # Questionably acceptable forms of `in to`
 # Personally, I prefer `log into`, but people object
 # https://www.tprteaching.com/log-into-log-in-to-login/
@@ -140,8 +143,14 @@ regexp?\.MustCompile\(`[^`]*`\)
 \b([A-Za-z])\g{-1}{3,}\b
 
 # Don't check names in dependabot.yml reviewers section
-^\s+reviewers:\s*\[\s*"(?:Nino-K|ericpromislow)"\s*\]
+^\s+reviewers:\s*\[\s*"[^",]+"\s*\]
 
-# Directives to skip the current full line (intended for extension names and 
+# Directives to skip the current full line (intended for extension names and
 # their related account names):
 ^.*spellcheck-ignore-line.*$
+
+# Don't check package names
+^\s*zypper\b.*\binstall\b.*
+
+# Allow golangci in GitHub workflows:
+\buses:\s*golangci/golangci-lint-action\b

.github/dependabot.yml

@@ -55,6 +55,14 @@ updates:
     labels: ["component/dependencies"]
     reviewers: [ "Nino-K" ]
 
+  - package-ecosystem: "gomod"
+    directory: "/src/go/github-runner-monitor"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 1
+    labels: ["component/dependencies"]
+    reviewers: [ "mook-as" ]
+
   - package-ecosystem: "gomod"
     directory: "/src/go/mock-wsl"
     schedule:

.github/workflows/github-runner-build-image.yaml

@@ -0,0 +1,31 @@
+# This workflow builds the Linux self-hosted GitHub Runner disk image.
+name: 'GitHub Runner: Build Linux Image'
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container:
+      image: registry.opensuse.org/opensuse/leap:15
+      options: --privileged
+    steps:
+    - run: >-
+        zypper --non-interactive install python3-kiwi kiwi-systemdeps-disk-images sudo tar
+    - run: echo 'ALL ALL=(ALL:ALL) NOPASSWD:ALL' > /etc/sudoers.d/nopasswd
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+        sparse-checkout: src/disk-images/github-runner-linux
+    - run: ./build-image.sh
+      working-directory: src/disk-images/github-runner-linux
+    - uses: actions/upload-artifact@v3
+      with:
+        name: github-runner-image.qcow2.zip
+        path: src/disk-images/github-runner-linux/*.qcow2
+        if-no-files-found: error

.github/workflows/github-runner-monitor-build.yaml

@@ -0,0 +1,38 @@
+# This workflow builds the GitHub runner
+name: 'GitHub Runner: Build Monitor'
+
+on:
+  push:
+    paths: [ src/go/github-runner-monitor/** ]
+  pull_request:
+    paths: [ src/go/github-runner-monitor/** ]
+  workflow_dispatch:
+
+permissions:
+  # This uses external actions, lock things down to read-only.
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+        sparse-checkout: src/go/github-runner-monitor
+    - uses: actions/setup-go@v4
+      with:
+        go-version-file: src/go/github-runner-monitor/go.mod
+        cache-dependency-path: src/go/github-runner-monitor/go.sum
+    - run: go build .
+      working-directory: src/go/github-runner-monitor
+    - uses: actions/upload-artifact@v3
+      with:
+        name: github-runner-linux
+        path: src/go/github-runner-monitor/github-runner-monitor
+        if-no-files-found: error
+    - uses: golangci/[email protected]
+      # This is only safe because this workflow does not allow writing
+      with:
+        working-directory: src/go/github-runner-monitor
+        only-new-issues: true

docs/development/github-runner-setup.md

@@ -66,3 +66,45 @@ Icon | Context
 [Scoop]: https://github.com/ScoopInstaller/Install#typical-installation
 [requires admin]: https://github.com/actions/setup-python/blob/main/docs/advanced-usage.md#windows
 [instructions]: https://github.com/rancher-sandbox/rancher-desktop/settings/actions/runners/new?arch=x64&os=win
+
+## Linux
+
+### Prerequisites
+
+- A host machine with `qemu-system-x86_64` (ideally with working KVM
+  acceleration).
+- A minimum of 6GB of RAM per ephemeral worker (plus overhead).
+
+### Configuration
+
+1. Build the image found in [`/src/disk-images/github-runner-linux`], or
+   download the image built via GitHub Actions.
+1. Build [`/src/go/github-runner-monitor`], or download the executable built via
+   GitHub Actions.
+1. Generate a GitHub access token (classic coarse-grained) with `repo`
+   privileges.
+1. On the runner host, execute the monitor:
+   ```
+   /usr/bin/env GITHUB_AUTH_TOKEN=ghp_000000000000000000 ./github-runner-monitor
+   ```
+   Use `./github-runner-monitor --help` to see options available, such as the
+   number of CPUs / amount of RAM to allocate per runner, or the number of
+   runners to maintain at a time.
+1. Alternatively, set up a systemd unit or similar, possibly based on:
+   ```ini
+   [Unit]
+   Description=GitHub Runner Monitor
+   After=network.target
+
+   [Service]
+   Type=simple
+   TimeoutStopSec=5min
+   Environment="GITHUB_AUTH_TOKEN=ghp_000000000000000000"
+   ExecStart=/usr/local/bin/github-runner-monitor
+
+   [Install]
+   WantedBy=multi-user.target
+   ```
+
+[`/src/disk-images/github-runner-linux`]: /src/disk-images/github-runner-linux
+[`/src/go/github-runner-monitor`]: /src/go/github-runner-monitor

src/disk-images/.gitignore

@@ -0,0 +1,2 @@
+*.vhdx
+*.qcow2

src/disk-images/github-runner-linux/README.md

@@ -0,0 +1,10 @@
+# github-runner-linux
+
+This is a [kiwi-ng](https://osinside.github.io/kiwi/) definition for a VM disk
+image for use as a self-hosted GitHub runner.
+
+## Usage
+
+The image can be built using `./build-image.sh` from an OpenSUSE host (or a
+container running OpenSUSE).  `sudo` access will be required to delete the
+temporary directory, as well as to copy the output image around.

src/disk-images/github-runner-linux/build-image.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# Copyright © 2023 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit -o nounset
+
+cleanup() {
+    if [[ -n "${WORKDIR:-}" && -d "${WORKDIR}" ]]; then
+        sudo rm -rf "${WORKDIR}"
+    fi
+}
+trap cleanup EXIT
+
+WORKDIR="$(mktemp --tmpdir --directory kiwi.github-runner-linux.XXXXXX)"
+IMAGE_NAME="${1:-}"
+
+if [[ "${#@}" -gt 0 ]]; then
+    shift
+fi
+
+global_options=()
+local_options=()
+
+while [[ "${#@}" -gt 0 ]]; do
+    case "$1" in
+    --color-output) global_options+=("$1");;
+    --config=*) global_options+=("$1");;
+    --config) global_options+=("$1" "$2"); shift;;
+    --logfile=*) global_options+=("$1");;
+    --logfile) global_options+=("$1" "$2"); shift;;
+    --debug) global_options+=("$1");;
+    --debug-run-scripts-in-screen) global_options+=("$1");;
+    --version|-v) global_options+=("$1");;
+    --profile=*) global_options+=("$1");;
+    --profile) global_options+=("$1" "$2"); shift;;
+    --shared-cache-dir=*) global_options+=("$1");;
+    --shared-cache-dir) global_options+=("$1" "$2"); shift;;
+    --temp-dir=*) global_options+=("$1");;
+    --temp-dir) global_options+=("$1" "$2"); shift;;
+    *) local_options+=("$1");;
+    esac
+    shift
+done
+
+sudo kiwi "${global_options[@]}" system build \
+    --description "${PWD}" \
+    --target-dir "${WORKDIR}" \
+    "${local_options[@]}"
+
+shopt -s nullglob # One of the two below will be missing
+cp "${WORKDIR}"/github-runner-linux.x86_64-*.qcow2 \
+   "${WORKDIR}"/github-runner-linux.x86_64-*.vhdx \
+   "${IMAGE_NAME:-./}"

src/disk-images/github-runner-linux/config.kiwi

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<image schemaversion="7.4" name="github-runner-linux">
+    <description type="system">
+        <author>Mook-as</author>
+        <contact>[email protected]</contact>
+        <specification>GitHub runner (Linux) for Rancher Desktop</specification>
+    </description>
+    <profiles>
+        <profile name="qcow2" description="qcow2 image for qemu" import="true"/>
+        <profile name="vhdx" description="vhdx image for Hyper-V"/>
+    </profiles>
+    <preferences>
+        <version>1.0.0</version>
+        <packagemanager>zypper</packagemanager>
+        <locale>en_US</locale>
+        <keytable>us</keytable>
+        <timezone>UTC</timezone>
+        <rpm-excludedocs>true</rpm-excludedocs>
+    </preferences>
+    <preferences profiles="qcow2">
+        <type image="oem" filesystem="xfs" firmware="uefi" format="qcow2">
+            <size unit="G">1024</size>
+            <oemconfig>
+                <oem-unattended>true</oem-unattended>
+            </oemconfig>
+        </type>
+    </preferences>
+    <preferences profiles="vhdx">
+        <type image="oem" filesystem="xfs" firmware="uefi" format="vhdx">
+            <size unit="G">1024</size>
+            <oemconfig>
+                <oem-unattended>true</oem-unattended>
+            </oemconfig>
+        </type>
+    </preferences>
+    <repository type="rpm-md" imageinclude="true">
+        <source path="obs://openSUSE:Leap:15.5/standard"/>
+    </repository>
+    <packages type="image">
+        <!-- base image -->
+        <package name="dracut"/>
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="kernel-default"/>
+        <package name="openSUSE-build-key"/>
+        <package name="patterns-base-bootloader"/>
+        <!-- GitHub runner dependencies -->
+        <package name="lttng-ust"/>
+        <package name="libopenssl1_1"/>
+        <package name="krb5"/>
+        <package name="zlib"/>
+        <package name="libicu &lt; 65"/>
+        <package name="sudo"/>
+        <package name="git"/>
+        <!-- Depdencies for building Rancher Desktop -->
+        <package name="jq"/>
+        <package name="nodejs-devel"/>
+        <namedCollection name="devel_basis"/>
+        <namedCollection name="devel_C_C++"/>
+        <!-- Dependencies for running Rancher Desktop -->
+        <package name="openssh-clients"/> <!-- for lima -->
+        <package name="xvfb-run"/> <!-- run things under x11 -->
+        <package name="chromium"/> <!-- things we need to run Electron -->
+        <package name="libgtk-3-0"/> <!-- also for Electron -->
+        <package name="noto-sans-fonts"/> <!-- need any font -->
+    </packages>
+    <packages type="bootstrap">
+        <package name="glibc-locale"/>
+        <package name="openSUSE-release"/>
+    </packages>
+    <users>
+        <user pwdformat="plain" password="suse" home="/root" name="root" groups="root"/>
+        <user pwdformat="plain" password="suse" name="runner" groups="runner,docker,kvm"/>
+    </users>
+</image>