Initial commit
commit
6bad640821
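--- a/.SRCINFO
+++ b/.SRCINFO
@@ -0,0 +1,33 @@
+pkgbase = woodpecker-agent-sudo
+pkgdesc = A simple CI engine with great extensibility (agent), patched to use sudo to run local pipelines
+pkgver = 1.0.2
+pkgrel = 1
+url = https://woodpecker-ci.org
+arch = x86_64
+license = Apache
+makedepends = git
+makedepends = go
+depends = glibc
+depends = sudo
+optdepends = docker: Docker backend
+optdepends = podman: Podman backend
+conflicts = woodpecker-agent
+replaces = woodpecker-agent
+options = !lto
+backup = etc/woodpecker/agent.env
+source = woodpecker::git+https://github.com/woodpecker-ci/woodpecker#commit=d9e06696bf85f260a0550d58301ac396874b32e3
+source = agent-systemd.service
+source = agent-sysusers.conf
+source = agent-tmpfiles.conf
+source = agent.env
+source = sudo.patch
+source = sudoers
+b2sums = SKIP
+b2sums = 6f5833c1d4db8f287f5a9877687fb0d8d66c91e80e9bbb0a78910f315e6dd4cba01131dfca20bcceaeb828833187ee6161b33272050967e3e1cea4cb2665cf57
+b2sums = 373a5889c899445c4b583a48e6d0ff67d4572e30e0dfd0842b389e9338712771ec053ee3771202fe2874ee8bbfb7cb5965a04cf10d4071100c4f7c89cf2a14f3
+b2sums = b6479a7f3b3cf1ecaf0fc4e0653de10176af29b780ff716bf038077d70b0440e45a649ccd5ad9a12d5f52c9eecf9b5d8b5a01510a53eec7b664162c8bb9153ab
+b2sums = 9d64fa22d5fcfb8634926220aeb89b0fa914d8e04ee39fe14abf3f170292ab2dc875fe3fe14b054ca8173c167cec4d93518d15d5f08698bd70d86dec7728dee8
+b2sums = 3f7cb5620859d171b0fc9c177c09388a830bdc2343f8182bb794c18544070a78f6fd692c699c5c9fda262bf4919bb53a696ea7396c4e9c7e987788f052e9f19f
+b2sums = 85b75986c0df0853126eb20ce80861337654646bb3df02666b6c77962090df12be35eac11dab724d96c4c4b1e6c373ce0a8d6b99843232be0311273bddb1141a
+
+pkgname = woodpecker-agent-sudo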
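--- a/PKGBUILD
+++ b/PKGBUILD
@@ -0,0 +1,93 @@
+# Maintainer: Anthony Wang <a at exozy dot me>
+# Contributor: George Rawlinson <grawlinson@archlinux.org>
+# Contributor: Ersei <samb at disroot dot org>
+
+_pkgname='woodpecker-agent'
+pkgname=$_pkgname-sudo
+pkgver=1.0.2
+pkgrel=1
+pkgdesc='A simple CI engine with great extensibility (agent), patched to use sudo to run local pipelines'
+arch=('x86_64')
+url='https://woodpecker-ci.org'
+license=('Apache')
+depends=('glibc' 'sudo')
+optdepends=(
+'docker: Docker backend'
+'podman: Podman backend'
+)
+makedepends=('git' 'go')
+options=('!lto')
+_commit='d9e06696bf85f260a0550d58301ac396874b32e3'
+replaces=($_pkgname)
+conflicts=($_pkgname)
+backup=('etc/woodpecker/agent.env')
+source=(
+"woodpecker::git+https://github.com/woodpecker-ci/woodpecker#commit=$_commit"
+'agent-systemd.service'
+'agent-sysusers.conf'
+'agent-tmpfiles.conf'
+'agent.env'
+'sudo.patch'
+'sudoers'
+)
+b2sums=('SKIP'
+'6f5833c1d4db8f287f5a9877687fb0d8d66c91e80e9bbb0a78910f315e6dd4cba01131dfca20bcceaeb828833187ee6161b33272050967e3e1cea4cb2665cf57'
+'373a5889c899445c4b583a48e6d0ff67d4572e30e0dfd0842b389e9338712771ec053ee3771202fe2874ee8bbfb7cb5965a04cf10d4071100c4f7c89cf2a14f3'
+'b6479a7f3b3cf1ecaf0fc4e0653de10176af29b780ff716bf038077d70b0440e45a649ccd5ad9a12d5f52c9eecf9b5d8b5a01510a53eec7b664162c8bb9153ab'
+'9d64fa22d5fcfb8634926220aeb89b0fa914d8e04ee39fe14abf3f170292ab2dc875fe3fe14b054ca8173c167cec4d93518d15d5f08698bd70d86dec7728dee8'
+'3f7cb5620859d171b0fc9c177c09388a830bdc2343f8182bb794c18544070a78f6fd692c699c5c9fda262bf4919bb53a696ea7396c4e9c7e987788f052e9f19f'
+'85b75986c0df0853126eb20ce80861337654646bb3df02666b6c77962090df12be35eac11dab724d96c4c4b1e6c373ce0a8d6b99843232be0311273bddb1141a')
+
+pkgver() {
+cd woodpecker
+
+git describe --tags | sed 's/^v//'
+}
+
+prepare() {
+cd woodpecker
+
+patch -p1 < ../sudo.patch
+
+# create directory for build output
+mkdir -p build
+
+# download dependencies
+export GOPATH="${srcdir}"
+go mod download
+}
+
+build() {
+cd woodpecker
+
+# set Go flags
+export CGO_CPPFLAGS="${CPPFLAGS}"
+export CGO_CFLAGS="${CFLAGS}"
+export CGO_CXXFLAGS="${CXXFLAGS}"
+export GOPATH="${srcdir}"
+
+# build server/agent/cli
+go build -v \
+-buildmode=pie \
+-mod=readonly \
+-modcacherw \
+-ldflags "-compressdwarf=false \
+-linkmode external \
+-extldflags ${LDFLAGS}" \
+-o build \
+./cmd/agent
+}
+
+package() {
+# systemd integration
+install -vDm644 agent-systemd.service "$pkgdir/usr/lib/systemd/system/$_pkgname.service"
+install -vDm644 agent-sysusers.conf "$pkgdir/usr/lib/sysusers.d/$_pkgname.conf"
+install -vDm644 agent-tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/$_pkgname.conf"
+install -vDm644 agent.env -t "$pkgdir/etc/woodpecker"
+install -vDm644 sudoers -t "$pkgdir/etc/sudoers.d/99_woodpecker"
+
+cd woodpecker
+
+# binary
+install -vDm755 build/agent "$pkgdir/usr/bin/$_pkgname"
+}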
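Review bot: In package(), `install -vDm644 sudoers -t "$pkgdir/etc/sudoers.d/99_woodpecker"` passes `-t`, so `99_woodpecker` is created as a directory and the rule ends up at `/etc/sudoers.d/99_woodpecker/sudoers`. sudo's include-directory handling does not appear to read files nested in a subdirectory, so the rule the patched agent relies on may never be loaded. Installing it as a file with the conventional restrictive mode avoids both problems: `install -vDm440 sudoers "$pkgdir/etc/sudoers.d/99_woodpecker"`. The `sudoers` source itself is not part of this commit view, so what it grants to `woodpecker-agent` could not be reviewed. It deserves a comment stating which target users and commands it is meant to allow.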
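--- a/agent-systemd.service
+++ b/agent-systemd.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Woodpecker agent
+Documentation=https://woodpecker-ci.org/docs/intro
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User=woodpecker-agent
+Group=woodpecker-agent
+EnvironmentFile=/etc/woodpecker/agent.env
+ExecStart=/usr/bin/woodpecker-agent
+RestartSec=5
+Restart=on-failure
+SyslogIdentifier=woodpecker-agent
+WorkingDirectory=/var/lib/woodpecker-agent
+ReadWritePaths=/var/lib/woodpecker-agent
+
+[Install]
+WantedBy=multi-user.target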
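Review bot: `ReadWritePaths=/var/lib/woodpecker-agent` has no effect in this unit, because nothing here (no `ProtectSystem=` or similar) makes any path read-only. The service therefore runs with the unrestricted filesystem view of the `woodpecker-agent` account. Hardening such as `NoNewPrivileges=` is presumably absent because the patched agent has to run setuid sudo, but the unit does not say so. Suggest a comment above `[Service]`, for example `# Sandboxing is intentionally minimal: the agent must be able to invoke sudo for local pipelines.`, and removing the inert `ReadWritePaths=` line so the unit does not look more confined than it is.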
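--- a/agent-sysusers.conf
+++ b/agent-sysusers.conf
@@ -0,0 +1 @@
+u woodpecker-agent - "Woodpecker agent daemon user" /var/lib/woodpecker-agent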
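--- a/agent-tmpfiles.conf
+++ b/agent-tmpfiles.conf
@@ -0,0 +1 @@
+d /var/lib/woodpecker-agent 0750 woodpecker-agent woodpecker-agent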
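--- a/agent.env
+++ b/agent.env
@@ -0,0 +1,59 @@
+# Configures gRPC address of the server.
+# Default: localhost:9000
+#WOODPECKER_SERVER=
+
+# The gRPC username.
+# Default: x-oauth-basic
+#WOODPECKER_USERNAME=
+
+# A shared secret used by server and agents to authenticate communication. A secret can be generated by openssl rand -hex 32.
+# Default: empty
+#WOODPECKER_AGENT_SECRET=
+
+# Configures the logging level. Possible values are trace, debug, info, warn, error, fatal, panic, disabled and empty.
+# Default: empty
+#WOODPECKER_LOG_LEVEL=
+
+# Enable pretty-printed debug output.
+# Default: false
+#WOODPECKER_DEBUG_PRETTY=
+
+# Disable colored debug output.
+# Default: true
+#WOODPECKER_DEBUG_NOCOLOR=
+
+# Configures the agent hostname.
+# Default: empty
+#WOODPECKER_HOSTNAME=
+
+# Configures the number of parallel builds.
+# Default: 1
+#WOODPECKER_MAX_PROCS=
+
+# Enable healthcheck endpoint.
+# Default: true
+#WOODPECKER_HEALTHCHECK=
+
+# After a duration of this time of no activity, the agent pings the server to check if the transport is still alive.
+# Default: empty
+#WOODPECKER_KEEPALIVE_TIME=
+
+# After pinging for a keepalive check, the agent waits for a duration of this time before closing the connection if no activity.
+# Default: 20s
+#WOODPECKER_KEEPALIVE_TIMEOUT=
+
+# Configures if the connection to WOODPECKER_SERVER should be made using a secure transport.
+# Default: false
+#WOODPECKER_GRPC_SECURE=
+
+# Configures if the gRPC server certificate should be verified, only valid when WOODPECKER_GRPC_SECURE is true.
+# Default: true
+#WOODPECKER_GRPC_VERIFY=
+
+# Configures the backend engine to run pipelines on. Possible values are auto-detect or docker.
+# Default: auto-detect
+#WOODPECKER_BACKEND=
+
+# Path to Docker or Podman socket. Can be an SSH address.
+# Default: unix:///var/run/docker.sock
+#DOCKER_HOST=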
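Review bot: This file is where `WOODPECKER_AGENT_SECRET` gets set, yet the PKGBUILD in this commit installs it with `install -vDm644 agent.env -t "$pkgdir/etc/woodpecker"`, so the shared secret is readable by every local account. With this package that includes the accounts pipeline steps are switched to through sudo. systemd normally loads `EnvironmentFile=` before dropping to `User=`, so a root-owned file closed to others should still work: `install -vDm600 agent.env -t "$pkgdir/etc/woodpecker"` (worth confirming on a test install). A header comment such as `# Holds the agent secret: keep this file unreadable to other users.` would also keep the mode from being loosened later.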
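--- a/sudo.patch
+++ b/sudo.patch
@@ -0,0 +1,70 @@
+diff --git a/pipeline/backend/local/local.go b/pipeline/backend/local/local.go
+index 2405c19bb..50321b8e7 100644
+--- a/pipeline/backend/local/local.go
++++ b/pipeline/backend/local/local.go
+@@ -44,7 +44,7 @@ var notAllowedEnvVarOverwrites = []string{
+
+type workflowState struct {
+stepCMDs map[string]*exec.Cmd
+- baseDir string
++ user string
+homeDir string
+workspaceDir string
+}
+@@ -79,23 +79,17 @@ func (e *local) Load(context.Context) error {
+func (e *local) SetupWorkflow(_ context.Context, conf *types.Config, taskUUID string) error {
+log.Trace().Str("taskUUID", taskUUID).Msg("create workflow environment")
+
+- baseDir, err := os.MkdirTemp("", "woodpecker-local-*")
+- if err != nil {
+- return err
+- }
++ user := conf.Stages[0].Steps[0].Environment["CI_COMMIT_AUTHOR"]
+
+state := &workflowState{
+stepCMDs: make(map[string]*exec.Cmd),
+- baseDir: baseDir,
+- workspaceDir: filepath.Join(baseDir, "workspace"),
+- homeDir: filepath.Join(baseDir, "home"),
+- }
+-
+- if err := os.Mkdir(state.homeDir, 0o700); err != nil {
+- return err
++ user: user,
++ workspaceDir: filepath.Join("/tmp", user, conf.Stages[0].Steps[0].Environment["CI_REPO_NAME"]),
++ homeDir: filepath.Join("/home", user),
+}
+
+- if err := os.Mkdir(state.workspaceDir, 0o700); err != nil {
++ err := exec.Command("sudo", "-u", state.user, "mkdir", "-p", state.workspaceDir).Run()
++ if err != nil {
+return err
+}
+
+@@ -132,7 +126,8 @@ func (e *local) StartStep(ctx context.Context, step *types.Step, taskUUID string
+// Set HOME
+env = append(env, "HOME="+state.homeDir)
+
+- var command []string
++ // Run command as commit author user
++ command := []string{"sudo", "-E", "-u", state.user}
+if step.Image == constant.DefaultCloneImage {
+// Default clone step
+// TODO: use tmp HOME and insert netrc and delete it after clone
+@@ -209,16 +204,6 @@ func (e *local) TailStep(_ context.Context, step *types.Step, taskUUID string) (
+func (e *local) DestroyWorkflow(_ context.Context, conf *types.Config, taskUUID string) error {
+log.Trace().Str("taskUUID", taskUUID).Msgf("delete workflow environment")
+
+- state, err := e.getWorkflowStateFromConfig(conf)
+- if err != nil {
+- return err
+- }
+-
+- err = os.RemoveAll(state.baseDir)
+- if err != nil {
+- return err
+- }
+-
+workflowID, err := e.getWorkflowIDFromConfig(conf)
+if err != nil {
+return err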
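Review bot: The account handed to `sudo -u` in SetupWorkflow and StartStep is taken unchecked from `CI_COMMIT_AUTHOR`, which comes from commit and forge metadata rather than from anything the agent host controls, and it is also joined into the workspace and home paths together with `CI_REPO_NAME`. Nothing verifies that the name is an account the operator intends pipelines to run as, that it is not `root`, that sudo cannot parse it as an option or numeric id, or that the joined path stays below `/tmp`; `conf.Stages[0].Steps[0]` also panics when a workflow has no stages or steps. The block below bounds-checks the config, validates both values before use (`allowedUser` and `safePathElem` stand for a check against an operator-maintained allowlist and a plain-name pattern), and ends sudo's option parsing with `--`. Separately, `sudo -E` in StartStep carries the caller's environment across the user switch, so confirm that `env` never includes the agent's own variables such as `WOODPECKER_AGENT_SECRET`; DestroyWorkflow also no longer removes the workspace, leaving checkouts at a predictable path under `/tmp`. SetupWorkflow, StartStep and DestroyWorkflow all continue outside the hunks shown.

```go
func (e *local) SetupWorkflow(_ context.Context, conf *types.Config, taskUUID string) error {
	// … unchanged: trace log …
	if len(conf.Stages) == 0 || len(conf.Stages[0].Steps) == 0 {
		return errors.New("local backend: workflow has no steps")
	}
	stepEnv := conf.Stages[0].Steps[0].Environment
	user, repo := stepEnv["CI_COMMIT_AUTHOR"], stepEnv["CI_REPO_NAME"]
	// Both values originate from commit/forge metadata: accept only vetted names.
	if !allowedUser(user) || !safePathElem(repo) {
		return fmt.Errorf("local backend: refusing author %q, repo %q", user, repo)
	}
	// … unchanged: workflowState construction (use repo for workspaceDir) …
	err := exec.Command("sudo", "-u", state.user, "--", "mkdir", "-p", state.workspaceDir).Run()
```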