Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
stylenone

First see Adding Github Actions to a repo

If you have a repo or a job that is inappropriate to run on a shared resource, you may contact it@tufts.edu and request ESCP to create a custom private runner. For their convenience, include a link to this page in your request.

For ESCP:

...

If the runner is only needed by a single repo:

  • On the system where you want the runner to run, add the gitrunner1 service account, then login and sudo su - gitrunner1 become that user.

  • Browse (or have the user browse) to the repo in the GitHub web interface. Click Settings > Actions > Runners. Create a new runner. This will only be accessible by this repo.

  • They give you some instructions to install and configure the runner, but you need a few modifications:

    Code Block
    # Create a folder
    $ mkdir actions-runner && cd actions-runner
    # Download the latest runner package
    
    Use whatever latest version they gave you:
    $ curl -o actions-runner-linux-x64-[...]
    $ tar xzf ./actions-runner-linux-x64-[...]
    
    # Create the runner and start the configuration experience
    $ ./config.sh --url [...]
    # !!!!
    # !!!! When prompted for name of runner group, just press enter for default.
    # !!!! When prompted for name of runner, use hostname_username, for example, myhost-dev-01_gitrunner1
    # !!!! When prompted for additional labels, enter "rhel-8" or whatever
    # !!!! When prompted for work folder, press Enter for default _work
    # !!!!
    
    # !!!!!! DON'T DO THIS! This will launch the runner once in the terminal,
    # !!!!!! and it will die when you logout. Instead, see below
    # Last step, run it!
    $ ./run.sh
    
    # (Yes, do this). To run as a service:
    # as root:
    # In the following, Don't just copy and paste. Edit before doing it.
    #     runasuser=gitrunnerX
    #     cd /home/${runasuser}/actions-runner
    #     ./svc.sh install ${runasuser}
    #         It will create a service, and display the service name. You can start, such as:
    #         systemctl enable --now actions.runner.Tufts-Technology-Services.myhost-dev-01_${runasuser}
    
    # TODO!!
    # selinux will block the runner.
    # Going to have to do some of this:
    # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext

If the runner could be used by multiple repositories, create a restricted access Runner Group:

...

Go to the Organization. Settings > Actions > Runner groups.

...

Create a new runner group.

...

Edit the group properties, and select which permissions to apply. (Which repos are allowed to use this runner group)

...

Install the runner as described in the section above for a single runner, BUT when prompted for name of runner group, specify your new runner group.

...

Installation

You will need an on-prem machine and service account to run the runner. Either you or someone from ESCP will need root privilege to configure the service. Please contact escp-ticket@tufts.edu to create these.

Info

Note that Github maintains a matrix of requirements for self-hosted runners. When your OS version goes EOL, your runner will soon follow and may encounter difficulties starting the runner service. You’ll want to ensure that you migrate/upgrade your runner OS ahead of the EOL schedule of your OS. See:https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#linux

After the service account is created, someone with root privileges should do this:

  • If you are not a member of ESCP, document what you’re doing however you document things.

    • If you are a member of ESCP, document in the node.yaml file:

      Code Block
      # See https://tuftswork.atlassian.net/wiki/spaces/ESPTS/pages/499220519/Making+a+private+Github+Runner
      # Git Runner installed as user 'foobaruser' connected to repo [URL of github repo]
      #     Note: This runner will die after the OS is EOL. For RHEL 8 this is May 31, 2029
      #     Note: This runner will die after the OS is EOL. For RHEL 9 this is May 31, 2032
  • In your web browser, browse to your repository.

  • Go to Settings > Actions > Runners > New Self-Hosted Runner.

  • It will give you a series of commands to paste into the terminal. Instead of pasting them into the terminal, do this:

    • Find the line that says "./config.sh --url=..."

    • Get the URL and the token.

    • Read the URL to ensure it's a specific repository, not the organization or whatever.

    • Run this script as root. The script installs the runner, creates the service, and launches the service as the service account. It records the URL of which repository it's working for, in the service account's home directory under "actions-runner-url.txt":

      Code Block
      # Optionally, if you need your runner to have any custom label, you may specify --labels=
      /root/bin/create-gitrunner.sh username GithubRepositoryURL token [--labels=foobarlabel]
  • Browse back to Actions > Runners, and confirm the new runner appears there, with a green Status, and Idle.

GHA Runner service and systemd+selinux

The OOTB experience when installing the runner in a separate user’s home directory is that the runner will not operate correctly on any system with selinux enabled, such as onprem RHEL9 builds.

For generic notes on selinux, see: SELinux

While the runner installer does attempt to set things properly:

Code Block
languagebash
Creating launch runner in /etc/systemd/system/actions.runner.Tufts-Technology-Services-runner-name.service
Run as user: username
Run as uid: nnn
gid: nnn
Relabeled /etc/systemd/system/actions.runner.Tufts-Technology-Services-runner-name.service from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:systemd_unit_file_t:s0
Created symlink /etc/systemd/system/multi-user.target.wants/actions.runner.Tufts-Technology-Services-runner-name.service → /etc/systemd/system/actions.runner.Tufts-Technology-Services-runner-name.service.
Finished. Service is running.

this only changes the context of the service itself. The service will try to run a shell script inside the user directory and this will fail:

Code Block
# example outputs from systemctl/journalctl
date hostname systemd[1092642]: actions.runner.Tufts-Technology-Services-runner-name.service: Failed at step EXEC spawning /home/username/actions-runner/runsvc.sh: P>
date hostname systemd[1]: actions.runner.Tufts-Technology-Services-runner-name.service: Main process exited, code=exited, status=203/EXEC

# error if you look at selinux messages
type=AVC msg=audit(1724335071.274:92964): avc:  denied  { execute } for  pid=242535 comm="(unsvc.sh)" name="runsvc.sh" dev="dm-5" ino=407846 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclas
s=file permissive=0

The fix is to update the selinux context:

Code Block
# note that this change is not persistent across relabels
chcon -R -t bin_t /home/username/actions-runner

# this change preserves the context
semanage fcontext -a -t bin_t "/home/username/actions-runner(/.*)"

Note that you could probably skip the chcon command, run the 
semanage command, and then use restorecon to reapply the new changes.

Removing a private runner

If you installed a runner as above and need to remove it:

  • Login as root

    Code Block
    cd ${service_user}/actions-runner
    ./svc.sh uninstall
    
    rm -rf ${service_user}/actions-runner
  • Look in ${service_user}/actions-runner-url.txt

    • Browse to that repository > Settings > Actions > Runners, and force-remove the runner.

  • Finally rm ${service_user}/actions-runner-url.txt

If you need separate CI/CD runners on Dev & Prod

  • Install a runner on dev, and another on prod, using --labels=develop and --labels=main or whatever. It is customary to match your branch names.

  • Note: you should set up an ssh deploy key, and for the “first run,” you’ll need to clone your repo onto the system into your working-directory manually

  • Create two separate workflows in your repository, like this:

    • .github/workflows/autodeploy-develop.yml

      Code Block
      name: autodeploy-develop
      on:
        push:
          branches:
            - develop
      jobs:
        autodeploy:
          runs-on: [ self-hosted, develop ]
          steps:
            - working-directory: /path/to/repository
              run: git pull
    • .github/workflows/autodeploy-main.yml

      Code Block
      name: autodeploy-main
      on:
        push:
          branches:
            - main
      jobs:
        autodeploy:
          runs-on: [ self-hosted, main ]
          steps:
            - working-directory: /path/to/repository
              run: git pull