add dockerEnabled option (#191 )

Add dockerEnabled option for users who does not need docker and want not to run privileged container. if `dockerEnabled == false`, dind container not run, and there are no privileged container. Do the same as closed #96
Use tcp DOCKER_HOST instead of sharing docker.sock (#177 )
2025-12-10 11:41:27 +00:00 · 2020-11-16 09:41:12 +09:00 · 2020-11-16 09:32:29 +09:00 · 2020-11-12 09:20:06 +09:00 · 2020-11-12 08:07:52 +09:00
9 changed files with 29 additions and 13 deletions
--- a/api/v1alpha1/runner_types.go
+++ b/api/v1alpha1/runner_types.go
@@ -84,6 +84,8 @@ type RunnerSpec struct {
 	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
 	// +optional
 	DockerdWithinRunnerContainer *bool `json:"dockerdWithinRunnerContainer,omitempty"`
 	// +optional
 	DockerEnabled *bool `json:"dockerEnabled,omitempty"`
 }
 // ValidateRepository validates repository field.
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -530,6 +530,11 @@ func (in *RunnerSpec) DeepCopyInto(out *RunnerSpec) {
 		*out = new(bool)
 		**out = **in
 	}
 	if in.DockerEnabled != nil {
 		in, out := &in.DockerEnabled, &out.DockerEnabled
 		*out = new(bool)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerSpec.
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
@@ -400,6 +400,8 @@ spec:
                          - name
                        type: object
                      type: array
                    dockerEnabled:
                      type: boolean
                    dockerdContainerResources:
                      description: ResourceRequirements describes the compute resource requirements.
                      properties:
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
@@ -400,6 +400,8 @@ spec:
                          - name
                        type: object
                      type: array
                    dockerEnabled:
                      type: boolean
                    dockerdContainerResources:
                      description: ResourceRequirements describes the compute resource requirements.
                      properties:
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
@@ -393,6 +393,8 @@ spec:
                  - name
                type: object
              type: array
            dockerEnabled:
              type: boolean
            dockerdContainerResources:
              description: ResourceRequirements describes the compute resource requirements.
              properties:
--- a/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
@@ -400,6 +400,8 @@ spec:
                          - name
                        type: object
                      type: array
                    dockerEnabled:
                      type: boolean
                    dockerdContainerResources:
                      description: ResourceRequirements describes the compute resource requirements.
                      properties:
--- a/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
@@ -400,6 +400,8 @@ spec:
                          - name
                        type: object
                      type: array
                    dockerEnabled:
                      type: boolean
                    dockerdContainerResources:
                      description: ResourceRequirements describes the compute resource requirements.
                      properties:
--- a/config/crd/bases/actions.summerwind.dev_runners.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runners.yaml
@@ -393,6 +393,8 @@ spec:
                  - name
                type: object
              type: array
            dockerEnabled:
              type: boolean
            dockerdContainerResources:
              description: ResourceRequirements describes the compute resource requirements.
              properties:
--- a/controllers/runner_controller.go
+++ b/controllers/runner_controller.go
@@ -299,6 +299,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 	var (
 		privileged      bool = true
 		dockerdInRunner bool = runner.Spec.DockerdWithinRunnerContainer != nil && *runner.Spec.DockerdWithinRunnerContainer
 		dockerEnabled   bool = runner.Spec.DockerEnabled == nil || *runner.Spec.DockerEnabled
 	)
 	runnerImage := runner.Spec.Image
@@ -373,7 +374,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 		},
 	}
-	if !dockerdInRunner {
+	if !dockerdInRunner && dockerEnabled {
 		pod.Spec.Volumes = []corev1.Volume{
 			{
 				Name: "work",
@@ -381,23 +382,17 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 					EmptyDir: &corev1.EmptyDirVolumeSource{},
 				},
 			},
 			{
 				Name: "docker",
 				VolumeSource: corev1.VolumeSource{
 					EmptyDir: &corev1.EmptyDirVolumeSource{},
 				},
 			},
 		}
 		pod.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
 			{
 				Name:      "work",
 				MountPath: "/runner/_work",
 			},
 			{
 				Name:      "docker",
 				MountPath: "/var/run",
 			},
 		}
 		pod.Spec.Containers[0].Env = append(pod.Spec.Containers[0].Env, corev1.EnvVar{
 			Name:  "DOCKER_HOST",
 			Value: "tcp://localhost:2375",
 		})
 		pod.Spec.Containers = append(pod.Spec.Containers, corev1.Container{
 			Name:  "docker",
 			Image: r.DockerImage,
@@ -406,9 +401,11 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 					Name:      "work",
 					MountPath: "/runner/_work",
 				},
 			},
 			Env: []corev1.EnvVar{
 				{
-					Name:      "docker",
+					Name:  "DOCKER_TLS_CERTDIR",
-					MountPath: "/var/run",
+					Value: "",
 				},
 			},
 			SecurityContext: &corev1.SecurityContext{
Author	SHA1	Message	Date
Shinnosuke Sawada	4371de9733	add dockerEnabled option (#191 ) Add dockerEnabled option for users who does not need docker and want not to run privileged container. if `dockerEnabled == false`, dind container not run, and there are no privileged container. Do the same as closed #96	2020-11-16 09:41:12 +09:00
Yusuke Kuoka	1fd752fca2	Use tcp DOCKER_HOST instead of sharing docker.sock (#177 ) docker:dind container creates `/var/run/docker.sock` with root user and root group. so, docker command in runner container needs root privileges to use docker.sock and docker action fails because lack of permission. Use tcp connection between runner and docker container, so runner container doesn't need root privileges to run docker, and can run docker action. Fixes #174	2020-11-16 09:32:29 +09:00
Shinnosuke Sawada	a4061d0625	gofmt ed	2020-11-12 09:20:06 +09:00
Shinnosuke Sawada	83857ba7e0	use tcp DOCKER_HOST instead of sharing docker.sock	2020-11-12 08:07:52 +09:00