Update GitLab runner scripts and add sudo permissions

The GitLab Runner installation and uninstallation scripts have been refined, including directory management improvements and user handling enhancements. The install script now exports the base directory for subprocess availability and validates script arguments presence. An uninstall script has been added for smoother user experience. Additionally, sudo permissions have been granted to the gitlab-runner user group in both scripts and the .gitlab-ci.yml file, enhancing workflow efficiency.

.gitlab-ci.yml

@@ -100,6 +100,8 @@ build:
     - touch ${BUILD_DIR}/prebuilt
     - mkdir -p ${OUTPUT_DIR}
     - shopt -s dotglob && mv ${BUILD_DIR}/* ${OUTPUT_DIR}
+  after_script:
+    - sudo chown -R comma:comma ${OUTPUT_DIR}
   artifacts:
     paths:
       - ${OUTPUT_DIR}/

release/ci/install_gitlab_runner.sh

@@ -1,80 +1,108 @@
 #!/bin/bash
+set -e
 
-# We need RW for the install process
+# Check if script arguments are present, if not exit the script
-sudo mount -o remount rw /
+if [ $# -eq 0 ]; then
+    echo "No arguments provided. A GitLab token is required to run this script."
+    exit 1
+fi
 
-# Ensure filesystem is remounted as read-only on script exit
+# Constants
-trap "sudo mount -o remount ro /" EXIT
+GITLAB_RUNNER_DOWNLOAD_URL="https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-arm64"
+GITLAB_RUNNER_USER_NAME="gitlab-runner"
+USER_GROUPS="comma,gpu,gpio,sudo"
+GITLAB_BASE_DIR="/data/gitlab"
+GITLAB_BIN_DIR="${GITLAB_BASE_DIR}/bin"
+GITLAB_BUILDS_DIR="${GITLAB_BASE_DIR}/builds"
+GITLAB_LOGS_DIR="${GITLAB_BASE_DIR}/logs"
+GITLAB_CACHE_DIR="${GITLAB_BASE_DIR}/cache"
+GITLAB_OPENPILOT_DIR="${GITLAB_BASE_DIR}/openpilot"
+SERVICE_NAME="gitlab-runner"
 
-# Define directories
+create_gitlab_runner_directories() {
-BASE_DIR="/data/gitlab"
+    sudo mkdir -p "$GITLAB_BIN_DIR" "$GITLAB_BUILDS_DIR" "$GITLAB_LOGS_DIR" "$GITLAB_CACHE_DIR" "$GITLAB_OPENPILOT_DIR"
-BIN_DIR="$BASE_DIR/bin"
+    if [[ ! -d "/data/openpilot" ]]; then
-CONFIG_DIR="$BASE_DIR"
+      sudo mkdir -p "/data/openpilot"
-BUILDS_DIR="$BASE_DIR/builds"
+      sudo chown -R comma:comma "/data/openpilot"
-OPENPILOT_DIR="$BASE_DIR/openpilot"
+    fi
-LOGS_DIR="$BASE_DIR/logs"
+}
-CACHE_DIR="$BASE_DIR/cache"
-GITLAB_RUNNER_USERNAME="gitlab-runner"
-GROUPS_NEEDED="comma,gpu,gpio"
 
-# Create necessary directories
+download_and_setup_gitlab_runner() {
-sudo mkdir -p "$BIN_DIR" "$BUILDS_DIR" "$LOGS_DIR" "$CACHE_DIR" "$OPENPILOT_DIR"
+    sudo curl -L --output "$GITLAB_BIN_DIR/gitlab-runner" "$GITLAB_RUNNER_DOWNLOAD_URL"
+    sudo chmod +x "$GITLAB_BIN_DIR/gitlab-runner"
+}
 
-# Download the GitLab Runner binary
+setup_gitlab_runner_user() {
-sudo curl -L --output "$BIN_DIR/gitlab-runner" "https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-arm64"
+    sudo useradd --comment 'GitLab Runner' --create-home --home-dir ${GITLAB_BASE_DIR} ${GITLAB_RUNNER_USER_NAME} --shell /bin/bash -G ${USER_GROUPS} || sudo usermod -aG ${USER_GROUPS} ${GITLAB_RUNNER_USER_NAME}
+    export GITLAB_BASE_DIR # Export it to make it available to sub-processes
+    sudo -u ${GITLAB_RUNNER_USER_NAME} bash -c "truncate -s 0 '${GITLAB_BASE_DIR}/.bash_logout'"
+}
 
-# Give it permission to execute
+create_sudoers_entry() {
-sudo chmod +x "$BIN_DIR/gitlab-runner"
+    sudo grep -qxF "${GITLAB_RUNNER_USER_NAME} ALL=(ALL) NOPASSWD: ALL" /etc/sudoers || echo "${GITLAB_RUNNER_USER_NAME} ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers
+}
 
-# Create a GitLab Runner user
+generate_gitlab_config_file() {
-sudo useradd --comment 'GitLab Runner' --create-home --home-dir ${BASE_DIR} ${GITLAB_RUNNER_USERNAME} --shell /bin/bash -G ${GROUPS_NEEDED} || sudo usermod -aG ${GROUPS_NEEDED} gitlab-runner
+    cat <<EOL | sudo tee "$GITLAB_BASE_DIR/config.toml"
-
-# Clean bash_logout as it break gitlab pipelines
-sudo truncate -s 0 ${BASE_DIR}/.bash_logout
-
-# Create a configuration file
-cat <<EOL | sudo tee "$CONFIG_DIR/config.toml"
 [[runners]]
   name = "tici"
   url = "https://gitlab.com/"
   token = "$1"
   executor = "shell"
-  builds_dir = "$BUILDS_DIR"
+  builds_dir = "$GITLAB_BUILDS_DIR"
   [runners.custom_build_dir]
   [runners.docker]
-    volumes = ["$CACHE_DIR:/cache"]
+    volumes = ["$GITLAB_CACHE_DIR:/cache"]
   [runners.cache]
     MaxUploadedArchiveSize = 0
   [runners.custom]
-    config_exec = "$LOGS_DIR"
+    config_exec = "$GITLAB_LOGS_DIR"
 EOL
+}
 
-# Set permissions
+set_gitlab_directory_permissions() {
-sudo chown -R ${GITLAB_RUNNER_USERNAME}:comma "$BASE_DIR"
+    sudo chown -R ${GITLAB_RUNNER_USER_NAME}:comma "$GITLAB_BASE_DIR"
-sudo chmod g+rwx "$BASE_DIR"
+    sudo chmod g+rwx "$GITLAB_BASE_DIR"
-sudo chmod g+s "$BASE_DIR"
+    sudo chmod g+s "$GITLAB_BASE_DIR"
+}
 
-
+create_gitlab_runner_service() {
-# Create a systemd service file for gitlab-runner
+    cat <<EOL | sudo tee /etc/systemd/system/${SERVICE_NAME}.service
-cat <<EOL | sudo tee /etc/systemd/system/gitlab-runner.service
 [Unit]
 Description=GitLab Runner
 After=syslog.target network.target
-ConditionFileIsExecutable=$BIN_DIR/gitlab-runner
+ConditionFileIsExecutable=$GITLAB_BIN_DIR/gitlab-runner
-
 [Service]
 StartLimitInterval=5
 StartLimitBurst=10
-ExecStart=/usr/bin/unshare -m -- sh -c 'mount --bind $OPENPILOT_DIR /data/openpilot && exec $BIN_DIR/gitlab-runner "run" "--working-directory" "$BUILDS_DIR" "--config" "$CONFIG_DIR/config.toml" "--service" "gitlab-runner" "--syslog" "--user" "${GITLAB_RUNNER_USERNAME}"'
+ExecStart=/usr/bin/unshare -m -- sh -c 'mount --bind $GITLAB_OPENPILOT_DIR /data/openpilot && exec $GITLAB_BIN_DIR/gitlab-runner "run" "--working-directory" "$GITLAB_BUILDS_DIR" "--config" "$GITLAB_BASE_DIR/config.toml" "--service" "gitlab-runner" "--syslog" "--user" "${GITLAB_RUNNER_USER_NAME}"'
-
 Restart=always
 RestartSec=120
-
 [Install]
 WantedBy=multi-user.target
 EOL
+}
 
-# Reload systemd and start gitlab-runner
+start_gitlab_runner_service() {
-sudo systemctl daemon-reload
+    sudo systemctl daemon-reload
-sudo systemctl disable gitlab-runner # Intentionally, making sure the service is NOT enabled on boot.
+    sudo systemctl disable gitlab-runner # Intentionally making sure the service is NOT enabled on boot.
-sudo systemctl start gitlab-runner
+    sudo systemctl start gitlab-runner
+}
+
+# Make the filesystem writable
+sudo mount -o remount,rw /
+
+# Ensure filesystem is remounted as read-only on script exit
+trap "sudo mount -o remount,ro /" EXIT
+
+# Call functions
+setup_gitlab_runner_user
+create_sudoers_entry
+create_gitlab_runner_directories
+download_and_setup_gitlab_runner
+generate_gitlab_config_file "$1"
+set_gitlab_directory_permissions
+create_gitlab_runner_service
+start_gitlab_runner_service
+
+# End of install script

release/ci/uninstall_gitlab_runner.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# Define directories and user
+GITLAB_BASE_DIR="/data/gitlab"
+BIN_DIR="$GITLAB_BASE_DIR/bin"
+BUILDS_DIR="$GITLAB_BASE_DIR/builds"
+OPENPILOT_DIR="$GITLAB_BASE_DIR/openpilot"
+LOGS_DIR="$GITLAB_BASE_DIR/logs"
+CACHE_DIR="$GITLAB_BASE_DIR/cache"
+RUNNER_USERNAME="gitlab-runner"
+# Define the systemd service name
+SERVICE_NAME="gitlab-runner"
+USER_GROUPS="comma,gpu,gpio,sudo"
+
+# Function to stop and disable the systemd service
+stop_service() {
+    sudo systemctl stop ${SERVICE_NAME}
+    sudo systemctl disable ${SERVICE_NAME}
+}
+
+# Function to remove the systemd service file
+remove_service_file() {
+    sudo rm /etc/systemd/system/${SERVICE_NAME}.service
+    sudo systemctl daemon-reload
+}
+
+# Function to delete the GitLab Runner directories
+delete_directories() {
+    sudo rm -rf "$BIN_DIR/gitlab-runner"
+    sudo rm -rf "$GITLAB_BASE_DIR" "$BIN_DIR" "$BUILDS_DIR" "$LOGS_DIR" "$CACHE_DIR" "$OPENPILOT_DIR"
+}
+
+# Function to remove the GitLab Runner user
+delete_user() {
+    for group in ${USER_GROUPS//,/ }
+    do
+       sudo gpasswd -d ${RUNNER_USERNAME} ${group}
+    done
+    sudo userdel -r ${RUNNER_USERNAME}
+}
+
+# Function to remove sudoers entry
+remove_sudoers_entry() {
+    sudo sed -i.bak "/${RUNNER_USERNAME} ALL=(ALL) NOPASSWD: ALL/d" /etc/sudoers
+}
+
+# Make filesystem writable
+sudo mount -o remount rw /
+
+# Ensure filesystem is remounted as read-only on script exit
+trap "sudo mount -o remount ro /" EXIT
+
+# Call functions
+stop_service
+remove_service_file
+delete_directories
+delete_user
+remove_sudoers_entry
+# End of uninstall script