
Deploy a "simple" Github runner #268

Open

benoit74 opened this issue Sep 26, 2024 · 11 comments
Labels: enhancement (New feature or request)

Comments

benoit74 (Collaborator) commented Sep 26, 2024

For openzim/zimit#402, we would like to deploy a simple GitHub runner.

This runner might be used for a few other cases where it will be superior to GitHub-hosted runners. These are probably going to be rare cases, since we have to maintain our own image; we do not have access to GitHub runner images.

TbC how this should be done (Docker container on one of our k8s nodes? which node? dedicated small cloud instance? ...)

benoit74 added the "enhancement" label Sep 26, 2024

benoit74 (Collaborator, Author) commented Oct 1, 2024

For the various reasons exposed in https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security, I recommend that we:

  • create a new Cloud instance (Hetzner or Scaleway?), probably a very small one is sufficient, we do not plan to start many jobs
  • create a new private repo (kiwix/private-workflows?) for configuring/hosting workflows running on this machine
  • enable the runner only on this private repo

On this machine I would set up the GitHub runner application manually and install missing packages if needed (e.g. install Docker, since we use it in our zimit job).

WDYT?

kelson42 (Contributor) commented Oct 1, 2024

Code coming from non-org members should go through validation before running the workflows. This is our approach to secure things. Doing this allows us to run workflows in a secure manner at the exact place where they make sense (on public repositories too).

benoit74 (Collaborator, Author) commented Oct 1, 2024

From my PoV, it seems a bit fragile to resort only to proper workflow configuration and code review.

First, because code review of workflows is hard, especially regarding security.

Second, because all our maintainers (e.g. GSoC students, ...) have write access to their repo(s), and hence are not subject to the workflow validation.

I understand that not having the workflow in a public repository is a pain.

Maybe a middle-ground is to continue working on existing public repos but still create a dedicated virtual machine with "nothing" on it, considering this machine might be compromised at any point in time?
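
For reference, this is what the workflow-level gating discussed in the two comments above looks like in practice. It is an added example, not a workflow from kiwix or openzim: the job is pinned to the self-hosted runner, refuses pull requests whose head branch lives in a fork, and is attached to a GitHub environment whose required reviewers (configured in the repository settings, not in this file) force a manual approval before anything runs on the machine. The workflow name, the environment name `self-hosted-runner` and the `./tests/daily.sh` script are placeholders assumed for the example.

```yaml
# Added example, not the project's own workflow. Names below are placeholders.
name: daily-test-on-self-hosted

on:
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 3 * * *"

# Least privilege for the GITHUB_TOKEN the job receives.
permissions:
  contents: read

jobs:
  daily-test:
    # Fork-sourced PRs carry untrusted code; a self-hosted runner is not a
    # throwaway sandbox, so do not schedule them on it at all.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    runs-on: self-hosted
    # Environment with required reviewers: a human approves each run.
    environment: self-hosted-runner
    # One job at a time on the single machine.
    concurrency:
      group: self-hosted-runner
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config on a shared machine.
          persist-credentials: false
      - name: Run the daily test
        run: ./tests/daily.sh   # placeholder for the real job
```

Two caveats that match the concern raised in the thread: the `if` condition and the `environment` line live in the workflow file itself, so anyone with write access to the repository can edit or remove them; and GitHub's own approval-for-outside-collaborators setting only covers people without write access. Neither mechanism protects the machine from a compromised maintainer account, which is why treating the VM as disposable is the stronger control.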

kelson42 (Contributor) commented Oct 1, 2024

> Maybe a middle-ground is to continue working on existing public repos but still create a dedicated virtual machine with "nothing" on it, considering this machine might be compromised at any point in time?

I'm in favour of this and had the feeling this is already what you propose (you have written "create a new Cloud instance").

benoit74 (Collaborator, Author) commented Oct 4, 2024

Do you have any idea of which specs we should target for the new VM?

I would recommend 1 CPU and 8G RAM, with at least a 40-50G SSD disk. Do you have more insight?

Should we continue with Scaleway (despite recent support issues) or continue to test Hetzner (since this is not a critical service at all)?

benoit74 (Collaborator, Author) commented:

I'm going to interpret the absence of feedback as an implicit "do the best you can, I don't know and we will fix what's wrong afterwards".

benoit74 (Collaborator, Author) commented:

I've ordered a CAX21 server at Hetzner Helsinki. Important: it's an arm64 machine. Wait and see if it is a good decision ^^

Bare VM setup is ready, host is at github-runner.kiwix.org

I'm going forward with runner setup.

benoit74 (Collaborator, Author) commented:

Machine finally re-provisioned on amd64 (CX32): zimit daily tests need chrome-for-testing ... which is available only on amd64 on Linux, not arm64 ... Price difference is negligible, IPs kept identical.

Procedure is documented at https://github.com/kiwix/operations/wiki/Restore-Github-Runner-VM

benoit74 (Collaborator, Author) commented:

This is still not working ... because Youtube is still blocking us ... they have probably blacklisted the whole AS IP ranges from Hetzner ...

Not sure how to move this forward: use ProtonVPN (or something else) to mask our IP (not sure it is very reliable for accessing Youtube) or move to another cloud provider?

rgaudin (Member) commented Oct 29, 2024

Not specifically tested with ProtonVPN but in my experience, all VPN IPs are painful to use on such platforms: captcha, etc which is to be expected since those are shared across a large number of users. I wouldn't go that route.

benoit74 (Collaborator, Author) commented:

I've deleted the github-runner from Hetzner for now so that we do not pay for something useless.
