Merge pull request #11 from jitsecurity/sc-20043-self-hosted-runners-customer-scripts

k-shlomi · web-flow · commit 110052ae8c29 · 2023-08-28T14:17:23.000+03:00
Sc 20043 self hosted runners customer scripts
diff --git a/Makefile b/Makefile
@@ -28,6 +28,14 @@ create-teams:
 	 python3 src/utils/github_topics_to_json_file.py && \
 	  python3 src/scripts/create_teams.py teams.json
 
+setup-self-hosted-runner-centos:
+	sudo yum install -y jq && \
+	chmod +x src/scripts/self-hosted-runners/setup-self-hosted-runner-centos.sh && \
+	./src/scripts/self-hosted-runners/setup-self-hosted-runner-centos.sh && \
+	chmod +x src/scripts/self-hosted-runners/install-github-runner-agent.sh && \
+	./src/scripts/self-hosted-runners/install-github-runner-agent.sh $(token) $(github_organization)
+
+
 help:
 	@echo "Usage: make [target]"
 	@echo ""
diff --git a/README.md b/README.md
@@ -14,6 +14,9 @@ jit-customer-scripts/
 ├── src/
 │   └── scripts/
 │       └── create_teams.py
+|       └── self-hosted-runners
+│            └── setup-self-hosted-runner-centos.sh
+│            └── ...
 ├── src/
 │   └── utils/
 │       └── github_topic_to_json_file.py
@@ -35,6 +38,21 @@ jit-customer-scripts/
 
 - Python 3.x
 - Git
+- make
+
+To make sure you have all you can run this command:
+
+#### Centos
+
+```shell
+sudo yum install -y git make && git clone https://github.com/jitsecurity/jit-customer-scripts.git && cd jit-customer-scripts
+```
+
+#### Ubuntu
+
+```shell
+sudo apt install -y git make && git clone https://github.com/jitsecurity/jit-customer-scripts.git && cd jit-customer-scripts
+```
 
 ## Generating API Keys
 
@@ -85,6 +103,8 @@ Before running the script, you need to configure the necessary environment varia
 
 ## Usage
 
+### Creating Teams from Github Topics
+
 To run the script and create teams and update assets, use the following command:
 
 ```shell
@@ -102,9 +122,10 @@ python src/scripts/create_teams.py teams.json
 This command will fetch the repository names and topics from the GitHub API and generate the JSON file. And then it will
 create the teams and update the assets.
 
-> We recommend using something like Github Actions and Github secrets to run this script on a schedule to make sure you are always synced.
+> We recommend using something like Github Actions and Github secrets to run this script on a schedule to make sure you
+> are always synced.
 
-### Using External JSON File
+#### Using External JSON File
 
 You can also provide a JSON file containing team details using a command line argument directly. The JSON file should
 have the following structure:
@@ -154,7 +175,7 @@ python scripts/create_teams.py path/to/teams.json
 
 Replace `path/to/teams.json` with the actual path to your JSON file.
 
-## Excluding Topics
+#### Excluding Topics
 
 You can exclude certain topics from being considered when creating teams. \
 To exclude topics, you could add them in the `make configure` command or update this env var in
@@ -166,7 +187,24 @@ For example, to exclude topics that contain the word "test", you can set the var
 
 This will exclude topics with names like "test", "test123", and "abc-testing".
 
-## Development
+#### Development
 
 To override Jit's API endpoint, you can set the `JIT_API_ENDPOINT` environment variable. If the variable is not set, the
 default value will be used.
+
+### Settings Up Self-Hosted Runners
+
+To setup self-hosted runners, use the following command:
+
+You need to take the self hosted runners token from the Github Actions page of your repository.
+`https://github.com/<your-github-org-name>/jit/settings/actions/runners`
+
+#### Running on CentOS
+
+```shell
+make setup-self-hosted-runner-centos token=<your-token> github_organization=<your-github-org-name>
+```
+
+You will be prompted to answer some questions about your runner. \
+When you complete this step, restart your EC2 machine. \
+The runner will be automatically started on boot.
diff --git a/src/scripts/self-hosted-runners/install-github-runner-agent.sh b/src/scripts/self-hosted-runners/install-github-runner-agent.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Assigning arguments to named variables for clarity
+user_token="$1"
+github_organization="$2"
+
+# Ensure both arguments are provided
+if [ -z "$user_token" ] || [ -z "$github_organization" ]; then
+    echo "Usage: $0 <user_token> <github_organization>"
+    exit 1
+fi
+
+mkdir actions-runner && cd actions-runner
+curl -o actions-runner-linux-x64-2.308.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.308.0/actions-runner-linux-x64-2.308.0.tar.gz
+tar xzf ./actions-runner-linux-x64-2.308.0.tar.gz
+# Create the runner and start the configuration experience
+./config.sh --url "https://github.com/$github_organization/jit" --token "$user_token"
+
+sudo ./svc.sh install ec2-user
diff --git a/src/scripts/self-hosted-runners/setup-self-hosted-runner-centos.sh b/src/scripts/self-hosted-runners/setup-self-hosted-runner-centos.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Check if script is run as root
+if [ "$EUID" -eq 0 ]; then
+    echo "Please run this script as a non-root user."
+    exit 1
+fi
+
+# Install required packages only if they aren't already installed
+
+# Check for shadow-utils
+if ! rpm -q shadow-utils &> /dev/null; then
+    echo "Installing shadow-utils..."
+    sudo yum install -y shadow-utils
+fi
+
+# Check for curl or curl-minimal
+if ! rpm -q curl &> /dev/null && ! rpm -q curl-minimal &> /dev/null; then
+    echo "Installing curl..."
+    sudo yum install -y curl
+fi
+
+# Check for iptables
+if ! rpm -q iptables &> /dev/null; then
+    echo "Installing iptables..."
+    sudo yum install -y iptables
+fi
+
+# Download Docker installation script
+echo "Installing Docker in rootless mode..."
+curl -fsSL https://get.docker.com/rootless | sh
+
+# Set environment variables
+echo "Updating environment variables..."
+USER_NAME=$(whoami)
+USER_ID=$(id -u)
+
+echo "export PATH=\$PATH:/home/$USER_NAME/bin" >> ~/.bashrc
+echo "export DOCKER_HOST=unix:///run/user/$USER_ID/docker.sock" >> ~/.bashrc
+source ~/.bashrc
+
+# Set up Docker as a systemd user service
+
+# Create the systemd service directory and file
+mkdir -p ~/.config/systemd/user/
+cat <<EOL > ~/.config/systemd/user/docker-rootless.service
+[Unit]
+Description=Docker Rootless
+After=network-online.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=5s
+ExecStart=/home/%u/bin/dockerd-rootless.sh
+
+[Install]
+WantedBy=default.target
+EOL
+
+# Reload systemd user instance, enable and start the service
+systemctl --user daemon-reload
+systemctl --user enable docker-rootless
+systemctl --user start docker-rootless
+
+# Ensure user-level systemd services start at boot
+sudo loginctl enable-linger $(whoami)
+
+echo "Docker in rootless mode has been installed and set to start on boot."
+
+sudo yum install libicu -y
+echo "Installed libicu Dotnet for the github agent"
