Retool repository for custom semaphore env

Containerfile

@@ -0,0 +1,128 @@
+ARG PYTHON_VERSION
+ARG SEMAPHORE_VERSION
+ARG OPENTOFU_VERSION
+ARG SPECTRE_VERSION
+
+# Python Wheel Build container
+# =================================
+FROM docker.io/library/python:${PYTHON_VERSION} AS build_wheel
+
+RUN python -m pip install pip --upgrade
+RUN curl -sSL -o /install-poetry.py https://install.python-poetry.org
+RUN python /install-poetry.py --yes
+
+ADD . /build
+WORKDIR /build
+
+RUN /root/.local/bin/poetry self add poetry-plugin-export
+RUN /root/.local/bin/poetry export \
+  --format requirements.txt \
+  --output /build/requirements.txt \
+  --without-hashes
+RUN python -m pip wheel \
+  --wheel-dir /build/wheels \
+  --requirement /build/requirements.txt \
+  --disable-pip-version-check \
+  --no-cache-dir
+
+
+# Spectre Build container
+# ==================================
+FROM docker.io/library/debian:12 as build_spectre
+
+ARG SPECTRE_VERSION
+
+RUN apt-get update --yes
+RUN apt-get install --yes \
+  git \
+  build-essential \
+  libsodium-dev \
+  libjson-c-dev \
+  libxml2-dev
+RUN mkdir --parents /build
+RUN git -C /build clone https://gitlab.com/spectre.app/cli.git spectre
+
+WORKDIR /build/spectre
+
+RUN git checkout ${SPECTRE_VERSION}
+RUN git submodule update --init
+
+RUN bash ./build
+
+
+# Runtime container
+# ==================================
+# The semaphore project's official container is built on
+# alpine linux which uses musl instead of glibc. What does
+# that mean? I don't really know and I don't really care, but
+# the effect is that we can't build spectre/mpw on alpine
+# which makes them mutually exclusive. Since we need both,
+# we need a container to run both. And it's easier to repackage
+# semaphore under not-alpine than it is to get spectre to build
+# under alpine. So here we are.
+#
+FROM docker.io/library/python:${PYTHON_VERSION}-slim AS final
+
+ARG SEMAPHORE_VERSION
+ARG OPENTOFU_VERSION
+
+COPY --from=build_spectre /build/spectre/spectre /usr/local/bin/spectre
+COPY --from=build_wheel /build/wheels /tmp/wheels
+
+ADD --chmod=755 https://raw.githubusercontent.com/ansible-semaphore/semaphore/v${SEMAPHORE_VERSION}/deployment/docker/common/semaphore-wrapper /usr/local/bin/semaphore-wrapper
+
+RUN ln -s /usr/local/bin/spectre /usr/local/bin/mpw
+RUN apt-get update --yes
+RUN apt-get install --yes \
+  openssh-client \
+  apt-transport-https \
+  ca-certificates \
+  curl \
+  gnupg \
+  sshpass \
+  git \
+  tini \
+  zip \
+  unzip \
+  tar \
+  python3-aiohttp \
+  netcat-traditional
+RUN apt-get clean --yes
+
+RUN mkdir --parents /tmp/apt
+RUN curl -sSL -o /tmp/apt/opentofu.deb https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.deb
+RUN dpkg --install /tmp/apt/opentofu.deb
+RUN curl -sSL -o /tmp/apt/semaphore.deb https://github.com/ansible-semaphore/semaphore/releases/download/v${SEMAPHORE_VERSION}/semaphore_${SEMAPHORE_VERSION}_linux_amd64.deb
+RUN dpkg --install /tmp/apt/semaphore.deb
+RUN rm -rf /tmp/apt
+
+RUN python -m pip install /tmp/wheels/*.whl \
+  --upgrade \
+  --pre \
+  --no-index \
+  --no-cache-dir \
+  --find-links /tmp/wheels \
+  --disable-pip-version-check
+RUN rm -rf /tmp/wheels
+
+# From here down we are adapting the prod deployment
+# container directly from the semaphore project
+RUN adduser semaphore \
+   --disabled-password \
+   --uid 1001 \
+   --gid 0
+RUN mkdir --parents \
+  /etc/semaphore \
+  /tmp/semaphore \
+  /var/lib/semaphore
+RUN chown -R semaphore:root \
+  /etc/semaphore \
+  /tmp/semaphore \
+  /var/lib/semaphore
+
+WORKDIR /home/semaphore
+USER 1001
+
+ENTRYPOINT ["tini", "--"]
+
+CMD ["/usr/local/bin/semaphore-wrapper", "semaphore", "server", "--config", "/etc/semaphore/config.json"]

Dockerfile

@@ -1,60 +0,0 @@
-# Build container
-# =================================
-FROM python:3.11 AS build
-
-RUN python -m pip install pip --upgrade
-RUN curl -sSL -o /install-poetry.py https://install.python-poetry.org
-RUN python /install-poetry.py --yes
-
-ADD . /build
-WORKDIR /build
-
-RUN /root/.local/bin/poetry self add poetry-plugin-export
-RUN /root/.local/bin/poetry export \
-  --format requirements.txt \
-  --output /build/requirements.txt \
-  --without-hashes
-RUN python -m pip wheel \
-  --wheel-dir /build/wheels \
-  --requirement /build/requirements.txt \
-  --disable-pip-version-check \
-  --no-cache-dir
-
-
-# Runtime container
-# ==================================
-FROM python:3.11-slim
-
-ARG OPENTOFU_VERSION
-ARG SEMAPHORE_VERSION
-
-COPY --from=build /build/wheels /tmp/wheels
-
-RUN apt-get update --yes && \
-  apt-get install --yes \
-    openssh-client \
-    apt-transport-https \
-    ca-certificates \
-    curl \
-    gnupg && \
-  mkdir --parents /tmp/apt && \
-  curl -sSL -o /tmp/apt/opentofu.deb https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.deb && \
-  curl -sSL -o /tmp/apt/semaphore.deb https://github.com/ansible-semaphore/semaphore/releases/download/v${SEMAPHORE_VERSION}/semaphore_${SEMAPHORE_VERSION}_linux_amd64.deb && \
-  apt-get install --yes /tmp/apt/*.deb && \
-  apt-get clean --yes && \
-  rm -rf /tmp/apt && \
-  python -m pip install /tmp/wheels/*.whl \
-    --upgrade \
-    --pre \
-    --no-index \
-    --no-cache-dir \
-    --find-links /tmp/wheels \
-    --disable-pip-version-check && \
-  rm -rf /tmp/wheels
-
-ADD entrypoint.sh /entrypoint.sh
-ADD configure.py /configure.py
-
-VOLUME /semaphore
-
-ENTRYPOINT ["/entrypoint.sh"]

Makefile

@@ -1,6 +1,8 @@
-REPOSITORY         = vcs.enp.one/skylab/semaphore-runner
+REPOSITORY         = vcs.enp.one/skylab/semaphore-container
 OPENTOFU_VERSION   = 1.6.2
 SEMAPHORE_VERSION  = 2.9.45
+SPECTRE_VERSION    = main
+PYTHON_VERSION     = 3.11
 
 
 .PHONY: help docs
@@ -11,7 +13,7 @@ help: ## List Makefile targets
 
 
 image:  ## Build image
-	podman build . --tag $(REPOSITORY):v$(SEMAPHORE_VERSION) --build-arg "OPENTOFU_VERSION=$(OPENTOFU_VERSION)" --build-arg "SEMAPHORE_VERSION=$(SEMAPHORE_VERSION)"
+	podman build . --tag $(REPOSITORY):v$(SEMAPHORE_VERSION) --build-arg "OPENTOFU_VERSION=$(OPENTOFU_VERSION)" --build-arg "SEMAPHORE_VERSION=$(SEMAPHORE_VERSION)" --build-arg "PYTHON_VERSION=$(PYTHON_VERSION)" --build-arg "SPECTRE_VERSION=$(SPECTRE_VERSION)"
 
 push: image  ## Build and publish image
 	podman push $(REPOSITORY):v$(SEMAPHORE_VERSION)

README.md

@@ -1,12 +1,8 @@
-# semaphore-runner
+# semaphore-container
 
-Runner for semaphore runner with custom environment dependencies
+Custom container for Ansible Semaphore that:
 
-## Configuration
+* Is based on debian instead of alpine
+* Includes required dependencies for Skylab operations
 
-```shell
-SEMAPHORE_RUNNER_REGISTRATION_TOKEN=  # (required) registration token to authenticate to the server
-SEMAPHORE_RUNNER_API_URL=  # (required) URL of the Semaphore server API
-SEMAPHORE_RUNNER_CONFIG_FILE=  # runner state file
-SEMAPHORE_RUNNER_MAX_PARALLEL_TASKS=  # Maximum parallel tasks the runner can run at once
-```
+Usage of this container should be identical to the official container

configure.py

@@ -1,31 +0,0 @@
-import sys
-import os
-import json
-
-CONSTRUCTED_CONFIG_FILE = "/tmp/runner-config.json"
-
-
-def main() -> str:
-    try:
-        config = {
-            "registration_token": os.environ["SEMAPHORE_RUNNER_REGISTRATION_TOKEN"],
-            "config_file": os.getenv(
-                "SEMAPHORE_RUNNER_CONFIG_FILE", "/semaphore/runner.json"
-            ),
-            "api_url": os.environ["SEMAPHORE_RUNNER_API_URL"],
-            "max_parallel_tasks": int(
-                os.getenv("SEMAPHORE_RUNNER_MAX_PARALLEL_TASKS", "1")
-            ),
-        }
-    except KeyError as err:
-        print(f"Missing required configuration value {err}", file=sys.stderr)
-        sys.exit(1)
-
-    with open(CONSTRUCTED_CONFIG_FILE, "w") as outfile:
-        json.dump(config, outfile, indent=4)
-
-    sys.exit(0)
-
-
-if __name__ == "__main__":
-    main()

entrypoint.sh

@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-python /configure.py
-
-semaphore runner --config=/tmp/runner-config.json