[libcxx] Install runner last when building CI containers

[boomanaiden154]

This patch changes when we install the GHA runner in the CI containers. Instead
of having it in the base image, we install it last. This will enable a follow up
patch that will do some setup enabling building the full container image with an
existing base image, thus enabling updating the GHA runner without modifying the
important bits.

[boomanaiden154]

This is a prereq of #148073.

[llvmbot]

@llvm/pr-subscribers-libcxx

Author: Aiden Grossman (boomanaiden154)

Changes

This patch changes when we install the GHA runner in the CI containers. Instead
of having it in the base image, we install it last. This will enable a follow up
patch that will do some setup enabling building the full container image with an
existing base image, thus enabling updating the GHA runner without modifying the
important bits.

---

Full diff: https://github.com/llvm/llvm-project/pull/148072.diff

2 Files Affected:

• (modified) libcxx/utils/ci/Dockerfile (+15-2)
• (modified) libcxx/utils/ci/docker-compose.yml (+2-1)

diff --git a/libcxx/utils/ci/Dockerfile b/libcxx/utils/ci/Dockerfile
index 0a1985b02807b..316e9c7490991 100644
--- a/libcxx/utils/ci/Dockerfile
+++ b/libcxx/utils/ci/Dockerfile
@@ -312,5 +312,18 @@ CMD /opt/android/container-setup.sh && buildkite-agent start
 #
 FROM builder-base AS actions-builder
 
-WORKDIR /home/runner
-USER runner
+ARG GITHUB_RUNNER_VERSION
+
+RUN useradd gha -u 1001 -m -s /bin/bash
+RUN adduser gha sudo
+RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+WORKDIR /home/gha
+USER gha
+
+ENV RUNNER_MANUALLY_TRAP_SIG=1
+ENV ACTIONS_RUNNER_PRINT_LOG_TO_STDOUT=1
+RUN mkdir actions-runner && \
+    cd actions-runner && \
+    curl -O -L https://github.com/actions/runner/releases/download/v$GITHUB_RUNNER_VERSION/actions-runner-linux-x64-$GITHUB_RUNNER_VERSION.tar.gz && \
+    tar xzf ./actions-runner-linux-x64-$GITHUB_RUNNER_VERSION.tar.gz && \
+    rm ./actions-runner-linux-x64-$GITHUB_RUNNER_VERSION.tar.gz
diff --git a/libcxx/utils/ci/docker-compose.yml b/libcxx/utils/ci/docker-compose.yml
index 2189a41555c2f..20536bc32fa65 100644
--- a/libcxx/utils/ci/docker-compose.yml
+++ b/libcxx/utils/ci/docker-compose.yml
@@ -10,7 +10,8 @@ services:
       dockerfile: Dockerfile
       target: actions-builder
       args:
-        BASE_IMAGE: ghcr.io/actions/actions-runner:2.326.0
+        BASE_IMAGE: ubuntu:jammy
+        GITHUB_RUNNER_VERSION: "2.326.0"
         <<: *compiler_versions
 
   android-buildkite-builder:

[ldionne]

Does ./libcxx/utils/ci/run-buildbot-container still work after this change? LGTM assuming it does.

Also, we'll need to test this change before we switch to this image: that can be done by building this image, associating it to the -next GH runner group inside llvm-zorg, and then creating a PR that changes our workflows to target the -next runners. Kinda complicated, but that's the simplest we have until we can specify an image directly inside the GH workflow file.

[boomanaiden154]

Does ./libcxx/utils/ci/run-buildbot-container still work after this change? LGTM assuming it does.

Yeah, this doesn't change the functionality of that script at all.

Also, we'll need to test this change before we switch to this image: that can be done by building this image, associating it to the -next GH runner group inside llvm-zorg, and then creating a PR that changes our workflows to target the -next runners.

Yep. I'll look at getting that done at least once probably once #148073 (a review there would be helpful) lands so everything is set up to upgrade the runner binary without the rest of the container.

Kinda complicated, but that's the simplest we have until we can specify an image directly inside the GH workflow file.

We're meeting with someone today to discuss kubernetes-sigs/apiserver-network-proxy#748, so we'll see what we can do.