infra,ci: arm64 runner configs and action

The commit implements:
- infra configurations for the self-hosted ARM64 GitHub runner based on
  AWS EC2 instance
- reusable GitHUb action to manage ARM64 self-hosted runner

Signed-off-by: viktor-kurchenko <[email protected]>

Author: viktor-kurchenko

.github/actions/arm64-runner/action.yaml

@@ -0,0 +1,168 @@
+name: Manage ARM64 runners
+description: Manage ARM64 runners
+inputs:
+  state-bucket:
+    required: true
+    description: "AWS S3 bucket name for the Terraform state"
+  state-region:
+    required: true
+    description: "AWS region where state bucket has been created"
+  role-arn:
+    required: true
+    description: "AWS IAM role ARN"
+  region:
+    required: true
+    description: "AWS region"
+  zone:
+    required: true
+    description: "AWS availability zone"
+  infra-dir:
+    required: true
+    description: "Directory with infra config"
+  action:
+    required: true
+    description: "Terraform action: plan, apply, destroy"
+  ec2-type:
+    required: true
+    description: "EC2 instance type"
+  ec2-ami:
+    required: true
+    description: "EC2 AMI type"
+  label:
+    required: true
+    description: "Runners label"
+  gh-org:
+    required: true
+    description: "GitHub organization"
+  gh-app-id:
+    required: true
+    description: "GitHub APP ID"
+  gh-app-install-id:
+    required: true
+    description: "GitHub APP install ID"
+  gh-app-pem:
+    required: true
+    description: "GitHub APP private key"
+  gh-runners-group:
+    required: true
+    description: "GitHub self-hosted runners group"
+  gh-runners-count:
+    required: true
+    description: "GitHub virtual runners count"
+  ssh-private-key:
+    required: true
+    description: "SSH private key for the runner access"
+  ssh-public-key:
+    required: true
+    description: "SSH public key for the runner access"
+
+runs:
+  using: composite
+  steps:
+    - name: Install Terraform
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # 3.1.2
+      with:
+        terraform_version: "1.10.3"
+
+    - name: Set up AWS CLI credentials
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      with:
+        role-to-assume: ${{ inputs.role-arn }}
+        aws-region: ${{ inputs.region }}
+
+    - name: Lookup EC2 instance FQDN
+      if: ${{ inputs.action == 'destroy' }}
+      id: ec2-destroy
+      shell: bash
+      run: |
+        fqdn="$(aws ec2 describe-instances --region ${{ inputs.region }} | \
+                jq -r '.Reservations[].Instances[] | select(.State.Name == "running") | select(.Tags != null) | select(.Tags[].Value|test("^${{ inputs.label }}$")) | .PublicDnsName')"
+        echo fqdn=$fqdn >> $GITHUB_OUTPUT
+
+    - name: Issue GH token
+      if: ${{ inputs.action == 'destroy' }}
+      id: gh
+      shell: bash
+      working-directory: ${{ inputs.infra-dir }}
+      run: |
+        export GITHUB_ORG="${{ inputs.gh-org }}"
+        export GITHUB_APP_ID="${{ inputs.gh-app-id }}"
+        export GITHUB_APP_INSTALL_ID="${{ inputs.gh-app-install-id }}"
+        export GITHUB_APP_PEM="${{ inputs.gh-app-pem }}"
+        token=$(./token.sh)
+        echo token=$token >> $GITHUB_OUTPUT
+
+    - name: Delete GH runners
+      if: ${{ inputs.action == 'destroy' }}
+      uses: appleboy/ssh-action@8faa84277b88b6cd1455986f459aa66cf72bc8a3 # v1.2.1
+      with:
+        host: ${{ steps.ec2-destroy.outputs.fqdn }}
+        username: ubuntu
+        key: ${{ inputs.ssh-private-key }}
+        script: |
+          echo "GH runners list:"
+          /multi-runners/mr.bash list
+
+          for (( i=1; i<=${{ inputs.gh-runners-count }}; i++ ))
+          do
+            echo "deleting runner-$i ..."
+            /multi-runners/mr.bash del --user runner-$i --token ${{ steps.gh.outputs.token }} || true
+          done
+
+    - name: Set up Terraform variables
+      working-directory: ${{ inputs.infra-dir }}
+      shell: bash
+      run: |
+        cat > terraform.tfvars << EOF
+        ssh_key_pair="${{ github.repository }}/${{ inputs.label }}"
+        ssh_public_key="${{ inputs.ssh-public-key }}"
+        owner="${{ github.repository }}"
+        region="${{ inputs.region }}"
+        zone="${{ inputs.zone }}"
+        gh_app_id="${{ inputs.gh-app-id }}"
+        gh_app_install_id="${{ inputs.gh-app-install-id }}"
+        gh_org="${{ inputs.gh-org }}"
+        gh_group="${{ inputs.gh-runners-group }}"
+        gh_runners_count="${{ inputs.gh-runners-count }}"
+        gh_label="${{ inputs.label }}"
+        ec2_type="${{ inputs.ec2-type }}"
+        ec2_ami="${{ inputs.ec2-ami }}"
+        gh_app_pem=<<EOT
+        ${{ inputs.gh-app-pem }}
+        EOT
+        EOF
+
+    - name: ${{ inputs.action }} runner
+      working-directory: ${{ inputs.infra-dir }}
+      shell: bash
+      run: |
+        make ${{ inputs.action }} STATE_REGION=${{ inputs.state-region }} \
+            STATE_BUCKET=${{ inputs.state-bucket }} \
+            STATE_FILE=${{ inputs.label }} \
+            AUTO_APPROVE=true
+
+    - name: Lookup EC2 instance FQDN
+      if: ${{ inputs.action == 'apply' }}
+      id: ec2-apply
+      shell: bash
+      run: |
+        for (( i=1; i<=60; i++ ))
+        do
+          sleep 10
+          id_fqdn="$(aws ec2 describe-instances --region ${{ inputs.region }} | \
+                     jq -r '.Reservations[].Instances[] | select(.Tags != null) | select(.Tags[].Value|test("^${{ inputs.label }}$")) | .InstanceId + "," + .PublicDnsName')" || true
+          id=$(echo "$id_fqdn" | cut -d "," -f 1)
+          fqdn=$(echo "$id_fqdn" | cut -d "," -f 2)
+          ready_count="$(aws ec2 describe-instance-status --no-cli-pager --instance-ids $id --region ${{ inputs.region }} | \
+                         jq '.InstanceStatuses[] | select(.InstanceStatus.Details[].Status == "passed") | .InstanceId ' | wc -l)" || true
+          if [[ $ready_count -eq 1 ]]
+          then
+            echo "EC2 instance is ready now [id: $id, fqdn: $fqdn]"
+            echo fqdn=$fqdn >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          echo "EC2 instance is not ready yet ..."
+        done
+
+        echo "EC2 instance not ready!"
+        exit 1

infra/arm64-runner/Makefile

@@ -0,0 +1,20 @@
+SHELL := /bin/bash
+
+.PHONY: plan apply destroy init
+
+init:
+	terraform init --upgrade \
+			-backend-config=region=$(STATE_REGION) \
+			-backend-config=bucket=$(STATE_BUCKET) \
+			-backend-config=key=$(STATE_FILE)
+
+plan: init
+	terraform plan
+
+apply: AUTO_APPROVE ?= false
+apply: init
+	terraform apply --auto-approve=$(AUTO_APPROVE)
+
+destroy: AUTO_APPROVE ?= false
+destroy: init
+	terraform destroy --auto-approve=$(AUTO_APPROVE)

infra/arm64-runner/main.tf

@@ -0,0 +1,97 @@
+# VPC setup
+resource "aws_vpc" "vpc" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    Name = "${var.owner}/${var.gh_label}-runner"
+  }
+}
+
+resource "aws_subnet" "subnet" {
+  vpc_id            = aws_vpc.vpc.id
+  cidr_block        = "10.0.1.0/24"
+  availability_zone = var.zone
+}
+
+resource "aws_security_group" "security_group" {
+  name = "allow-all"
+
+  vpc_id = aws_vpc.vpc.id
+
+  ingress {
+    cidr_blocks = [
+      "0.0.0.0/0"
+    ]
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_internet_gateway" "gateway" {
+  vpc_id = aws_vpc.vpc.id
+}
+
+resource "aws_route_table" "route_table" {
+  vpc_id = aws_vpc.vpc.id
+
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gateway.id
+  }
+}
+
+resource "aws_route_table_association" "route_table_association" {
+  subnet_id      = aws_subnet.subnet.id
+  route_table_id = aws_route_table.route_table.id
+}
+
+# SSH key
+resource "aws_key_pair" "key_pair" {
+  key_name   = var.ssh_key_pair
+  public_key = var.ssh_public_key
+}
+
+# EC2 instance
+resource "aws_instance" "runner" {
+  instance_type               = var.ec2_type
+  ami                         = var.ec2_ami
+  key_name                    = var.ssh_key_pair
+  associate_public_ip_address = true
+  subnet_id                   = aws_subnet.subnet.id
+  vpc_security_group_ids      = ["${aws_security_group.security_group.id}"]
+
+  root_block_device {
+    volume_size = 256
+    volume_type = "gp3"
+  }
+
+  user_data = replace(replace(replace(replace(replace(replace(replace(file("./setup.sh"),
+    "{GITHUB_APP_ID}", var.gh_app_id),
+    "{GITHUB_APP_INSTALL_ID}", var.gh_app_install_id),
+    "{GITHUB_APP_PEM}", var.gh_app_pem),
+    "{GITHUB_ORG}", var.gh_org),
+    "{GITHUB_GROUP}", var.gh_group),
+    "{GITHUB_LABELS}", var.gh_label),
+  "{GITHUB_RUNNERS_COUNT}", var.gh_runners_count)
+
+  lifecycle {
+    ignore_changes = [user_data]
+  }
+
+  tags = {
+    Name  = "${var.owner}/${var.gh_label}"
+    Label = "${var.gh_label}"
+  }
+}
+

infra/arm64-runner/providers.tf

@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.55.0"
+    }
+  }
+
+  backend "s3" {
+    encrypt = true
+  }
+}
+
+provider "aws" {
+  region = var.region
+
+  default_tags {
+    tags = {
+      owner = var.owner
+    }
+  }
+}

infra/arm64-runner/setup.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -e
+
+GITHUB_API_SERVER="api.github.com"
+# the following lines will be replaced by Terraform
+GITHUB_APP_ID="{GITHUB_APP_ID}"
+GITHUB_APP_INSTALL_ID="{GITHUB_APP_INSTALL_ID}"
+GITHUB_APP_PEM="{GITHUB_APP_PEM}"
+GITHUB_ORG="{GITHUB_ORG}"
+GITHUB_GROUP="{GITHUB_GROUP}"
+GITHUB_LABELS="{GITHUB_LABELS}"
+GITHUB_RUNNERS_COUNT="{GITHUB_RUNNERS_COUNT}"
+
+get_github_runners_token() {
+  NOW=$( date +%s )
+  IAT=$(($NOW  - 60))
+  EXP=$(($NOW + 540))
+  HEADER_RAW='{"alg":"RS256"}'
+  HEADER=$( echo -n "$HEADER_RAW" | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n' )
+  PAYLOAD_RAW='{"iat":'"$IAT"',"exp":'"$EXP"',"iss":'"$GITHUB_APP_ID"'}'
+  PAYLOAD=$( echo -n "$PAYLOAD_RAW" | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n' )
+  HEADER_PAYLOAD="$HEADER"."$PAYLOAD"
+
+  # Making a tmp directory here because /bin/sh doesn't support process redirection <()
+  tmp_dir=/tmp/github_app_tmp
+  mkdir "$tmp_dir"
+  echo -n "$GITHUB_APP_PEM" > "$tmp_dir/github.pem"
+  echo -n "$HEADER_PAYLOAD" > "$tmp_dir/header"
+  SIGNATURE=$( openssl dgst -sha256 -sign "$tmp_dir/github.pem" "$tmp_dir/header" | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n' )
+  rm -rf "$tmp_dir"
+
+  JWT="$HEADER_PAYLOAD"."$SIGNATURE"
+  INSTALL_URL="https://$GITHUB_API_SERVER/app/installations/$GITHUB_APP_INSTALL_ID/access_tokens"
+  INSTALL_TOKEN_PAYLOAD=$(curl -sSfLX POST -H "Authorization: Bearer $JWT" -H "Accept: application/vnd.github.v3+json" "$INSTALL_URL")
+  INSTALL_TOKEN=$(echo $INSTALL_TOKEN_PAYLOAD | jq .token --raw-output)
+
+  token_url="https://$GITHUB_API_SERVER/orgs/$GITHUB_ORG/actions/runners/registration-token"
+  payload=$(curl -sSfLX POST -H "Authorization: token $INSTALL_TOKEN" $token_url)
+
+  RUNNER_TOKEN=$(echo $payload | jq .token --raw-output)
+  echo "$RUNNER_TOKEN"
+}
+
+# set up dependencies
+sudo apt-get update || true
+sudo apt-get update
+sudo apt-get -y upgrade
+sudo apt-get install -y qemu-kvm jq docker.io docker-buildx make \
+     clang cpp gcc zlib1g-dev libaio-dev libcap-dev libelf-dev \
+     liburing-dev net-tools netcat-traditional socat \
+     iptables software-properties-common netcat-openbsd iproute2
+
+VERSION_GO_CONTAINERREGISTRY=v0.19.1
+URL="https://github.com/google/go-containerregistry/releases/download/$VERSION_GO_CONTAINERREGISTRY/go-containerregistry_Linux_arm64.tar.gz"
+curl -fSL $URL | sudo tar -xz -C /usr/local/bin crane
+crane version
+
+# set up SSH for LVH
+sudo ufw allow OpenSSH
+sudo ufw --force enable
+sudo sed -i "s/.*PasswordAuthentication .*/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sudo sed -i "s/.*PubkeyAuthentication .*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
+sudo systemctl restart ssh
+
+# prepare multi-runners
+mkdir -p multi-runners && cd multi-runners
+VERSION_MULTI_RUNNERS=v1.2.0
+curl -L -o multi-runners.tar.gz https://github.com/vbem/multi-runners/archive/refs/tags/$VERSION_MULTI_RUNNERS.tar.gz
+tar xzf ./multi-runners.tar.gz --strip-components=1
+
+# get GH token for runners provisioning
+GITHUB_RUNNERS_TOKEN=$(get_github_runners_token)
+
+# create runners
+sudo tee .env <<EOF
+MR_RELEASE_URL='https://github.com/actions/runner/releases/download/v2.321.0/actions-runner-linux-arm64-2.321.0.tar.gz'
+EOF
+for (( i=1; i<=$GITHUB_RUNNERS_COUNT; i++ ))
+do
+  ./mr.bash add --org $GITHUB_ORG --group $GITHUB_GROUP --labels $GITHUB_LABELS --user runner-$i --token $GITHUB_RUNNERS_TOKEN
+done
+
+# prepare directories for LVH
+mkdir -p /home/runners && chown :runners /home/runners && chmod 774 /home/runners
+