Use /var/cache/ci-storage (potentially persisted-mounted from the host) to speed up action runner self-updating

Author: dimikot

ci-storage

@@ -248,7 +248,7 @@ def action_load(
                 if layer:
                     print(f"{prefix} {storage} has no slots, so exiting with a no-op")
                 else:
-                    print(f"{prefix} {storage} has no slots, so cleaning f{local_dir}")
+                    print(f"{prefix} {storage} has no slots, so cleaning {local_dir}")
                     action_clean(
                         local_dir=local_dir,
                         exclude=exclude,

docker/ci-runner/README.md

@@ -70,13 +70,15 @@ services:
       - CI_STORAGE_HOST=127.0.0.1:10022
       - BTIME
     volumes:
-      # ~/.ssh/ci-storage must exist on the docker host to access ci-storage
-      # remote container at $FORWARD_HOST
+      # ~/.ssh/ci-storage private key file must exist on the docker host to
+      # access ci-storage remote container at $FORWARD_HOST.
       - ~/.ssh/ci-storage:/run/secrets/CI_STORAGE_PRIVATE_KEY
+      # This volume will survive the container restart.
+      - ~/.ci-storage-cache:/var/cache/ci-storage
     tmpfs:
       # Having work directory on tmpfs makes latency predictable, which is very
       # handy while debugging the CI perf bottlenecks.
-      - /mnt:exec
+      - /mnt:exec,size=80%
 ```
 
 Example for your custom Dockerfile mentioned above. This Dockerfile allows to

docker/ci-runner/guest/entrypoint.03-update.sh

@@ -17,12 +17,29 @@ if [[ "$(find . -name "$updated_at_file" -mtime +21)" != "" ]]; then
     aarch64|arm64) arch=linux-arm64 ;;
     *) echo >&2 "unsupported architecture: $arch"; exit 1 ;;
   esac
-  say "Fetching the latest runner version..."
+
+  say "Getting the latest runner version (previously updated at $(cat $updated_at_file))..."
   runner_version=$(curl --silent "https://api.github.com/repos/actions/runner/releases/latest" | jq -r ".tag_name[1:]")
-  say "Updating runner to \"$runner_version\" (previously updated on $(cat $updated_at_file))..."
-  curl --no-progress-meter -L "https://github.com/actions/runner/releases/download/v$runner_version/actions-runner-$arch-$runner_version.tar.gz" | tar xz
-  say "Updated runner to $runner_version (previously updated on $(cat $updated_at_file))."
-  date > $updated_at_file
+
+  file="actions-runner-$arch-$runner_version.tar.gz"
+  path="$CACHE_DIR/$file"
+  url="https://github.com/actions/runner/releases/download/v$runner_version/$file"
+
+  say "Content of $CACHE_DIR:"
+  ls -la "$CACHE_DIR"
+
+  if [[ ! -r "$path" ]]; then
+    say "Downloading $url to $CACHE_DIR..."
+    curl --no-progress-meter -L "$url" > "$path.tmp"
+    mv -f "$path.tmp" "$path"
+  else
+    say "Using previously downloaded $path"
+  fi
+
+  tar xzf "$path"
+  date > "$updated_at_file"
+
+  say "Updated runner to $runner_version from $path"
 else
-  say "Runner is new enough (last updated on $(cat $updated_at_file)), skipping the update."
+  say "Runner is new enough (previously updated at $(cat $updated_at_file)), skipping the update."
 fi

docker/ci-runner/root/entrypoint.00-helpers.sh

@@ -7,6 +7,9 @@ set -u -e
 # GitHub Runner's work directory (encouraged to be mounted on tmpfs).
 export WORK_DIR="/mnt"
 
+# Cache directory that potentially survives the container restarts.
+export CACHE_DIR="/var/cache/ci-storage"
+
 # We don't use ec2metadata CLI tool, because it does not allow to configure
 # timeout. In case the container is run outside of AWS infra (e.g. during local
 # development), the absense of timeout causes problems. Prints an empty value

docker/ci-runner/root/entrypoint.02-permissions.sh

@@ -4,5 +4,10 @@
 #
 set -u -e
 
+mkdir -p "$WORK_DIR"
 chown guest:guest "$WORK_DIR"
 chmod 700 "$WORK_DIR"
+
+mkdir -p "$CACHE_DIR"
+chown guest:guest "$CACHE_DIR"
+chmod 700 "$CACHE_DIR"

docker/compose.yml

@@ -63,12 +63,16 @@ services:
       - DEBUG_SHUTDOWN_DELAY_SEC=1
     secrets:
       - CI_STORAGE_PRIVATE_KEY
+    volumes:
+      - ci-storage-cache:/var/cache/ci-storage
     tmpfs:
       - /mnt:exec
 
 volumes:
   ci-storage-mnt:
     external: false
+  ci-storage-cache:
+    external: false
 
 secrets:
   CI_STORAGE_PUBLIC_KEY: