fix: make container.docker_host default to -

Otherwise containers will be running by default with a socket to the
docker host which is insecure. The default must be secure.
Earl Warren 2024-10-29 07:49:55 +01:00
parent a424406b0f
commit 2b64f15543
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
2 changed files with 11 additions and 9 deletions


@ -1,7 +1,9 @@
# Release Notes # Release Notes
## 3.5.2 ## 4.0.0
* Breaking change: fix the default configuration for `docker_host` is changed to [not mounting the docker server socket](https://code.forgejo.org/forgejo/runner/pulls/305).
* [Remove debug information from the setup of a workflow](https://code.forgejo.org/forgejo/runner/pulls/297).
* Fix [crash in some cases when the YAML structure is not as expected](https://code.forgejo.org/forgejo/runner/issues/267). * Fix [crash in some cases when the YAML structure is not as expected](https://code.forgejo.org/forgejo/runner/issues/267).
## 3.5.1 ## 3.5.1


@ -1,7 +1,7 @@
# Example configuration file, it's safe to copy this as the default config file without any modification. # Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance, # You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file. # just run `forgejo-runner generate-config > config.yaml` to generate a config file.
log: log:
# The level of logging, can be trace, debug, info, warn, error, fatal # The level of logging, can be trace, debug, info, warn, error, fatal
@ -40,7 +40,7 @@ runner:
# The labels of a runner are used to determine which jobs the runner can run, and how to run them. # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:20-bookworm", "ubuntu-22.04:docker://node:20-bookworm"] # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:20-bookworm", "ubuntu-22.04:docker://node:20-bookworm"]
# If it's empty when registering, it will ask for inputting labels. # If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file. # If it's empty when executing the `daemon`, it will use labels in the `.runner` file.
labels: [] labels: []
cache: cache:
@ -57,8 +57,8 @@ cache:
# 0 means to use a random available port. # 0 means to use a random available port.
port: 0 port: 0
# The external cache server URL. Valid only when enable is true. # The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself. # If it's specified, it will be used to set the ACTIONS_CACHE_URL environment variable. The URL should generally end with "/".
# The URL should generally end with "/". # Otherwise it will be set to the the URL of the internal cache server.
external_server: "" external_server: ""
container: container:
@ -87,10 +87,10 @@ container:
# - '**' # - '**'
valid_volumes: [] valid_volumes: []
# overrides the docker client host with the specified one. # overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically. # If "-", an available docker host will automatically be found.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers. # If empty, an available docker host will automatically be found and mounted in the job container (e.g. /var/run/docker.sock).
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work. # Otherwise the specified docker host will be used and an error will be returned if it doesn't work.
docker_host: "" docker_host: "-"
# Pull docker image(s) even if already present # Pull docker image(s) even if already present
force_pull: false force_pull: false
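Review bot: The rewritten comment for `docker_host: "-"` in the last hunk no longer says that the docker host is not mounted into the job and service containers, which is the property that makes the new default the secure one. The old wording stated it and the new one should keep it, for example `# If "-", an available docker host will automatically be found but will not be mounted in the job and service containers.` The comment for the empty value could also say why it is now opt-in: `# If empty, an available docker host will automatically be found and mounted in the job container (e.g. /var/run/docker.sock), which gives jobs control of that docker daemon.` Only this example file and the release notes change in the commit, so whether a config that omits the key or still carries `docker_host: ""` gets the new behaviour depends on the loader, which is not shown here. If it does not, the release note should tell operators to update existing config files.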