From 003d09f709000577a0c90683b8820c616cc6bd81 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Tue, 26 Jul 2022 21:19:36 +0200
Subject: [PATCH] gitlab_runner: Initial the keyring in the base image for
 faster boot

"Disabling revoked keys in keyring" when running "pacman-key --populate"
is very slow (easily +20 seconds), in our case the boot is now ~27
seconds faster (tested on secure-runner1). The pacman master private key
is removed to prevent malicious actors from injecting packages; a new
key is generated by pacman-init.service on boot.
---
 roles/gitlab_runner/files/libvirt-executor           |  4 ++--
 .../files/libvirt-executor-update-base-image         | 12 +++++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/roles/gitlab_runner/files/libvirt-executor b/roles/gitlab_runner/files/libvirt-executor
index b32518fd1..eee240049 100755
--- a/roles/gitlab_runner/files/libvirt-executor
+++ b/roles/gitlab_runner/files/libvirt-executor
@@ -28,7 +28,7 @@ vm_ip() {
 }
 
 wait_for_ssh() {
-  for _ in {1..60}; do
+  for _ in {1..30}; do
     if ! ip="$(vm_ip "${1}")"; then
       echo "Waiting for network"
       sleep 1
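Review bot: The new bound in `for _ in {1..30}` is taken from a measurement on one host (secure-runner1, per the commit message), so the margin it leaves depends on the ~27 s that were saved; a slower or loaded host that used to boot within 60 s now exits with `SYSTEM_FAILURE_EXIT_CODE`. Consider keeping a larger bound or making it overridable without editing the script, e.g. `for ((i = 0; i < ${VM_SSH_TIMEOUT:-30}; i++)); do`. Each iteration only guarantees about one second of waiting on the visible `vm_ip` failure path; the ssh probe and the rest of wait_for_ssh lie outside this hunk.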
@@ -42,7 +42,7 @@ wait_for_ssh() {
     printf "%s" "${ip}"
     return 0
   done
-  echo 'Waited 60 seconds for VM to start, exiting...'
+  echo 'Waited 30 seconds for VM to start, exiting...'
   exit "${SYSTEM_FAILURE_EXIT_CODE:-1}"
 }
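Review bot: The timeout now exists as two separate literals, the loop bound `{1..30}` in the previous hunk and the `30` in this message, and this commit already had to change both in lockstep. Hoisting it into one constant removes the drift: `readonly vm_ssh_timeout=30` near the top of the file, `for ((i = 0; i < vm_ssh_timeout; i++)); do` for the loop head, and `echo "Waited ${vm_ssh_timeout} seconds for VM to start, exiting..."` here. The loop head is in the previous hunk and the function's ssh probe sits between the two hunks, outside what is shown.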
 
diff --git a/roles/gitlab_runner/files/libvirt-executor-update-base-image b/roles/gitlab_runner/files/libvirt-executor-update-base-image
index f02e83906..c3d2570cd 100755
--- a/roles/gitlab_runner/files/libvirt-executor-update-base-image
+++ b/roles/gitlab_runner/files/libvirt-executor-update-base-image
@@ -26,7 +26,14 @@ qemu-img convert -f qcow2 -O raw Arch-Linux-x86_64-basic.qcow2 Arch-Linux-x86_64
 
 loopdev="$(losetup --find --partscan --show "${image}")"
 mount --mkdir "${loopdev}p2" mnt
-mount --mkdir --bind -o ro /etc/pacman.d/gnupg mnt/etc/pacman.d/gnupg
+
+arch-chroot mnt bash -e <<'EOF'
+pacman-key --init
+pacman-key --populate
+pid="$(pgrep gpg-agent)"
+gpgconf --homedir /etc/pacman.d/gnupg --kill all
+tail --pid="${pid}" -f /dev/null
+EOF
 
 # shellcheck disable=SC2016
 printf 'Server = https://geo.mirror.pkgbuild.com/$repo/os/$arch' > mnt/etc/pacman.d/mirrorlist
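Review bot: The agent wait at `pid="$(pgrep gpg-agent)"` matches any process called gpg-agent, and because the chroot script runs under `bash -e` the assignment aborts it when no agent is running, while more than one match hands `tail --pid` a multi-line value. If arch-chroot isolates the pid namespace this is presumably only the agent gpg spawned for /etc/pacman.d/gnupg, but the match should still be pinned to that homedir (confirm the exact agent command line with `ps` on a build) and the wait made tolerant of an absent agent, since the kill-and-wait is only there so the later `umount mnt` does not find the directory busy. A comment saying so would help the next reader; something like:
```shell
pacman-key --init
pacman-key --populate
# gpgconf --kill returns before the agent exits; wait for it so the
# later umount does not find /etc/pacman.d/gnupg busy.
agent_pid="$(pgrep -f -- 'gpg-agent --homedir /etc/pacman.d/gnupg' || true)"
gpgconf --homedir /etc/pacman.d/gnupg --kill all
if [[ -n "${agent_pid}" ]]; then
  tail --pid="${agent_pid}" -f /dev/null
fi
```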
@@ -42,8 +49,7 @@ rm -f mnt/etc/machine-id
 
 cp -a mnt/boot/{initramfs-linux-fallback.img,initramfs-linux.img}
 
-umount mnt/etc/pacman.d/gnupg
-rmdir mnt/etc/pacman.d/gnupg
+rm -r mnt/etc/pacman.d/gnupg/{openpgp-revocs.d,private-keys-v1.d}/
 umount mnt
 losetup -d "${loopdev}"
 loopdev=""
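Review bot: Removing `private-keys-v1.d` drops the secret half of the build-time master key, but its public key and the ultimate ownertrust recorded for it remain in `pubring.gpg`/`trustdb.gpg`, so every VM keeps trusting a key whose secret part lived on the build host, with a running agent, for the duration of this script. If the threat model in the commit message is that key material leaking from the build host could be used to inject packages, the public key should go as well, e.g. `arch-chroot mnt gpg --homedir /etc/pacman.d/gnupg --batch --yes --delete-keys 'Pacman Keyring Master Key'` before the `rm -r`; the Arch master keys would then be re-signed by the key pacman-init.service generates on first boot, though whether that preserves the measured boot-time gain needs confirming. If gpg left a `random_seed` file in the directory it is worth deleting too, so that instances do not all start their on-boot key generation from the same seed file. Minor: `rm -r -- mnt/etc/pacman.d/gnupg/{openpgp-revocs.d,private-keys-v1.d}/` to end option parsing before the paths.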
-- 
GitLab