gitlab_runner: Initial the keyring in the base image for faster boot

"Disabling revoked keys in keyring" when running "pacman-key --populate" is very slow (easily +20 seconds), in our case the boot is now ~27 seconds faster (tested on secure-runner1). The pacman master private key is removed to prevent malicious actors from injecting packages, a new key is generated by pacman-init.service on boot.

gitlab_runner: Initial the keyring in the base image for faster boot
466230e4 · Kristian Klausen · 1f07c410 · 466230e4 · 466230e4
Verified Commit 466230e4 authored 2 years ago by Kristian Klausen
--- a/roles/gitlab_runner/files/libvirt-executor
+++ b/roles/gitlab_runner/files/libvirt-executor
@@ -28,7 +28,7 @@ vm_ip() {
 }
 wait_for_ssh() {
-  for _ in {1..60}; do
+  for _ in {1..30}; do
    if ! ip="$(vm_ip "${1}")"; then
      echo "Waiting for network"
      sleep 1
@@ -42,7 +42,7 @@ wait_for_ssh() {
    printf "%s" "${ip}"
    return 0
  done
-  echo 'Waited 60 seconds for VM to start, exiting...'
+  echo 'Waited 30 seconds for VM to start, exiting...'
  exit "${SYSTEM_FAILURE_EXIT_CODE:-1}"
 }

--- a/roles/gitlab_runner/files/libvirt-executor-update-base-image
+++ b/roles/gitlab_runner/files/libvirt-executor-update-base-image
@@ -26,7 +26,9 @@ qemu-img convert -f qcow2 -O raw Arch-Linux-x86_64-basic.qcow2 Arch-Linux-x86_64
 loopdev="$(losetup --find --partscan --show "${image}")"
 mount --mkdir "${loopdev}p2" mnt
-mount --mkdir --bind -o ro /etc/pacman.d/gnupg mnt/etc/pacman.d/gnupg
+arch-chroot mnt pacman-key --init
+arch-chroot mnt pacman-key --populate
 # shellcheck disable=SC2016
 printf 'Server = https://geo.mirror.pkgbuild.com/$repo/os/$arch' > mnt/etc/pacman.d/mirrorlist
@@ -41,8 +43,8 @@ rm -f mnt/etc/machine-id
 cp -a mnt/boot/{initramfs-linux-fallback.img,initramfs-linux.img}
-umount mnt/etc/pacman.d/gnupg
+rm -r mnt/etc/pacman.d/gnupg/{openpgp-revocs.d,private-keys-v1.d}/
-rmdir mnt/etc/pacman.d/gnupg
+arch-chroot mnt pacman-key --delete pacman@localhost
 umount mnt
 losetup -d "${loopdev}"
 loopdev=""