#!/bin/bash
# Container entrypoint for a self-hosted Azure DevOps agent.
#
# Required environment:
#   AZP_URL        - Azure DevOps URL handed to configure-agent.sh
#   AZP_POOL       - agent pool name
#   AGENT_NUMBER   - per-container agent index; also the subfolder of
#                    INSTALL_FOLDER the agent is run from
#   AZP_TOKEN      - PAT used to register/unregister the agent; when empty it
#                    is fetched from AWS Secrets Manager instead, which needs
#                    AWS_REGION + AZURE_DEVOPS_TOKEN_SECRET_ARN and an
#                    aws-ssm or lite_ssm client on PATH
# Optional (defaults applied below):
#   INSTALL_FOLDER (/opt/azagent), DEFAULT_CONTAINER_IMAGE (ubuntu:22.04),
#   DEFAULT_VOLUMES, AZP_AGENT_NAME, INSTANCE_ID (else EC2 IMDSv2, else hostname)
#
# Flow: optional Docker-socket group setup, input validation, agent
# configure + capabilities via /opt/setup-scripts, then run.sh in the
# foreground. SIGTERM runs cleanup(), which unregisters the agent.
#
# Only -e is set: unset variables expand to empty (so the [ -z ] checks
# below work), and no pipelines are used, so pipefail is not needed.
set -e
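#######################################
# Shutdown handler (installed below for SIGTERM): unregisters this agent from
# Azure DevOps and exits.
# Globals:   INSTALL_FOLDER (read; falls back to the same default the script
#            assigns later, since a signal may arrive before that line runs),
#            AGENT_NUMBER, AZP_TOKEN (read)
# Outputs:   progress on stdout, the missing-folder error on stderr
# Returns:   does not return; exits 0 after unregistering, 1 if the agent
#            folder cannot be entered (a config.sh failure exits via set -e)
# NOTE(review): the PAT is passed on the command line (--token), so it is
# visible in the process table while config.sh runs.
# NOTE(review): the backgrounded run.sh is not signalled here; it is left to
# the container runtime once this shell exits — confirm that is intended.
#######################################
cleanup() {
  local agent_dir="${INSTALL_FOLDER:-/opt/azagent}/${AGENT_NUMBER}"
  echo "Container stopped. Running cleanup..."
  cd -- "$agent_dir" || {
    echo "Error: agent folder $agent_dir not found, cannot unregister" >&2
    exit 1
  }
  ./config.sh remove --unattended --auth pat --token "$AZP_TOKEN"
  echo "Agent successfully unregistered."
  exit 0
}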
# Run cleanup() when the container runtime asks us to stop (SIGTERM).
# Only TERM is handled: INT and a plain EXIT do not trigger unregistration.
trap cleanup TERM
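# Give the azureagent user access to a mounted Docker socket by adding it to
# the socket's owning group. Best effort as before — a container without
# Docker access must still start — but failures are now reported on stderr
# instead of being discarded, and the resulting group is verified.
if [[ -S /var/run/docker.sock ]]; then
  DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock)
  echo "Adding azureagent user to GID $DOCKER_SOCK_GID for Docker access..."
  if [[ "$DOCKER_SOCK_GID" == "0" ]]; then
    # A root-owned socket means the usermod below puts the agent user into
    # the root group (GID 0); make that visible in the logs.
    echo "Warning: docker.sock is owned by GID 0; azureagent will be added to the root group" >&2
  fi
  # -f: succeed if 'dockerhost' already exists. Caveat: when the GID is already
  # taken by another group, groupadd silently allocates a different GID.
  sudo groupadd -g "$DOCKER_SOCK_GID" -f dockerhost || echo "Warning: groupadd dockerhost failed" >&2
  sudo usermod -aG "$DOCKER_SOCK_GID" azureagent || echo "Warning: usermod azureagent failed" >&2
  # run.sh is started later via 'sg dockerhost', so the group must actually
  # carry the socket's GID for that to grant socket access.
  DOCKERHOST_GID=$(getent group dockerhost | cut -d: -f3)
  if [[ "$DOCKERHOST_GID" != "$DOCKER_SOCK_GID" ]]; then
    echo "Warning: group dockerhost has GID '${DOCKERHOST_GID:-none}' but docker.sock has GID $DOCKER_SOCK_GID; 'sg dockerhost' will not grant socket access" >&2
  fi
fi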
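# ---- Required inputs --------------------------------------------------------
# Error messages keep their wording but go to stderr, separate from the
# status lines on stdout.
if [[ -z "$AZP_URL" ]]; then
  echo "Error: AZP_URL must be defined" >&2
  exit 1
fi
# Resolve the agent PAT: use AZP_TOKEN as given, otherwise fetch it from AWS
# Secrets Manager with aws-ssm (preferred) or lite_ssm (fallback). The token
# value itself is never printed.
if [[ -z "$AZP_TOKEN" ]]; then
  if [[ -n "$AZURE_DEVOPS_TOKEN_SECRET_ARN" && -n "$AWS_REGION" ]]; then
    echo "Retrieving Azure DevOps token from AWS Secrets Manager..."
    # Under 'set -e' a failing command substitution in an assignment aborts the
    # script before the "Failed to retrieve" branch below could report it;
    # '|| SECRET_TOKEN=' keeps such failures on the reported path. The client's
    # stderr is discarded as before; drop the 2>/dev/null to debug IAM/network
    # problems.
    if command -v aws-ssm >/dev/null 2>&1; then
      echo "Using aws-ssm (hypolas/aws-ssm-lite)..."
      # Syntax: aws-ssm <secret-id> [region]
      SECRET_TOKEN=$(aws-ssm "${AZURE_DEVOPS_TOKEN_SECRET_ARN}" "${AWS_REGION}" 2>/dev/null) || SECRET_TOKEN=
    elif command -v lite_ssm >/dev/null 2>&1; then
      echo "Using lite_ssm (fallback)..."
      SECRET_TOKEN=$(lite_ssm "${AZURE_DEVOPS_TOKEN_SECRET_ARN}" "${AWS_REGION}" 2>/dev/null) || SECRET_TOKEN=
    else
      echo "❌ No AWS Secrets Manager client available (aws-ssm or lite_ssm)" >&2
      echo "Install aws-ssm from hypolas/aws-ssm-lite or enable INSTALL_AWS_SSM=true" >&2
      exit 1
    fi
    # A literal "null" is treated as missing — presumably what the clients
    # print for an absent value; verify against the client's output.
    if [[ -n "${SECRET_TOKEN}" && "${SECRET_TOKEN}" != "null" ]]; then
      AZP_TOKEN="${SECRET_TOKEN}"
      echo "✅ Token retrieved from AWS Secrets Manager"
    else
      echo "❌ Failed to retrieve token from Secrets Manager" >&2
      exit 1
    fi
  else
    echo "❌ AZP_TOKEN not provided and AWS Secrets Manager not configured" >&2
    echo "Provide either AZP_TOKEN, or AWS_REGION + AZURE_DEVOPS_TOKEN_SECRET_ARN" >&2
    exit 1
  fi
else
  echo "✅ Azure DevOps token provided directly"
fi
if [[ -z "${AZP_POOL}" ]]; then
  echo "Error: AZP_POOL must be defined" >&2
  exit 1
fi
if [[ -z "${AGENT_NUMBER}" ]]; then
  echo "Error: AGENT_NUMBER must be defined" >&2
  exit 1
fi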
# Defaults for the optional settings; applied only when unset or empty.
: "${INSTALL_FOLDER:=/opt/azagent}"
: "${DEFAULT_CONTAINER_IMAGE:=ubuntu:22.04}"
# NOTE(review): this default hands the host Docker socket to whatever consumes
# DEFAULT_VOLUMES (add-capabilities.sh below) — presumably job containers,
# which would amount to host-level Docker access; verify that is intended.
: "${DEFAULT_VOLUMES:=/var/run/docker.sock:/var/run/docker.sock,/cache:/cache,/data:/data}"
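# Determine INSTANCE_ID: keep a provided value, else ask EC2 IMDSv2, else fall
# back to the hostname. The IMDS calls are bounded with connect/total timeouts
# so a container running outside EC2 (where 169.254.169.254 is unreachable)
# does not hang here, and '-f' makes an HTTP error yield an empty value
# instead of an error body being used as the instance id.
if [[ -z "$INSTANCE_ID" ]]; then
  echo "Retrieving INSTANCE_ID from AWS using IMDSv2..."
  # Session token first (IMDSv2); no unauthenticated IMDSv1 GET is attempted.
  IMDS_TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
    --connect-timeout 2 --max-time 5 2>/dev/null) || IMDS_TOKEN=
  if [[ -n "$IMDS_TOKEN" ]]; then
    INSTANCE_ID=$(curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
      --connect-timeout 2 --max-time 5 \
      "http://169.254.169.254/latest/meta-data/instance-id" 2>/dev/null) || INSTANCE_ID=
  fi
  echo "INSTANCE_ID from IMDSv2: $INSTANCE_ID"
  if [[ -z "$INSTANCE_ID" ]]; then
    echo "Warning: Unable to retrieve AWS INSTANCE_ID, using hostname" >&2
    INSTANCE_ID=$(hostname)
  else
    echo "INSTANCE_ID retrieved from AWS: $INSTANCE_ID"
  fi
else
  echo "INSTANCE_ID provided: $INSTANCE_ID"
fi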
# Print the effective configuration. The token is deliberately not shown.
cat <<EOF
==========================================
Azure DevOps Agent Configuration
==========================================
URL: $AZP_URL
Pool: $AZP_POOL
Agent Name: $AZP_AGENT_NAME-$AGENT_NUMBER-$INSTANCE_ID
Install Folder: $INSTALL_FOLDER
Agent Number: $AGENT_NUMBER
Instance ID: $INSTANCE_ID
Default Container: $DEFAULT_CONTAINER_IMAGE
Default Volumes: $DEFAULT_VOLUMES
==========================================
EOF
# Register the agent and advertise its capabilities via the helper scripts.
# NOTE(review): the PAT is passed to configure-agent.sh as a positional
# argument, so it is visible in the process table while that script runs.
echo "Configuring Azure DevOps agent..."
/opt/setup-scripts/configure-agent.sh \
  "$INSTALL_FOLDER" "$AZP_URL" "$AZP_TOKEN" "$AZP_POOL" \
  "$AZP_AGENT_NAME" "$AGENT_NUMBER" "$INSTANCE_ID"
echo "Adding capabilities..."
/opt/setup-scripts/add-capabilities.sh \
  "$DEFAULT_CONTAINER_IMAGE" "$DEFAULT_VOLUMES" "$AGENT_NUMBER" "$INSTALL_FOLDER"
echo "Configuration complete. Starting agent..."
# run.sh is launched in the background under the dockerhost group (sg) and
# then waited on, so the SIGTERM trap can interrupt the wait and run cleanup();
# otherwise the script's exit status is run.sh's.
# NOTE(review): the only place this script creates 'dockerhost' is the
# docker.sock branch above; if the image does not pre-create the group, sg
# fails here and the agent never starts — confirm with the image build.
echo "Starting agent ${AZP_AGENT_NAME}-${AGENT_NUMBER}-${INSTANCE_ID}..."
cd -- "$INSTALL_FOLDER/$AGENT_NUMBER"
sg dockerhost -c "./run.sh" &
agent_pid=$!
wait "$agent_pid"