nats runner

Author: khanzadimahdi

.github/workflows/nats.yaml

@@ -0,0 +1,76 @@
+name: Nats Blueprints CI and CD
+
+on:
+  push:
+    paths:
+      - 'nats/**'
+
+  pull_request:
+    paths:
+      - 'nats/**'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: code-runner
+  BUILD_ARG_VERSION_NAME: NATS_SERVER_VERSION
+concurrency:
+  group: nats-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        nats_server_version: [2.10.0]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build nats:${{ matrix.nats_server_version }} image
+        uses: ./.github/actions/docker-build
+        with:
+          context: ./nats
+          dockerfile: ./nats/Dockerfile
+          image-name: ${{ env.IMAGE_NAME }}
+          tag: nats-${{ matrix.nats_server_version }}
+          push: false
+          container-registry: ${{ env.REGISTRY }}
+          build-arg-version-name: ${{ env.BUILD_ARG_VERSION_NAME }}
+          build-arg-version-value: ${{ matrix.nats_server_version }}
+
+  cd:
+    runs-on: ubuntu-latest
+
+    if: ${{ format('refs/heads/{0}', github.event.repository.default_branch) == github.ref }}
+
+    strategy:
+      matrix:
+        nats_server_version: [2.10.0]
+
+    permissions:
+      packages: write
+      contents: read
+
+    needs:
+      - ci
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build and push nats:${{ matrix.nats_server_version }} image
+        uses: ./.github/actions/docker-build
+        with:
+          context: ./nats
+          dockerfile: ./nats/Dockerfile
+          image-name: ${{ env.IMAGE_NAME }}
+          tag: nats-${{ matrix.nats_server_version }}
+          push: true
+          container-registry: ${{ env.REGISTRY }}
+          container-registry-username: ${{ github.actor }}
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          build-arg-version-name: ${{ env.BUILD_ARG_VERSION_NAME }}
+          build-arg-version-value: ${{ matrix.nats_server_version }}

go/Dockerfile

@@ -3,11 +3,17 @@ ARG GO_VERSION=1.24
 
 FROM golang:${GO_VERSION}-alpine
 
-RUN apk add --no-cache bash coreutils
+RUN apk add --no-cache bash coreutils shadow
 
-WORKDIR /app
+WORKDIR /home/runner
 
 COPY run.sh /run.sh
-RUN chmod +x /run.sh
+
+RUN groupadd -g 10001 runner \
+    && useradd -u 10000 -g runner -m -d /home/runner runner \
+    && chown -R runner:runner /home/runner \
+    && chmod +x /run.sh
+
+USER runner:runner
 
 ENTRYPOINT ["/run.sh"]

nats/Dockerfile

@@ -0,0 +1,39 @@
+# Accept Nats server version as build argument
+ARG NATS_SERVER_VERSION=2.10.0
+
+# ------------------------------------------
+FROM nats:${NATS_SERVER_VERSION}-alpine AS base
+
+# ------------------------------------------
+FROM base AS builder
+
+COPY install.sh /tmp/install.sh
+
+RUN chmod +x /tmp/install.sh && /tmp/install.sh
+
+# ------------------------------------------
+FROM base AS runner
+
+# Install tools
+RUN apk add --no-cache bash coreutils busybox-extras shadow
+
+# Create data directory for nats server
+RUN mkdir -p /data
+
+# Copy nats binary from builder image
+COPY --from=builder /usr/local/bin/nats /usr/local/bin/nats
+
+COPY nats.conf /etc/nats/nats-server.conf
+
+WORKDIR /home/runner
+
+COPY run.sh /run.sh
+
+RUN groupadd -g 10001 runner \
+    && useradd -u 10000 -g runner -m -d /home/runner runner \
+    && chown -R runner:runner /home/runner /data \
+    && chmod +x /run.sh
+
+USER runner:runner
+
+ENTRYPOINT ["/run.sh"]

nats/install.sh

@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Step 1: Detect OS and Architecture
+OS=$(uname | tr '[:upper:]' '[:lower:]')
+ARCH=$(uname -m)
+
+# Normalize architecture name
+case "$ARCH" in
+  x86_64) ARCH="amd64" ;;
+  amd64) ARCH="amd64" ;;
+  aarch64) ARCH="arm64" ;;
+  armv7l) ARCH="arm7" ;;
+  armv6l) ARCH="arm6" ;;
+  i386 | i686) ARCH="386" ;;
+  *) echo "Unsupported arch: $ARCH"; exit 1;;
+esac
+
+# Step 2: Get Latest NATS CLI Version
+VERSION=$(wget --no-check-certificate -qO- https://api.github.com/repos/nats-io/natscli/releases/latest | grep '"tag_name":' | head -n 1 | cut -d '"' -f4)
+
+if [ -z "$VERSION" ]; then
+    echo "Failed to get latest NATS version."
+    exit 1
+fi
+
+echo "Detected OS: $OS"
+echo "Detected Architecture: $ARCH"
+echo "Latest NATS Version: $VERSION"
+
+# Step 3: Build Download URL
+VERSION_NUMBER=$(echo "$VERSION" | sed 's/^v//')
+FILE_NAME="nats-${VERSION_NUMBER}-${OS}-${ARCH}"
+ZIP_FILE="${FILE_NAME}.zip"
+URL="https://github.com/nats-io/natscli/releases/download/${VERSION}/${ZIP_FILE}"
+
+# Step 4: Download and Extract
+wget --no-check-certificate $URL -O /tmp/$ZIP_FILE
+
+if [ $? -ne 0 ]; then
+    echo "Failed to download NATS."
+    exit 1
+fi
+
+cd /tmp
+unzip $ZIP_FILE
+
+# Step 5: Move binary to /usr/local/bin
+mv $FILE_NAME/nats /usr/local/bin/
+
+# Step 6: Cleanup
+rm -rf $ZIP_FILE $FILE_NAME
+
+echo "NATS server installed successfully."

nats/nats.conf

@@ -0,0 +1,80 @@
+# Client port of 4222 on all interfaces
+port: 4222
+
+# Monitoring and metrics
+server_name: "nats-server"
+monitor_port: 8222
+
+# Enable JetStream
+jetstream {
+  store_dir: "/data/jetstream"
+  max_mem: 5MB
+  max_file: 2MB
+}
+
+# Logging configuration
+logtime: true
+log_file: "/data/nats.log"
+debug: false
+trace: false
+
+# Connection limits and timeouts
+max_connections: 5
+max_subscriptions: 0
+max_payload: 1MB
+max_pending: 2MB
+write_deadline: 5s
+max_control_line: 4096
+
+
+# Account Structure
+# --------------------------------------------------
+# 1. SYS Account (System Account)
+#   User: sys / syspass
+#   Purpose: System operations and monitoring
+#   Permissions: Can only access $SYS.> subjects
+#   Exports: System services for other accounts
+
+# 3. Authorization Section
+#   User: ruser / T0pS3cr3t
+#   Purpose: Cluster route authentication
+#   Permissions: Full access for cluster routing
+
+# Define accounts: SYS for system operations and CLUSTER for cluster communication
+accounts: {
+  SYS: {
+    users: [
+      {
+        user: sys
+        password: syspass
+        permissions: {
+          publish: {
+            allow: ["$SYS.>", "_INBOX.>"]
+          }
+          subscribe: {
+            allow: ["$SYS.>", "_INBOX.>"]
+          }
+        }
+      }
+    ]
+    exports: [
+      { service: "$SYS.>" }
+    ]
+  },
+}
+
+# System account config
+system_account: SYS
+
+authorization: {
+  users: [
+    {
+      user: "ruser"
+      password: "T0pS3cr3t"
+      permissions: {
+        publish: ">"
+        subscribe: ">"
+      }
+    }
+  ]
+}

nats/readme.md

@@ -0,0 +1,33 @@
+This Dockerfile will creates a docker image which can be used to run `nats` commands.
+
+# How to build
+
+```
+# building with nats-server 2.10.0
+docker build --build-arg NATS_SERVER_VERSION=2.10.0 -t code-runner:nats-2.10.0 .
+```
+
+The Nats version can be specified by passing the `NATS_SERVER_VERSION` argument to the `docker build` command.
+
+# How to use
+
+1. Run code with default timeout
+
+```sh
+docker run --rm code-runner:nats-2.10.0 'nats --user=mahdi account info'
+```
+
+2. Run code with custom timeout
+
+```sh
+docker run --rm code-runner:nats-2.10.0 --timeout 3 'nats --user=mahdi account info'
+```
+
+3. Multiline + custom timeout
+
+```sh
+docker run --rm -i code-runner:nats-2.10.0 --timeout 5 <<EOF
+nats account info && \
+nats stream ls
+EOF
+```