Support for podman

james2432 commented

2024-03-16 12:04:30 +00:00

I see in the code it seems to be heavily focused on Docker itself(hardcoded names vs abstraction), which would mean a massive undertaking to dynamically support other container systems

earl-warren added the

Kind/Feature

label 2024-03-17 06:53:18 +00:00

earl-warren commented

2024-03-17 06:56:17 +00:00

Owner

There are instructions on how to use podman instead of docker https://forgejo.org/docs/v1.21/admin/actions/#execution-of-the-workflows

It could be improved runner side to not rely on command aliases and probably take advantage of more podman specific features.

There are instructions on how to use podman instead of docker https://forgejo.org/docs/v1.21/admin/actions/#execution-of-the-workflows It could be improved runner side to not rely on command aliases and probably take advantage of more podman specific features.

james2432 commented

2024-03-17 08:36:03 +00:00

Author

There are instructions on how to use podman instead of docker https://forgejo.org/docs/v1.21/admin/actions/#execution-of-the-workflows

It could be improved runner side to not rely on command aliases and probably take advantage of more podman specific features.

yeah that's running podman as a service similar to docker.

but the advantage of podman is it uses fork-exec and doesn't need to have a service running all the time. That and doesn't need to run as root all the time(unprivileged userspace)

> There are instructions on how to use podman instead of docker https://forgejo.org/docs/v1.21/admin/actions/#execution-of-the-workflows > > It could be improved runner side to not rely on command aliases and probably take advantage of more podman specific features. > yeah that's running podman as a service similar to docker. but the advantage of podman is it uses fork-exec and doesn't need to have a service running all the time. That and doesn't need to run as root all the time(unprivileged userspace)

thefox commented

2024-03-24 23:15:34 +00:00

Member

The daemonless part I get, but I don't think socket runs as root if started as user.

Admittedly it would be a nice feature to have a podman backend. I might look at it after I'll end up with anything remotely usable with incus - so not anytime soon.

I would suggest moving this to https://code.forgejo.org/forgejo/act, as it would need to support podman before runner can.

The daemonless part I get, but I don't think socket runs as root if started as user. Admittedly it would be a nice feature to have a podman backend. I might look at it after I'll end up with anything remotely usable with incus - so not anytime soon. I would suggest moving this to https://code.forgejo.org/forgejo/act, as it would need to support podman before runner can.

👍 1

el0n commented

2024-04-03 18:46:31 +00:00

@thefox : as i primarily use podman I'm willing to help out (testing ...)

❤️ 2

el0n commented

2024-04-10 00:59:44 +00:00

For those who want to try the runner on some major podman platforms.

Here a repository with installation instructions that can be enabled on Fedora/CentOS/RHEL (x86_64, aarch64):

https://copr.fedorainfracloud.org/coprs/ne0l/forgejo/

For those who want to try the runner on some major podman platforms. Here a repository with installation instructions that can be enabled on Fedora/CentOS/RHEL (x86_64, aarch64): https://copr.fedorainfracloud.org/coprs/ne0l/forgejo/

👍 1

earl-warren commented

2024-04-10 05:04:17 +00:00

Owner

@el0n looking good and simple. It would be a nice addition to https://forgejo.org/docs/v1.21/admin/actions/#packaging if you have the time to submit a PR at https://codeberg.org/forgejo/docs/src/branch/next/docs/admin/actions.md 🙏

anri commented

2024-04-13 18:25:50 +00:00

Hi, chiming in because I was inspired by @el0n's COPR and found out that using the OCI image for the runner appears to work.
I did the following inside a new user as a test:

Enable the podman socket, for example with systemd:
systemctl --user enable --now podman.socket
Run the OCI image with rootless podman:
podman run -it --security-opt=label=disable -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock --user $(id -u) -e DOCKER_HOST=unix:///var/run/docker.sock -v forgejo-runner-data:/data code.forgejo.org/forgejo/runner:3.3.0 forgejo-runner daemon

(Obviously before running the daemon itself one should call register and do the setup.)

I'll test it throughly in the following days, but at least the registration works.

Hi, chiming in because I was inspired by @el0n's COPR and found out that using the OCI image for the runner _appears_ to work. I did the following inside a new user as a test: 1. Enable the podman socket, for example with systemd: `systemctl --user enable --now podman.socket` 1. Run the OCI image with rootless podman: `podman run -it --security-opt=label=disable -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock --user $(id -u) -e DOCKER_HOST=unix:///var/run/docker.sock -v forgejo-runner-data:/data code.forgejo.org/forgejo/runner:3.3.0 forgejo-runner daemon` (Obviously before running the daemon itself one should call `register` and do the setup.) I'll test it throughly in the following days, but at least the registration works.

❤️ 1

anri commented

2024-04-14 16:13:02 +00:00

Small update: running the OCI image from rootless podman does not seem possible due to a permission issue (?).
While registration works, running any action fails with the following:

failed to create container: 'Error response from daemon: make cli opts(): making volume mountpoint for volume /var/run/docker.sock: mkdir /var/run/docker.sock: permission denied'

The command used:

$ podman run -it \
    --security-opt label=disable \
    -v /run/user/1000/podman/podman.sock:/var/run/docker.sock:rw \
    --user 0:0 \
    -e DOCKER_HOST=unix:///var/run/docker.sock \
    -v forgejo-runner-data:/data \
    code.forgejo.org/forgejo/runner:3.4.1 \
    forgejo-runner daemon

EDIT: it appears that this was referenced in #139 and the fix is to put docker_host: '-' inside the configuration file. Also see jorn's page for using the OCI image via Podman Quadlet.

Small update: running the OCI image from rootless podman does not seem possible due to a permission issue (?). While registration works, running any action fails with the following: ``` failed to create container: 'Error response from daemon: make cli opts(): making volume mountpoint for volume /var/run/docker.sock: mkdir /var/run/docker.sock: permission denied' ``` The command used: ``` $ podman run -it \ --security-opt label=disable \ -v /run/user/1000/podman/podman.sock:/var/run/docker.sock:rw \ --user 0:0 \ -e DOCKER_HOST=unix:///var/run/docker.sock \ -v forgejo-runner-data:/data \ code.forgejo.org/forgejo/runner:3.4.1 \ forgejo-runner daemon ``` EDIT: it appears that this was referenced in #139 and the fix is to put `docker_host: '-'` inside the configuration file. Also see [jorn's page](https://jornfranke.codeberg.page/technology-tutorials/forgejo-runner-opensuse-microos-hetzner/) for using the OCI image via Podman Quadlet.

earl-warren commented

2024-04-14 17:28:09 +00:00

Owner

https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose shows how it can work. But my preference would be for the runner binary because it is so much simpler.

el0n commented

2024-04-15 02:03:46 +00:00

There are many ways to design the usage of the runner: so far I tested following scenarios successfully

runner: on host | workload: in podman container, container on host (user aka rootless)
runner: in container on host (user aka rootless) | workload: in podman container, container on host (user aka rootless)
2.1. accomplished by passing users socket only into runners container
2.2 I use here a custom image and a custom version of https://codeberg.org/forgejo/runner/src/branch/main/scripts/run.sh to facilitate the reg/daemon start in one step

NOT TESTED:

runner: in container on host (user aka rootless) | workload: in podman container, container in runners container (podman-in-podman)
3.1. This should work with --privileged and custom image

@anri - its correct that act (runner) should not bind mount the socket additionally into the workload containers. The above mentioned repository respectively the packages already includes a config that disables this behaviour.

About your issue: try following to circumvent a flaw of the official images -w=/var/lib/runner -v forgejo-runner-data:/var/lib/runner

There are many ways to design the usage of the runner: so far I tested following scenarios successfully 1. runner: on host | workload: in podman container, container on host (user aka rootless) 2. runner: in container on host (user aka rootless) | workload: in podman container, container on host (user aka rootless) 2.1. accomplished by passing users socket **only** into runners container 2.2 I use here a custom image and a custom version of https://codeberg.org/forgejo/runner/src/branch/main/scripts/run.sh to facilitate the reg/daemon start in one step NOT TESTED: 3. runner: in container on host (user aka rootless) | workload: in podman container, container in **runners container** (podman-in-podman) 3.1. This should work with `--privileged` and custom image @anri - its correct that act (runner) should not bind mount the socket additionally into the workload containers. The above mentioned repository respectively the packages already includes a config that disables this behaviour. About your issue: try following to circumvent a flaw of the official images `-w=/var/lib/runner -v forgejo-runner-data:/var/lib/runner`

Support for podman #158