Support for podman #158

Open
opened 2024-03-16 12:04:30 +00:00 by james2432 · 11 comments

I see in the code it seems to be heavily focused on Docker itself(hardcoded names vs abstraction), which would mean a massive undertaking to dynamically support other container systems

earl-warren added the Kind/Feature label 2024-03-17 06:53:18 +00:00
Owner

There are instructions on how to use podman instead of docker https://forgejo.org/docs/v1.21/admin/actions/#execution-of-the-workflows

It could be improved runner side to not rely on command aliases and probably take advantage of more podman specific features.

Author

> There are instructions on how to use podman instead of docker https://forgejo.org/docs/v1.21/admin/actions/#execution-of-the-workflows
>
> It could be improved runner side to not rely on command aliases and probably take advantage of more podman specific features.

yeah that's running podman as a service similar to docker.

but the advantage of podman is it uses fork-exec and doesn't need to have a service running all the time. That and doesn't need to run as root all the time (unprivileged userspace)
Member

The daemonless part I get, but I don't think socket runs as root if started as user.

Admittedly it would be a nice feature to have a podman backend. I might look at it after I'll end up with anything remotely usable with incus - so not anytime soon.

I would suggest moving this to https://code.forgejo.org/forgejo/act, as it would need to support podman before runner can.


@thefox : as i primarily use podman I'm willing to help out (testing ...)


For those who want to try the runner on some major podman platforms.

Here a repository with installation instructions that can be enabled on Fedora/CentOS/RHEL (x86_64, aarch64):

https://copr.fedorainfracloud.org/coprs/ne0l/forgejo/

Owner

@el0n looking good and simple. It would be a nice addition to https://forgejo.org/docs/v1.21/admin/actions/#packaging if you have the time to submit a PR at https://codeberg.org/forgejo/docs/src/branch/next/docs/admin/actions.md 🙏


Hi, chiming in because I was inspired by @el0n's COPR and found out that using the OCI image for the runner _appears_ to work.
I did the following inside a new user as a test:

1. Enable the podman socket, for example with systemd: `systemctl --user enable --now podman.socket`
2. Run the OCI image with rootless podman: `podman run -it --security-opt=label=disable -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock --user $(id -u) -e DOCKER_HOST=unix:///var/run/docker.sock -v forgejo-runner-data:/data code.forgejo.org/forgejo/runner:3.3.0 forgejo-runner daemon`

(Obviously before running the daemon itself one should call `register` and do the setup.)

I'll test it thoroughly in the following days, but at least the registration works.

Small update: running the OCI image from rootless podman does not seem possible due to a permission issue (?).
While registration works, running any action fails with the following:

```
failed to create container: 'Error response from daemon: make cli opts(): making volume mountpoint for volume /var/run/docker.sock: mkdir /var/run/docker.sock: permission denied'
```

The command used:

```
$ podman run -it \
    --security-opt label=disable \
    -v /run/user/1000/podman/podman.sock:/var/run/docker.sock:rw \
    --user 0:0 \
    -e DOCKER_HOST=unix:///var/run/docker.sock \
    -v forgejo-runner-data:/data \
    code.forgejo.org/forgejo/runner:3.4.1 \
    forgejo-runner daemon
```

EDIT: it appears that this was referenced in #139 and the fix is to put `docker_host: '-'` inside the configuration file. Also see [jorn's page](https://jornfranke.codeberg.page/technology-tutorials/forgejo-runner-opensuse-microos-hetzner/) for using the OCI image via Podman Quadlet.
Owner

https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose shows how it can work. But my preference would be for the runner binary because it is so much simpler.


There are many ways to design the usage of the runner: so far I tested the following scenarios successfully

1. runner: on host | workload: in podman container, container on host (user aka rootless)
2. runner: in container on host (user aka rootless) | workload: in podman container, container on host (user aka rootless)
    2.1. accomplished by passing the user's socket **only** into the runner's container
    2.2. I use here a custom image and a custom version of https://codeberg.org/forgejo/runner/src/branch/main/scripts/run.sh to facilitate the reg/daemon start in one step

NOT TESTED:

3. runner: in container on host (user aka rootless) | workload: in podman container, container in **runner's container** (podman-in-podman)
    3.1. This should work with `--privileged` and a custom image

@anri - it's correct that act (runner) should not bind mount the socket additionally into the workload containers. The above mentioned repository, respectively the packages, already include a config that disables this behaviour.

About your issue: try the following to circumvent a flaw of the official images: `-w=/var/lib/runner -v forgejo-runner-data:/var/lib/runner`
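As an added illustration (not configuration posted in this thread), the `container.docker_host` setting in the runner's `config.yml` that the `docker_host: '-'` fix above refers to; the key names are assumed from the runner's generated default configuration, and the comments describe the effect of each value:

```yaml
# Added example, not from the thread: excerpt of forgejo-runner config.yml.
container:
  # "-": the runner still auto-detects a container engine socket for its own
  # use (DOCKER_HOST or the default podman/docker socket), but does NOT
  # bind-mount that socket into job or service containers. With the default
  # "" the socket is mounted into every job, so any workflow step can drive
  # the host's podman/docker engine directly (start containers, mount host
  # paths), which is exactly what the rootless setup above wants to avoid.
  docker_host: "-"
  # Host paths that workflows may request as volumes; an empty list allows none.
  valid_volumes: []
```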

JFI: The above repo ( https://code.forgejo.org/forgejo/runner/issues/158#issuecomment-7110 ) provides a new build that incorporates a patch of the main branch. The runner respects the labels coming from the config file now (takes labels found in config.yml into account (5e51d8ed42))
Reference: forgejo/runner#158