Support for podman #158
5 participants
Reference: forgejo/runner#158
No description provided.
I see in the code it seems to be heavily focused on Docker itself (hardcoded names vs abstraction), which would mean a massive undertaking to dynamically support other container systems.
There are instructions on how to use podman instead of docker https://forgejo.org/docs/v1.21/admin/actions/#execution-of-the-workflows
It could be improved runner side to not rely on command aliases and probably take advantage of more podman specific features.
yeah that's running podman as a service similar to docker.
but the advantage of podman is it uses fork-exec and doesn't need to have a service running all the time. That and it doesn't need to run as root all the time (unprivileged userspace).
The daemonless part I get, but I don't think socket runs as root if started as user.
Admittedly it would be a nice feature to have a podman backend. I might look at it after I'll end up with anything remotely usable with incus - so not anytime soon.
I would suggest moving this to https://code.forgejo.org/forgejo/act, as it would need to support podman before runner can.
@thefox: as I primarily use podman I'm willing to help out (testing ...)
For those who want to try the runner on some major podman platforms.
Here is a repository with installation instructions that can be enabled on Fedora/CentOS/RHEL (x86_64, aarch64):
https://copr.fedorainfracloud.org/coprs/ne0l/forgejo/
@el0n looking good and simple. It would be a nice addition to https://forgejo.org/docs/v1.21/admin/actions/#packaging if you have the time to submit a PR at https://codeberg.org/forgejo/docs/src/branch/next/docs/admin/actions.md 🙏
Hi, chiming in because I was inspired by @el0n's COPR and found out that using the OCI image for the runner appears to work.
I did the following inside a new user as a test:
systemctl --user enable --now podman.socket
podman run -it --security-opt=label=disable -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock --user $(id -u) -e DOCKER_HOST=unix:///var/run/docker.sock -v forgejo-runner-data:/data code.forgejo.org/forgejo/runner:3.3.0 forgejo-runner daemon
(Obviously before running the daemon itself one should call register and do the setup.) I'll test it thoroughly in the following days, but at least the registration works.
Small update: running the OCI image from rootless podman does not seem possible due to a permission issue (?).
While registration works, running any action fails with the following:
The command used:
EDIT: it appears that this was referenced in #139 and the fix is to put
docker_host: '-'
inside the configuration file. Also see jorn's page for using the OCI image via Podman Quadlet.
https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose shows how it can work. But my preference would be for the runner binary because it is so much simpler.
There are many ways to design the usage of the runner: so far I tested the following scenarios successfully
2.1. accomplished by passing the user's socket only into the runner's container
2.2. I use here a custom image and a custom version of https://codeberg.org/forgejo/runner/src/branch/main/scripts/run.sh to facilitate the reg/daemon start in one step
NOT TESTED:
3.1. This should work with
--privileged
and custom image
@anri - it's correct that act (runner) should not bind mount the socket additionally into the workload containers. The above mentioned repository, respectively the packages, already includes a config that disables this behaviour.
About your issue: try the following to circumvent a flaw of the official images
-w=/var/lib/runner -v forgejo-runner-data:/var/lib/runner
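As an added example (not part of this thread and not the Forgejo project's own code), the following POSIX shell script ties together the two points made above: the rootless podman socket is passed only into the runner container, and a config with docker_host set to "-" keeps the runner from bind-mounting that socket into the job containers it starts. The config path, the volume name and the use of a --config flag on the daemon command are assumptions; the image tag, the socket path and the /var/lib/runner mount are the values quoted in the thread. The script only generates and checks the files and the command line; it does not start podman.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Forgejo project.
# Assumptions: config file location, volume name, and a --config flag on
# "forgejo-runner daemon". Image tag and mounts follow the thread above.

RUNNER_IMAGE="code.forgejo.org/forgejo/runner:3.3.0"   # tag quoted in the thread
DATA_VOLUME="forgejo-runner-data"                       # volume name used in the thread
RUNNER_HOME="/var/lib/runner"                           # workdir suggested in the thread

# Write a minimal runner config. docker_host "-" means: the runner itself uses
# the socket from DOCKER_HOST, but never mounts that socket into job or
# service containers (the fix referenced in #139).
write_runner_config() {
    cat > "$1" <<'EOF'
container:
  # "-": talk to the socket given by DOCKER_HOST, but do not expose it to jobs.
  docker_host: "-"
EOF
}

# Return 0 when the config refuses to expose the socket to job containers,
# accepting '-', "-" or a bare - as the value.
config_hides_socket() {
    grep -Eq "^[[:space:]]*docker_host:[[:space:]]*['\"]?-['\"]?[[:space:]]*$" "$1"
}

# Build (but do not run) the podman command line so it can be reviewed.
# Only the runner container receives the user's socket; the data volume is
# mounted at the working directory, working around the image flaw mentioned above.
build_podman_cmd() {
    uid="$1"
    cfg="$2"
    sock="/run/user/$uid/podman/podman.sock"
    cmd="podman run -it --security-opt=label=disable"
    cmd="$cmd -v $sock:/var/run/docker.sock"
    cmd="$cmd --user $uid -e DOCKER_HOST=unix:///var/run/docker.sock"
    cmd="$cmd -w=$RUNNER_HOME -v $DATA_VOLUME:$RUNNER_HOME"
    cmd="$cmd -v $cfg:$RUNNER_HOME/config.yml:ro"
    cmd="$cmd $RUNNER_IMAGE forgejo-runner daemon --config $RUNNER_HOME/config.yml"
    printf '%s' "$cmd"
}

# Stand-alone use: write the config next to this script, check it, print the command.
if [ "${0##*/}" != "sh" ] && [ -z "${RUNNER_EXAMPLE_NO_MAIN:-}" ]; then
    cfg="${RUNNER_CONFIG:-./runner-config.yml}"
    write_runner_config "$cfg"
    config_hides_socket "$cfg" || { echo "config would expose the socket to jobs" >&2; exit 1; }
    build_podman_cmd "$(id -u)" "$cfg"
    echo
fi
```

Run it once to produce the config and the review-ready command; the socket enabling step from the thread (systemctl --user enable --now podman.socket) still has to be done beforehand, and register has to be run before daemon.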