Run build as non-root user

docs/hosting-runners-rootless.md

@@ -1,17 +1,15 @@
 # Creating a new ForgeJo Runner Host
 
-
+> ⚠️ Notice on IPv6-only hosts:
-### IMPORTANT
+> Ubuntu 24.04 installs an _outdated version of podman that is not properly capable of basic IPv6 in rootless mode_.  
-### !! THIS SETUP DOES NOT WORK WITH IPv6-only HOSTS!!
+> Somewhere in the networking stack, somebody messes up the routing causing all IPv6 networks to be unreachable from
-
+> inside the container.
-Ubuntu 24.04 hosts running IPv6-only setup currently cannot use podman-rootless containers.
+> Podman maintainers/triagers seem to be keen on saying "this won't be an issue in Podman 5 with pasta anymore",
-Somewhere in the networking stack, somebody messes up the routing causing all IPv6 networks to be unreachable from inside the container.  
+> however, that build is NOT available for Ubuntu 24.04 in its packet sources.
-Podman maintainers/triagers seem to be keen on saying "this won't be an issue in Podman 5 with pasta anymore", however, that build is NOT available for Ubuntu 24.04 in its packet sources.
+>
-Building from source __might__ work, however GitHub seems to be unable to provide their service on IPv6 for some unknown *** reason.
+> Building from source does work, however GitHub seems to be unable to provide their service on IPv6 for some
-
+> unknown *** reason.
-Note for myself:
+> The setup therefore requires IPv4 support (which can be provided by an HTTP(S)_PROXY).
-- Try to build and package podman 5 from another (ipv4-capable) machine and transfer the package over to the hetzner cloud.
-- Try installing podman 5 from a third party API repository, if one exists.
 
 ## Machine Setup
 
@@ -19,27 +17,35 @@ Note for myself:
 
 For example on the Hetzner cloud.
 
+```bash
+# As root, install updates.
+apt-get update && apt-get upgrade -y
+apt install -y systemd-container
+```
+
 ### 2. Install podman (rootless) FROM SOURCE
-(Hint: You can run all of the build stuff without root privileges, however ``apt install`` and ``make install`` will require sudo. 🙂)
+
+(Hint: You can run all of the build stuff without root privileges, however ``apt install`` and ``make install`` will
+require sudo. 🙂)
 
 ```bash
 # As root
-# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its hundreds of tools.
+# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its tools.
 echo "kernel.apparmor_restrict_unprivileged_userns = 0" > "/etc/sysctl.d/99-rootless-podman.conf"
 echo "kernel.unprivileged_userns_clone = 1" >> "/etc/sysctl.d/99-rootless-podman.conf"
+
+# Create a non-root user to run all the build steps
+# This is technically optional, but build scripts should not run with root privileges.
+useradd -m -s /bin/bash podman-build
+adduser podman-build sudo
+passwd podman-build
+machinectl shell podman-build@ # Switches shell to this user (including systemd container)
+# You can use "sudo -k" to remove cached credentials after installing build dependencies
 ```
 
 The podman binaries in the Ubuntu repositories for 24.04 are too outdated (4.X.X) for proper IPv6 support.  
-(According to the Podman devs, all of it is better with Pasta - which is the preferred rootless networking backend for Podman 5+)
+(According to the Podman devs, all of it is better with Pasta - which is the preferred rootless networking backend for
-
+Podman 5+)
-__See [their docs](https://podman.io/docs/installation#building-from-source) on how to do that.__  
-(You can skip the 99-userns.conf command because we already did that above ⬆️)
-
-> ⚠️ Please note the following ⚠️
-> * After cloning the podman repository, checkout the latest release tag (the docs forget to mention that!)
-> * Make sure to install ``libapparmor-dev libsystemd-dev`` before compiling so that the compatibility can be included in the installation.  
->   We recommend running make with ``BUILDTAGS="selinux seccomp apparmor exclude_graphdriver_devicemapper systemd"``  
-> * Run ``make vendor`` before running ``make install`` because for whatever reason it can be left out sometimes??
 
 #### 2.1 Install crun from source
 
@@ -56,10 +62,24 @@ make
 sudo make install # We need to change the prefix to overwrite what Ubuntu ships
 ```
 
+#### 2.2 Build podman from source
+
+__See [their docs](https://podman.io/docs/installation#building-from-source) on how to do that.__  
+(You can skip the 99-userns.conf command because we already did that above ⬆️)
+
+> ⚠️ Please note the following ⚠️
+> * After cloning the podman repository, checkout the latest release tag (the docs forget to mention that!)
+> * Make sure to install ``libapparmor-dev libsystemd-dev`` before compiling so that the compatibility can be included
+    in the installation.  
+    We recommend running make with ``BUILDTAGS="selinux seccomp apparmor exclude_graphdriver_devicemapper systemd"``
+> * Run ``make vendor`` before running ``make install`` because for whatever reason it can be left out sometimes??
+
 #### 2.2 Containers configuration file
 
-While the podman package installs the default configuration file below /usr/share/..., the make install command does not.  
+While the podman package installs the default configuration file below /usr/share/..., the make install command does
-To make configuration easier for you later, please download the default configuration to ``/etc/containers/containers.conf``.
+not.  
+To make configuration easier for you later, please download the default configuration to
+``/etc/containers/containers.conf``.
 
 ```bash
 # As root
@@ -75,6 +95,7 @@ podman info | grep crun
 ### 3. Create a new user for the runner
 
 Since we don't want to the new forgejo runner to be ``root`` on out machine, we create a new user for it:
+
 ```bash
 # As root
 useradd -s /bin/bash --create-home forgejo-runner
@@ -85,14 +106,12 @@ loginctl enable-linger forgejo-runner
 
 ```bash
 # As root
-apt install -y systemd-container
+machinectl shell forgejo-runner@ # <-- This is basically "sudo -Hi XXX" but makes sure the systemd container is switched too.
-machinectl shell --uid forgejo-runner # <-- This is basically "sudo -Hi XXX" but makes sure the systemd container is switched too.
 ```
 
 ```bash
 systemctl --user enable --now podman.socket podman
 echo 'export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock' >> ~/.profile
-source .profile # Refreshes shell vars, because .profile was modified.
 ```
 
 ### 4. Install the forgejo-runner
@@ -113,12 +132,15 @@ gpg --verify forgejo-runner.asc forgejo-runner
 mkdir -p ~/.local/bin
 mv ./forgejo-runner ~/.local/bin/forgejo-runner
 chmod 750 ~/.local/bin/forgejo-runner
+source .profile # Refreshes shell vars, because .profile was modified.
 ```
 
 ### 5. Configure and register the forgejo-runner
 
-__The official runner registration is__ [here](https://forgejo.org/docs/v8.0/admin/runner-installation/#standard-registration)
+__The official runner registration is
-Or, if you're volunteering another runner for our instance, please contact us to receive the necessary registration information. :)
+__ [here](https://forgejo.org/docs/v8.0/admin/runner-installation/#standard-registration)
+Or, if you're volunteering another runner for our instance, please contact us to receive the necessary registration
+information. :)
 
 ```bash
 # As forgejo-runner (recreate shell to update PATH)