Run build as non-root user

(cherry picked from commit 6faef187fa)
Magnus Leßmann (@MarkL4YG) 2025-01-09 12:12:45 +01:00
parent 08b9ee1f7d
commit c42b432311
Signed by: Mark.TwoFive
GPG key ID: 5B5EBCBE331F1E6F


@ -1,17 +1,15 @@
# Creating a new ForgeJo Runner Host
### IMPORTANT
### !! THIS SETUP DOES NOT WORK WITH IPv6-only HOSTS!!
Ubuntu 24.04 hosts running IPv6-only setup currently cannot use podman-rootless containers.
Somewhere in the networking stack, somebody messes up the routing causing all IPv6 networks to be unreachable from inside the container.
Podman maintainers/triagers seem to be keen on saying "this won't be an issue in Podman 5 with pasta anymore", however, that build is NOT available for Ubuntu 24.04 in its packet sources.
Building from source __might__ work, however GitHub seems to be unable to provide their service on IPv6 for some unknown *** reason.
Note for myself:
- Try to build and package podman 5 from another (ipv4-capable) machine and transfer the package over to the hetzner cloud.
- Try installing podman 5 from a third party API repository, if one exists.
> ⚠️ Notice on IPv6-only hosts:
> Ubuntu 24.04 installs an _outdated version of podman that is not properly capable of basic IPv6 in rootless mode_.
> Somewhere in the networking stack, somebody messes up the routing causing all IPv6 networks to be unreachable from
> inside the container.
> Podman maintainers/triagers seem to be keen on saying "this won't be an issue in Podman 5 with pasta anymore",
> however, that build is NOT available for Ubuntu 24.04 in its packet sources.
>
> Building from source does work, however GitHub seems to be unable to provide their service on IPv6 for some
> unknown *** reason.
> The setup therefore requires IPv4 support (which can be provided by an HTTP(S)_PROXY).
## Machine Setup
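Review bot: the added closing sentence "The setup therefore requires IPv4 support (which can be provided by an HTTP(S)_PROXY)" should name the real variables, `HTTP_PROXY`/`HTTPS_PROXY` (plus `NO_PROXY` for local addresses), and say where they have to be set: the build steps run as `podman-build` and the runner as `forgejo-runner` (both created further down the page), so a proxy exported only in root's shell never reaches the `git clone`, `make vendor` or the runner's image pulls. The rewrite also upgrades "Building from source __might__ work" to "does work"; since the blockquote keeps the GitHub-over-IPv6 caveat, that only holds with the proxy in place, which the sentence should state explicitly. The `***` in "for some unknown *** reason" reads as a censored expletive and is better dropped.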
@ -19,27 +17,35 @@ Note for myself:
For example on the Hetzner cloud.
```bash
# As root, install updates.
apt-get update && apt-get upgrade -y
apt install -y systemd-container
```
### 2. Install podman (rootless) FROM SOURCE
(Hint: You can run all of the build stuff without root privileges, however ``apt install`` and ``make install`` will require sudo. 🙂)
(Hint: You can run all of the build stuff without root privileges, however ``apt install`` and ``make install`` will
require sudo. 🙂)
```bash
# As root
# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its hundreds of tools.
# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its tools.
echo "kernel.apparmor_restrict_unprivileged_userns = 0" > "/etc/sysctl.d/99-rootless-podman.conf"
echo "kernel.unprivileged_userns_clone = 1" >> "/etc/sysctl.d/99-rootless-podman.conf"
# Create a non-root user to run all the build steps
# This is technically optional, but build scripts should not run with root privileges.
useradd -m -s /bin/bash podman-build
adduser podman-build sudo
passwd podman-build
machinectl shell podman-build@ # Switches shell to this user (including systemd container)
# You can use "sudo -k" to remove cached credentials after installing build dependencies
```
The podman binaries in the Ubuntu repositories for 24.04 are too outdated (4.X.X) for proper IPv6 support.
(According to the Podman devs, all of it is better with Pasta - which is the preferred rootless networking backend for Podman 5+)
__See [their docs](https://podman.io/docs/installation#building-from-source) on how to do that.__
(You can skip the 99-userns.conf command because we already did that above ⬆️)
> ⚠️ Please note the following ⚠️
> * After cloning the podman repository, checkout the latest release tag (the docs forget to mention that!)
> * Make sure to install ``libapparmor-dev libsystemd-dev`` before compiling so that the compatibility can be included in the installation.
> We recommend running make with ``BUILDTAGS="selinux seccomp apparmor exclude_graphdriver_devicemapper systemd"``
> * Run ``make vendor`` before running ``make install`` because for whatever reason it can be left out sometimes??
(According to the Podman devs, all of it is better with Pasta - which is the preferred rootless networking backend for
Podman 5+)
#### 2.1 Install crun from source
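Review bot: `adduser podman-build sudo` gives the new build account unrestricted sudo, which undoes most of what "build scripts should not run with root privileges" is meant to buy: the build fetches code and dependencies from the network (`git clone`, `make vendor`), and anything it runs can escalate with a single `sudo` once the password has been entered; `sudo -k` only clears the cached timestamp, not the group membership. Suggest either keeping the `apt install` / `make install` steps in root's own shell and running only the `make` steps as `podman-build`, or at least `deluser podman-build sudo` and `passwd -l podman-build` once `sudo make install` is done. Two smaller points in the same block: the two `echo` lines write `/etc/sysctl.d/99-rootless-podman.conf` but nothing applies it (add `sysctl --system` or say a reboot is expected), and `kernel.apparmor_restrict_unprivileged_userns = 0` relaxes the restriction for every unprivileged user on the host, not just for podman, which is worth stating next to the comment that complains about the default.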
@ -56,10 +62,24 @@ make
sudo make install # We need to change the prefix to overwrite what Ubuntu ships
```
#### 2.2 Build podman from source
__See [their docs](https://podman.io/docs/installation#building-from-source) on how to do that.__
(You can skip the 99-userns.conf command because we already did that above ⬆️)
> ⚠️ Please note the following ⚠️
> * After cloning the podman repository, checkout the latest release tag (the docs forget to mention that!)
> * Make sure to install ``libapparmor-dev libsystemd-dev`` before compiling so that the compatibility can be included
in the installation.
We recommend running make with ``BUILDTAGS="selinux seccomp apparmor exclude_graphdriver_devicemapper systemd"``
> * Run ``make vendor`` before running ``make install`` because for whatever reason it can be left out sometimes??
#### 2.2 Containers configuration file
While the podman package installs the default configuration file below /usr/share/..., the make install command does not.
To make configuration easier for you later, please download the default configuration to ``/etc/containers/containers.conf``.
While the podman package installs the default configuration file below /usr/share/..., the make install command does
not.
To make configuration easier for you later, please download the default configuration to
``/etc/containers/containers.conf``.
```bash
# As root
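Review bot: the headings "#### 2.2 Build podman from source" and "#### 2.2 Containers configuration file" share a number; the second should become 2.3, since it follows 2.1 (crun) and the podman build. In the blockquote above it, the wrapped continuation "in the installation." and the line "We recommend running make with ``BUILDTAGS=...``" lost their leading `> `, so they render outside the quote as a separate paragraph; add the prefix to both lines.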
@ -75,6 +95,7 @@ podman info | grep crun
### 3. Create a new user for the runner
Since we don't want to the new forgejo runner to be ``root`` on out machine, we create a new user for it:
```bash
# As root
useradd -s /bin/bash --create-home forgejo-runner
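Review bot: typo in the sentence under "### 3. Create a new user for the runner": "we don't want to the new forgejo runner to be ``root`` on out machine" should read "we don't want the new forgejo runner to be ``root`` on our machine". This hunk only adds a blank line, so it is a good place to fix the wording while the paragraph is being touched.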
@ -85,14 +106,12 @@ loginctl enable-linger forgejo-runner
```bash
# As root
apt install -y systemd-container
machinectl shell --uid forgejo-runner # <-- This is basically "sudo -Hi XXX" but makes sure the systemd container is switched too.
machinectl shell forgejo-runner@ # <-- This is basically "sudo -Hi XXX" but makes sure the systemd container is switched too.
```
```bash
systemctl --user enable --now podman.socket podman
echo 'export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock' >> ~/.profile
source .profile # Refreshes shell vars, because .profile was modified.
```
### 4. Install the forgejo-runner
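Review bot: the comment on `machinectl shell forgejo-runner@` still carries the placeholder `XXX`; spell the equivalent out as `sudo -Hi -u forgejo-runner` so the comparison is concrete. `machinectl shell` depends on the `systemd-container` package, whose `apt install -y systemd-container` line is removed from this block; it now lives in step 1 at the top of the page, so the order still works, but a one-line reminder here would save anyone who starts at step 3. Dropping `source .profile` after the `DOCKER_HOST` export is fine because nothing in this step uses the variable yet; the single quotes around the `echo` argument are correct, since `$XDG_RUNTIME_DIR` must be stored unexpanded and resolved at login.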
@ -113,12 +132,15 @@ gpg --verify forgejo-runner.asc forgejo-runner
mkdir -p ~/.local/bin
mv ./forgejo-runner ~/.local/bin/forgejo-runner
chmod 750 ~/.local/bin/forgejo-runner
source .profile # Refreshes shell vars, because .profile was modified.
```
### 5. Configure and register the forgejo-runner
__The official runner registration is__ [here](https://forgejo.org/docs/v8.0/admin/runner-installation/#standard-registration)
Or, if you're volunteering another runner for our instance, please contact us to receive the necessary registration information. :)
__The official runner registration is
__ [here](https://forgejo.org/docs/v8.0/admin/runner-installation/#standard-registration)
Or, if you're volunteering another runner for our instance, please contact us to receive the necessary registration
information. :)
```bash
# As forgejo-runner (recreate shell to update PATH)
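Review bot: the re-wrapped sentence "__The official runner registration is" / "__ [here](...)" breaks the bold markup: a closing `__` at the start of a line followed by a space is not a valid closing delimiter, so both underscore pairs render literally. Keep the bold span on one line (the link text is short enough) or close it at the end of the first line. Minor: the added `source .profile` relies on the shell's working directory being the home directory; `source ~/.profile` works from anywhere.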