From fc90ad57aaadde01e00b2435dc826137655130b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Magnus=20Le=C3=9Fmann=20=28=40MarkL4YG=29?= Date: Thu, 9 Jan 2025 11:13:23 +0100 Subject: [PATCH] Update docs for rootless hosting --- docs/forgejo-runner.service | 2 +- docs/hosting-runners-rootless.md | 68 ++++++++++++++++++++++++++------ 2 files changed, 56 insertions(+), 14 deletions(-) diff --git a/docs/forgejo-runner.service b/docs/forgejo-runner.service index 7a4c3ff..c57f064 100644 --- a/docs/forgejo-runner.service +++ b/docs/forgejo-runner.service @@ -4,7 +4,7 @@ Documentation=https://forgejo.org/docs/latest/admin/actions/ After=podman-socket.service [Service] -ExecStart=/home/forgejo-runner/.local/bin/forgejo-runner daemon +ExecStart=/home/forgejo-runner/.local/bin/forgejo-runner daemon -c /home/forgejo-runner/config.yml ExecReload=/bin/kill -s HUP $MAINPID WorkingDirectory=/home/forgejo-runner EnvironmentFile=/home/forgejo-runner/.runner-env diff --git a/docs/hosting-runners-rootless.md b/docs/hosting-runners-rootless.md index d6d2340..391d5c7 100644 --- a/docs/hosting-runners-rootless.md +++ b/docs/hosting-runners-rootless.md 
@@ -19,7 +19,60 @@ Note for myself: For example on the Hetzner cloud. -### 2. Create a new user for the runner +### 2. Install podman (rootless) FROM SOURCE +(Hint: You can run all of the build stuff without root privileges, however ``apt install`` and ``make install`` will require sudo. 🙂) + +```bash +# As root +# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its hundreds of tools. +echo "kernel.apparmor_restrict_unprivileged_userns = 0" > "/etc/sysctl.d/99-rootless-podman.conf" +echo "kernel.unprivileged_userns_clone = 1" >> "/etc/sysctl.d/99-rootless-podman.conf" +``` + +The podman binaries in the Ubuntu repositories for 24.04 are too outdated (4.X.X) for proper IPv6 support. +(According to the Podman devs, all of it is better with Pasta - which is the preferred rootless networking backend for Podman 5+) + +__See [their docs](https://podman.io/docs/installation#building-from-source) on how to do that.__ +(You can skip the 99-userns.conf command because we already did that above ⬆️) + +> ⚠️ Please note the following ⚠️ +> * After cloning the podman repository, checkout the latest release tag (the docs forget to mention that!) +> * Make sure to install ``libapparmor-dev libsystemd-dev`` before compiling so that the compatibility can be included in the installation. +> We recommend running make with ``BUILDTAGS="selinux seccomp apparmor exclude_graphdriver_devicemapper systemd"`` +> * Run ``make vendor`` before running ``make install`` because for whatever reason it can be left out sometimes?? + +#### 2.1 Install crun from source + +The crun version shipped by Ubuntu 24.04 is too old for Podman 5+. So we need to build it from source too... 
+ +```bash +git clone https://github.com/containers/crun +cd crun +git checkout "" +# +./autogen.sh +./configure +make +sudo make install # We need to change the prefix to overwrite what Ubuntu ships +``` + +#### 2.2 Containers configuration file + +While the podman package installs the default configuration file below /usr/share/..., the make install command does not. +To make configuration easier for you later, please download the default configuration to ``/etc/containers/containers.conf``. + +```bash +# As root +wget -O /etc/containers/containers.conf https://raw.githubusercontent.com/containers/common/refs/heads/main/pkg/config/containers.conf +sed -i 's/.*#runtime =.*/runtime = "\/usr\/local\/bin\/crun"/' /etc/containers/containers.conf # This updates the crun version used by podman - it really tries to use the outdated one otherwise. + +# Note - This should yield "pasta", even on Ubuntu 24.04, if things worked so far. +podman info | grep rootlessNetworkCmd +# Note - This should show a crun version ABOVE 1.17 +podman info | grep crun +``` + +### 3. Create a new user for the runner Since we don't want to the new forgejo runner to be ``root`` on out machine, we create a new user for it: ```bash @@ -28,16 +81,6 @@ useradd -s /bin/bash --create-home forgejo-runner loginctl enable-linger forgejo-runner ``` -### 3. Install podman (rootless) - -```bash -# As root -apt install -y podman podman-docker - -# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its hundreds of tools. -echo "kernel.apparmor_restrict_unprivileged_userns = 0" > "/etc/sysctl.d/99-rootless-podman.conf" -``` - #### Enable Podman docker-socket on user ```bash 
@@ -49,6 +92,7 @@ machinectl shell --uid forgejo-runner # <-- This is basically "sudo -Hi XXX" but ```bash systemctl --user enable --now podman.socket podman echo 'export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock' >> ~/.profile +source .profile # Refreshes shell vars, because .profile was modified. ``` ### 4. Install the forgejo-runner @@ -76,8 +120,6 @@ chmod 750 ~/.local/bin/forgejo-runner __The official runner registration is__ [here](https://forgejo.org/docs/v8.0/admin/runner-installation/#standard-registration) Or, if you're volunteering another runner for our instance, please contact us to receive the necessary registration information. :) -czzHPHIWdsjroPohucX6WeLRo5V6Y9Y1L7CHlna6 - ```bash # As forgejo-runner (recreate shell to update PATH) forgejo-runner generate-config > config.yml
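Review bot: In the `docs/forgejo-runner.service` hunk, the new `-c /home/forgejo-runner/config.yml` hardcodes an absolute config path while the documentation later writes the file with a relative redirect (`forgejo-runner generate-config > config.yml`, run "as forgejo-runner"). The two only line up if that command is executed from the user's home directory, which the doc does not state; either say explicitly that `config.yml` must live at `/home/forgejo-runner/config.yml`, or write it with an absolute path (`forgejo-runner generate-config > /home/forgejo-runner/config.yml`) so the unit file and the doc cannot drift apart.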
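Review bot: In the `@@ -19,7 +19,60 @@` hunk the crun build block contains `git checkout ""` followed by an empty `#` comment, which will fail as written (an empty ref is not valid) and leaves the reader without the release to build; fill in the tag to use, or show how to pick it, e.g. `git checkout "$(git tag --sort=-v:refname | head -n1)"`, consistent with the "checkout the latest release tag" advice given for podman a few lines above. Two smaller points in the same hunk: the sysctl block writes `/etc/sysctl.d/99-rootless-podman.conf` but never applies it, so `sysctl --system` should follow the `echo` lines or the change only takes effect after a reboot (and since `kernel.apparmor_restrict_unprivileged_userns = 0` relaxes a kernel hardening, one sentence on that trade-off would help readers decide whether an AppArmor profile is the better option for them); and the comment on `sudo make install # We need to change the prefix to overwrite what Ubuntu ships` contradicts the `./configure` call, which passes no `--prefix`, so crun lands in `/usr/local/bin`, which is exactly what the later `sed` writes into `containers.conf`. Either drop the "change the prefix" remark or state that the default prefix is intended because the runtime path is set explicitly. Finally, `wget ... containers.conf` from `refs/heads/main` fetches an unpinned file that may not match the podman release being built; pinning it to the tag matching that release would make the instructions reproducible.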
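Review bot: The `@@ -28,16 +81,6 @@` hunk removes `apt install -y podman podman-docker`, and the source build that replaces it does not provide the `podman-docker` compatibility package (the `docker` CLI shim). The later steps still export `DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock`, so the doc should say whether anything on the host still expects a `docker` binary, or note explicitly that only the socket is needed and the shim was dropped on purpose.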
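Review bot: In the `@@ -49,6 +92,7 @@` hunk, `source .profile` uses a relative path while the preceding line appends to `~/.profile`; if the reader is not in the home directory the command fails silently with a "no such file" error and `DOCKER_HOST` stays unset for the remaining steps. Use `source ~/.profile` (or `. ~/.profile`) to match the line above.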
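Review bot: The `@@ -76,8 +120,6 @@` hunk deletes the bare line `czzHPHIWdsjroPohucX6WeLRo5V6Y9Y1L7CHlna6`, which has the shape of a registration token or similar credential that was committed to the docs. Removing it from the file does not remove it from the repository history, so it should be treated as exposed: revoke or rotate it on the Forgejo instance and, if the project cares about the history, rewrite it. A commit-time secret scanner would have caught this before it reached the repository; the commit message could also mention the removal so reviewers know the rotation was done.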