diff --git a/docs/forgejo-runner.service b/docs/forgejo-runner.service index c57f064..7a4c3ff 100644 --- a/docs/forgejo-runner.service +++ b/docs/forgejo-runner.service @@ -4,7 +4,7 @@ Documentation=https://forgejo.org/docs/latest/admin/actions/ After=podman-socket.service [Service] -ExecStart=/home/forgejo-runner/.local/bin/forgejo-runner daemon -c /home/forgejo-runner/config.yml +ExecStart=/home/forgejo-runner/.local/bin/forgejo-runner daemon ExecReload=/bin/kill -s HUP $MAINPID WorkingDirectory=/home/forgejo-runner EnvironmentFile=/home/forgejo-runner/.runner-env diff --git a/docs/hosting-runners-rootless.md b/docs/hosting-runners-rootless.md index 43217cd..d6d2340 100644 --- a/docs/hosting-runners-rootless.md +++ b/docs/hosting-runners-rootless.md @@ -1,15 +1,17 @@ # Creating a new ForgeJo Runner Host -> ⚠️ Notice on IPv6-only hosts: -> Ubuntu 24.04 installs an _outdated version of podman that is not properly capable of basic IPv6 in rootless mode_. -> Somewhere in the networking stack, somebody messes up the routing causing all IPv6 networks to be unreachable from -> inside the container. -> Podman maintainers/triagers seem to be keen on saying "this won't be an issue in Podman 5 with pasta anymore", -> however, that build is NOT available for Ubuntu 24.04 in its packet sources. -> -> Building from source does work, however GitHub seems to be unable to provide their service on IPv6 for some -> unknown *** reason. -> The setup therefore requires IPv4 support (which can be provided by an HTTP(S)_PROXY). + +### IMPORTANT +### !! THIS SETUP DOES NOT WORK WITH IPv6-only HOSTS!! + +Ubuntu 24.04 hosts running IPv6-only setup currently cannot use podman-rootless containers. +Somewhere in the networking stack, somebody messes up the routing causing all IPv6 networks to be unreachable from inside the container. +Podman maintainers/triagers seem to be keen on saying "this won't be an issue in Podman 5 with pasta anymore", however, that build is NOT available for Ubuntu 24.04 in its packet sources. +Building from source __might__ work, however GitHub seems to be unable to provide their service on IPv6 for some unknown *** reason. + +Note for myself: +- Try to build and package podman 5 from another (ipv4-capable) machine and transfer the package over to the hetzner cloud. +- Try installing podman 5 from a third party API repository, if one exists. ## Machine Setup @@ -17,96 +19,31 @@ For example on the Hetzner cloud. -```bash -# As root, install updates. -apt-get update && apt-get upgrade -y -apt install -y systemd-container -``` - -### 2. Install podman (rootless) FROM SOURCE - -(Hint: You can run all of the build stuff without root privileges, however ``apt install`` and ``make install`` will -require sudo. 🙂) - -```bash -# As root -# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its tools. -echo "kernel.apparmor_restrict_unprivileged_userns = 0" > "/etc/sysctl.d/99-rootless-podman.conf" -echo "kernel.unprivileged_userns_clone = 1" >> "/etc/sysctl.d/99-rootless-podman.conf" - -# Create a non-root user to run all the build steps -# This is technically optional, but build scripts should not run with root privileges. -useradd -m -s /bin/bash podman-build -adduser podman-build sudo -passwd podman-build -machinectl shell podman-build@ # Switches shell to this user (including systemd container) -# You can use "sudo -k" to remove cached credentials after installing build dependencies -``` - -The podman binaries in the Ubuntu repositories for 24.04 are too outdated (4.X.X) for proper IPv6 support. -(According to the Podman devs, all of it is better with Pasta - which is the preferred rootless networking backend for -Podman 5+) - -#### 2.1 Install crun from source - -The crun version shipped by Ubuntu 24.04 is too old for Podman 5+. So we need to build it from source too... - -```bash -git clone https://github.com/containers/crun -cd crun -git checkout "" -# -./autogen.sh -./configure -make -sudo make install # We need to change the prefix to overwrite what Ubuntu ships -``` - -#### 2.2 Build podman from source - -__See [their docs](https://podman.io/docs/installation#building-from-source) on how to do that.__ -(You can skip the 99-userns.conf command because we already did that above ⬆️) - -> ⚠️ Please note the following ⚠️ -> * After cloning the podman repository, checkout the latest release tag (the docs forget to mention that!) -> * Make sure to install ``libapparmor-dev libsystemd-dev`` before compiling so that the compatibility can be included - in the installation. - We recommend running make with ``BUILDTAGS="selinux seccomp apparmor exclude_graphdriver_devicemapper systemd"`` -> * Run ``make vendor`` before running ``make install`` because for whatever reason it can be left out sometimes?? - -#### 2.2 Containers configuration file - -While the podman package installs the default configuration file below /usr/share/..., the make install command does -not. -To make configuration easier for you later, please download the default configuration to -``/etc/containers/containers.conf``. - -```bash -# As root -wget -O /etc/containers/containers.conf https://raw.githubusercontent.com/containers/common/refs/heads/main/pkg/config/containers.conf -sed -i 's/.*#runtime =.*/runtime = "\/usr\/local\/bin\/crun"/' /etc/containers/containers.conf # This updates the crun version used by podman - it really tries to use the outdated one otherwise. - -# Note - This should yield "pasta", even on Ubuntu 24.04, if things worked so far. -podman info | grep rootlessNetworkCmd -# Note - This should show a crun version ABOVE 1.17 -podman info | grep crun -``` - -### 3. Create a new user for the runner +### 2. Create a new user for the runner Since we don't want to the new forgejo runner to be ``root`` on out machine, we create a new user for it: - ```bash # As root useradd -s /bin/bash --create-home forgejo-runner loginctl enable-linger forgejo-runner ``` +### 3. Install podman (rootless) + +```bash +# As root +apt install -y podman podman-docker + +# Ubuntu (>=23) thinks it is a good idea to disallow user namespaces for non-privileged users forcing us all to either use root or create apparmor profiles tailored for podman and its hundreds of tools. +echo "kernel.apparmor_restrict_unprivileged_userns = 0" > "/etc/sysctl.d/99-rootless-podman.conf" +``` + #### Enable Podman docker-socket on user ```bash # As root -machinectl shell forgejo-runner@ # <-- This is basically "sudo -Hi XXX" but makes sure the systemd container is switched too. +apt install -y systemd-container +machinectl shell --uid forgejo-runner # <-- This is basically "sudo -Hi XXX" but makes sure the systemd container is switched too. ``` ```bash @@ -132,15 +69,14 @@ gpg --verify forgejo-runner.asc forgejo-runner mkdir -p ~/.local/bin mv ./forgejo-runner ~/.local/bin/forgejo-runner chmod 750 ~/.local/bin/forgejo-runner -source .profile # Refreshes shell vars, because .profile was modified. ``` ### 5. Configure and register the forgejo-runner -__The official runner registration is -__ [here](https://forgejo.org/docs/v8.0/admin/runner-installation/#standard-registration) -Or, if you're volunteering another runner for our instance, please contact us to receive the necessary registration -information. :) +__The official runner registration is__ [here](https://forgejo.org/docs/v8.0/admin/runner-installation/#standard-registration) +Or, if you're volunteering another runner for our instance, please contact us to receive the necessary registration information. :) + +czzHPHIWdsjroPohucX6WeLRo5V6Y9Y1L7CHlna6 ```bash # As forgejo-runner (recreate shell to update PATH)