48 lines
1.2 KiB
Markdown
48 lines
1.2 KiB
Markdown
|
# Forgejo Actions environment for launching nested OCI containers
|
||
|
|
|
||
|
|
This image contains everything we need for executing tests
|
||
|
|
which spawn nested containers:
|
||
|
|
|
||
|
|
- Go toolchain
|
||
|
|
- Docker wrapper (for abstracting Podman away from users)
|
||
|
|
- Podman configuration files
|
||
|
|
|
||
|
|
## Usage
|
||
|
|
|
||
|
|
Referencing this container from `.forgejo/workflows/workflow.yml`:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
jobs:
|
||
|
|
oci-image:
|
||
|
|
runs-on: oci-runner
|
||
|
|
```
|
||
|
|
|
||
|
|
## Privileges
|
||
|
|
|
||
|
|
Managing network connectivity between nested containers requires extra
|
||
|
|
privileges on the outer container:
|
||
|
|
|
||
|
|
- CAP_NET_ADMIN (fixes `netavark: Netlink error: Operation not permitted`)
|
||
|
|
- CAP_SYS_ADMIN (fixes `slirp4netns failed: "open(/dev/net/tun): No such file or directory`)
|
||
|
|
|
||
|
|
These privileges are not required for running a single container inside
|
||
|
|
rootless Podman.
|
||
|
|
Use `--net=host --uts=host --pid=host --cgroups=enabled` to launch inner containers then.
|
||
|
|
|
||
|
|
Example of privileged outer container:
|
||
|
|
|
||
|
|
```
|
||
|
|
podman run \
|
||
|
|
--cap-add CAP_NET_ADMIN --cap-add CAP_SYS_ADMIN \
|
||
|
|
--rm -it git.frostfs.info/truecloudlab/env:oci-runner \
|
||
|
|
podman run --name hi hello-world
|
||
|
|
```
|
||
|
|
|
||
|
|
Unprivileged outer container:
|
||
|
|
|
||
|
|
```
|
||
|
|
podman run \
|
||
|
|
--rm -it git.frostfs.info/truecloudlab/env:oci-runner \
|
||
|
|
podman run --net=host --uts=host --pid=host --cgroups=enabled hello-world
|
||
|
|
```
|