From e7b0d88917f51ec472983d5cfb8170af3ed5b8a5 Mon Sep 17 00:00:00 2001
From: Vitaliy Potyarkin
Date: Thu, 26 Dec 2024 14:59:22 +0300
Subject: [PATCH] [#6] oci-runner: Environment for launching nested containers

https://git.frostfs.info/TrueCloudLab/frostfs-infra/issues/177

Signed-off-by: Vitaliy Potyarkin
---
 oci-runner/Dockerfile | 19 +++++++++++++++
 oci-runner/README.md | 47 ++++++++++++++++++++++++++++++++++++++
 oci-runner/containers.conf | 21 +++++++++++++++++
 oci-runner/registries.conf | 11 +++++++++
 oci-runner/storage.conf | 5 ++++
 5 files changed, 103 insertions(+)
 create mode 100644 oci-runner/Dockerfile
 create mode 100644 oci-runner/README.md
 create mode 100644 oci-runner/containers.conf
 create mode 100644 oci-runner/registries.conf
 create mode 100644 oci-runner/storage.conf

diff --git a/oci-runner/Dockerfile b/oci-runner/Dockerfile
new file mode 100644
index 000000000..874896688
--- /dev/null
+++ b/oci-runner/Dockerfile
@@ -0,0 +1,19 @@
+FROM docker.io/node:20-bookworm-slim as node
+FROM docker.io/golang:1.23-bookworm
+COPY --from=node /usr/local /usr/local
+COPY --from=node /opt /opt
+
+RUN apt-get update && \
+    apt-get install -y podman && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    ln -s /usr/bin/podman /usr/local/bin/docker && \
+    echo root:10000:1000 > /etc/subuid && \
+    echo root:10000:1000 > /etc/subgid && \
+    echo -e '#!/bin/bash\npodman system service -t 0 unix:///var/run/docker.sock &\ndisown' > /usr/local/bin/podman-service.sh && \
+    chmod +x /usr/local/bin/podman-service.sh
+
+# Configuration for podman inside rootless podman
+COPY containers.conf /etc/containers/containers.conf
+COPY registries.conf /etc/containers/registries.conf
+COPY storage.conf /etc/containers/storage.conf
diff --git a/oci-runner/README.md b/oci-runner/README.md
new file mode 100644
index 000000000..0d6b087e9
--- /dev/null
+++ b/oci-runner/README.md
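Review bot: The `echo -e '#!/bin/bash\n…'` step in the RUN chain executes under Docker's default `/bin/sh -c`, and on Debian-based images such as `golang:1.23-bookworm` `/bin/sh` is dash, whose builtin `echo` does not accept `-e` and prints it literally; the generated `/usr/local/bin/podman-service.sh` therefore begins with `-e #!/bin/bash` and has no valid shebang, so it only runs because the calling shell's ENOEXEC fallback interprets it as a script (emitting a `-e: command not found` error and, from a non-bash caller, failing on `disown`). Replace that line with `printf '#!/bin/bash\npodman system service -t 0 unix:///var/run/docker.sock &\ndisown\n' > /usr/local/bin/podman-service.sh && \`, which is portable across POSIX shells. Two things deserve a comment in the file: the `root:10000:1000` subuid/subgid range is far smaller than Podman's usual 65536 and will break unpacking of images with files owned by UIDs above 1000 if the inner Podman is ever run with a user namespace, and `podman system service` on `/var/run/docker.sock` exposes an unauthenticated API that gives anything in the job container full control of the inner engine, which is presumably intended for a CI runner but should be stated. Also prefer `apt-get install -y --no-install-recommends podman` with a pinned version (hadolint DL3008) to keep the image reproducible and small.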
@@ -0,0 +1,47 @@
+# Forgejo Actions environment for launching nested OCI containers
+
+This image contains everything we need for executing tests
+which spawn nested containers:
+
+- Go toolchain
+- Docker wrapper (for abstracting Podman away from users)
+- Podman configuration files
+
+## Usage
+
+Referencing this container from `.forgejo/workflows/workflow.yml`:
+
+```yaml
+jobs:
+  oci-image:
+    runs-on: oci-runner
+```
+
+## Privileges
+
+Managing network connectivity between nested containers requires extra
+privileges on the outer container:
+
+- CAP_NET_ADMIN (fixes `netavark: Netlink error: Operation not permitted`)
+- CAP_SYS_ADMIN (fixes `slirp4netns failed: "open(/dev/net/tun): No such file or directory`)
+
+These privileges are not required for running a single container inside
+rootless Podman.
+Use `--net=host --uts=host --pid=host --cgroups=enabled` to launch inner containers then.
+
+Example of privileged outer container:
+
+```
+podman run \
+    --cap-add CAP_NET_ADMIN --cap-add CAP_SYS_ADMIN \
+    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
+    podman run --name hi hello-world
+```
+
+Unprivileged outer container:
+
+```
+podman run \
+    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
+    podman run --net=host --uts=host --pid=host --cgroups=enabled hello-world
+```
diff --git a/oci-runner/containers.conf b/oci-runner/containers.conf
new file mode 100644
index 000000000..c7b93710e
--- /dev/null
+++ b/oci-runner/containers.conf
@@ -0,0 +1,21 @@
+[containers]
+
+# Basic podman-in-podman config from quay.io/podman/stable
+cgroupns="host"
+cgroups="disabled"
+ipcns="host"
+pidns="private"
+userns="host"
+
+# Allow network connectivity between second order containers
+netns="private"
+utsns="private"
+
+# Workaround for ping_group_range error: https://github.com/containers/podman/issues/13194
+default_sysctls = []
+
+
+[engine]
+
+# Basic podman-in-podman config from quay.io/podman/stable
+cgroup_manager="cgroupfs"
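Review bot: `ipcns="host"` and `userns="host"` in the `[containers]` section make every inner container share the runner container's IPC and user namespaces, and `cgroups="disabled"` means `--memory`, `--cpus` and `--pids-limit` on inner containers are accepted but not enforced; nothing in the file states that inner containers are consequently not an isolation boundary from the job that launches them. Because this file is installed as `/etc/containers/containers.conf` for every user of the image, add a header comment such as `# NOTE: inner containers share this container's IPC and user namespaces and run without cgroup limits; they are isolated from the host only as far as the outer rootless Podman is, not from the job itself.` The `cgroups="disabled"` default also interacts with the README's instruction to pass `--cgroups=enabled` for unprivileged outer containers; a one-line comment noting that CLI flags override these keys per container would spare readers a trip to the manual.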
diff --git a/oci-runner/registries.conf b/oci-runner/registries.conf
new file mode 100644
index 000000000..d15dbcc0f
--- /dev/null
+++ b/oci-runner/registries.conf
@@ -0,0 +1,11 @@
+unqualified-search-registries = ["docker.io"]
+
+[[registry]]
+prefix = "docker.io"
+location = "docker.io"
+
+[[registry.mirror]]
+location = "quay.io"
+
+[[registry.mirror]]
+location = "docker.io"
diff --git a/oci-runner/storage.conf b/oci-runner/storage.conf
new file mode 100644
index 000000000..5bde8c7cf
--- /dev/null
+++ b/oci-runner/storage.conf
@@ -0,0 +1,5 @@
+# STORAGE_DRIVER variable is ignored if /etc/containers/storage.conf does not exist
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
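Review bot: Declaring `quay.io` as a `[[registry.mirror]]` for the `docker.io` prefix makes a pull of `docker.io/library/foo` first resolve to `quay.io/library/foo`, which is an independent registry with its own namespace ownership rather than a mirror of Docker Hub; whoever controls that path on quay.io can serve a different image for the same tag, and Podman only falls back to `docker.io` when the quay.io lookup fails. If the goal is to avoid Hub rate limits, point the mirror at a real pull-through cache or drop the entry; if it must stay, restrict it to content-addressed pulls with `pull-from-mirror = "digest-only"` inside that mirror block (a recent containers-image option, so verify the Podman version Debian bookworm ships honours it). The second mirror, `location = "docker.io"` for the `docker.io` prefix, duplicates the primary location and can be removed. A short comment explaining why the mirror list exists would help the next maintainer.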
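Review bot: The header comment on the first line of `storage.conf` describes a side effect of the file's existence (that `STORAGE_DRIVER` is ignored without it) but not why `driver = "vfs"` is chosen, which is the decision a reader will question given vfs copies every layer in full. I would replace it with something like `# vfs: presumably nested overlay is unavailable on top of the outer rootless Podman's storage without fuse-overlayfs, so use the slow but dependency-free vfs driver; the file must exist or STORAGE_DRIVER is ignored — TODO confirm the overlay limitation`, keeping the hedge until the reason is verified.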