[#6] oci-runner: Environment for launching nested containers

TrueCloudLab/frostfs-infra#177 Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
2024-12-26 14:59:22 +03:00 · 2024-12-26 14:59:22 +03:00 · e7b0d88917
commit e7b0d88917
parent fce7570885
5 changed files with 103 additions and 0 deletions
--- a/oci-runner/Dockerfile
+++ b/oci-runner/Dockerfile
@ -0,0 +1,19 @@
+FROM docker.io/node:20-bookworm-slim as node
+FROM docker.io/golang:1.23-bookworm
+COPY --from=node /usr/local /usr/local
+COPY --from=node /opt /opt
+
+RUN apt-get update && \
+    apt-get install -y podman && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    ln -s /usr/bin/podman /usr/local/bin/docker && \
+    echo root:10000:1000 > /etc/subuid && \
+    echo root:10000:1000 > /etc/subgid && \
+    echo -e '#!/bin/bash\npodman system service -t 0 unix:///var/run/docker.sock &\ndisown' > /usr/local/bin/podman-service.sh && \
+    chmod +x /usr/local/bin/podman-service.sh
+
+# Configuration for podman inside rootless podman
+COPY containers.conf /etc/containers/containers.conf
+COPY registries.conf /etc/containers/registries.conf
+COPY storage.conf /etc/containers/storage.conf
--- a/oci-runner/README.md
+++ b/oci-runner/README.md
@ -0,0 +1,47 @@
+# Forgejo Actions environment for launching nested OCI containers
+
+This image contains everything we need for executing tests
+which spawn nested containers:
+
+- Go toolchain
+- Docker wrapper (for abstracting Podman away from users)
+- Podman configuration files
+
+## Usage
+
+Referencing this container from `.forgejo/workflows/workflow.yml`:
+
+```yaml
+jobs:
+  oci-image:
+    runs-on: oci-runner
+```
+
+## Privileges
+
+Managing network connectivity between nested containers requires extra
+privileges on the outer container:
+
+- CAP_NET_ADMIN (fixes `netavark: Netlink error: Operation not permitted`)
+- CAP_SYS_ADMIN (fixes `slirp4netns failed: "open(/dev/net/tun): No such file or directory`)
+
+These privileges are not required for running a single container inside
+rootless Podman.
+Use `--net=host --uts=host --pid=host --cgroups=enabled` to launch inner containers then.
+
+Example of privileged outer container:
+
+```
+podman run \
+    --cap-add CAP_NET_ADMIN --cap-add CAP_SYS_ADMIN \
+    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
+    podman run --name hi hello-world
+```
+
+Unprivileged outer container:
+
+```
+podman run \
+    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
+    podman run --net=host --uts=host --pid=host --cgroups=enabled hello-world
+```
--- a/oci-runner/containers.conf
+++ b/oci-runner/containers.conf
@ -0,0 +1,21 @@
+[containers]
+
+# Basic podman-in-podman config from quay.io/podman/stable
+cgroupns="host"
+cgroups="disabled"
+ipcns="host"
+pidns="private"
+userns="host"
+
+# Allow network connectivity between second order containers
+netns="private"
+utsns="private"
+
+# Workaround for ping_group_range error: https://github.com/containers/podman/issues/13194
+default_sysctls = []
+
+
+[engine]
+
+# Basic podman-in-podman config from quay.io/podman/stable
+cgroup_manager="cgroupfs"
--- a/oci-runner/registries.conf
+++ b/oci-runner/registries.conf
@ -0,0 +1,11 @@
+unqualified-search-registries = ["docker.io"]
+
+[[registry]]
+prefix = "docker.io"
+location = "docker.io"
+
+[[registry.mirror]]
+location = "quay.io"
+
+[[registry.mirror]]
+location = "docker.io"
--- a/oci-runner/storage.conf
+++ b/oci-runner/storage.conf
@ -0,0 +1,5 @@
+# STORAGE_DRIVER variable is ignored if /etc/containers/storage.conf does not exist
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"