action-env/oci-runner/README.md

# Forgejo Actions environment for launching nested OCI containers

This image contains everything we need for executing tests
which spawn nested containers:

- Go toolchain
- Docker wrapper (for abstracting Podman away from users)
- Podman configuration files

## Usage

Referencing this container from `.forgejo/workflows/workflow.yml`:

```yaml
jobs:
  oci-image:
    runs-on: oci-runner
```

## Privileges

Managing network connectivity between nested containers requires extra
privileges on the outer container:

- CAP_NET_ADMIN (fixes `netavark: Netlink error: Operation not permitted`)
- CAP_SYS_ADMIN (fixes `slirp4netns failed: "open(/dev/net/tun): No such file or directory`)

These privileges are not required for running a single container inside
rootless Podman.
Use `--net=host --uts=host --pid=host --cgroups=enabled` to launch inner containers then.

Example of privileged outer container:

```
podman run \
    --cap-add CAP_NET_ADMIN --cap-add CAP_SYS_ADMIN \
    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
    podman run --name hi hello-world
```

Unprivileged outer container:

```
podman run \
    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
    podman run --net=host --uts=host --pid=host --cgroups=enabled hello-world
```