Vitaliy Potyarkin
bc7e4fecbd
Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>

Files in this directory:
- containers.conf
- Dockerfile
- README.md
- registries.conf
- storage.conf
Forgejo Actions environment for launching nested OCI containers
This image contains everything we need for executing tests which spawn nested containers:
- Go toolchain
- Docker wrapper (for abstracting Podman away from users)
- Podman configuration files
Usage
Referencing this container from `.forgejo/workflows/workflow.yml`:

```yaml
jobs:
  oci-image:
    runs-on: oci-runner
```
Privileges
Managing network connectivity between nested containers requires extra privileges on the outer container:
- CAP_NET_ADMIN (fixes `netavark: Netlink error: Operation not permitted`)
- CAP_SYS_ADMIN (fixes `slirp4netns failed: "open(/dev/net/tun): No such file or directory`)
These privileges are not required for running a single container inside rootless Podman. Use `--net=host --uts=host --pid=host --cgroups=enabled` to launch inner containers then.
Example of privileged outer container:

```sh
podman run \
    --cap-add CAP_NET_ADMIN --cap-add CAP_SYS_ADMIN \
    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
    podman run --name hi hello-world
```
Unprivileged outer container:

```sh
podman run \
    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
    podman run --net=host --uts=host --pid=host --cgroups=enabled hello-world
```
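The two launch forms above differ only in whether the outer container holds CAP_NET_ADMIN and CAP_SYS_ADMIN. The script below is an added example, not part of this image or its workflows: it reads the effective capability mask from `/proc/self/status` and picks the extra flags for the inner `podman run` accordingly, so a job step can fall back to the host-namespace flags instead of failing on the netavark or slirp4netns errors listed above. The helper names (`has_cap`, `current_capeff`, `inner_podman_flags`) and the sample masks are the example's own; the capability bit numbers are the standard ones from `linux/capability.h` (CAP_NET_ADMIN is bit 12, CAP_SYS_ADMIN is bit 21).

```shell
#!/bin/sh
# Added example: choose inner-container flags from the outer container's
# effective capability set. Not part of the oci-runner image itself.

CAP_NET_ADMIN=12   # bit numbers from linux/capability.h
CAP_SYS_ADMIN=21

# has_cap MASK BIT: succeed if bit BIT is set in MASK, a 64-bit hex mask in
# the format of the CapEff line of /proc/<pid>/status.
has_cap() {
    mask=$1
    bit=$2
    [ $(( 0x$mask >> bit & 1 )) -eq 1 ]
}

# current_capeff: print the effective capability mask of this process.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# inner_podman_flags MASK: print the extra flags for the nested `podman run`.
# With both CAP_NET_ADMIN and CAP_SYS_ADMIN present the inner container can get
# its own network namespace and no extra flags are needed; otherwise print the
# host-namespace flags the README recommends for unprivileged outer containers.
inner_podman_flags() {
    mask=$1
    if has_cap "$mask" "$CAP_NET_ADMIN" && has_cap "$mask" "$CAP_SYS_ADMIN"; then
        echo ""
    else
        echo "--net=host --uts=host --pid=host --cgroups=enabled"
    fi
}

# Constructed sample masks (not captured from a real runner). DEFAULT_MASK is
# the usual default capability set of a container (no NET_ADMIN, no SYS_ADMIN);
# PRIVILEGED_MASK is the same set with bits 12 and 21 added.
DEFAULT_MASK=00000000a80425fb
PRIVILEGED_MASK=00000000a82435fb

# Demonstration on the constructed masks. In a real job step the call would be:
#   podman run $(inner_podman_flags "$(current_capeff)") hello-world
for m in "$PRIVILEGED_MASK" "$DEFAULT_MASK"; do
    printf 'CapEff=%s -> extra flags: %s\n' "$m" "$(inner_podman_flags "$m")"
done
```

The check covers only the capability half of the problem: it tells you whether the kernel will let Podman configure an isolated network, not whether `/dev/net/tun` or the netavark binaries are present in the outer container, so a failed inner run should still be inspected rather than assumed to be a permissions issue.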