diff --git a/src/routes/blogs/2-gitea-runner-on-podman-in-lxc/+page.svx b/src/routes/blogs/2-gitea-runner-on-podman-in-lxc/+page.svx index 18cfd75..30d13d1 100644 --- a/src/routes/blogs/2-gitea-runner-on-podman-in-lxc/+page.svx +++ b/src/routes/blogs/2-gitea-runner-on-podman-in-lxc/+page.svx 
@@ -4,57 +4,78 @@ desc: "For some time now I already host a gitea instace and now with this blog I date: 2025-09-17 --- -## Setup Enviorement +# Setup PVE + Setup Proxmox, so podman can run in unpreviliged container. Podman uses high user ids for it's containers, so we need to extend the range that is usable by LXCs. -``` -PVE> vi /etc/subuid -root:100000:200000 # :: -PVE> vi /etc/subgid -root:100000:200000 -``` It is also required to change the limit explictly in the containers config, and we need to add a kernel module. +Those ranges are defined in `/etc/subuid` for user ids and `/etc/subgid` for group ids, +in the from of `::`. +You could change them manually or change them with + +(the first number defines the start and the secound the end of ids) + +```bash +usermod --add-subuids 100000-300000 --add-subgids 100000-300000 root ``` -PVE> vi /etc/pve/lxc/.conf + +So `/etc/subuid` should contains `root:100000:200000`. + +We also need to edit the LXC config `/etc/pve/lxc/.conf`. + +```yaml # lxc.idmap: u 0 100000 165536 # uids 0..165536 (container) -> 100000..265536 (host) lxc.idmap: g 0 100000 165536 # gids lxc.cgroup2.devices.allow: c 10:200 rwm # cgroup2 for PVE >= 7.0 lxc.mount.entry: /dev/net dev/net none bind,create=dir ``` + +I got the information from [here](https://forum.proxmox.com/threads/podman-in-rootless-mode-on-lxc-container.141790/) +together with infos from the [official docu](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration). + + +# Setup LXC + +As we want to run podman as an unpreviliged user, lets create on: +```bash +useradd -U ``` -LXC> vi /etc/subuid -username:100000:65536 -LXC> vi /etc/subgid -username:100000:65536 -``` -I got the information from [here](https://forum.proxmox.com/threads/podman-in-rootless-mode-on-lxc-container.141790/). 
- - -## Setup Podman ```bash apt install podman systemctl --user -M act@ enable podman.socket ``` -## Setup Act Runner - First, since we wanna run this rootless, we need a new unpreviliged user. The binary is [here available](https://dl.gitea.com/act_runner/). I placed it there `/usr/local/bin/act_runner` and made it executable by the new created user. - +```bash +cd /usr/local/bin +curl https://dl.gitea.com/act_runner/0.2.13/act_runner-0.2.13-linux-amd64 > act_runner +chmod +x act_runner +chown act:act act_runner +``` A config that references the regrister file and the podman socket is needed, I placed it in `/etc/act_runner/config.yaml` +``` bash +mkdir /etc/act_runner +chown -R act:act /etc/act_runner +``` + + ```yaml +# config.yaml runner: file: /etc/act_runner/.runner + envs: + XDG_RUNTIME_DIR directory: "/run/user/1000" container: docker_host: "unix:///run/user//podman/docker.sock" @@ -69,8 +90,10 @@ cache: And last but not least, we need to regristrate the runner, wich will create the runner file: The token is accsasible through `Settings -> Actions -> Runners -> Create new Runner`. + +(I'd recommend running the regristration as the unpreviliged user.) ```bash -sudo -u act /usr/local/bin/act_runner register -c /etc/act_runner/config.yaml \ +/usr/local/bin/act_runner register -c /etc/act_runner/config.yaml \ --instance --token --no-interactive ```
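Review bot: In the first hunk, the LXC-side subuid/subgid entries for the rootless user (`username:100000:65536` in the container's `/etc/subuid` and `/etc/subgid`) are removed, and the replacement `useradd -U` step does not mention that rootless podman still needs such a range inside the LXC; either keep that step or add a check such as `grep act /etc/subuid` after `useradd`, because a missing range is the usual cause of podman failing at user-namespace setup. The parenthetical "(the first number defines the start and the secound the end of ids)" describes the `usermod --add-subuids 100000-300000` argument, but the `/etc/subuid` line format lost in `in the from of ::` is `user:start:count`, so `root:100000:200000` is start and count, not start and end; state both forms explicitly so readers do not write an end value into the file. `chown act:act act_runner` hands ownership of the runner binary to the same account that executes CI jobs, so any job can overwrite it; keep it `root:root` with `chmod 755`, which is still executable by `act`. `curl https://dl.gitea.com/act_runner/0.2.13/... > act_runner` will happily save an HTML error page as the binary on a failed download; use `curl -fL -o act_runner ...`. In `config.yaml`, `envs:` followed by `XDG_RUNTIME_DIR directory: "/run/user/1000"` does not parse as a key with a value, and the hardcoded uid 1000 must match the uid in `docker_host: "unix:///run/user//podman/docker.sock"` (the placeholder there appears to have been dropped); the two paths should use the same uid. The spelling errors carried into the new text ("unpreviliged", "secound", "regrister", "contains") are worth fixing in the same change.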
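Review bot: In the second hunk, dropping `sudo -u act` from the `act_runner register` command while only "recommending" that registration run as the unprivileged user leaves the reader without the concrete step; say how to switch (for example `su - act` or keep `sudo -u act`), since `/etc/act_runner/.runner` must end up owned by `act` for the service to read it. Passing the registration token via `--token` on the command line records it in shell history and exposes it in the process list; mention that running `act_runner register` without `--no-interactive` prompts for the token instead. "regristrate", "wich" and "accsasible" in the surrounding sentence should also be corrected.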