ci: set up container to build containers within podman

2024-11-06 21:16:02 -05:00 · 2024-11-06 21:16:02 -05:00 · f0e5a4f260
commit f0e5a4f260
parent 0578333f9d
3 changed files with 77 additions and 10 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -16,12 +16,9 @@ jobs:
          webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}}
          status: "Started"
          init: true
-  build-images:
+  build-runner:
    needs: [pre-run]
    runs-on: imagefactory-latest
-    strategy:
-      matrix:
-        image-name: ['debian-12.6-slim']
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
@ -33,21 +30,21 @@ jobs:
        id: image-metadata
        run: |
          echo "image-tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-          echo "full-image-name=${{ matrix.image-name }}:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+          echo "full-image-name=debian-12.6-slim:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Build image
-        run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/${{ matrix.image-name }}/Dockerfile
+        run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/debian-12.6-slim/Dockerfile
      - name: Tag image as latest
-        run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} ${{ matrix.image-name }}:latest
+        run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} debian-12.6-slim:latest
      - name: List images
        run: podman image ls
      - name: Push tagged image to registry
-        if: ${{ github.event_name == "push" }}
+        if: ${{ github.event_name == 'push' }}
        run: |
          podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ steps.image-metadata.outputs.full-image-name }}
-          podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ matrix.image-name }}:latest
+          podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/debian-12.6-slim:latest
  post-run:
    runs-on: imagefactory-latest
-    needs: [build-images]
+    needs: [build-runner]
    steps:
      - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main
        if: ${{success()}}
--- a/images/debian-12.6-slim/Dockerfile
+++ b/images/debian-12.6-slim/Dockerfile
@ -18,11 +18,13 @@ RUN apt update && \
            python3 \
            python3-pip \
            pipx \
+            fuse-overlayfs \
            --no-install-recommends \
            --autoremove && \
            apt-get clean

 COPY ./files/registries.conf /etc/containers/registries.conf
+COPY ./files/storage.conf /etc/containers/storage.conf

 FROM skeleton as runner

--- a/images/debian-12.6-slim/files/storage.conf
+++ b/images/debian-12.6-slim/files/storage.conf
@ -0,0 +1,68 @@
+[storage]
+driver = "overlay"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+
+[storage.options.overlay]
+# ignore_chown_errors can be set to allow a non privileged user running with
+# a single UID within a user namespace to run containers. The user can pull
+# and use any image even those with multiple uids.  Note multiple UIDs will be
+# squashed down to the default uid in the container.  These images will have no
+# separation between the users in the container. Only supported for the overlay
+# and vfs drivers.
+# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
+#ignore_chown_errors = "false"
+
+# Inodes is used to set a maximum inodes of the container image.
+# inodes = ""
+
+# Path to an helper program to use for mounting the file system instead of mounting it
+# directly.
+mount_program = "/usr/bin/fuse-overlayfs"
+
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev"
+
+# Set to skip a PRIVATE bind mount on the storage home directory.
+# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
+# skip_mount_home = "false"
+
+# Set to use composefs to mount data layers with overlay.
+# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
+# use_composefs = "false"
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# ForceMask specifies the permissions mask that is used for new files and
+# directories.
+#
+# The values "shared" and "private" are accepted.
+# Octal permission masks are also accepted.
+#
+#  "": No value specified.
+#     All files/directories, get set with the permissions identified within the
+#     image.
+#  "private": it is equivalent to 0700.
+#     All files/directories get set with 0700 permissions.  The owner has rwx
+#     access to the files. No other users on the system can access the files.
+#     This setting could be used with networked based homedirs.
+#  "shared": it is equivalent to 0755.
+#     The owner has rwx access to the files and everyone else can read, access
+#     and execute them. This setting is useful for sharing containers storage
+#     with other users.  For instance have a storage owned by root but shared
+#     to rootless users as an additional store.
+#     NOTE:  All files within the image are made readable and executable by any
+#     user on the system. Even /etc/shadow within your image is now readable by
+#     any user.
+#
+#   OCTAL: Users can experiment with other OCTAL Permissions.
+#
+#  Note: The force_mask Flag is an experimental feature, it could change in the
+#  future.  When "force_mask" is set the original permission mask is stored in
+#  the "user.containers.override_stat" xattr and the "mount_program" option must
+#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
+#  extended attribute permissions to processes within containers rather than the
+#  "force_mask"  permissions.
+#
+# force_mask = ""