Hi,
Here's how I run GitLab CI jobs locally in unprivileged podman
containers (I really would prefer not to run a Docker daemon on my
laptop). In a nutshell:

1. Install necessary packages:

     sudo apt install gitlab-runner podman-docker mmdebstrap

2. Create a suitable gitlab-runner-helper container

   I used the attached script, heavily based on
   /usr/lib/gitlab-runner/mk-prebuilt-images.sh

   Run it as your normal user, not as root.

3. Profit!

   For example:

     gitlab-runner exec docker \
       --docker-host "unix:///run/user/$(id -u)/podman/podman.sock" \
       check-po-meta-date

Disclaimers
===========
- I had to pin the docker.io package to -1, because it's recommended
by docker-compose, which is itself recommended by podman-docker.
Otherwise you end up with a Docker daemon.
- This is from memory and there might be missing steps. It could be
nice if someone reproduced this, fixed whatever needs to be fixed,
and migrated it into /contribute/ on our website.
- Some stuff is hardcoded in the attached script (GitLab runner
version, HTTP proxy), which is not ideal.
- If it's not running yet, you might need to explicitly enable the
  podman.socket user unit:

    systemctl --user --now enable podman.socket

Cheers!

#!/bin/bash

set -eu
set -o pipefail

# GitLab Runner version used to tag the helper image (hardcoded)
REVISION=13.3.1

# HTTP proxy (hardcoded)
export http_proxy="http://127.0.0.1:3142"

# Start from an empty work directory; create it first so that the
# later cd does not fail on a first run
mkdir -p ~/.cache/gitlab-runner
rm -rf ~/.cache/gitlab-runner/*

## Spinner:
## http://mebsd.com/coding-snipits/bash-spinner-example-freebsd-loading-spinner.html
i=1
sp="/-\|"

# Append stdin to the log file given as $1, showing a spinner meanwhile
tee_spinner() {
    local L
    while read -r L; do
        printf "%s\b" "${sp:i++%${#sp}:1}" # spinner/bash
        printf "%s\n" "$L" >>"$1"
    done
    printf "\b\n"
}

cd ~/.cache/gitlab-runner

BLOG="$HOME/.cache/gitlab-runner/cdebootstrap.log"
rm -f "${BLOG}"

printf "I: Generating GitLab Runner Docker image. This may take a while...\n"

# Build the root filesystem tarball for the helper image
printf "I: mmdebstrap; saving build log to %s " "${BLOG}"
mmdebstrap -v \
    --variant=apt \
    --include="bash,ca-certificates,git,git-lfs,netcat-traditional,dumb-init" \
    --aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }' \
    bullseye ./stable.tar.xz \
    2>&1 | tee_spinner "${BLOG}"

# Build the image from the packaged Dockerfile and helper binary
# ("docker" is the podman-docker wrapper here)
printf "I: Building Docker image "
cp -v /usr/bin/gitlab-runner-helper .
cp -vr /usr/lib/gitlab-runner/* .
docker build --no-cache --rm --force-rm \
    -t "gitlab-runner-helper:${REVISION}" -f ./Dockerfile .

printf "I: docker create "
docker create --name="gitlab-runner-helper-${REVISION}" \
    "gitlab-runner-helper:${REVISION}" /bin/sh
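
The conditions the steps and disclaimers above depend on (normal user, podman.socket enabled, docker resolving to podman-docker, no Docker daemon), written as a preflight check. This is an added example, not part of the original mail or its attached script. Function names are hypothetical, and it assumes the podman-docker wrapper reports a podman version string for "docker --version".

```sh
# Added example; function names are hypothetical, not from the mail.

# Rootless podman socket for a UID (default: the current user), in the
# form the mail passes to --docker-host.
podman_socket_path() { printf '/run/user/%s/podman/podman.sock' "${1:-$(id -u)}"; }
podman_socket_uri()  { printf 'unix://%s' "$(podman_socket_path "${1:-}")"; }

# True only if the path exists and is a Unix socket.
socket_ok() { [ -S "$1" ]; }

# True only if the `docker` found on PATH is the podman-docker wrapper
# (assumption: it hands its arguments to podman, so the version string
# mentions podman).
docker_cli_is_podman() {
    command -v docker >/dev/null 2>&1 || return 1
    docker --version 2>/dev/null | grep -qi 'podman'
}

# True if no Docker daemon process is running.
no_docker_daemon() { ! pgrep -x dockerd >/dev/null 2>&1; }

# Run every check, report each failure on stderr, return non-zero on any.
preflight() {
    fail=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "E: running as root; use your normal user" >&2; fail=1
    fi
    if ! socket_ok "$(podman_socket_path)"; then
        echo "E: no podman socket; try: systemctl --user --now enable podman.socket" >&2
        fail=1
    fi
    if ! docker_cli_is_podman; then
        echo "E: 'docker' on PATH is not podman-docker" >&2; fail=1
    fi
    if ! no_docker_daemon; then
        echo "E: a Docker daemon (dockerd) is running" >&2; fail=1
    fi
    return "$fail"
}

# After sourcing this file:
#   preflight && gitlab-runner exec docker \
#       --docker-host "$(podman_socket_uri)" check-po-meta-date
if [ "${1:-}" = "--check" ]; then preflight; fi
```
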
_______________________________________________
Tails-dev mailing list
https://www.autistici.org/mailman/listinfo/tails-dev