The DinD setup was the wrong tool here: forgejo-runner runs on host docker, but it spawned jobs via the DinD sidecar — meaning jobs were isolated inside DinD's own docker namespace and couldn't reach `docker-in-docker` by hostname, and couldn't see the `forgejo-runner_default` network (which only exists on host docker).

Switched the runner (compose.yml + data/config.yml) to talk directly to host docker via `/var/run/docker.sock` and added it to the host `docker` group (GID 988) so the non-root runner user can use the socket. `valid_volumes` now whitelists the socket so job containers can mount it too. Workflow now mounts /var/run/docker.sock into the job container and points DOCKER_HOST at that unix socket. `./iso/build.sh` then runs its inner `docker run --privileged archlinux:latest` against the host daemon — no nested docker.

Tradeoff: this is less isolated than DinD (jobs have full host docker access — they could spawn arbitrary containers), but on a dedicated single-user build VM the DooD simplification is worth it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
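The three pieces of wiring the commit describes (runner compose service, runner `config.yml`, and the job's workflow) laid out together, as an added illustration that is not the repository's own files. The compose `group_add` key, the act_runner-style `container.docker_host` / `container.valid_volumes` keys, the `container.options` workflow key, the image name and the job name are assumptions about how this is typically expressed; the GID 988 and socket path come from the commit message.

```yaml
# --- compose.yml (illustrative, not the repo's file) ---
services:
  forgejo-runner:
    image: code.forgejo.org/forgejo/runner:latest   # assumed image name
    # Runner talks to the host daemon through the socket (DooD, no DinD sidecar).
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
    # Supplementary GID of the host `docker` group so the non-root runner
    # user may open the socket. 988 is the value from the commit message;
    # check with: stat -c %g /var/run/docker.sock
    group_add:
      - "988"

# --- data/config.yml (illustrative; act_runner-style keys assumed) ---
container:
  # Empty docker_host means "use DOCKER_HOST or the default unix socket".
  docker_host: ""
  # Allow job containers to bind-mount the socket. Anything listed here is
  # mountable by every job this runner executes, so keep the list minimal.
  valid_volumes:
    - /var/run/docker.sock

# --- .forgejo/workflows/build.yml (illustrative job) ---
jobs:
  build-iso:
    runs-on: docker
    container:
      image: docker:cli                 # assumed: any image with a docker CLI
      # Mount the host socket into the job container; only works because
      # valid_volumes whitelists it on the runner side.
      options: -v /var/run/docker.sock:/var/run/docker.sock
    env:
      # Inner docker calls (e.g. the privileged archlinux build) hit the
      # host daemon directly rather than a nested one.
      DOCKER_HOST: unix:///var/run/docker.sock
    steps:
      - uses: actions/checkout@v4
      - run: ./iso/build.sh
```

Whoever can push a workflow to this repository can now run `docker run --privileged` on the build host, which is exactly the tradeoff the commit accepts for a dedicated single-user VM; on a shared runner the `valid_volumes` entry is the line to remove.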