I wanted to experiment with Forgejo’s Actions as a DIY alternative to GitHub Actions, using a nearby Raspberry Pi as a build server. I also wanted to deviate slightly from their Runner installation process by executing the Runner and rootless Podman as a regular, non-privileged user and without using the system-level systemctl. It was pretty easy once I wrapped my head around it.

  1. Set up the runner user. Since I was using Podman, not Docker, I didn’t have to add it to the docker group. As root:
root# useradd --create-home forgejo-runner

This created user number 1001 on my system. Remember that number later when it’s time to configure systemd.

  2. Enable lingering so that user's systemd user services start at boot, without anyone logging in and launching them manually:
root# loginctl enable-linger forgejo-runner
  3. Use machinectl instead of su to become the forgejo-runner user. Without this, most systemd commands will fail with the "Failed to connect to bus: No medium found" message. I’m certain there’s a way to get su or sudo to play nicely with dbus, but I had more interesting problems to solve today than this.
root# apt install systemd-container
root# machinectl shell forgejo-runner@
  4. Run podman-system-service as the forgejo-runner user:
$ systemctl --user enable podman.socket
$ systemctl --user start podman.socket
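  5. Run the forgejo-runner program as the forgejo-runner user. I lightly modified the standard forgejo-runner.service file. The quoted heredoc delimiter keeps the shell from expanding $MAINPID before systemd sees it:
$ mkdir -p ~/.config/systemd/user
$ cat > ~/.config/systemd/user/forgejo-runner.service <<'EOHD'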
[Unit]
Description=Forgejo Runner
Documentation=https://forgejo.org/docs/latest/admin/actions/
After=podman.socket

[Service]
ExecStart=/usr/local/bin/forgejo-runner daemon
ExecReload=/bin/kill -s HUP $MAINPID
# 1001 is the forgejo-runner user's UID
Environment="DOCKER_HOST=unix:///run/user/1001/podman/podman.sock"

# This user and working directory must already exist
WorkingDirectory=/home/forgejo-runner
Restart=on-failure
TimeoutSec=0
RestartSec=10

[Install]
WantedBy=default.target
EOHD
$ systemctl --user daemon-reload
$ systemctl --user enable forgejo-runner.service
$ systemctl --user start forgejo-runner.service

I rebooted my RPi to make sure it would start on its own and it did. Yay! Now I can run Forgejo Actions on my little server and everything works as documented.
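
A sanity check for the finished setup, added here as an example rather than taken from the post or the Forgejo project: it confirms the unit's DOCKER_HOST matches the runner's UID, that $MAINPID survived into the unit file, and (with --live, run as forgejo-runner) that lingering, the socket and rootless mode are in place. The function names and the --live flag are assumptions of this example; the unit path and socket layout follow the post.

```bash
#!/bin/sh
# Added example: consistency checks for the rootless runner setup above.
# Function names and the --live flag are hypothetical, not part of Forgejo.

# Print the DOCKER_HOST value set by Environment= in a unit file.
unit_docker_host() {
    sed -n 's/^Environment="\{0,1\}DOCKER_HOST=\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Succeed only if the unit points at the rootless Podman socket of UID $2.
check_docker_host() {
    [ "$(unit_docker_host "$1")" = "unix:///run/user/$2/podman/podman.sock" ]
}

# Succeed only if ExecReload still contains a literal $MAINPID. Writing the
# unit through an unquoted heredoc makes the shell expand it to nothing.
check_mainpid_literal() {
    grep -q '^ExecReload=.*\$MAINPID' "$1"
}

# Live checks, run as the forgejo-runner user: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    unit="$HOME/.config/systemd/user/forgejo-runner.service"
    uid=$(id -u)
    fail=0
    [ "$uid" -ne 0 ] || { echo "FAIL: running as root"; fail=1; }
    [ "$(loginctl show-user "$uid" --property=Linger --value)" = "yes" ] \
        || { echo "FAIL: linger not enabled"; fail=1; }
    systemctl --user is-active --quiet podman.socket \
        || { echo "FAIL: podman.socket inactive"; fail=1; }
    [ -S "/run/user/$uid/podman/podman.sock" ] \
        || { echo "FAIL: Podman socket missing"; fail=1; }
    check_docker_host "$unit" "$uid" \
        || { echo "FAIL: DOCKER_HOST does not match UID $uid"; fail=1; }
    check_mainpid_literal "$unit" \
        || { echo "FAIL: \$MAINPID missing from ExecReload"; fail=1; }
    [ "$(podman info --format '{{.Host.Security.Rootless}}')" = "true" ] \
        || { echo "FAIL: Podman is not running rootless"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK: rootless runner setup looks consistent"
    exit "$fail"
fi
```

The DOCKER_HOST check catches the case where the unit is copied to a machine on which forgejo-runner received a UID other than 1001.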