I've been wrangling with #fedora #coreos since yesterday to set up a minimal forgejo runner instance running in #podman. Although I've been working with Flatcar Linux (the successor to the original CoreOS) before, it seems to behave a little bit differently here and there (e.g. SELinux).

Well, I've been fighting #selinux and rootless #podman the whole day.

My plan was to run a #forgejo runner container in a minimal, secure and self-updating environment. And the thing is, I'm probably 95% there, but I can't get this stupid permission fixed for the podman socket. 🤷‍♂️

Link preview: quadlets (Codeberg.org): "This is a repository of the Podman quadlets that I use."
@plaimbock Thanks, but I don't have issues setting up Forgejo as a quadlet, but giving its CI runner access to the Podman socket on a quite locked down SELinux environment in CoreOS.
@frederic Got it. Had one more link in my bookmarks which mentions "Note that for volume mappings, additional configuration is required according to SELinux policies. Add :Z if only a single container needs access, or :z if multiple containers need access. The path must also have the container_t permission." From https://page.teahaven.kr/programming/selinux-podman-quadlet/
Link preview: Running Podman Quadlet on SELinux (Drunkard's Path Finding): "Set up rootless Podman on SELinux with Quadlet systemd files for container management, replacing Docker with improved security and native integration."
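For readers who want to see what the quoted advice looks like inside an actual Quadlet unit, here is an added example (not code from either poster or from the linked article). The unit name, image reference and host paths are assumptions; `:Z` gives the host directory a private, container-specific SELinux label (a `container_file_t` label with this container's MCS categories), while `:z` gives it a shared label that any container may use.

```ini
# ~/.config/containers/systemd/forgejo-runner.container
# Rootless Quadlet unit; file path, image and host paths are assumed, not from the thread.
[Unit]
Description=Forgejo runner (added example)

[Container]
# Placeholder image reference; replace with the runner image you actually deploy.
Image=registry.invalid/forgejo-runner:latest

# Data only this container touches: ":Z" relabels the host directory with a
# private SELinux label so that exactly this container's process context can use it.
Volume=/var/home/core/forgejo-runner/data:/data:Z

# Configuration that another container also reads: ":z" applies a shared label
# so several containers can access the same host directory.
Volume=/var/home/core/forgejo-runner/config:/config:z

[Service]
Restart=always

[Install]
# Rootless units are started by the user's systemd instance.
WantedBy=default.target
```

Because both suffixes relabel the host path itself, point them only at directories created for the container; never use them on shared system locations such as a whole home directory, or other processes on the host may lose access. After `systemctl --user daemon-reload` and starting the unit, `ls -Z` on the host directories shows whether the expected label was applied, which is the first thing to check when a volume mount fails with a permission denied error under SELinux.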

@plaimbock I already got most of it working, but mounting the Podman socket into the container is still a problem. I have to familiarize myself more with SELinux first. 🤔

This started as a typical "shouldn't be hard to get it up and running" thing, but already consumed way more time than I expected. 😅