the expectation of being able to run docker whenever in CI jobs is probably the single worst outcome of free GitHub Actions minutes because reproducing it in a bring-your-own-compute environment is borderline impossible unless you make every machine single-tenant
even if you make every machine single-tenant, most configurations of Forgejo Actions runners would enable malware to escape the build container, persist itself and infect all future releases
it's possible that LXC or firecracker-containerd would solve my problem here
@whitequark I've tried a bunch of options to get the Forgejo Actions runner to spawn microVMs lately: crun-krun, crun-vm, kata-containers, runcvm. Some obstacles: the runner parses container-opts and only passes along those that it knows about. This excludes e.g. annotations. It also hardcodes an alternative entrypoint which can interfere with those of the runtime (e.g. for crun-vm). One of them does not support exec, so is a non-starter (I think it was crun-krun). kata does not work with podman.

@whitequark to be most compatible with GitHub Actions the VM also needs to run systemd as init. Some of them bring their own init though.

In the end runcvm seemed most promising, it starts a "standard" qemu VM and can do systemd, but startup was super slow.

@matrss have you tried firecracker-containerd?
@whitequark No, for some reason your post is the first time I've heard of it. I will check it out when I find some time.
@matrss please let me know how it goes, I think it's the most promising option so far
@whitequark I tried it out but didn't get it to work. I followed both their "quickstart guide" and their "getting started guide" independently once. Building everything went fine, but for some reason the "devmapper snapshotter" setup produced an error on its first invocation (the second invocation didn't) and in the end trying to start a container with firecracker-ctr simply times out after a minute.

@whitequark I don't think I will spend more time with it, as I have no idea about containerd and firecracker and feel like I would just waste time with it.

To be fair, they explicitly say that the project is in a very early state.

@whitequark Instead I have hacked a bit on a crun wrapper that spawns an incus VM and executes inside of that (similar in concept to crun-vm and runcvm). I got it to launch a VM with podman run and run programs inside with podman exec. The next hurdle to get it to work for the Forgejo runner is mounts. I think I will explore that direction a bit more.