add containerfile

.gitignore

@@ -0,0 +1 @@
+.idea/

Containerfile

@@ -0,0 +1,103 @@
+# podman/Containerfile
+#
+# Build a Podman container image from the latest
+# stable version of Podman on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=podman
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+# FLAVOR defaults to stable if unset
+#
+# FLAVOR=stable    acquires a stable version of Podman
+#                   from the Fedoras Updates System.
+# FLAVOR=testing   acquires a testing version of Podman
+#                   from the Fedoras Updates System.
+# FLAVOR=upstream  acquires a testing version of Podman
+#                   from the Fedora Copr Buildsystem.
+#                   https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/
+#
+# https://bodhi.fedoraproject.org/updates/?search=podman
+
+FROM registry.fedoraproject.org/fedora:latest
+ARG FLAVOR=stable
+
+# When building for multiple-architectures in parallel using emulation
+# it's really easy for one/more dnf processes to timeout or mis-count
+# the minimum download rates.  Bump both to be extremely forgiving of
+# an overworked host.
+RUN echo -e "\n\n# Added during image build" >> /etc/dnf/dnf.conf && \
+    echo -e "minrate=100\ntimeout=60\n" >> /etc/dnf/dnf.conf
+
+ARG INSTALL_RPMS="podman fuse-overlayfs openssh-clients ucpp git nodejs"
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y makecache && \
+    dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    case "${FLAVOR}" in \
+      stable) \
+        dnf -y install $INSTALL_RPMS --exclude container-selinux \
+      ;; \
+      testing) \
+        dnf -y install $INSTALL_RPMS --exclude container-selinux \
+            --enablerepo updates-testing \
+      ;; \
+      upstream) \
+        dnf -y install 'dnf-command(copr)' --enablerepo=updates-testing && \
+        dnf -y copr enable rhcontainerbot/podman-next && \
+        dnf -y install $INSTALL_RPMS \
+            --exclude container-selinux \
+            --enablerepo=updates-testing \
+      ;; \
+      *) \
+        printf "\\nFLAVOR argument must be set and valid, currently: '${FLAVOR}'\\n\\n" 1>&2 && \
+        exit 1 \
+      ;; \
+    esac && \
+    ln -s /usr/bin/ucpp /usr/local/bin/cpp && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd podman && \
+    echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid && \
+    echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid
+
+ADD /containers.conf /etc/containers/containers.conf
+ADD /podman-containers.conf /home/podman/.config/containers/containers.conf
+
+RUN mkdir -p /home/podman/.local/share/containers && \
+    chown podman:podman -R /home/podman && \
+    chmod 644 /etc/containers/containers.conf
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+           -e '/additionalimage.*/a "/var/lib/shared",' \
+           -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+           /usr/share/containers/storage.conf \
+           > /etc/containers/storage.conf
+
+# Setup internal Podman to pass subscriptions down from host to internal container
+RUN printf '/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement\n/run/secrets/rhsm:/run/secrets/rhsm\n' > /etc/containers/mounts.conf
+
+# Note VOLUME options must always happen after the chown call above
+# RUN commands can not modify existing volumes
+VOLUME /var/lib/containers
+VOLUME /home/podman/.local/share/containers
+
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers \
+             /var/lib/shared/vfs-images \
+             /var/lib/shared/vfs-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock && \
+    touch /var/lib/shared/vfs-images/images.lock && \
+    touch /var/lib/shared/vfs-layers/layers.lock
+
+ENV _CONTAINERS_USERNS_CONFIGURED="" \
+    BUILDAH_ISOLATION=chroot

README.md

@@ -0,0 +1 @@
+Contains the Containerfile of the image used in our actions runner so that podman in podman works

buildandpush.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Variables
+REGISTRY="git.hannover.ccc.de/c3h/leitstelle-forgejo-actions/runner"
+PLATTARCH="linux/amd64,linux/arm64"
+
+# Build and push the first image
+echo "Building and pushing PHP Podman image..."
+
+if ! podman manifest exists ${REGISTRY}; then podman manifest create ${REGISTRY}; fi
+podman build --platform ${PLATTARCH} --manifest ${REGISTRY} -f Containerfile .
+podman manifest push ${REGISTRY}

containers.conf

@@ -0,0 +1,12 @@
+[containers]
+netns="host"
+userns="host"
+ipcns="host"
+utsns="host"
+cgroupns="host"
+cgroups="disabled"
+log_driver = "k8s-file"
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger="file"
+runtime="crun"

podman-containers.conf

@@ -0,0 +1,5 @@
+[containers]
+volumes = [
+	"/proc:/proc",
+]
+default_sysctls = []