ink/act_runner
1
1
Fork 0
mirror of https://gitea.com/gitea/act_runner.git synced 2026-05-08 00:03:24 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
861d35184526b215c53eeaae758db85001b9480b
act_runner/examples/docker-compose/README.md
Schallbert 861d351845 add apparmor=rootlesskit in security_opt (#937) 
paste depends_on chain from socket-runner-setup  to runner-dind-setup
add apparmor=rootlesscit in security_opt
add explanations for elevated privileges

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <2021+silverwind@noreply.gitea.com>
Reviewed-on: https://gitea.com/gitea/runner/pulls/937
Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com>
Co-authored-by: Schallbert <schallbert@mailbox.org>
Co-committed-by: Schallbert <schallbert@mailbox.org>
2026-05-07 21:20:33 +00:00

2.7 KiB
Raw Blame History

Running gitea-runner using docker-compose

...
  gitea:
    image: gitea/gitea
    ...
    healthcheck:
      # checks availability of Gitea's front-end with curl
      test: ["CMD", "curl", "-f", "<instance_url>"]
      interval: 10s
      retries: 3
      start_period: 30s
      timeout: 10s
    environment:
      # GITEA_RUNNER_REGISTRATION_TOKEN can be used to set a global runner registration token.
      # The Gitea version must be v1.23 or higher.
      # It's also possible to use GITEA_RUNNER_REGISTRATION_TOKEN_FILE to pass the location.
      # - GITEA_RUNNER_REGISTRATION_TOKEN=<user-defined registration token>

  runner:
    image: gitea/runner
    restart: always
    depends_on:
      gitea:
        # required so runner can attach to gitea, see "healthcheck"
        condition: service_healthy
        restart: true
    volumes:
      - ./data/runner:/data
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - GITEA_INSTANCE_URL=<instance url>
      # When using Docker Secrets, it's also possible to use
      # GITEA_RUNNER_REGISTRATION_TOKEN_FILE to pass the location.
      # The env var takes precedence.
      # Needed only for the first start.
      - GITEA_RUNNER_REGISTRATION_TOKEN=<registration token>

Running gitea-runner using Docker-in-Docker (DIND)

  • privileged has to be set to true because in-container Docker daemon requires a lot of kernel capabilities and file system mounts like procfs and sysfs
  • security_opt sets the apparmor profile to rootlesskit for hosts running AppArmor (e.g. Ubuntu, Debian), where the kernel might otherwise block user namespace changes that Docker daemon requires for startup. The rootlesskit profile is provided by the docker-ce-rootless-extras package and is present on hosts where Docker was installed via the official installer or distro packages
...
  runner:
    image: gitea/runner:latest-dind-rootless
    restart: always
    privileged: true
    security_opt:
      - apparmor=rootlesskit
    depends_on:
      gitea:
        condition: service_healthy
        restart: true
    volumes:
      - ./data/runner:/data
    environment:
      - GITEA_INSTANCE_URL=<instance url>
      - DOCKER_HOST=unix:///var/run/user/1000/docker.sock
      # Use slirp4netns instead of vpnkit for significantly better network throughput.
      - DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns
      - DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=65520
      # When using Docker Secrets, it's also possible to use
      # GITEA_RUNNER_REGISTRATION_TOKEN_FILE to pass the location.
      # The env var takes precedence.
      # Needed only for the first start.
      - GITEA_RUNNER_REGISTRATION_TOKEN=<registration token>
Reference in New Issue View Git Blame Copy Permalink