From 5eae9ef2840fe4c359ff391564528ec68350e261 Mon Sep 17 00:00:00 2001
From: continuist
Date: Tue, 2 Sep 2025 23:43:41 -0400
Subject: [PATCH] Update PiP procedure

---
 CI_CD_PIPELINE_SETUP_GUIDE.md | 45 +++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index 7e5da94..417702c 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -419,9 +419,9 @@ sudo sshd -t
 
 **Step 7: Restart SSH Service**
 
-For Ubuntu 22.10+ (socket-based activation):
+For Ubuntu 24.04 LTS (socket-based activation):
 ```bash
-sudo systemctl enable --now ssh.service
+sudo systemctl restart ssh
 ```
 
 For other distributions:
@@ -623,10 +623,6 @@ podman --version
 # Configure Podman for rootless operation (optional but recommended)
 echo 'kernel.unprivileged_userns_clone=1' | sudo tee -a /etc/sysctl.conf
 sudo sysctl -p
-
-# Configure subuid/subgid for CI_SERVICE_USER
-sudo usermod --add-subuids 100000-165535 CI_SERVICE_USER
-sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER
 ```
 
 **What this does**: Installs Podman and configures it for rootless operation, which is needed for the CI pipeline and Forgejo Container Registry operations.
@@ -644,7 +640,19 @@ sudo useradd -r -g CI_SERVICE_USER -s /bin/bash -m -d /home/CI_SERVICE_USER CI_S
 echo "CI_SERVICE_USER:$(openssl rand -base64 32)" | sudo chpasswd
 ```
 
-#### 2.2 Verify Users
+#### 2.2 Configure Rootless Podman for CI_SERVICE_USER
+
+```bash
+# Configure subuid/subgid for CI_SERVICE_USER (required for rootless Podman)
+sudo usermod --add-subuids 100000-165535 CI_SERVICE_USER
+sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER
+
+# Verify the configuration
+grep CI_SERVICE_USER /etc/subuid
+grep CI_SERVICE_USER /etc/subgid
+```
+
+#### 2.3 Verify Users
 
 ```bash
 sudo su - CI_SERVICE_USER
@@ -994,15 +1002,23 @@ sudo su - CI_SERVICE_USER
 # Navigate to the application directory
 cd /opt/APP_NAME
 
+# First clean up any existing socket and containers
+podman rm -f ci-pip 2>/dev/null || true
+rm -f /tmp/podman-host.sock
+
+# Create and test the host Podman socket (different path to avoid conflicts)
+podman system service --time=0 unix:///tmp/podman-host.sock &
+sleep 2
+
+# Verify host socket was created
+ls -la /tmp/podman-host.sock
+
 # Create secure PiP container with NO network exposure
 podman run -d \
   --name ci-pip \
   --security-opt=no-new-privileges \
   --cap-drop=ALL \
-  --cap-add=SETGID \
-  --cap-add=SETUID \
-  --cap-add=CHOWN \
-  -v /var/run/podman.sock:/var/run/podman.sock \
+  -v /tmp/podman-host.sock:/var/run/podman.sock \
   quay.io/podman/stable:latest \
   podman system service --time=0 unix:///var/run/podman.sock
 
@@ -1021,6 +1037,9 @@ podman inspect ci-pip | grep -A 10 "Ports"
 
 # Test image pulling capability (uses host's network stack securely)
 podman exec ci-pip podman pull alpine:latest
+
+# Clean up the background host socket service (PiP container is now handling requests)
+pkill -f "podman system service.*podman-host.sock" 2>/dev/null || true
 ```
 
 **How This Works Securely**:
@@ -1416,9 +1435,9 @@ sudo sshd -t
 
 **Step 7: Restart SSH Service**
 
-For Ubuntu 22.10+ (socket-based activation):
+For Ubuntu 24.04 LTS (socket-based activation):
 ```bash
-sudo systemctl enable --now ssh.service
+sudo systemctl restart ssh
 ```
 
 For other distributions:
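Review bot: The host Podman API socket is created at a fixed, predictable path in the shared `/tmp` directory (`rm -f /tmp/podman-host.sock` followed by `podman system service --time=0 unix:///tmp/podman-host.sock &`), so any other local account can pre-create a file or socket at that name before CI_SERVICE_USER's service starts, and the `rm -f` silently removes whatever is there; the socket should live in the user's private runtime directory instead, e.g. `sock="$XDG_RUNTIME_DIR/podman-host.sock"`, `podman system service --time=0 "unix://$sock" &` and `-v "$sock":/var/run/podman.sock \`. The `sleep 2` plus `ls -la` check never fails the procedure if the socket did not appear; a loop that waits until `[[ -S "$sock" ]]` and exits non-zero on timeout would make the failure visible. Whether the container's own `podman system service` ends up serving requests through the bind-mounted host socket is not clear from the hunk, so the later `pkill -f "podman system service.*podman-host.sock"` (hunk at line 1037) may tear down the service the mount depends on; that deserves a verification step or a comment explaining the intended hand-off. The bind-mounted API socket also gives anything running inside `ci-pip` full control of CI_SERVICE_USER's Podman on the host, which the `**How This Works Securely**` section should state alongside the "NO network exposure" claim.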