Update PiP procedure
Some checks failed
CI/CD Pipeline (Forgejo Container Registry) / Run Tests (DinD) (push) Failing after 0s
CI/CD Pipeline (Forgejo Container Registry) / Build and Push Docker Images (DinD) (push) Failing after 0s
CI/CD Pipeline (Forgejo Container Registry) / Deploy to Production (push) Has been skipped
This commit is contained in:
parent 416f8b8714
commit 5eae9ef284
1 changed file with 32 additions and 13 deletions
@ -419,9 +419,9 @@ sudo sshd -t
|
||||||
|
|
||||||
**Step 7: Restart SSH Service**
|
**Step 7: Restart SSH Service**
|
||||||
|
|
||||||
For Ubuntu 22.10+ (socket-based activation):
|
For Ubuntu 24.04 LTS (socket-based activation):
|
||||||
```bash
|
```bash
|
||||||
sudo systemctl enable --now ssh.service
|
sudo systemctl restart ssh
|
||||||
```
|
```
|
||||||
|
|
||||||
For other distributions:
|
For other distributions:
|
||||||
|
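Review bot: the replacement `sudo systemctl restart ssh` only restarts ssh.service; on socket-activated Ubuntu the listening port and address come from ssh.socket, so if the sshd_config edits validated by the `sudo sshd -t` context line touched Port or ListenAddress they will not take effect until `sudo systemctl daemon-reload` and `sudo systemctl restart ssh.socket` are also run. Swapping the old `enable --now` for `restart` is right, since `enable --now` does not restart a service that is already running, but narrowing the label from "Ubuntu 22.10+" to "Ubuntu 24.04 LTS" drops the releases (22.10, 23.04, 23.10) that use socket activation as well; suggest keeping "22.10+" and adding the socket restart to the block.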
@ -623,10 +623,6 @@ podman --version
|
||||||
# Configure Podman for rootless operation (optional but recommended)
|
# Configure Podman for rootless operation (optional but recommended)
|
||||||
echo 'kernel.unprivileged_userns_clone=1' | sudo tee -a /etc/sysctl.conf
|
echo 'kernel.unprivileged_userns_clone=1' | sudo tee -a /etc/sysctl.conf
|
||||||
sudo sysctl -p
|
sudo sysctl -p
|
||||||
|
|
||||||
# Configure subuid/subgid for CI_SERVICE_USER
|
|
||||||
sudo usermod --add-subuids 100000-165535 CI_SERVICE_USER
|
|
||||||
sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER
|
|
||||||
```
|
```
|
||||||
|
|
||||||
**What this does**: Installs Podman and configures it for rootless operation, which is needed for the CI pipeline and Forgejo Container Registry operations.
|
**What this does**: Installs Podman and configures it for rootless operation, which is needed for the CI pipeline and Forgejo Container Registry operations.
|
||||||
|
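Review bot: removing the `usermod --add-subuids/--add-subgids` lines from this block is the right fix for an ordering bug, since CI_SERVICE_USER is only created by the `useradd` shown in the next hunk's context and `usermod` on a user that does not exist yet fails. The remaining `echo 'kernel.unprivileged_userns_clone=1' | sudo tee -a /etc/sysctl.conf` is not idempotent: every re-run of the procedure appends another copy of the line. Suggest writing it to its own drop-in, e.g. `echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/99-userns.conf` followed by `sudo sysctl --system`, and noting that not every kernel exposes this key (check with `sysctl kernel.unprivileged_userns_clone` first), otherwise `sysctl -p` reports an unknown key and the step fails.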
@ -644,7 +640,19 @@ sudo useradd -r -g CI_SERVICE_USER -s /bin/bash -m -d /home/CI_SERVICE_USER CI_S
|
||||||
echo "CI_SERVICE_USER:$(openssl rand -base64 32)" | sudo chpasswd
|
echo "CI_SERVICE_USER:$(openssl rand -base64 32)" | sudo chpasswd
|
||||||
```
|
```
|
||||||
|
|
||||||
#### 2.2 Verify Users
|
#### 2.2 Configure Rootless Podman for CI_SERVICE_USER
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Configure subuid/subgid for CI_SERVICE_USER (required for rootless Podman)
|
||||||
|
sudo usermod --add-subuids 100000-165535 CI_SERVICE_USER
|
||||||
|
sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER
|
||||||
|
|
||||||
|
# Verify the configuration
|
||||||
|
grep CI_SERVICE_USER /etc/subuid
|
||||||
|
grep CI_SERVICE_USER /etc/subgid
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 2.3 Verify Users
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo su - CI_SERVICE_USER
|
sudo su - CI_SERVICE_USER
|
||||||
|
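Review bot: `usermod --add-subuids 100000-165535` does not check whether that range is already assigned to another account, and on Debian/Ubuntu the first interactive user created at install time typically already holds exactly 100000-165535 in /etc/subuid and /etc/subgid; overlapping subordinate ranges let files owned by one user's rootless containers be reachable by another user's containers, which undermines the isolation this new section 2.2 is setting up. Before the two `usermod` lines, suggest checking the existing allocations (`grep -v '^CI_SERVICE_USER:' /etc/subuid /etc/subgid`) and choosing the next free block of 65536 IDs, and after them running `podman system migrate` as CI_SERVICE_USER so a Podman instance that has already initialised its storage picks up the new mapping. The two `grep` verification lines only display the entries; they do not stop the procedure if the ranges are missing, so a `|| exit 1` or an explicit "expected output" line would make the check meaningful.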
@ -994,15 +1002,23 @@ sudo su - CI_SERVICE_USER
|
||||||
# Navigate to the application directory
|
# Navigate to the application directory
|
||||||
cd /opt/APP_NAME
|
cd /opt/APP_NAME
|
||||||
|
|
||||||
|
# First clean up any existing socket and containers
|
||||||
|
podman rm -f ci-pip 2>/dev/null || true
|
||||||
|
rm -f /tmp/podman-host.sock
|
||||||
|
|
||||||
|
# Create and test the host Podman socket (different path to avoid conflicts)
|
||||||
|
podman system service --time=0 unix:///tmp/podman-host.sock &
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
# Verify host socket was created
|
||||||
|
ls -la /tmp/podman-host.sock
|
||||||
|
|
||||||
# Create secure PiP container with NO network exposure
|
# Create secure PiP container with NO network exposure
|
||||||
podman run -d \
|
podman run -d \
|
||||||
--name ci-pip \
|
--name ci-pip \
|
||||||
--security-opt=no-new-privileges \
|
--security-opt=no-new-privileges \
|
||||||
--cap-drop=ALL \
|
--cap-drop=ALL \
|
||||||
--cap-add=SETGID \
|
-v /tmp/podman-host.sock:/var/run/podman.sock \
|
||||||
--cap-add=SETUID \
|
|
||||||
--cap-add=CHOWN \
|
|
||||||
-v /var/run/podman.sock:/var/run/podman.sock \
|
|
||||||
quay.io/podman/stable:latest \
|
quay.io/podman/stable:latest \
|
||||||
podman system service --time=0 unix:///var/run/podman.sock
|
podman system service --time=0 unix:///var/run/podman.sock
|
||||||
|
|
||||||
|
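Review bot: the new `-v /tmp/podman-host.sock:/var/run/podman.sock` bind-mounts the host socket onto the very path where the container's command, `podman system service --time=0 unix:///var/run/podman.sock`, then tries to create its own socket, so the two collide (a mount point cannot be unlinked from inside the container) and it is unclear which service CI jobs are meant to talk to. Decide on one design: if the container is only a front for the host socket, drop the inner `podman system service` command; if it should run its own daemon with `--cap-drop=ALL` and no capabilities added back, drop the mount. Also, `podman system service --time=0 unix:///tmp/podman-host.sock &` is an unsupervised background job of the `sudo su - CI_SERVICE_USER` shell: nothing restarts it on failure or after a reboot, and it may be killed when the session ends depending on the logind KillUserProcesses setting. The supported way to get a persistent rootless socket is `sudo loginctl enable-linger CI_SERVICE_USER` plus `systemctl --user enable --now podman.socket` as that user, which listens at `$XDG_RUNTIME_DIR/podman/podman.sock` and can be mounted into the container instead of a socket in /tmp.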
@ -1021,6 +1037,9 @@ podman inspect ci-pip | grep -A 10 "Ports"
|
||||||
|
|
||||||
# Test image pulling capability (uses host's network stack securely)
|
# Test image pulling capability (uses host's network stack securely)
|
||||||
podman exec ci-pip podman pull alpine:latest
|
podman exec ci-pip podman pull alpine:latest
|
||||||
|
|
||||||
|
# Clean up the background host socket service (PiP container is now handling requests)
|
||||||
|
pkill -f "podman system service.*podman-host.sock" 2>/dev/null || true
|
||||||
```
|
```
|
||||||
|
|
||||||
**How This Works Securely**:
|
**How This Works Securely**:
|
||||||
|
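Review bot: the added `pkill -f "podman system service.*podman-host.sock"` removes the only listener behind the socket: the container's /var/run/podman.sock is a bind mount of /tmp/podman-host.sock, served by the host process started in the previous hunk, so after this line any request made through the container's mounted socket fails, contrary to the comment that the PiP container "is now handling requests". Either drop this step or, if the host service is meant to be temporary, capture its PID with `$!` when it is started and `kill` that, since `pkill -f` matches on a command-line pattern rather than a specific process. Separately, `podman exec ci-pip podman pull alpine:latest` does not exercise the mounted socket at all: the podman CLI inside the container works against its own local storage unless it is pointed at the socket, e.g. with `CONTAINER_HOST=unix:///var/run/podman.sock`, so this test can pass or fail independently of the socket plumbing it is meant to verify.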
@ -1416,9 +1435,9 @@ sudo sshd -t
|
||||||
|
|
||||||
**Step 7: Restart SSH Service**
|
**Step 7: Restart SSH Service**
|
||||||
|
|
||||||
For Ubuntu 22.10+ (socket-based activation):
|
For Ubuntu 24.04 LTS (socket-based activation):
|
||||||
```bash
|
```bash
|
||||||
sudo systemctl enable --now ssh.service
|
sudo systemctl restart ssh
|
||||||
```
|
```
|
||||||
|
|
||||||
For other distributions:
|
For other distributions:
|
||||||
|
|
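Review bot: this is the same edit as the hunk at line 419 applied to a second copy of Step 7, with the same issue: `sudo systemctl restart ssh` does not restart ssh.socket, so Port or ListenAddress changes in sshd_config need `sudo systemctl daemon-reload` and `sudo systemctl restart ssh.socket` on socket-activated Ubuntu, and the "22.10+" label was more accurate than "24.04 LTS". Having two copies of the same step that must be changed in lockstep is itself worth fixing; suggest keeping one copy and referring to it from the second location.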