devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update PiP procedure
Some checks failed
CI/CD Pipeline (Forgejo Container Registry) / Run Tests (DinD) (push) Failing after 0s
Details
CI/CD Pipeline (Forgejo Container Registry) / Build and Push Docker Images (DinD) (push) Failing after 0s
Details
CI/CD Pipeline (Forgejo Container Registry) / Deploy to Production (push) Has been skipped
Details

Browse source
This commit is contained in:
continuist 2025-09-02 23:43:41 -04:00
parent 416f8b8714
commit 5eae9ef284
1 changed files with 32 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
CI_CD_PIPELINE_SETUP_GUIDE.md
View file

@ -419,9 +419,9 @@ sudo sshd -t
**Step 7: Restart SSH Service**
For Ubuntu 22.10+ (socket-based activation):
For Ubuntu 24.04 LTS (socket-based activation):
```bash
sudo systemctl enable --now ssh.service
sudo systemctl restart ssh
```
For other distributions:
@ -623,10 +623,6 @@ podman --version
# Configure Podman for rootless operation (optional but recommended)
echo 'kernel.unprivileged_userns_clone=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Configure subuid/subgid for CI_SERVICE_USER
sudo usermod --add-subuids 100000-165535 CI_SERVICE_USER
sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER
```
**What this does**: Installs Podman and configures it for rootless operation, which is needed for the CI pipeline and Forgejo Container Registry operations.
@ -644,7 +640,19 @@ sudo useradd -r -g CI_SERVICE_USER -s /bin/bash -m -d /home/CI_SERVICE_USER CI_S
echo "CI_SERVICE_USER:$(openssl rand -base64 32)" | sudo chpasswd
```
#### 2.2 Verify Users
#### 2.2 Configure Rootless Podman for CI_SERVICE_USER
```bash
# Configure subuid/subgid for CI_SERVICE_USER (required for rootless Podman)
sudo usermod --add-subuids 100000-165535 CI_SERVICE_USER
sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER
# Verify the configuration
grep CI_SERVICE_USER /etc/subuid
grep CI_SERVICE_USER /etc/subgid
```
#### 2.3 Verify Users
```bash
sudo su - CI_SERVICE_USER
@ -994,15 +1002,23 @@ sudo su - CI_SERVICE_USER
# Navigate to the application directory
cd /opt/APP_NAME
# First clean up any existing socket and containers
podman rm -f ci-pip 2>/dev/null || true
rm -f /tmp/podman-host.sock
# Create and test the host Podman socket (different path to avoid conflicts)
podman system service --time=0 unix:///tmp/podman-host.sock &
sleep 2
# Verify host socket was created
ls -la /tmp/podman-host.sock
# Create secure PiP container with NO network exposure
podman run -d \
--name ci-pip \
--security-opt=no-new-privileges \
--cap-drop=ALL \
--cap-add=SETGID \
--cap-add=SETUID \
--cap-add=CHOWN \
-v /var/run/podman.sock:/var/run/podman.sock \
-v /tmp/podman-host.sock:/var/run/podman.sock \
quay.io/podman/stable:latest \
podman system service --time=0 unix:///var/run/podman.sock
@ -1021,6 +1037,9 @@ podman inspect ci-pip | grep -A 10 "Ports"
# Test image pulling capability (uses host's network stack securely)
podman exec ci-pip podman pull alpine:latest
# Clean up the background host socket service (PiP container is now handling requests)
pkill -f "podman system service.*podman-host.sock" 2>/dev/null || true
```
**How This Works Securely**:
@ -1416,9 +1435,9 @@ sudo sshd -t
**Step 7: Restart SSH Service**
For Ubuntu 22.10+ (socket-based activation):
For Ubuntu 24.04 LTS (socket-based activation):
```bash
sudo systemctl enable --now ssh.service
sudo systemctl restart ssh
```
For other distributions: