Document and support rootless Podman agents #8

Open
opened 2026-05-03 06:21:59 +00:00 by lambadalambda · 0 comments

Problem

A Fedora Asahi M1 runner used rootless Podman. It worked with Woodpecker's Docker backend, but required non-obvious setup.

Important details:

  • user lingering had to be enabled for the service to survive logout/reboot
  • podman.socket had to be enabled as a user service
  • the agent used WOODPECKER_BACKEND_DOCKER_HOST=unix:///run/podman/podman.sock
  • directly bind-mounting the socket file did not work in this setup
  • bind-mounting the socket directory worked instead: %t/podman:/run/podman
  • SELinux required disabling labels for the agent container in this setup: --security-opt label=disable
  • a user systemd service and cleanup timer had to be built manually

Desired behavior

Add first-class documentation or support for rootless Podman agents:

  • official rootless Podman systemd user service example
  • recommended socket mount pattern
  • SELinux notes for Fedora
  • cleanup/prune recommendation
  • explanation of supported/unsupported Docker API behavior
  • optional native Podman backend if Docker API compatibility is not enough

Why this matters

Podman is common on Fedora and other Linux distributions. Rootless agents are attractive for security, but the current setup is easy to get subtly wrong.
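The setup steps the issue lists, collected into one script as an added example (not code from the Woodpecker project or from the issue author). It renders a user systemd unit for the agent that bind-mounts the socket directory (%t/podman, not the socket file), points the agent at unix:///run/podman/podman.sock, disables SELinux labels for the agent container only, and adds a prune service plus timer; it also enables lingering and podman.socket and checks that the socket answers the Docker-compatible API before the agent is started. The agent image name, the WOODPECKER_SERVER / WOODPECKER_AGENT_SECRET variable names, the unit names, the 0600 env file and the daily prune schedule are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not the Woodpecker project's or the issue author's code.
# Assumptions not from the page: agent image, env var names for server/secret,
# unit names, env-file location and a daily prune schedule.
set -eu

AGENT_IMAGE="${AGENT_IMAGE:-docker.io/woodpeckerci/woodpecker-agent:latest}"  # assumed
UNIT_DIR="${HOME:-/root}/.config/systemd/user"
ENV_FILE="${HOME:-/root}/.config/woodpecker-agent.env"

# Agent unit. %t is the user's runtime dir ($XDG_RUNTIME_DIR), so the mount is the
# socket directory, as the issue found necessary; the agent sees the socket at
# /run/podman/podman.sock. Labels are disabled for this container only and the
# secret is read from a 0600 env file rather than written into the unit.
render_agent_unit() {
  cat <<EOF
[Unit]
Description=Woodpecker agent (rootless Podman)
Requires=podman.socket
After=podman.socket

[Service]
Restart=always
RestartSec=5
EnvironmentFile=$ENV_FILE
ExecStartPre=-/usr/bin/podman rm -f woodpecker-agent
ExecStart=/usr/bin/podman run --rm --name woodpecker-agent \\
  --security-opt label=disable \\
  -v %t/podman:/run/podman \\
  -e WOODPECKER_BACKEND_DOCKER_HOST=unix:///run/podman/podman.sock \\
  -e WOODPECKER_SERVER -e WOODPECKER_AGENT_SECRET \\
  $AGENT_IMAGE
ExecStop=/usr/bin/podman stop -t 10 woodpecker-agent

[Install]
WantedBy=default.target
EOF
}

# Cleanup: removes stopped containers, unused networks and dangling images.
# Volumes are not pruned, so nothing a running pipeline holds is touched.
render_prune_service() {
  cat <<'EOF'
[Unit]
Description=Prune leftovers from CI runs (rootless Podman)

[Service]
Type=oneshot
ExecStart=/usr/bin/podman system prune -f
EOF
}

render_prune_timer() {
  cat <<'EOF'
[Unit]
Description=Daily Podman prune for the CI agent

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
EOF
}

# Preflight: the user socket must exist and answer the Docker-compatible API.
check_socket() {
  sock="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman/podman.sock"
  [ -S "$sock" ] || { echo "no socket at $sock (is podman.socket enabled?)" >&2; return 1; }
  curl -sf --unix-socket "$sock" http://localhost/_ping >/dev/null
}

install_units() {
  # Lingering keeps the user manager, and with it the socket and agent, alive
  # without a login session and across reboots.
  loginctl enable-linger "$(id -un)"
  systemctl --user enable --now podman.socket
  mkdir -p "$UNIT_DIR"
  if [ ! -f "$ENV_FILE" ]; then
    ( umask 077
      printf 'WOODPECKER_SERVER=ci.example.com:9000\nWOODPECKER_AGENT_SECRET=change-me\n' > "$ENV_FILE" )
  fi
  render_agent_unit    > "$UNIT_DIR/woodpecker-agent.service"
  render_prune_service > "$UNIT_DIR/podman-prune.service"
  render_prune_timer   > "$UNIT_DIR/podman-prune.timer"
  systemctl --user daemon-reload
  check_socket
  systemctl --user enable --now podman-prune.timer woodpecker-agent.service
}

# Only act when asked; otherwise the script just defines the functions above.
if [ "${1:-}" = install ]; then
  install_units
fi
```

Run it as `sh setup-agent.sh install` as the unprivileged CI user, then edit the generated env file with the real server address and agent secret and restart the service. The prune is deliberately `podman system prune -f` without `--volumes`, because the Docker backend creates per-pipeline volumes that may still be in use.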

Reference
pleroma/woodpecker#8