I had already set up a Forgejo instance on Fedora CoreOS but I wanted to add a Runner for Actions. I didn’t really have a spare system on which to run Forgejo’s Runner so I opted to run it on the same CoreOS system. This did create one complication in that accessing another service on localhost on Fedora CoreOS doesn’t work by default so I needed an extra option to allow the Runner to register with the forge.

There are other sources on the internet that document setting up a Forgejo Runner, even running it in Podman and setting it up to run jobs in Podman, so this page will skip all of that and focus on the particularities of a Fedora CoreOS host.

Accessing Service on Localhost

There are several ways to do this such as --map-gw to map the gateway or port forwarding with --tcp-ns but I opted for --map-host-loopback. If running directly with podman, it’s the --network=pasta:--map-host-loopback=169.254.1.1 option. That translates to Network=pasta:--map-host-loopback=169.254.1.1 in the Podman Quadlet config. The only catch is that you must use that IP, not 127.0.0.1, to connect to the Forgejo instance from inside the container.

This is enough to register with Forgejo but the Runner will complain about not being able to access the Docker socket.

Podman in Podman

Enable and start the user-level podman.socket unit. This creates the /run/user/UID/podman/podman.sock UNIX socket that will need to be mapped into the Forgejo Runner container. First, add Volume=/run/user/1000/podman/podman.sock:/run/podman.sock (replace 1000 with the UID of the user running the Runner) to have Podman mount the socket in the container. Second, add Environment=DOCKER_HOST=unix:///run/podman.sock so that Forgejo Runner uses the mounted socket instead of looking for a Docker daemon.

The socket will be owned by root:root, so include User=0 and Group=0 in the config to make the container’s user match. Finally, SELinux is enforcing on CoreOS, so the container needs to be labeled container_runtime_t to connect to the UNIX socket. The podman option for this is --security-opt label=type:container_runtime_t. Quadlet exposes the --security-opt label settings as SecurityLabel-prefixed keys; the one wanted here is SecurityLabelType.

Full Podman Quadlet Configuration

[Unit]
Description=Run Forgejo Runner
After=network-online.target
Wants=network-online.target

[Container]
AutoUpdate=registry
ContainerName=forgejo-runner
Exec=forgejo-runner --config /data/config/runner.yaml daemon
Environment=DOCKER_HOST=unix:///run/podman.sock
Image=code.forgejo.org/forgejo/runner:12
User=0
Group=0
Network=pasta:--map-host-loopback=169.254.1.1
SecurityLabelType=container_runtime_t
Volume=runner-data:/data
Volume=/var/home/forgejo-runner/config:/data/config
Volume=/run/user/1000/podman/podman.sock:/run/podman.sock

[Install]
WantedBy=default.target
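As an added check (example code, not part of the original post or the Forgejo project), the script below lints a Quadlet file for the settings this page depends on: the pasta loopback mapping, a DOCKER_HOST that matches the container side of the socket Volume, a host socket path under the given UID, User/Group 0, and the SELinux type. The sample unit it writes to a temp file is the [Container] section from above; the UID argument and the check function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Forgejo Runner Quadlet
# file for the CoreOS-specific settings described above. UID is an argument.
# Print every value of KEY in the [Container] section, one per line.
quadlet_get() {  # $1=file $2=key
  awk -v key="$2" '
    /^\[/ { in_c = ($0 == "[Container]") }
    in_c && index($0, key "=") == 1 { print substr($0, length(key) + 2) }
  ' "$1"
}
# Report each missing setting on stdout; return the number of problems.
check_runner_quadlet() {  # $1=file $2=uid of the rootless user (default: current)
  f="$1"; uid="${2:-$(id -u)}"; fails=0
  case "$(quadlet_get "$f" Network)" in
    pasta:*--map-host-loopback=*) ;;
    *) echo "FAIL: Network=pasta:--map-host-loopback=<ip> is needed to reach the forge"
       fails=$((fails + 1)) ;;
  esac
  # DOCKER_HOST must name the container side of the socket Volume; its host side
  # must be this user's rootless podman.socket path.
  sock=$(quadlet_get "$f" Environment | sed -n 's#^DOCKER_HOST=unix://##p')
  if [ -z "$sock" ]; then
    echo "FAIL: Environment=DOCKER_HOST=unix:///... is missing"; fails=$((fails + 1))
  elif ! quadlet_get "$f" Volume | grep -q "^/run/user/$uid/podman/podman.sock:$sock\$"; then
    echo "FAIL: no Volume=/run/user/$uid/podman/podman.sock:$sock"; fails=$((fails + 1))
  fi
  [ "$(quadlet_get "$f" User)" = 0 ] && [ "$(quadlet_get "$f" Group)" = 0 ] ||
    { echo "FAIL: User=0 and Group=0 are needed to match the socket owner"; fails=$((fails + 1)); }
  [ "$(quadlet_get "$f" SecurityLabelType)" = container_runtime_t ] ||
    { echo "FAIL: SecurityLabelType=container_runtime_t is needed under SELinux"; fails=$((fails + 1)); }
  return "$fails"
}
# Constructed sample: the post's [Container] section in a temp file, plus a
# copy with the SELinux label line removed.
write_sample() {  # $1=path
  cat > "$1" <<'EOF'
[Container]
Environment=DOCKER_HOST=unix:///run/podman.sock
User=0
Group=0
Network=pasta:--map-host-loopback=169.254.1.1
SecurityLabelType=container_runtime_t
Volume=runner-data:/data
Volume=/run/user/1000/podman/podman.sock:/run/podman.sock
EOF
}
good=$(mktemp); write_sample "$good"
bad=$(mktemp); grep -v '^SecurityLabelType' "$good" > "$bad"
check_runner_quadlet "$good" 1000 && echo "post's unit: OK"
check_runner_quadlet "$bad" 1000 || echo "copy without label: rejected, as intended"
```

Run it against the real file with `check_runner_quadlet ~/.config/containers/systemd/forgejo-runner.container "$(id -u)"` before `systemctl --user daemon-reload`; a wrong UID in the Volume line is the most common mismatch and shows up as the socket check failing.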