feat: add a runner type without DinD for buildah-based build pipelines #29

Open
opened 2026-05-01 06:01:27 +00:00 by rcsheets · 0 comments
Owner

Now that brooktrails/pr-reviewer's build-push.yaml has migrated from docker build to buildah bud (with podman for the smoke test), it no longer needs a Docker-in-Docker sidecar. The current runs-on: [dind, trusted] selector still routes the job to a runner pool that brings up DinD as an unused dependency — extra pod startup time, extra memory, an extra privileged container that isn't doing anything.

Once a couple more workflows make the same migration (notably brooktrails/brooktrails-web's build-push.yaml), it would be worth defining a new lightweight runner type that:

  • Includes whatever [trusted] already implies for elevated capabilities (cgroup access, etc.).
  • Does NOT spin up a DinD sidecar.
  • Carries a distinct label (suggested: buildah or oci-build) so workflows can opt in deliberately rather than landing on it implicitly.

After that's available, pr-reviewer's runs-on becomes [buildah, trusted] (or whatever the chosen tag is) and the unused DinD sidecar drops away.

Open questions:

  • Naming.
  • Whether to phase out the dind runner type entirely once nothing references it, or keep both around for now.
  • Capability set — does the buildah runner need anything beyond what [trusted] already grants? (We currently force vfs storage and chroot isolation specifically because the runner doesn't have privileges to use overlay or runc-with-namespaces. A more privileged runner could lift those.)
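As an added illustration of the workflow shape the issue describes (this is not `brooktrails/pr-reviewer`'s actual `build-push.yaml`, which is not reproduced on this page), a minimal Forgejo Actions job that builds with `buildah bud` and smoke-tests with `podman`, using the proposed `buildah` label. The registry, image name, secret names, and the `--version` invocation in the smoke test are placeholder assumptions; the `vfs` storage driver and `chroot` isolation are pinned exactly as the issue says the current runner requires, with a note on what a more privileged runner type could relax.

```yaml
# Added example, not the project's own build-push.yaml.
# Registry host, image name and secret names are placeholders.
name: build-push
on:
  push:
    branches: [main]

jobs:
  build:
    # Proposed label from the issue; today this job would carry [dind, trusted]
    # and land on a pool that starts an unused Docker-in-Docker sidecar.
    runs-on: [buildah, trusted]
    env:
      # Both buildah and podman read these via containers/storage. They are
      # forced because the runner cannot use overlayfs or runc with user
      # namespaces; a runner type with more privileges could drop them and
      # fall back to the defaults (overlay storage, oci isolation).
      STORAGE_DRIVER: vfs
      BUILDAH_ISOLATION: chroot
      IMAGE: registry.example.invalid/brooktrails/pr-reviewer:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      - name: Build image with buildah (no Docker daemon needed)
        run: |
          buildah bud --isolation chroot -t "$IMAGE" .

      - name: Smoke test with podman
        run: |
          # Same storage driver and root, so podman sees the image buildah
          # just committed to local containers/storage (no registry round trip).
          # Assumes the image entrypoint accepts --version.
          podman run --rm "$IMAGE" --version

      - name: Push image
        run: |
          # Password via stdin keeps the secret out of the process argv.
          printf '%s' "${{ secrets.REGISTRY_PASSWORD }}" \
            | buildah login -u "${{ secrets.REGISTRY_USER }}" --password-stdin registry.example.invalid
          buildah push "$IMAGE"
```

With `STORAGE_DRIVER=vfs` set for the whole job, buildah and podman share one image store, which is what lets the smoke test run the freshly built image without pushing first. If the new runner type ends up granting overlay and user-namespace privileges, the two `env` lines and the explicit `--isolation chroot` are the only things that need to change.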
Reference
brooktrails/forgejo-runner-operator#29