Help from #podman or #docker users welcome!
We have started to offer open alpha access to a hosted Forgejo Actions CI runner. Unfortunately, there are many jobs that can crash the runner for every user reliably, and many users execute them inadvertently.
To save cost and disk wear, we want to keep temporary writes inside the CI builds in RAM and only store the images persistently.
However, the setup is apparently incorrect and we need help figuring it out.
See https://codeberg.org/actions/meta/issues/11
Posted by Codeberg@social.anoxinon.de
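As an added illustration of the setup the post describes (not code from the Codeberg thread or from the linked issue), the following shell snippet shows one way to run a CI job with podman so that the image stays in podman's normal persistent store while every path the job can write to is a size-capped tmpfs in RAM. The image name, mount points, sizes and cgroup limits are assumptions chosen for the example, not values from the page.

```bash
#!/bin/sh
# Added example, not part of the original thread or of Forgejo/Codeberg's runner.
# Keeps a job's scratch writes in size-capped RAM while the image itself stays
# in podman's regular (persistent) image store.

# Assumed base image for the example; any CI image works the same way.
IMAGE="${IMAGE:-docker.io/library/alpine:3.19}"

# Emit the podman run arguments one per line so they can be inspected (dry run)
# or passed straight to podman.
ci_podman_args() {
    # --read-only: the image layers and the container's copy-on-write layer are
    #   read-only, so the job cannot write into on-disk container storage at all.
    # --tmpfs PATH:...,size=N: each writable path is RAM-backed and capped, so a
    #   job that fills its scratch space hits its own limit instead of exhausting
    #   host memory or disk (an uncapped tmpfs defaults to half of physical RAM).
    # --memory / --pids-limit: a runaway job is stopped by its cgroup rather than
    #   taking the whole runner down with it; tmpfs pages are charged to the
    #   writing cgroup, so --memory also bounds the scratch data.
    # --cap-drop ALL / no-new-privileges: the job runs with no capabilities and
    #   cannot regain any via setuid binaries.
    printf '%s\n' \
        --rm --read-only \
        --tmpfs /tmp:rw,nosuid,nodev,size=512m \
        --tmpfs /run:rw,nosuid,nodev,size=64m \
        --tmpfs /workspace:rw,nosuid,nodev,size=2g \
        --memory 4g --pids-limit 2048 \
        --cap-drop ALL --security-opt no-new-privileges \
        "$IMAGE"
}

# Run the job command given as arguments, e.g.:
#   run_ci_job sh -c 'df -h /workspace && touch /etc/should_fail'
# The first command succeeds (RAM-backed scratch), the second fails (read-only root).
run_ci_job() {
    if command -v podman >/dev/null 2>&1; then
        # Arguments contain no whitespace, so plain word splitting is safe here.
        podman run $(ci_podman_args) "$@"
    else
        echo "podman not found; would run: podman run $(ci_podman_args | tr '\n' ' ')$*"
    fi
}
```

The size caps are the part that matters for the crash scenario in the post: a tmpfs without `size=` can grow to half of host RAM per mount, so several concurrent jobs writing to uncapped tmpfs mounts can starve the host even though nothing touches the disk.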
@Codeberg I'd recommend creating an issue on the podman GitHub. I have received good help from there when I was in trouble. They have a Matrix channel too.
Posted by ikkeT@mementomori.social
@Codeberg I’d be very nervous using that for tenant isolation. Is there a reason not to use ephemeral VMs (which have a much smaller attack surface than a Linux kernel) for CI as other providers do? I’m not sure what your host infrastructure looks like, but creating ZFS clones of base VM images should be as fast as creating a container filesystem and a modern OS can boot in under a second (FreeBSD on Firecracker can boot in under 25ms, I think Linux is a bit slower but a similar ballpark, so there’s no noticeable latency for users).
Posted by david_chisnall@infosec.exchange
@david_chisnall Yes, someone has to do that setup. That's the reason it is not used.
Containerization via docker / podman exists out of the box.
Posted by Codeberg@social.anoxinon.de