Switch to Buildah for container builds (no Docker socket needed)

- Replace docker-cli with buildah/podman in runner image - Configure buildah for overlay storage with fuse-overlayfs - Add registry config for insecure local registry - Remove Docker socket mount and root security context from deployment - Update composite action to use buildah bud/push instead of docker Buildah is daemonless - no Docker socket required, cleaner security model. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-23 20:14:03 -08:00 · 2026-01-23 20:14:03 -08:00 · 9f5dae5707
commit 9f5dae5707
parent 4c249ff116
3 changed files with 31 additions and 27 deletions
--- a/.forgejo/actions/build-push-image/action.yaml
+++ b/.forgejo/actions/build-push-image/action.yaml
@ -1,5 +1,5 @@
 name: 'Build and Push Image'
-description: 'Build a container image and push to zot registry'
+description: 'Build a container image with Buildah and push to registry'

 inputs:
  context:
@ -24,20 +24,20 @@ inputs:
 runs:
  using: 'composite'
  steps:
-    - name: Build image
+    - name: Build image with Buildah
      shell: bash
      run: |
-        docker build \
-          -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \
-          -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \
-          -f ${{ inputs.context }}/${{ inputs.dockerfile }} \
+        buildah bud \
+          --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \
+          --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \
+          --file ${{ inputs.context }}/${{ inputs.dockerfile }} \
          ${{ inputs.context }}

    - name: Push to registry
      shell: bash
      run: |
-        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }}
-        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}
+        buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }}
+        buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}

    - name: Verify push
      shell: bash
--- a/argocd/manifests/forgejo-runner/Dockerfile
+++ b/argocd/manifests/forgejo-runner/Dockerfile
@ -18,12 +18,31 @@ RUN apk add --no-cache \
    gcc \
    g++ \
    musl-dev \
-    # For container builds
-    ca-certificates \
-    docker-cli
+    # For container builds (daemonless, no Docker socket needed)
+    buildah \
+    podman \
+    fuse-overlayfs \
+    shadow \
+    ca-certificates
+
+# Configure buildah for rootless operation
+RUN mkdir -p /etc/containers && \
+    echo '[storage]' > /etc/containers/storage.conf && \
+    echo 'driver = "overlay"' >> /etc/containers/storage.conf && \
+    echo 'runroot = "/tmp/containers-run"' >> /etc/containers/storage.conf && \
+    echo 'graphroot = "/tmp/containers-storage"' >> /etc/containers/storage.conf && \
+    echo '[storage.options.overlay]' >> /etc/containers/storage.conf && \
+    echo 'mount_program = "/usr/bin/fuse-overlayfs"' >> /etc/containers/storage.conf
+
+# Configure registries (allow insecure for local registry)
+RUN mkdir -p /etc/containers && \
+    echo 'unqualified-search-registries = ["docker.io"]' > /etc/containers/registries.conf && \
+    echo '[[registry]]' >> /etc/containers/registries.conf && \
+    echo 'location = "registry.tail8d86e.ts.net"' >> /etc/containers/registries.conf && \
+    echo 'insecure = true' >> /etc/containers/registries.conf

 # Verify tools are available
-RUN node --version && npm --version && docker --version
+RUN node --version && npm --version && buildah --version

 # Switch back to non-root user
 USER 1000
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@ -48,8 +48,6 @@ spec:
              mountPath: /data
            - name: runner-config
              mountPath: /config
-            - name: docker-sock
-              mountPath: /var/run/docker.sock
          resources:
            requests:
              memory: "256Mi"
@ -57,22 +55,9 @@ spec:
            limits:
              memory: "1Gi"
              cpu: "1000m"
-          securityContext:
-            # Run as root with docker group to access Docker socket
-            runAsUser: 0
-            runAsGroup: 0
-      securityContext:
-        # Add docker group (GID 999 in minikube) for socket access
-        fsGroup: 999
-        supplementalGroups:
-          - 999
      volumes:
        - name: runner-data
          emptyDir: {}
        - name: runner-config
          configMap:
            name: forgejo-runner-config
-        - name: docker-sock
-          hostPath:
-            path: /var/run/docker.sock
-            type: Socket