From 942d58d41c4f6f4e2238bf7b8793ee2c3993abdb Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Fri, 16 Feb 2024 13:17:39 -0500
Subject: [PATCH] Setup for quadlet/systemd runtime management
Rather than setting up volumes and starting the pipglr container manually, utilize quadlet + systemd. Retain the old setup and execution method, but move them into separate documentation.
Signed-off-by: Chris Evich
---
 README.md | 34 +++++++++++++++-------------------
 manual_setup.md | 32 ++++++++++++++++++++++++++++++++
 quadlet/pipglr-cache.volume | 13 +++++++++++++
 quadlet/pipglr-storage.volume | 13 +++++++++++++
 quadlet/pipglr.container | 33 +++++++++++++++++++++++++++++++++
 quadlet/pipglr.network | 11 +++++++++++
 6 files changed, 117 insertions(+), 19 deletions(-)
create mode 100644 manual_setup.md
create mode 100644 quadlet/pipglr-cache.volume
create mode 100644 quadlet/pipglr-storage.volume
create mode 100644 quadlet/pipglr.container
create mode 100644 quadlet/pipglr.network
diff --git a/README.md b/README.md
index 839eb09..9225c2b 100644
--- a/README.md
+++ b/README.md
@@ -159,34 +159,30 @@ to reflect the number of registered runners.
 If you need to edit this file after committing it as a secret, there's [
 a `dumpconfig` *runlabel* for that](README.md#configuration-editing).
-#### Volume setup (step 5)
+#### Quadlet setup and container start (step 5)
-Since several users are utilized inside the container volumes must be
-specifically configured to permit access. This is done using several
-*runlabels* as follows:
+**Note**: If your system is missing or does not support the use of quadlet
+(`man 5 podman-systemd.unit`), you'll find [manual volume setup steps
+here](manual_setup.md).
+
+Create and copy the quadlet configuration files:
 ```bash
-$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
-$ podman container runlabel setupstorage $IMAGE
-$ podman container runlabel setupcache $IMAGE
+$ mkdir -p ~/.config/containers/systemd
+$ cp quadlet/* ~/.config/containers/systemd/
 ```
-Note: These volumes generally do not contain any critical operational data,
-they may be re-created anytime to quickly free up host disk-space if
-it's running low. Simply remove them with the command
- `podman volume rm pipglr-storage pipglr-cache`. Then reuse the `setupstorage`
-and `setupcache` *runlabels* as in the above example.
-
-#### Runner Startup (step 6)
-
-With the runner configuration saved as a Podman secret, and the runner volumes
-created, the GitLab runner container may be launched with the following commands:
+Finally, reload the local systemd user-slice to generate the unit files,
+and fire up pipglr!
 ```bash
-$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
-$ podman container runlabel run $IMAGE
+$ systemd --user daemon-reload
+$ systemd start pipglr
 ```
+If you want the service to start automatically on boot, you may run
+`systemctl --user enable podman-restart.service`
+
 ### Configuration Editing
 The gitlab-runner configuration contains some sensitive values which
diff --git a/manual_setup.md b/manual_setup.md
new file mode 100644
index 0000000..64b29ae
--- /dev/null
+++ b/manual_setup.md
@@ -0,0 +1,32 @@
+### Additional Manual steps
+
+On systems without Quadlet, some additional steps are required
+to get the pipglr container up and running.
+
+### Manual Volume setup
+
+Since several users are utilized inside the container volumes must be
+specifically configured to permit access. This is done using several
+*runlabels* as follows:
+
+```bash
+$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
+$ podman container runlabel setupstorage $IMAGE
+$ podman container runlabel setupcache $IMAGE
+```
+
+Note: These volumes generally do not contain any critical operational data,
+they may be re-created anytime to quickly free up host disk-space if
+it's running low. Simply remove them with the command
+ `podman volume rm pipglr-storage pipglr-cache`. Then reuse the `setupstorage`
+and `setupcache` *runlabels* as in the above example.
+
+#### Manual Runner Startup
+
+With the runner configuration saved as a Podman secret, and the runner volumes
+created, the GitLab runner container may be launched with the following commands:
+
+```bash
+$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
+$ podman container runlabel run $IMAGE
+```
diff --git a/quadlet/pipglr-cache.volume b/quadlet/pipglr-cache.volume
new file mode 100644
index 0000000..90c734a
--- /dev/null
+++ b/quadlet/pipglr-cache.volume
@@ -0,0 +1,13 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner job cache storage volume
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=local-fs.target
+Requires=podman.socket
+
+[Volume]
+VolumeName=pipglr-cache
+Copy=false
+# The `podman` user inside the container should own everything
+Options=o=uid=1000,gid=1000
+# Support podman...prune --filters=persistent!=true
+Label=persistent=true
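Review bot: The comment `# Support podman...prune --filters=persistent!=true` above `Label=persistent=true` does not describe a real podman invocation, so a reader cannot copy it; podman's prune filter syntax is `--filter label!=<key>=<value>`, and the comment should read `# Lets volume prune skip this volume: podman volume prune --filter 'label!=persistent=true'`. The identical comment appears in quadlet/pipglr-storage.volume and needs the same correction. Separately, `Requires=podman.socket` makes a plain `podman volume create` unit hard-depend on the API socket; I have not verified that the quadlet volume generator needs it, so if it is only a nice-to-have, `Wants=` would avoid failing volume creation when the socket unit is absent.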
diff --git a/quadlet/pipglr-storage.volume b/quadlet/pipglr-storage.volume
new file mode 100644
index 0000000..106028c
--- /dev/null
+++ b/quadlet/pipglr-storage.volume
@@ -0,0 +1,13 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner nested-container storage volume
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=local-fs.target
+Requires=podman.socket
+
+[Volume]
+VolumeName=pipglr-storage
+Copy=false
+# The `podman` user inside the container should own everything
+Options=o=uid=1000,gid=1000
+# Support podman...prune --filters=persistent!=true
+Label=persistent=true
diff --git a/quadlet/pipglr.container b/quadlet/pipglr.container
new file mode 100644
index 0000000..8bcf9a3
--- /dev/null
+++ b/quadlet/pipglr.container
@@ -0,0 +1,33 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=pipglr-storage-volume.service pipglr-cache-volume.service
+Requires=podman.socket pipglr-storage-volume.service pipglr-cache-volume.service
+
+[Container]
+ContainerName=pipglr
+Image=registry.gitlab.com/qontainers/pipglr
+
+# Required to run containers inside a container and ensure
+# container can be managed with podman-restart.service
+# Note: See https://github.com/containers/podman/issues/20418
+PodmanArgs=--privileged --restart=always
+
+# A nested systemd is used to manage nested podman & gitlab runner services
+Systemd=true
+
+# Allow jobs access to utilize fuse-overlayfs, for example to build container images.
+Device=/dev/fuse
+
+# Must be owned by the gitlab-runner user
+Secret config.toml,uid=1001,gid=1001
+
+# Add network isolation from other containers
+Network=pipglr.network
+
+# Storage for nested container images and job cache
+Volume=pipglr-storage:/home/podman/.local/share/containers
+Volume=pipglr-cache:/cache
+
+# No need to preserve this between runs
+VolatileTmp=true
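Review bot: `Secret config.toml,uid=1001,gid=1001` in the [Container] section of quadlet/pipglr.container has no `=` between key and value, so it is not a valid unit-file assignment and the runner config will not be mounted (the generator will most likely reject the whole unit); it should be `Secret=config.toml,uid=1001,gid=1001`. `PodmanArgs=--privileged --restart=always` removes the capability, seccomp and device boundaries between the runner and the host, which also makes the `Device=/dev/fuse` line redundant, and it means any job that escapes the nested podman is root on the host; the comment above it should state that plainly, e.g. `# --privileged drops the container/host isolation boundary: run this unit only on a host dedicated to the runner`. `Image=registry.gitlab.com/qontainers/pipglr` carries no tag or digest, so each start resolves a mutable `latest`; pinning a tag or digest (and choosing `AutoUpdate=` deliberately) would make what the runner executes reproducible and auditable.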
diff --git a/quadlet/pipglr.network b/quadlet/pipglr.network
new file mode 100644
index 0000000..4ad7aec
--- /dev/null
+++ b/quadlet/pipglr.network
@@ -0,0 +1,11 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner dedicated network
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=network-online.target
+Requires=podman.socket network.target
+
+[Network]
+Driver=bridge
+# The pipglr container never accesses other containers on/or the host
+Options=isolate
+DisableDNS=true
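Review bot: The comment `# The pipglr container never accesses other containers on/or the host` promises more than `Options=isolate` delivers: as far as I know netavark's isolate option only blocks traffic between podman networks, it does not stop the container from reaching the host's own addresses and listening ports, so the comment should say `# isolate blocks traffic to/from other podman networks; it does not restrict access to the host itself`. `Requires=podman.socket network.target` paired with `After=network-online.target` orders the unit after a target it never pulls in; the usual pairing is `Wants=network-online.target` next to the existing `After=`. With `DisableDNS=true` the container's name resolution falls back to whatever podman hands it from the host, which is fine for an isolated runner but worth a one-line comment so nobody later adds a second container to this network expecting name lookups to work.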