Setup for quadlet/systemd runtime management

Rather than setting up volumes and starting the pipglr container
manually, utilize quadlet + systemd.  Retain the old setup and execution
method, but move them into separate documentation.

Signed-off-by: Chris Evich <cevich@redhat.com>

Containerfile

@@ -45,6 +45,8 @@ ENTRYPOINT /lib/systemd/systemd
 # Gitlab-runner configuration options, may be freely overridden at
 # container image build time.
 ARG DEFAULT_JOB_IMAGE=registry.fedoraproject.org/fedora-minimal:latest
+# Allow image-builders to override the Gitlab URL
+ARG GITLAB_URL=https://gitlab.com/
 # Run nested containers in --privileged mode - required to allow building
 # container images using podman or buildah.  Otherwise may be set 'false'.
 ARG NESTED_PRIVILEGED=true
@@ -59,11 +61,10 @@ LABEL register="podman run -it --rm \
  --secret=REGISTRATION_TOKEN,type=env \
  -v ./config.toml:/etc/gitlab-runner/config.toml:Z \
  -e REGISTER_NON_INTERACTIVE=true \
- -e CI_SERVER_URL=https://gitlab.com/ \
+ -e CI_SERVER_URL=${GITLAB_URL} \
  -e RUNNER_NAME=pipglr \
  -e RUNNER_EXECUTOR=docker \
  -e RUNNER_SHELL=bash \
- -e REGISTER_MAINTENANCE_NOTE=Podman-In-Podman-GitLab-Runner \
  -e DOCKER_HOST=unix:///home/runner/podman.sock \
  -e DOCKER_IMAGE=${DEFAULT_JOB_IMAGE} \
  -e DOCKER_CACHE_DIR=/cache \

README.md

@@ -96,7 +96,12 @@ called `johndoe`, the contents of these files should be edited to allocate
 `jogndoe:<some number>:65539`
 
 Where `<some number>` was set by your OS when the `johndoe` user was created
-(you can ignore this).  Only the last number needs to be increased.
+(you can ignore this).  Only the last number needs to be increased.  This
+change will be effective on next login, or immediately by running:
+
+`podman system migrate`
+
+*Note:* This will stop any currently running containers.
 
 #### Runner registration (step 3)
 
@@ -154,34 +159,30 @@ to reflect the number of registered runners.  If you need to edit this file
 after committing it as a secret, there's
 [ a `dumpconfig`  *runlabel* for that](README.md#configuration-editing).
 
-#### Volume setup (step 5)
+#### Quadlet setup and container start (step 5)
 
-Since several users are utilized inside the container volumes must be
+**Note**: If your system is missing or does not support the use of quadlet
-specifically configured to permit access.  This is done using several
+(`man 5 podman-systemd.unit`), you'll find [manual volume setup steps
-*runlabels* as follows:
+here](manual_setup.md).
+
+Create and copy the quadlet configuration files:
 
 ```bash
-$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
+$ mkdir -p ~/.config/containers/systemd
-$ podman container runlabel setupstorage $IMAGE
+$ cp quadlet/* ~/.config/containers/systemd/
-$ podman container runlabel setupcache $IMAGE
 ```
 
-Note: These volumes generally do not contain any critical operational data,
+Finally, reload the local systemd user-slice to generate the unit files,
-they may be re-created anytime to quickly free up host disk-space if
+and fire up pipglr!
-it's running low.  Simply remove them with the command
- `podman volume rm pipglr-storage pipglr-cache`.  Then reuse the `setupstorage`
-and `setupcache` *runlabels* as in the above example.
-
-#### Runner Startup (step 6)
-
-With the runner configuration saved as a Podman secret, and the runner volumes
-created, the GitLab runner container may be launched with the following commands:
 
 ```bash
-$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
+$ systemd --user daemon-reload
-$ podman container runlabel run $IMAGE
+$ systemd start pipglr
 ```
 
+If you want the service to start automatically on boot, you may run
+`systemctl --user enable podman-restart.service`
+
 ### Configuration Editing
 
 The gitlab-runner configuration contains some sensitive values which
@@ -242,6 +243,8 @@ Several build arguments are available to control the output image:
   `--platform` build argument, it will be set automatically.  Note:
   as of this writing, only `amd64` and `arm64` builds of the gitlab-runner
   are available.
+* `GITLAB_URL` - Defaults to 'https://gitlab.com/' but can be set to point
+  to a self hosted instance of Gitlab.
 * `NESTED_PRIVILEGED` - Defaults to 'true', may be set 'false' to prevent
   nested containers running in `--privileged` mode.  This will affect
   the ability to build container images in CI jobs using tools like

manual_setup.md

@@ -0,0 +1,32 @@
+### Additional Manual steps
+
+On systems without Quadlet, some additional steps are required
+to get the pipglr container up and running.
+
+### Manual Volume setup
+
+Since several users are utilized inside the container volumes must be
+specifically configured to permit access.  This is done using several
+*runlabels* as follows:
+
+```bash
+$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
+$ podman container runlabel setupstorage $IMAGE
+$ podman container runlabel setupcache $IMAGE
+```
+
+Note: These volumes generally do not contain any critical operational data,
+they may be re-created anytime to quickly free up host disk-space if
+it's running low.  Simply remove them with the command
+ `podman volume rm pipglr-storage pipglr-cache`.  Then reuse the `setupstorage`
+and `setupcache` *runlabels* as in the above example.
+
+#### Manual Runner Startup
+
+With the runner configuration saved as a Podman secret, and the runner volumes
+created, the GitLab runner container may be launched with the following commands:
+
+```bash
+$ IMAGE="registry.gitlab.com/qontainers/pipglr:latest"
+$ podman container runlabel run $IMAGE
+```

quadlet/pipglr-cache.volume

@@ -0,0 +1,13 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner job cache storage volume
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=local-fs.target
+Requires=podman.socket
+
+[Volume]
+VolumeName=pipglr-cache
+Copy=false
+# The `podman` user inside the container should own everything
+Options=o=uid=1000,gid=1000
+# Support podman...prune --filters=persistent!=true
+Label=persistent=true

quadlet/pipglr-storage.volume

@@ -0,0 +1,13 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner nested-container storage volume
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=local-fs.target
+Requires=podman.socket
+
+[Volume]
+VolumeName=pipglr-storage
+Copy=false
+# The `podman` user inside the container should own everything
+Options=o=uid=1000,gid=1000
+# Support podman...prune --filters=persistent!=true
+Label=persistent=true

quadlet/pipglr.container

@@ -0,0 +1,33 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=pipglr-storage-volume.service pipglr-cache-volume.service
+Requires=podman.socket pipglr-storage-volume.service pipglr-cache-volume.service
+
+[Container]
+ContainerName=pipglr
+Image=registry.gitlab.com/qontainers/pipglr
+
+# Required to run containers inside a container and ensure
+# container can be managed with podman-restart.service
+# Note: See https://github.com/containers/podman/issues/20418
+PodmanArgs=--privileged --restart=always
+
+# A nested systemd is used to manage nested podman & gitlab runner services
+Systemd=true
+
+# Allow jobs access to utilize fuse-overlayfs, for example to build container images.
+Device=/dev/fuse
+
+# Must be owned by the gitlab-runner user
+Secret config.toml,uid=1001,gid=1001
+
+# Add network isolation from other containers
+Network=pipglr.network
+
+# Storage for nested container images and job cache
+Volume=pipglr-storage:/home/podman/.local/share/containers
+Volume=pipglr-cache:/cache
+
+# No need to preserve this between runs
+VolatileTmp=true

quadlet/pipglr.network

@@ -0,0 +1,11 @@
+[Unit]
+Description=Podman-in-podman GitLab Runner dedicated network
+Documentation=https://gitlab.com/qontainers/pipglr/-/blob/main/README.md
+After=network-online.target
+Requires=podman.socket network.target
+
+[Network]
+Driver=bridge
+# The pipglr container never accesses other containers on/or the host
+Options=isolate
+DisableDNS=true

root/setup.sh

@@ -38,15 +38,6 @@ set -x  # show what's happening to make debugging easier
 # DNF itself or a dependence may need upgrading, take care of it first.
 $DNF upgrade
 
-# WORKAROUND: crun: write to `/proc/self/oom_score_adj`: Permission denied
-# Ref: https://github.com/containers/podman/pull/19843
-if [[ $(date +%Y%m%d) -gt 20231115 ]]; then
-  echo "FIXME: Please check if crun 1.9.3+ is available in CentOS Stream-9."
-  echo "If so, this crun-1.8.7 workaround may be removed."
-  exit 1
-fi
-dnf $x install -y crun-1.8.7
-
 $DNF $x install \
   podman \
   systemd