From 6cfab7432a1d5fa98b722ad1869feae4ca7504e2 Mon Sep 17 00:00:00 2001 From: Michal Date: Mon, 9 Mar 2026 10:19:44 +0000 Subject: [PATCH] ci: use buildah with chroot isolation for container builds Podman fails with "cannot re-exec process" inside runner containers (no user namespace support). Buildah with --isolation chroot and --storage-driver vfs can build OCI images without a daemon, without namespaces, and without privileged mode. Co-Authored-By: Claude Opus 4.6 --- .gitea/workflows/ci.yml | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 4401b08..b051e4e 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml 
@@ -150,39 +150,43 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Install podman and skopeo - run: sudo apt-get update && sudo apt-get install -y podman skopeo + - name: Install buildah and skopeo + run: sudo apt-get update && sudo apt-get install -y buildah skopeo - name: Build & push mcpd run: | - sudo -E podman build -t mcpd:latest -f deploy/Dockerfile.mcpd . - sudo -E skopeo copy --dest-tls-verify=false \ + buildah build --isolation chroot --storage-driver vfs \ + -t mcpd:latest -f deploy/Dockerfile.mcpd . + skopeo copy --src-tls-verify=false --dest-tls-verify=false \ --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \ - containers-storage:mcpd:latest \ + containers-storage:[vfs@/var/lib/containers/storage]mcpd:latest \ docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpd:latest - name: Build & push node-runner run: | - sudo -E podman build -t node-runner:latest -f deploy/Dockerfile.node-runner . - sudo -E skopeo copy --dest-tls-verify=false \ + buildah build --isolation chroot --storage-driver vfs \ + -t node-runner:latest -f deploy/Dockerfile.node-runner . + skopeo copy --src-tls-verify=false --dest-tls-verify=false \ --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \ - containers-storage:node-runner:latest \ + containers-storage:[vfs@/var/lib/containers/storage]node-runner:latest \ docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-node-runner:latest - name: Build & push python-runner run: | - sudo -E podman build -t python-runner:latest -f deploy/Dockerfile.python-runner . - sudo -E skopeo copy --dest-tls-verify=false \ + buildah build --isolation chroot --storage-driver vfs \ + -t python-runner:latest -f deploy/Dockerfile.python-runner . 
+ skopeo copy --src-tls-verify=false --dest-tls-verify=false \ --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \ - containers-storage:python-runner:latest \ + containers-storage:[vfs@/var/lib/containers/storage]python-runner:latest \ docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-python-runner:latest - name: Build & push docmost-mcp run: | - sudo -E podman build -t docmost-mcp:latest -f deploy/Dockerfile.docmost-mcp . - sudo -E skopeo copy --dest-tls-verify=false \ + buildah build --isolation chroot --storage-driver vfs \ + -t docmost-mcp:latest -f deploy/Dockerfile.docmost-mcp . + skopeo copy --src-tls-verify=false --dest-tls-verify=false \ --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \ - containers-storage:docmost-mcp:latest \ + containers-storage:[vfs@/var/lib/containers/storage]docmost-mcp:latest \ docker://${{ env.REGISTRY }}/${{ env.OWNER }}/docmost-mcp:latest - name: Link packages to repository
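Review bot: All four push steps still run `skopeo copy` with `--dest-tls-verify=false` while handing `${{ secrets.PACKAGES_TOKEN }}` to `--dest-creds`, so the token is sent to `docker://${{ env.REGISTRY }}/...` without the registry certificate being validated; the newly added `--src-tls-verify=false` is a no-op for a `containers-storage:` source and only adds noise. If the registry uses a private CA, trust it on the runner (system store or `/etc/containers/certs.d/<registry>/ca.crt`) and reduce the line to `skopeo copy --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \`. The source reference hardcodes `[vfs@/var/lib/containers/storage]`, which is the root-owned store; with `sudo -E` gone this presumably only matches when the job runs as root, otherwise buildah writes to the rootless store and skopeo will report the image missing, so pointing both sides at one explicit location via a single env var (buildah `--root` and the `[vfs@...]` reference) would make the pairing unambiguous. The same applies to the mcpd, node-runner, python-runner and docmost-mcp steps; the enclosing `jobs:`/`steps:` block starts before this hunk.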