docker(role): document gVisor issue with user-def. br. and provide help

Document issue with containers on user-defined bridges and using the gVisor runsc runtime. Also provide a helper resolv.conf as a workaround.
docker(role): provide option to set up gVisor (runsc runtime)
2026-06-23 21:00:33 +02:00 · 2026-06-23 21:00:33 +02:00 · 2026-06-23 21:00:33 +02:00
7 changed files with 5 additions and 63 deletions
--- a/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml
+++ b/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml
@ -1,8 +1,8 @@
 ansible_pull__age_private_key: ENC[AES256_GCM,data:fEly3EIovZ4n5xMnD5Aqtbn1+DUszR0MvBHcM383G40qfHxrbF/lqc8iftshInoHSU77Vugignyb0dTSCTS1cWmEg8I/+ZFjgwc=,iv:Y1XunCfdIUC5nTu+vkr0Q0LUBWeIwP/bGNkbnDb1cpA=,tag:6UrkMx6yEGB46VVvtAkDMQ==,type:str]
-secret__forgejo_runner_ccchh_git_token: ENC[AES256_GCM,data:GuUA5vAPCYFmEWU3nJ3YFyE1O0FxwrWG2RCDGuOot9pg2e+jYVn4jg==,iv:ApV/fOOhIMl4I4/uVyxzPzBrx9wHkuOuc0M9S4ej/3s=,tag:9mBCgljYm6hFg73eQpp4bg==,type:str]
 sops:
  age:
-    - enc: |
+    - recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf
+      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcFhwNmRXTnptOUMrN0dZ
        UnN0bFdCVjJQamNvTzZmMkxRdk0zL0E4bm4wCmRIVmVrVW1Jb3BKOVNnNnM5MXJm
@ -10,9 +10,8 @@ sops:
        VVI1TnN3UkcxUzdOWjJQTzZLOHNlaDQKx/HqW9sEYmNYIMYvLVF/9eJfcgRH/cJv
        YqcDNZc8L9Rap2TfwsiJZourqDTe/8sWgQ0yHC4mcKS1HJOTUMNwqQ==
        -----END AGE ENCRYPTED FILE-----
-      recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf
-  lastmodified: "2026-06-23T19:19:06Z"
-  mac: ENC[AES256_GCM,data:f5YzwSyH+1aJKc5X6zVTVVQa2tuYJPJSALM8H5Tc61GidGZJfv8nYs7ocy1spEVGDse28St/Z3+jD7yZwDQWIw3Nco8dxdrMZC+Ay10O8OJbmTjq4q1SG6GGGyQYCY/pInBrPB+ADSyn1N+uyvRupHC6B3jH2QiCHGEiz1y3ec0=,iv:xZ8wSma3LwQagQVxRK1h3+8wCfzNdQ22X2E6Kuv0FI0=,tag:S6c/QEqDgl2lH9vj+SFb1Q==,type:str]
+  lastmodified: "2026-05-20T02:12:09Z"
+  mac: ENC[AES256_GCM,data:QgL5PSrG3yVeJQgDJ3/VQhGwF7WpDb0+w7oxeF0KeNt3m2YqUsS1qKwK4gJAbmyt/RPdRErTiPs6NdAouowjZg6zcd+Trags/GIBKcaIyJqQa4lw3J3Jod9GTkol70c0H/X76kQx+bWzuXnJy64Dm3t2h+/ytD45+yZJ/959FKI=,iv:JnR8ZRgCfsr7T7L0NLCncH/6q1EGErOCzYjZWrazDh8=,tag:HHH6MrP1bFU0j/Hb6crEZA==,type:str]
  pgp:
    - created_at: "2026-05-20T02:11:43Z"
      enc: |-
@ -185,4 +184,4 @@ sops:
        -----END PGP MESSAGE-----
      fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
  unencrypted_suffix: _unencrypted
-  version: 3.13.1
+  version: 3.12.1
--- a/inventories/chaosknoten/host_vars/forgejo-runner.yaml
+++ b/inventories/chaosknoten/host_vars/forgejo-runner.yaml
@ -1 +0,0 @@
-forgejo_runner__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2') }}"
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -282,5 +282,3 @@ renovate_hosts:
    renovate:
 secrets_hosts:
  hosts:
-forgejo_runner_hosts:
-  hosts:
--- a/inventories/external/hosts.yaml
+++ b/inventories/external/hosts.yaml
@ -24,5 +24,3 @@ ansible_pull_hosts:
    status:
 secrets_hosts:
  hosts:
-forgejo_runner_hosts:
-  hosts:
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -60,5 +60,3 @@ ansible_pull_hosts:
    yate:
 secrets_hosts:
  hosts:
-forgejo_runner_hosts:
-  hosts:
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@ -150,13 +150,6 @@
  tags:
    - eh22_styleguide_dir

- name: Ensure forgejo-runner is setup on forgejo_runner_hosts
-  hosts: forgejo_runner_hosts
-  roles:
-    - forgejo_runner
-  tags:
-    - forgejo_runner
-
 - name: Setup authoritative dns servers
  hosts: auth-dns
  roles:
--- a/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
+++ b/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
@ -1,43 +0,0 @@
-log:
-  level: info
-  job_level: info
-
-runner:
-  file: .runner
-  capacity: 4
-  timeout: 1h
-  shutdown_timeout: 30m
-  insecure: false
-  fetch_timeout: 30s
-  fetch_interval: 2s
-  report_interval: 1s
-  labels:
-    # https://forgejo.org/docs/latest/admin/actions/configuration/#choosing-labels
-    - docker:docker://docker.io/library/node:lts
-
-cache:
-  enabled: false
-
-container:
-  # Leave emtpy to create a network automatically.
-  network: ""
-  enable_ipv6: true
-  privileged: false
-  ## Something like this once gVisor can be used.
-  ## options: "--runtime=runsc --mount type=bind,src=/etc/gvisor-helper-resolv.conf,dst=/etc/resolv.conf,ro=true"
-  # Leave empty for default /workspace to be used.
-  workdir_parent:
-  ## Something like this once gVisor can be used.
-  ## Add /etc/gvisor-helper-resolv.conf to valid_volumes to make the bind-mount in options work.
-  ## valid_volumes: ["/etc/gvisor-helper-resolv.conf:ro"]
-  # Leave "-", so no docker host will be mounted in the job container.
-  docker_host: "-"
-  force_pull: true
-  force_rebuild: false
-
-server:
-  connections:
-    ccchh-git:
-      url: https://git.hamburg.ccc.de/
-      uuid: c672834d-3d63-4471-894e-80f6888eb4de
-      token: {{ secret__forgejo_runner_ccchh_git_token }}
Author	SHA1	Message	Date
June	fdd9eadad1	docker(role): document gVisor issue with user-def. br. and provide help Some checks failed / Ansible Lint (push) Successful in 3m53s Details / build (pull_request) Failing after 2m40s Details / Ansible Lint (pull_request) Successful in 2m41s Details Document issue with containers on user-defined bridges and using the gVisor runsc runtime. Also provide a helper resolv.conf as a workaround.	2026-06-23 21:00:33 +02:00
June	f956ed6f35	docker(role): provide option to set up gVisor (runsc runtime)	2026-06-23 21:00:33 +02:00
June	d4a1dee108	forgejo_runner(role): create role for setting up Forgejo Runner install	2026-06-23 21:00:33 +02:00
				`@ -1 +0,0 @@`
				`forgejo_runner__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2') }}"`