Skip to content
This repository has been archived by the owner on Jun 23, 2022. It is now read-only.

Latest commit

 

History

History
 
 

buildah

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Buildah/Podman Actions Runner

Quay org

The Buildah/Podman Actions Runner extends the base runner to include Buildah, Podman, and the dependencies they need to run in a rootless, containerized environment.

In order for OpenShift containers to run Buildah and Podman, the user or ServiceAccount that deploys the pod must have permission to deploy using the anyuid SecurityContextConstraint (SCC).

Buildah has a very good tutorial detailing how to run buildah in OpenShift.

You can also refer to the OpenShift documentation Managing Security Context Constraints, and this blog post.

Deploying the buildah pod

It is recommended to deploy the pod using a ServiceAccount specifically configured to have the required permissions. An administrator must run:

# Create the ServiceAccount (if needed)
$ oc create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: buildah-sa
EOF

serviceaccount/buildah-sa created

# Give the ServiceAccount permission to deploy with the anyuid scc.
$ oc adm policy add-scc-to-user anyuid -z buildah-sa

Then, when using the Helm chart to install buildah runners, you can pass --set serviceAccountName=buildah-sa

Or, an adminstrator can give a specific user permission:

oc adm policy add-scc-to-user anyuid <user>

Podman run

podman run doesn't work unless the pod is created with the privileged SCC.

If you need to use podman run, run the oc adm policy commands as above, but substitute privileged for anyuid.