hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul
git clone https://git.in0rdr.ch/hashipi.git

commit 37a00b51b8b306f1f6d43854b53ca1edf86e1162
parent a0a774536c5b97f7a378bb8c00ed584495e36858
Author: Andreas Gruhler <agruhl@gmx.ch>
Date:   Sun, 14 Sep 2025 00:15:26 +0200

feat(lxc): add pkgs for lxc unprivileged containers

Diffstat:
Mbootstrap.sh | 6++++--
Mnomad.sh | 15+++++++++++++++
2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/bootstrap.sh b/bootstrap.sh
@@ -25,10 +25,12 @@ wget -O- https://apt.releases.hashicorp.com/gpg \
 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
 | tee /etc/apt/sources.list.d/hashicorp.list
-# Install packages
+# Install packages for podman and lxc unprivileged containers
+# https://wiki.debian.org/LXC
 apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install -y jq podman cloud-init curl \
- "nomad=${NOMAD_VERSION}-1"
+ "nomad=${NOMAD_VERSION}-1" \
+ lxc libvirt0 bridge-utils uidmap
 curl -L -o openbao.deb "https://github.com/openbao/openbao/releases/download/v${BAO_VERSION}/bao_${BAO_VERSION}_linux_${ARCHITECTURE}.deb"
 apt install ./openbao.deb
diff --git a/nomad.sh b/nomad.sh
@@ -219,6 +219,21 @@ systemctl --user -M jenkins@ enable podman.socket
 # create the mountpoint for the workspaces, podman does not create it for us
 sudo -u jenkins mkdir /home/jenkins/workspace
+# Prepare LXC network:
+# * https://linuxcontainers.org/lxc/getting-started/#create-unprivileged-containers-as-a-user
+# This means that "jenkins" is allowed to create up to 10 veth devices
+# connected to the lxcbr0 bridge.
+echo jenkins veth lxcbr0 10 >> /etc/lxc/lxc-usernet
+
+# Prepare LXC uid mapping
+# https://wiki.debian.org/LXC
+mkdir -p /home/jenkins/.config/lxc
+cat << EOF > /home/jenkins/.config/lxc/default.conf
+lxc.include = /etc/lxc/default.conf
+lxc.idmap = u 0 165536 65536
+lxc.idmap = g 0 165536 65536
+EOF
+
 # move Nomad server truststore
 sudo mv $TLS_DIR/nomad-agent-ca.p12 /home/jenkins/
 sudo chown jenkins: /home/jenkins/nomad-agent-ca.p12
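Review bot: In the nomad.sh hunk, `mkdir -p /home/jenkins/.config/lxc` and the `cat << EOF > /home/jenkins/.config/lxc/default.conf` heredoc run as root, so the `lxc` directory and `default.conf` end up root-owned inside the jenkins home, unlike the adjacent `sudo -u jenkins mkdir` and `sudo chown jenkins:` lines that take care to hand ownership to jenkins; an unprivileged lxc invoked as jenkins can presumably still read a mode-644 file, but jenkins can no longer manage its own config. Prefer `sudo -u jenkins mkdir -p /home/jenkins/.config/lxc` and either `chown jenkins: /home/jenkins/.config/lxc/default.conf` after the heredoc or writing it through `sudo -u jenkins tee /home/jenkins/.config/lxc/default.conf >/dev/null`. The `>>` append to `/etc/lxc/lxc-usernet` is also not idempotent and duplicates the entry on every re-run of the script; guard it with `grep -qs '^jenkins veth lxcbr0 ' /etc/lxc/lxc-usernet || echo jenkins veth lxcbr0 10 >> /etc/lxc/lxc-usernet`. The idmap range `165536 65536` only works if the same range is allocated to jenkins in /etc/subuid and /etc/subgid, which this hunk does not show; a comment naming where that allocation (and the lxcbr0 bridge setup) happens would help the next reader, since the script continues on both sides of the hunk.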