nomad

HCL and Docker files for Nomad deployments

commit 3bfb2349da1c17ff1937a40b4879e6b33905ff5f
parent 5470d77e1a9817c55a44ef73881bc54b95803e83
Author: Andreas Gruhler <agruhl@gmx.ch>
Date:   Sun, 10 Aug 2025 16:25:30 +0200

feat(jenkins-agent): replace docker with podman

Diffstat:
Mdocker/docker-jenkins-inbound-agent/Dockerfile | 36++++++++++++++++--------------------
Mdocker/docker-jenkins-inbound-agent/README | 6++++++
Mhcl/default/jenkins/templates/jenkins.yaml.tmpl | 2+-
3 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/docker/docker-jenkins-inbound-agent/Dockerfile b/docker/docker-jenkins-inbound-agent/Dockerfile 
@@ -67,37 +67,33 @@ FROM agent AS inbound-agent
 
 USER root
 
-# Install Docker client
-ARG DOCKER_VERSION=28.3.3
-ARG DOCKER_COMPOSE_VERSION=v2.39.1
-RUN curl -fsSL https://download.docker.com/linux/static/stable/armhf/docker-$DOCKER_VERSION.tgz | tar --strip-components=1 -xz -C /usr/local/bin docker/docker
-RUN curl -fsSL https://github.com/docker/compose/releases/download/$DOCKER_COMPOSE_VERSION/docker-compose-linux-armv7 > /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose
-
-# Install Podman and Buildah, configure fuse-overlayfs as mount_program
-#
-# In rootless mode, without the CAP_SYS_ADMIN capability, many kernels prevent
-# mounting of overlay file systems, requiring you to specify a mount_program. The
-# mount_program option is also required on systems where the underlying storage
-# is btrfs, aufs, zfs, overlay, or ecryptfs based file systems. mount_program =
-# "/usr/bin/fuse-overlayfs"
-# - https://github.com/containers/buildah/issues/3666#issuecomment-1349687679
-# - https://github.com/containers/storage/blob/main/docs/containers-storage.conf.5.md
-#
-# netavark is a required dependency to run `buildah bud`.
-RUN apk add --no-cache buildah netavark fuse-overlayfs fuse
+# We emulate docker command for docker-workflow Jenkins plugin
+# and install buildah to build and push containers.
+# Install configure fuse-overlayfs as mount_program
+RUN apk add --no-cache podman-docker buildah fuse-overlayfs fuse
 
 # Set up environment variables to note that this is not starting with user
 # namespace and default to isolate the filesystem with chroot.
 # https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container
 ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot
 
+# 'overlay' is not supported over overlayfs without fuse-overlayfs
+# VFS would be the alternative
+# - https://docs.gitlab.com/ci/docker/using_docker_build/#buildah-example
+# - https://wiki.alpinelinux.org/wiki/Podman
+# - https://github.com/containers/storage/blob/main/docs/containers-storage.conf.5.md
+# - https://docs.podman.io/en/latest/markdown/podman.1.html#environment-variables
+ENV STORAGE_DRIVER=overlay
+
+# Configure fuse-overlayfs
 # https://docs.podman.io/en/latest/markdown/podman.1.html#note-unsupported-file-systems-in-rootless-mode
 RUN sed -i 's/#mount_program/mount_program/' /etc/containers/storage.conf
 
-# fuse: device not found, try 'modprobe fuse' first
-# https://github.com/containers/podman/blob/main/troubleshooting.md#24-podman-container-images-fail-with-fuse-device-not-found-when-run
+# Configure fuse and tun modules at boot
+# https://wiki.alpinelinux.org/wiki/Podman
 RUN mkdir -p /etc/modules.load.d
 RUN echo fuse > /etc/modules.load.d/fuse.conf
+RUN echo tun > /etc/modules.load.d/tun.conf
 
 # Configure missing subuid/subgids for rootless podman builds
 # https://docs.podman.io/en/latest/markdown/podman.1.html#rootless-mode
diff --git a/docker/docker-jenkins-inbound-agent/README b/docker/docker-jenkins-inbound-agent/README
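Review bot: The new `RUN apk add --no-cache podman-docker buildah fuse-overlayfs fuse` installs every package unpinned, so the image built from this commit is not reproducible and a repository update silently changes the podman/buildah versions the agent runs, whereas the removed `ARG DOCKER_VERSION=28.3.3` / `ARG DOCKER_COMPOSE_VERSION=v2.39.1` at least fixed the client versions. Pin them, e.g. `RUN apk add --no-cache podman-docker=<pinned version> buildah=<pinned version> fuse-overlayfs=<pinned version> fuse=<pinned version>` (hadolint DL3018), and bump the pins deliberately together with the image tag. The added `RUN echo tun > /etc/modules.load.d/tun.conf` continues the existing `/etc/modules.load.d` path, which differs from the conventional `/etc/modules-load.d`; more importantly, kernel modules are loaded by the host, so inside this image the file only has an effect if some component in the container reads it at start — a comment naming that consumer would help, otherwise these lines belong in the Nomad node's provisioning. The three separate RUN lines writing the module files could also be a single instruction.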
@@ -79,6 +79,12 @@ the downstream container where we run our app logic will always see an empty
 directory, because in the end all containers are run (in a flat structure, as
 you so will) on the Nomad agent.
 
+NOTE: THIS IS NOT DOCKER-IN-DOCKER
+* https://github.com/jenkinsci/docker-workflow-plugin/tree/docker-workflow-1.12/demo
+
+> the container only runs the CLI and connects back to the host to start sister
+> containers
+
 This is also why UID/GID needs to match between the user that runs the Podman
 socket on the Nomad node and the user that spawns the Jenkins agent (the Nomad
 job).
diff --git a/hcl/default/jenkins/templates/jenkins.yaml.tmpl b/hcl/default/jenkins/templates/jenkins.yaml.tmpl
@@ -106,7 +106,7 @@ jenkins:
 "/dev/fuse"
 ],
 "force_pull": true,
- "image": "127.0.0.1:5000/jenkins-inbound-agent:3327.v868139a_d00e0"
+ "image": "127.0.0.1:5000/jenkins-inbound-agent:3327.v868139a_d00e0-v2"
 },
 "Env": {
 "REMOTING_OPTS": "-url http://{{ env "NOMAD_ADDR_jenkins" }} -name %WORKER_NAME% -secret %WORKER_SECRET% -tunnel {{ env "NOMAD_ADDR_jnlp" }}",