Gitlab Runner With Rootless Podman

How to get Gitlab Runner working in a rootless Podman, for a headless service account.

Set SELinux to permissive

Unfortunately I’ve had to do this to allow the container to connect to the Podman socket file. It can be resolved with a custom SELinux policy, but that’s outside the scope of this short post; I run my runners on their own VMs to mitigate the risk of leaving SELinux permissive.

On any other RHEL-based OS you can resolve this with a very simple policy module, but not on CoreOS.

Edit /etc/selinux/config, set SELINUX=permissive, and reboot.

Enable podman socket

The runner’s Docker executor talks to the engine over a Unix socket. Podman serves a Docker-compatible API on its own socket, so enabling that socket lets the runner drive Podman as if it were Docker.

systemctl --user start podman.socket
ls $XDG_RUNTIME_DIR/podman/podman.sock
/run/user/1000/podman/podman.sock

Configure gitlab runner to use the podman socket

[[runners]]
  name = "my-runner01"
  url = "https://gitlab.com"
  token = "token"
  executor = "docker"

  [runners.docker]
    host = "unix:///run/user/1000/podman/podman.sock"

Run gitlab-runner container

This is a quadlet example of how to run the container.

[Unit]
Description=Gitlab runner
Wants=network-online.target podman.socket
After=network-online.target podman.socket

[Container]
ContainerName=gitlab-runner
Image=docker.io/gitlab/gitlab-runner
Volume=/home/gitlab/config.toml:/etc/gitlab-runner/config.toml:Z
Volume=/run/user/1000/podman/podman.sock:/run/user/1000/podman/podman.sock:Z

[Service]
Restart=always

[Install]
WantedBy=multi-user.target default.target

Headless quadlet

What we have so far is enough if you’re logged in with the account, but if you’re deploying a runner with Ansible or Terraform you may be doing it under an account you never log in to. In that case you must enable lingering so the account’s systemd user instance runs without an active login session.

touch /var/lib/systemd/linger/gitlab
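The steps above wire together four things that must agree: the Podman socket, the host path in config.toml, the Volume= line in the quadlet, and lingering for the service account. A mismatch between any two of them is the usual reason a freshly deployed runner fails with a connection error. The following preflight script is an added example, not part of the original post or of GitLab Runner or Podman; it checks that the socket path the runner is told to use is actually mounted into the container from a podman.sock, refuses a tcp:// endpoint (which would expose the engine over the network), confirms lingering is enabled, and pings the Docker-compatible API on the socket. The default file locations in main (a quadlet at ~/.config/containers/systemd/gitlab-runner.container and config.toml in the home directory) and the minimal line-oriented parsing of both files are assumptions made for this example.

```python
"""Preflight checks for a GitLab Runner on rootless Podman (added example, not from the post)."""
import os
import re
import socket
import sys
from typing import List, Optional, Tuple

UNIX_PREFIX = "unix://"


def docker_host_from_config(toml_text: str) -> Optional[str]:
    """Return the `host` value under [runners.docker], or None if absent.
    Minimal line-oriented extraction of one key; not a full TOML parser (assumption)."""
    in_docker = False
    for line in toml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_docker = stripped == "[runners.docker]"
            continue
        if in_docker:
            m = re.match(r'host\s*=\s*"([^"]*)"', stripped)
            if m:
                return m.group(1)
    return None


def socket_path_from_host(host: str) -> Optional[str]:
    """Path part of a unix:// host; None for any other scheme (tcp:// etc.)."""
    if host.startswith(UNIX_PREFIX):
        return host[len(UNIX_PREFIX):]
    return None


def quadlet_volumes(quadlet_text: str) -> List[Tuple[str, str, str]]:
    """(source, destination, options) for every Volume= line in [Container]."""
    vols = []
    in_container = False
    for line in quadlet_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_container = stripped == "[Container]"
            continue
        if in_container and stripped.startswith("Volume="):
            parts = stripped[len("Volume="):].split(":")
            src = parts[0]
            dst = parts[1] if len(parts) > 1 else parts[0]
            opts = parts[2] if len(parts) > 2 else ""
            vols.append((src, dst, opts))
    return vols


def check_socket_wiring(toml_text: str, quadlet_text: str) -> List[str]:
    """Findings about how the runner reaches the engine; an empty list means OK."""
    host = docker_host_from_config(toml_text)
    if host is None:
        return ["config.toml: no host under [runners.docker]"]
    sock_in_container = socket_path_from_host(host)
    if sock_in_container is None:
        return [f"config.toml: host {host!r} is not unix://; a tcp:// engine endpoint "
                "would expose the container engine over the network"]
    # Map container-side mount points to their host-side sources.
    dests = {dst: src for src, dst, _ in quadlet_volumes(quadlet_text)}
    if sock_in_container not in dests:
        return [f"quadlet: no Volume= mounts anything at {sock_in_container}"]
    if not dests[sock_in_container].endswith("podman.sock"):
        return [f"quadlet: {sock_in_container} is backed by {dests[sock_in_container]}, "
                "not a podman.sock"]
    return []


def linger_enabled(user: str, linger_dir: str = "/var/lib/systemd/linger") -> bool:
    """systemd records lingering as an empty file named after the user."""
    return os.path.exists(os.path.join(linger_dir, user))


def podman_api_ping(sock_path: str, timeout: float = 2.0) -> bool:
    """True if the Docker-compatible API on sock_path answers GET /_ping with 200."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            s.sendall(b"GET /_ping HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n")
            reply = s.recv(4096)
    except OSError:
        return False
    return reply.startswith(b"HTTP/1.1 200")


def main() -> int:
    # Default paths are assumptions for this example; pass your own as arguments.
    cfg = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/config.toml")
    quad = sys.argv[2] if len(sys.argv) > 2 else os.path.expanduser(
        "~/.config/containers/systemd/gitlab-runner.container")
    user = sys.argv[3] if len(sys.argv) > 3 else os.environ.get("USER", "gitlab")
    with open(cfg) as f, open(quad) as g:
        toml_text, quadlet_text = f.read(), g.read()
    problems = check_socket_wiring(toml_text, quadlet_text)
    if not linger_enabled(user):
        problems.append(f"linger: not enabled for {user}; units will stop at logout")
    sock = socket_path_from_host(docker_host_from_config(toml_text) or "")
    if sock and not podman_api_ping(sock):
        problems.append(f"socket: no API answer on {sock}; is podman.socket started?")
    for p in problems:
        print("FAIL", p)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the service account (`python3 preflight.py ~/config.toml ~/.config/containers/systemd/gitlab-runner.container gitlab`) before enabling the quadlet; the socket ping is the one check that needs podman.socket already running, the rest are static.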

See also