Update gitlab docker runner config

ansible/runner/README.md

-# MAIN VMs ansible
+# Runner Ansible config with podman
 
 First run:  
-`ansible-playbook -i inventory.yaml install.yaml --user root`
+`ansible-playbook -i inventory.yaml install.yaml --user ubuntu --become`
 
-After first run:  
+After first run: (And update ssh port to 10022)  
 `ansible-playbook -i inventory.yaml install.yaml --become --user rlacko`
+
+## Config
+Update the variables in `vars` folder.
+
+## Run 
+
+`sudo -s`  
+`cd /home/ubuntu`
+`podman-compose up -d`

ansible/runner/install.yaml

@@ -9,6 +9,8 @@
     - name: Setup Runner VM
       import_tasks: tasks/main.yaml
   
+  vars_files:
+    - vars/vars.yaml
   vars:
     users: 
       - name: rlacko
@@ -20,3 +22,6 @@
       permitRootLogin: 'no'
       pubkeyAuthentication: 'yes'
       passwordAuthentication: 'no'
+      allow:
+        users: 'rlacko'
+    

ansible/runner/inventory.yaml

 all:
   hosts:
-    152.66.211.122:
+    152.66.211.9:
+      ansible_port: 10022

ansible/runner/tasks/packages.yaml

 ---
-- name: Install basic packages
+- name: Install packages
   package:
     state: present
     name:

ansible/runner/tasks/runner.yaml

@@ -20,13 +20,12 @@
 
 - name: Copy config toml
   template:
-    src: home/ubuntu/gitlab-runner/config.toml
+    src: home/ubuntu/gitlab-runner/config.toml.j2
     dest: /home/ubuntu/gitlab-runner/config.toml
     owner: ubuntu
     group: ubuntu
     mode: 0700
-    # backing up in case the need to recover
-    backup: false
+    backup: true
   become: true
 
 - name: Copy compose file
@@ -39,3 +38,27 @@
     # backing up in case the need to recover
     backup: false
   become: true
+
+- name: Copy registries config
+  template:
+    src: etc/containers/registries.conf
+    dest: /etc/containers/registries.conf
+    owner: root
+    group: root
+    mode: 0644
+    # backing up in case the need to recover
+    backup: true
+  become: true
+
+- name: Enable podman socket service
+  systemd:
+    name: podman.socket
+    state: started
+    enabled: yes
+
+- name: Add read write permission to podman socket
+  file:
+    path: /var/run/podman/podman.sock
+    owner: root
+    group: root
+    mode: '0664'

ansible/runner/templates/etc/containers/registries.conf

+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure.  If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+unqualified-search-registries = ["docker.io"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# #   prefix = "example.com/foo"
+# #   location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
+# # in order, and use the first one that exists.
\ No newline at end of file

ansible/runner/templates/home/ubuntu/gitlab-runner/config.toml

-listen_address = ":9252"
-concurrent = 10
-check_interval = 1
-
-[session_server]
-  session_timeout = 1800

ansible/runner/templates/home/ubuntu/gitlab-runner/config.toml.j2

+listen_address = ":9252"
+concurrent = 10
+check_interval = 1
+
+[session_server]
+  session_timeout = 1800
+
+[[runners]]
+  name = {{ runner.name}}
+  url = {{ runner.url }}
+  token = {{ runner.token }}
+  executor = "docker"
+  [runners.custom_build_dir]
+  {% if runner.s3cache is defined %}
+  [runners.cache]
+    Type = "s3"
+    Path = "runner"
+    Shared = true
+    [runners.cache.s3]
+      ServerAddress = {{ runner.s3cache.server_address }}
+      BucketName = {{ runner.s3cache.bucket_name }}
+      Insecure = false
+      AccessKey = {{ runner.s3cache.access_key }}
+      SecretKey = {{ runner.s3cache.secret_key }}
+  {% endif %}
+  [runners.docker]
+    tls_verify = false
+    image = "ubuntu:20.04"
+    privileged = false
+    disable_entrypoint_overwrite = false
+    oom_kill_disable = false
+    disable_cache = false
+    volumes = ["/cache"]
+    shm_size = 0
+    pull_policy = ["if-not-present"]

ansible/runner/vars/.gitignore

+*
+
+!.gitignore
+!*.example
\ No newline at end of file

ansible/runner/vars/vars.yaml.example

+---
+
+users: 
+  - name: rlacko
+    sudo: yes
+    passwordless_sudo: yes
+    keys_url: https://git.sch.bme.hu/rlacko.keys
+ssh:
+  port: 10022
+  permitRootLogin: 'no'
+  pubkeyAuthentication: 'yes'
+  passwordAuthentication: 'no'
+  allow:
+    users: 'rlacko'
+runner:
+  name:
+  url:
+  token:
+  s3cache: 
+    server_address:
+    bucket_name:
+    access_key:
+    secret_key:

terraform/runner-tmp.tf

@@ -23,9 +23,10 @@ resource "proxmox_vm_qemu" "runner-tmp" {
     network {
         model = "virtio"
         bridge = "vmbr211"
+        macaddr = "42:63:41:D8:F7:DE"
     }
 
-    ipconfig0 = "ip=152.66.211.122/24,gw=152.66.211.254"
+    ipconfig0 = "ip=152.66.211.9/24,gw=152.66.211.254"
 
     sshkeys = <<EOF
     ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXuXr/Mz1ENkvZ+Ntc9dF1r8VK62XaZtsMaV7N+CMZ8 rlacko@personal