From 04091ede7593e436ee702c6268ac08bd374dbb43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?=
Date: Wed, 8 Apr 2026 10:35:40 +0200
Subject: [PATCH] v0.3.0-5: fix UID/GID to 125, wait for user manager and podman socket
- Fix gitea-runner UID/GID to 125 for stable user@125.service unit name
- Use BindsTo= for gitea-runner-podman.service dependency
- Wait for user@125.service and Podman socket before runner starts
- Add ExecStartPre socket wait loop (60s timeout)
- Ship commented-out limits.conf drop-in for resource caps
---
 gitea-act-runner.sysusers | 4 ++--
 gitea-act_runner.spec | 16 +++++++++++++++-
 gitea-act_runner@.service | 7 +++++--
 gitea-runner-podman.service | 3 ++-
 limits.conf | 33 +++++++++++++++++++++++++++++++++
 5 files changed, 57 insertions(+), 6 deletions(-)
 create mode 100644 limits.conf
diff --git a/gitea-act-runner.sysusers b/gitea-act-runner.sysusers
index de2693b..c0de927 100644
--- a/gitea-act-runner.sysusers
+++ b/gitea-act-runner.sysusers
@@ -1,2 +1,2 @@
-# Type Name ID GECOS Home directory Shell
-u gitea-runner - "Gitea Act Runner" /var/lib/gitea/runners /sbin/nologin
+g gitea-runner 125
+u gitea-runner 125:125 "Gitea Act Runner" /var/lib/gitea/runners /sbin/nologin
diff --git a/gitea-act_runner.spec b/gitea-act_runner.spec
index 96a4219..16826c5 100644
--- a/gitea-act_runner.spec
+++ b/gitea-act_runner.spec
@@ -1,6 +1,6 @@
 Name: gitea-act_runner
 Version: 0.3.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Gitea act runner service.
 License: MIT
 Group: System Environment/Base
@@ -14,6 +14,7 @@ Source12: gitea-act-runner-setup Source13: gitea-act-runner.sysusers Source14: gitea-runner-podman.service Source15: storage.conf +Source16: limits.conf BuildRequires: systemd-rpm-macros Requires: podman
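Review bot: The fixed `u gitea-runner 125:125` entry silently does nothing on a host upgraded from 0.3.0-4, where the gitea-runner user already exists with a dynamically allocated UID: systemd-sysusers does not change the ID of an existing user, so user@125.service would not be the manager for the account that owns /var/lib/gitea/runners, and the same mismatch occurs on a fresh host where UID or GID 125 is already taken by another account. Nothing in the visible hunks handles this (the spec's %pre is outside the patch), so the new Wants=user@125.service ordering and the socket wait in gitea-act_runner@.service would fail with only a generic timeout message. I would have %pre check that `getent passwd gitea-runner` resolves to UID 125 and abort with an explicit message otherwise, and keep a header comment in this file recording why the ID is pinned, e.g. `# ID fixed to 125 so user@125.service is a stable unit name for the runner units`.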
@@ -54,6 +55,10 @@ install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/runners install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/runners/.config/containers install -m 644 %{SOURCE15} %{buildroot}%{_sharedstatedir}/gitea/runners/.config/containers/storage.conf +# Resource limits drop-in (shipped commented out as a template) +install -d -m 755 %{buildroot}%{_sysconfdir}/systemd/system/gitea-act_runner@.service.d +install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/systemd/system/gitea-act_runner@.service.d/limits.conf + install -d -m 755 %{buildroot}/var/cache/act-runner/pnpm-store %pre
@@ -94,6 +99,9 @@ fi %{_unitdir}/gitea-runner-podman.service %{_sysusersdir}/gitea-act-runner.conf +%dir %{_sysconfdir}/systemd/system/gitea-act_runner@.service.d +%config(noreplace) %{_sysconfdir}/systemd/system/gitea-act_runner@.service.d/limits.conf + %defattr(-,gitea-runner,gitea-runner,750) %dir %{_sharedstatedir}/gitea/runners %dir %{_sysconfdir}/gitea
@@ -108,6 +116,12 @@ fi
 %dir /var/cache/act-runner/pnpm-store
 
 %changelog
+* Wed Apr 08 2026 Zoran Pericic - 0.3.0-5
+- Fix gitea-runner UID/GID to 125 for stable user@125.service unit name
+- Use BindsTo= for gitea-runner-podman.service dependency
+- Wait for user@125.service and Podman socket before runner starts
+- Ship commented-out limits.conf drop-in for resource caps
+
 * Mon Apr 06 2026 Zoran Pericic - 0.3.0-4
 - Add Podman btrfs storage.conf for gitea-runner user
 - Add dependency on gitea-runner-podman.service
diff --git a/gitea-act_runner@.service b/gitea-act_runner@.service
index 0d30551..d8988c5 100644
--- a/gitea-act_runner@.service
+++ b/gitea-act_runner@.service
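Review bot: The limits.conf drop-in is installed to %{_sysconfdir}/systemd/system/gitea-act_runner@.service.d, which is the administrator's override directory; distribution guidelines (Fedora's, for example) expect packaged drop-ins under %{_unitdir}/gitea-act_runner@.service.d with /etc left for local changes, and the %files hunk consequently has the package own a directory under /etc. Because every value in the file is commented out, shipping it at `%{_unitdir}/gitea-act_runner@.service.d/limits.conf` loses nothing, and an admin who uncomments values would copy it to /etc where it takes precedence. If the /etc location is deliberate (an admin-edited template, hence %config(noreplace)), a comment next to the install line saying so, e.g. `# Deliberately installed under /etc: this is an admin-edited template, not a packaged override`, keeps a later packager from relocating it.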
@@ -1,7 +1,8 @@
 [Unit]
 Description=Act runner is a runner for Gitea
-After=network.target gitea-runner-podman.service
-Requires=gitea-runner-podman.service
+After=network.target gitea-runner-podman.service user@125.service
+Wants=user@125.service
+BindsTo=gitea-runner-podman.service
 ConditionPathExists=/var/lib/gitea/runners/%i/.runner
 StartLimitIntervalSec=60
 StartLimitBurst=3
@@ -15,6 +16,8 @@ StateDirectoryMode=0750 WorkingDirectory=/var/lib/gitea/runners/%i Environment=HOME=/var/lib/gitea/runners/%i +# Wait for podman to actually create its socket before starting +ExecStartPre=/bin/sh -c 'for i in $(seq 1 60); do [ -S /run/gitea-runner/podman/podman.sock ] && exit 0; sleep 1; done; echo "podman socket never appeared" >&2; exit 1' ExecStart=/usr/bin/gitea-act-runner daemon -c /etc/gitea/runners/%i.yaml Restart=on-failure
diff --git a/gitea-runner-podman.service b/gitea-runner-podman.service
index 80ca98c..6cd47b3 100644
--- a/gitea-runner-podman.service
+++ b/gitea-runner-podman.service
@@ -1,6 +1,7 @@ [Unit] Description=Podman API socket for Gitea Act Runner -After=network.target systemd-logind.service +After=network.target systemd-logind.service user@125.service +Wants=user@125.service [Service] Type=exec
diff --git a/limits.conf b/limits.conf
new file mode 100644
index 0000000..79f49be
--- /dev/null
+++ b/limits.conf
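Review bot: `Wants=user@125.service` starts the user manager but does not keep it running: without lingering enabled for the gitea-runner account, logind may stop user@125.service once it sees no session or linger state for UID 125, and because the runner now has `BindsTo=gitea-runner-podman.service`, losing the rootless Podman socket would stop every runner instance. Unless %post already runs `loginctl enable-linger gitea-runner` (not visible in this patch), that belongs in the package, and the unit deserves a comment such as `# user@125.service is only stable if lingering is enabled for gitea-runner (loginctl enable-linger)`; the same Wants=/After= pair is added to gitea-runner-podman.service in the next hunk and the point applies there too. The ExecStartPre polling loop in the second hunk also hard-codes the socket path that gitea-runner-podman.service creates, so a comment naming that unit would keep the two in sync, and since upstream's podman.service runs `podman system service` with Type=notify, switching gitea-runner-podman.service from Type=exec to Type=notify would make the existing After= ordering sufficient and let the loop be dropped.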
@@ -0,0 +1,33 @@
+# Resource limits drop-in for gitea-act_runner@.service
+# ======================================================
+#
+# Installed to:
+# /etc/systemd/system/gitea-act_runner@.service.d/limits.conf
+#
+# This file is shipped with all values commented out as examples.
+# Uncomment and adjust to protect the host from runaway CI jobs.
+#
+# A runaway build can exhaust memory and take down user@125.service
+# (the rootless user manager), which kills the Podman socket and
+# breaks all running runners until the service is restarted.
+#
+# Setting MemoryHigh/MemoryMax caps the cgroup, so the kernel OOM
+# killer targets the runner's children first instead of user@.service.
+#
+# Recommended starting points for a dedicated CI host:
+# MemoryHigh : soft limit — kernel throttles above this
+# MemoryMax : hard limit — kernel kills processes above this
+# TasksMax : max number of tasks (processes + threads)
+#
+# Also consider adding matching limits in your runner config.yaml
+# under container.options, e.g.:
+# options: --memory=8g --memory-swap=8g -v /var/cache/act-runner/pnpm-store:/cache/pnpm-store:z
+#
+# After editing, reload systemd:
+# systemctl daemon-reload
+# systemctl restart gitea-act_runner@.service
+
+[Service]
+# MemoryHigh=10G
+# MemoryMax=12G
+# TasksMax=4096
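Review bot: The header's own rationale contradicts where the limits are applied: it says a runaway build takes down user@125.service, i.e. the job processes run under the rootless user manager, yet `MemoryHigh`/`MemoryMax`/`TasksMax` in a drop-in for gitea-act_runner@.service bound only the runner daemon's cgroup, not containers started through the Podman API. If containers are indeed created under user@125.service (the podman unit's ExecStart is not in this patch, so I cannot confirm), the caps belong on user-125.slice, e.g. `systemctl set-property user-125.slice MemoryMax=12G` or an equivalent drop-in for that slice, and the sentence "so the kernel OOM killer targets the runner's children first instead of user@.service" should be reworded accordingly. The per-container `--memory` option mentioned for config.yaml is then the complementary per-job cap, and the file should say so explicitly rather than presenting it as an optional extra.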