v0.3.0-5: fix UID/GID to 125, wait for user manager and podman socket

- Fix gitea-runner UID/GID to 125 for stable user@125.service unit name - Use BindsTo= for gitea-runner-podman.service dependency - Wait for user@125.service and Podman socket before runner starts - Add ExecStartPre socket wait loop (60s timeout) - Ship commented-out limits.conf drop-in for resource caps
2026-04-08 10:35:40 +02:00
parent c741ce2aaf
commit 04091ede75
5 changed files with 57 additions and 6 deletions
--- a/gitea-act-runner.sysusers
+++ b/gitea-act-runner.sysusers
@@ -1,2 +1,2 @@
-# Type Name             ID             GECOS                  Home directory                  Shell
+g gitea-runner 125
-u      gitea-runner     -              "Gitea Act Runner"     /var/lib/gitea/runners          /sbin/nologin
+u gitea-runner 125:125 "Gitea Act Runner" /var/lib/gitea/runners /sbin/nologin
--- a/gitea-act_runner.spec
+++ b/gitea-act_runner.spec
@@ -1,6 +1,6 @@
 Name:           gitea-act_runner
 Version:        0.3.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Gitea act runner service.
 License:        MIT
 Group:          System Environment/Base
@@ -14,6 +14,7 @@ Source12:       gitea-act-runner-setup
 Source13:       gitea-act-runner.sysusers
 Source14:       gitea-runner-podman.service
 Source15:       storage.conf
 Source16:       limits.conf
 BuildRequires:  systemd-rpm-macros
 Requires:       podman
@@ -54,6 +55,10 @@ install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/runners
 install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/runners/.config/containers
 install -m 644 %{SOURCE15} %{buildroot}%{_sharedstatedir}/gitea/runners/.config/containers/storage.conf
 # Resource limits drop-in (shipped commented out as a template)
 install -d -m 755 %{buildroot}%{_sysconfdir}/systemd/system/gitea-act_runner@.service.d
 install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/systemd/system/gitea-act_runner@.service.d/limits.conf
 install -d -m 755 %{buildroot}/var/cache/act-runner/pnpm-store
 %pre
@@ -94,6 +99,9 @@ fi
 %{_unitdir}/gitea-runner-podman.service
 %{_sysusersdir}/gitea-act-runner.conf
 %dir %{_sysconfdir}/systemd/system/gitea-act_runner@.service.d
 %config(noreplace) %{_sysconfdir}/systemd/system/gitea-act_runner@.service.d/limits.conf
 %defattr(-,gitea-runner,gitea-runner,750)
 %dir %{_sharedstatedir}/gitea/runners
 %dir %{_sysconfdir}/gitea
@@ -108,6 +116,12 @@ fi
 %dir /var/cache/act-runner/pnpm-store
 %changelog
 * Wed Apr 08 2026 Zoran Pericic <zpericic@netst.org> - 0.3.0-5
 - Fix gitea-runner UID/GID to 125 for stable user@125.service unit name
 - Use BindsTo= for gitea-runner-podman.service dependency
 - Wait for user@125.service and Podman socket before runner starts
 - Ship commented-out limits.conf drop-in for resource caps
 * Mon Apr 06 2026 Zoran Pericic <zpericic@netst.org> - 0.3.0-4
 - Add Podman btrfs storage.conf for gitea-runner user
 - Add dependency on gitea-runner-podman.service
--- a/gitea-act_runner@.service
+++ b/gitea-act_runner@.service
@@ -1,7 +1,8 @@
 [Unit]
 Description=Act runner is a runner for Gitea
-After=network.target gitea-runner-podman.service
+After=network.target gitea-runner-podman.service user@125.service
-Requires=gitea-runner-podman.service
+Wants=user@125.service
 BindsTo=gitea-runner-podman.service
 ConditionPathExists=/var/lib/gitea/runners/%i/.runner
 StartLimitIntervalSec=60
 StartLimitBurst=3
@@ -15,6 +16,8 @@ StateDirectoryMode=0750
 WorkingDirectory=/var/lib/gitea/runners/%i
 Environment=HOME=/var/lib/gitea/runners/%i
 # Wait for podman to actually create its socket before starting
 ExecStartPre=/bin/sh -c 'for i in $(seq 1 60); do [ -S /run/gitea-runner/podman/podman.sock ] && exit 0; sleep 1; done; echo "podman socket never appeared" >&2; exit 1'
 ExecStart=/usr/bin/gitea-act-runner daemon -c /etc/gitea/runners/%i.yaml
 Restart=on-failure
--- a/gitea-runner-podman.service
+++ b/gitea-runner-podman.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Podman API socket for Gitea Act Runner
-After=network.target systemd-logind.service
+After=network.target systemd-logind.service user@125.service
 Wants=user@125.service
 [Service]
 Type=exec
--- a/limits.conf
+++ b/limits.conf
@@ -0,0 +1,33 @@
 # Resource limits drop-in for gitea-act_runner@.service
 # ======================================================
 #
 # Installed to:
 #   /etc/systemd/system/gitea-act_runner@.service.d/limits.conf
 #
 # This file is shipped with all values commented out as examples.
 # Uncomment and adjust to protect the host from runaway CI jobs.
 #
 # A runaway build can exhaust memory and take down user@125.service
 # (the rootless user manager), which kills the Podman socket and
 # breaks all running runners until the service is restarted.
 #
 # Setting MemoryHigh/MemoryMax caps the cgroup, so the kernel OOM
 # killer targets the runner's children first instead of user@.service.
 #
 # Recommended starting points for a dedicated CI host:
 #   MemoryHigh : soft limit — kernel throttles above this
 #   MemoryMax  : hard limit — kernel kills processes above this
 #   TasksMax   : max number of tasks (processes + threads)
 #
 # Also consider adding matching limits in your runner config.yaml
 # under container.options, e.g.:
 #   options: --memory=8g --memory-swap=8g -v /var/cache/act-runner/pnpm-store:/cache/pnpm-store:z
 #
 # After editing, reload systemd:
 #   systemctl daemon-reload
 #   systemctl restart gitea-act_runner@<instance>.service
 [Service]
 # MemoryHigh=10G
 # MemoryMax=12G
 # TasksMax=4096
`@@ -1,2 +1,2 @@`
	`# Type Name ID GECOS Home directory Shell`	`g gitea-runner 125`
	`u gitea-runner - "Gitea Act Runner" /var/lib/gitea/runners /sbin/nologin`	`u gitea-runner 125:125 "Gitea Act Runner" /var/lib/gitea/runners /sbin/nologin`