Building container images inside a containerized runner

Hello,

I’ve been trying to build and push a container image from one of my repositories using Gitea Actions, but I’m having trouble running Docker’s actions, or rather, anything involving the Docker socket.

This is supposedly a working example, but I’ve tried applying its steps in my example and I get this error:

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

My workflow code:

name: Build and push container image
run-name: ${{ gitea.actor }} is building and pushing container image
on: create

env:
  GITEA_DOMAIN: git.mydomain.com
  GITEA_REGISTRY_USER: myuser
  RESULT_IMAGE_NAME: owner/image

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.GITEA_DOMAIN }}
          username: ${{ env.GITEA_REGISTRY_USER }}
          password: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}
      - name: Build and push image
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ env.GITEA_DOMAIN }}/${{ env.RESULT_IMAGE_NAME }}:${{ gitea.ref }}

I’ve tried mounting the runner’s Docker socket but to no avail. Is this something specific to containerized act runners and if so how do I fix it? Any help is much appreciated.

I had a hell of a time achieving this, but it worked.

I had the following in the builder config.yaml, under container

privileged: true
options: --cap-add=SYS_ADMIN --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw

(I don’t know if everything is needed, I think so)
These are the options to launch the build container with

In docker-compose of the runner I have

services:
  gitea-runner:
    image: gitea.local:8080/proj/gitea-runner:latest
    restart: always
    privileged: true
    environment:
      - GITEA_INSTANCE_URL=https://gitea.local:8080/
      - GITEA_RUNNER_REGISTRATION_TOKEN=xxx
      - DOCKER_HOST=unix:///run/podman/podman.sock
    volumes:
      - ./data:/gitea/
      - "/run/podman/podman.sock:/run/podman/podman.sock"
    devices:
      - /dev/fuse:/dev/fuse
    security_opt:
      - seccomp=unconfined
      - label=disable
    cap_add:
      - SYS_ADMIN
    build:
      context: .
      dockerfile: Dockerfile
    user: "$UID:$GID"
    secrets:
      ...

Again, some of this may be superfluous. This is the file that the runner is created from.

Then I think the workflows are just normal docker/podman commands.
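As an added example (not code from either post above), a small Python audit that tokenizes the `options` string from the runner's config.yaml `container` section together with its `privileged` flag, and reports which of those settings give a workflow job host-level reach on the runner machine. The sample input is the exact options line quoted in the answer; the finding wording and the helper names are my own.

```python
import shlex
from typing import Dict, List

# Constructed input: the options line and privileged flag from the answer's config.yaml.
SAMPLE_OPTIONS = ("--cap-add=SYS_ADMIN --security-opt label=disable "
                  "--security-opt seccomp=unconfined --device /dev/fuse:rw")
SAMPLE_PRIVILEGED = True

# docker-run style flags that take a value (in '--flag value' or '--flag=value' form).
_VALUE_FLAGS = {"--cap-add", "--security-opt", "--device", "-v", "--volume"}

def parse_run_options(options: str) -> Dict[str, List[str]]:
    """Tokenize a docker-run style options string into flag -> [values]."""
    parsed: Dict[str, List[str]] = {}
    tokens = shlex.split(options)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and "=" in tok:
            flag, value = tok.split("=", 1)
        elif tok in _VALUE_FLAGS and i + 1 < len(tokens):
            flag, value = tok, tokens[i + 1]
            i += 1
        else:
            flag, value = tok, ""  # boolean flag such as --privileged
        parsed.setdefault(flag, []).append(value)
        i += 1
    return parsed

def assess_container_options(options: str, privileged: bool) -> List[str]:
    """Return one finding per setting that weakens isolation between the
    job container and the runner host (each is effectively host root)."""
    findings: List[str] = []
    if privileged:
        findings.append("privileged: true disables container isolation entirely")
    opts = parse_run_options(options)
    if "--privileged" in opts:
        findings.append("--privileged in options disables container isolation entirely")
    for cap in opts.get("--cap-add", []):
        if cap.upper() in ("SYS_ADMIN", "ALL"):
            findings.append(f"--cap-add={cap} is broadly equivalent to root on the host")
    for so in opts.get("--security-opt", []):
        if so in ("seccomp=unconfined", "label=disable", "apparmor=unconfined"):
            findings.append(f"--security-opt {so} removes a kernel hardening layer")
    for dev in opts.get("--device", []):
        findings.append(f"--device {dev} exposes a host device to every job")
    for vol in opts.get("-v", []) + opts.get("--volume", []):
        if vol.split(":")[0].endswith(".sock"):
            findings.append(f"mount {vol} hands the job the host container engine socket")
    return findings

if __name__ == "__main__":
    for finding in assess_container_options(SAMPLE_OPTIONS, SAMPLE_PRIVILEGED):
        print("WARN:", finding)
```

Every finding here applies to any repository whose workflow runs on that runner, so the same check is worth running against the compose file's `privileged`, `cap_add`, `security_opt` and socket `volumes` entries.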
