Creating Docker Images Inside Kubernetes Act Runner?

Pardon me if this is known, but I couldn’t find any good documentation on what I’m seeing here.

I’m trying to build docker images inside of an act runner that I have running as a StatefulSet of pods inside a Kubernetes cluster.

Various things I’ve tried have all effectively yielded a failure to talk to docker, i.e.:

Cannot connect to the Docker daemon at tcp://localhost:2375. Is the docker daemon running?

My workflow at present is as such:

name: Deploy to production

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    container:
      image: catthehacker/ubuntu:act-latest
      env:
        DOCKER_HOST: tcp://localhost:2375

      ports:
        - 2375

      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - /certs

    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Run docker compose build
        run: docker compose -f docker/webserver/docker-compose.yml build

And the act runner I’m using looks like this:

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: act-runner
    apps.kubernetes.io/pod-index: "0"
    statefulset.kubernetes.io/pod-name: act-runner-0
  name: act-runner-0
  namespace: gitea
spec:
  containers:
  - env:
    - name: DOCKER_HOST
      value: tcp://localhost:2376
    - name: DOCKER_CERT_PATH
      value: /certs/client
    - name: DOCKER_TLS_VERIFY
      value: "1"
    - name: GITEA__log__LEVEL
      value: debug
    - name: GITEA_INSTANCE_URL
      value: https://example.com
    - name: GITEA_RUNNER_REGISTRATION_TOKEN
      value: supersecrettoken
    - name: GITEA_RUNNER_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
            path: namespace

If there’s anything obvious I’m missing, please let me know; would be nice to get this figured out.

Of course. Now that I step away, I made another step.

If anyone else is curious, what I did, was keep most of the above the same, except:

  • I found out that my dind-rootless created a docker.sock under /run/user/1000/docker.sock
  • Found out that there’s a valid_volumes setting in the config that lets you allow certain regexes/volumes to be mounted.

I also took the opportunity to turn debug logging up to high for the gitea runner (in the configmap), and it made things more apparent.

I’m not quite running but docker isn’t squealing anymore.

If you want to have docker-in-docker, you have two options. The first is to run a separate container with a running docker daemon in it, linked to your job as a service (see the actions services syntax for details). IIRC this container must be privileged. In order to use dind that way, the docker daemon must listen on some tcp port and you need to set DOCKER_HOST to the docker container name (not localhost, since that will be treated as the same container where the client is run).
The second option is to pass the docker socket from the host to the act_runner container (it should be noted in its manifest) and then into the job. Insecure, if you care.
Finally, docker images can be built by other engines like podman (buildah) or kaniko. Those don’t need any socket access but still require some capabilities to be set on the container running them.
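The first option from the reply above, written out as an added workflow example (not from the original poster or the Gitea project): a docker:dind service container that the job reaches by its service name rather than localhost, so no host docker.sock has to be mounted into the runner. It assumes the runner is allowed to start privileged containers (act_runner's container.privileged setting, or the service's --privileged option being honoured) and that dind's TLS is disabled so it listens on plain tcp/2375 inside the job's private network.

```yaml
name: Build image with a docker-in-docker service

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    container:
      image: catthehacker/ubuntu:act-latest
      env:
        # Point the client at the *service* container by name. "localhost"
        # would resolve to the job container itself, which runs no daemon.
        DOCKER_HOST: tcp://docker:2375

    services:
      docker:
        image: docker:dind
        # dind starts its own daemon and needs privileged mode for that
        # (assumption: the runner config permits privileged containers).
        options: --privileged
        env:
          # Empty DOCKER_TLS_CERTDIR disables TLS so dind listens on
          # plain tcp/2375 (assumption: reachable only inside the job network).
          DOCKER_TLS_CERTDIR: ""

    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Wait for the docker daemon
        # dind takes a few seconds to come up; fail clearly instead of
        # hitting "Cannot connect to the Docker daemon" on the first build step.
        run: |
          for i in $(seq 1 30); do
            docker info >/dev/null 2>&1 && exit 0
            sleep 1
          done
          echo "docker daemon did not become ready" >&2
          exit 1

      - name: Run docker compose build
        run: docker compose -f docker/webserver/docker-compose.yml build
```

The privileged dind container is confined to the job and is discarded with it, which is the trade-off the reply contrasts with handing the host socket to every job.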