#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
-
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
@whitequark would containers using gVisor as a container runtime solve for this?
-
@whitequark would containers using gVisor as a container runtime solve for this?
@freya in theory yes, in practice i couldn't get gVisor to work with podman and i don't trust dockerd any more than Linux
-
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
not specifically that bug, just the bug class i was worried about for a while
-
@freya in theory yes, in practice i couldn't get gVisor to work with podman and i don't trust dockerd any more than Linux
@whitequark oh really! podman doesn't have the --runtime=runsc option? why not trusting docker, can I ask?
-
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
@whitequark do you plan to support running workers on wondows hosts? And is there anything we can do to help?
-
@whitequark oh really! podman doesn't have the --runtime=runsc option? why not trusting docker, can I ask?
@freya it does, gvisor just crashes for reasons i could not triage in reasonable time
rootful dockerd, well, is a big attack surface. rootless dockerd didn't provide some of the functionality i needed
-
@whitequark do you plan to support running workers on wondows hosts? And is there anything we can do to help?
@janl yes (already underway) and uh want to buy me a motherboard?
-
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
@whitequark MicroVMs sound like a good fit I think. It’s somewhere on my list of things to look into…
Sebastian Cohnen (@tisba@ruby.social)
Copy Fail (https://copy.fail/, CVE-2026-31431) is a good reminder why I don’t want to run CI jobs only in containers. It would be great to get some momentum to https://code.forgejo.org/forgejo/forgejo-actions-feature-requests/issues/4 (microVMs for forgejo actions). At least on bare metal (or nested VMs with nested KVM) this would make things a lot safer. It would also simplify the usage of containers/docker in CI jobs without compromising security, which is kind of a pain with Codeberg Action currently. #security
Ruby.social (ruby.social)
-
@whitequark MicroVMs sound like a good fit I think. It’s somewhere on my list of things to look into…
Sebastian Cohnen (@tisba@ruby.social)
Copy Fail (https://copy.fail/, CVE-2026-31431) is a good reminder why I don’t want to run CI jobs only in containers. It would be great to get some momentum to https://code.forgejo.org/forgejo/forgejo-actions-feature-requests/issues/4 (microVMs for forgejo actions). At least on bare metal (or nested VMs with nested KVM) this would make things a lot safer. It would also simplify the usage of containers/docker in CI jobs without compromising security, which is kind of a pain with Codeberg Action currently. #security
Ruby.social (ruby.social)
@tisba yep, already on it
-
@tisba yep, already on it
@whitequark that’s awesome! 🤩
-
@whitequark oh really! podman doesn't have the --runtime=runsc option? why not trusting docker, can I ask?
@freya @whitequark ime podman with the socket + gvisor is buggy af with forgejo actions.
-
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
@whitequark copy-on-write shallow clones of VMs works great for CI. I was doing it back in 2011 or so.
-
@whitequark copy-on-write shallow clones of VMs works great for CI. I was doing it back in 2011 or so.
@thejpster yep, the plan is to do something like that with microVMs (or the closest approximation if the obvious solution is non-viable)
-
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
@whitequark containers: the convenience of a VM and the security of rawdogging userspace
-
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
@whitequark dunno what copyfail is but we're gonna end up doing the same
currently working on migration to our alpine+libvirt+scripts hypervisor os on main server specifically to allow for stuff like this
eventually plan to make a thing to let us do docker compose style services, but as a full VM per service or a container runtime if required -
@thejpster yep, the plan is to do something like that with microVMs (or the closest approximation if the obvious solution is non-viable)
@whitequark I suspect you won't be using VMware vSphere and the VMware Perl SDK though
-
@janl yes (already underway) and uh want to buy me a motherboard?
@whitequark I have my old box collecting dust while waiting for a crazy enough buyer. Im slowly lowering price, but probably it’s not going to be sold in next few months.
If it’s any use for you in meantime, I can give you direct access to bcm webui so you can do whatever you like with it
We can figure out how much of heads up you need in case someone would be willing to buy it. And I have second low power box that can be used for backups
EPYC 7551P (1gen, 32C/64T) on Gigabyte MZ01-CE1 (with browser based KVM)
RAM 256G: 8× 32G M393A4K40BB2-CTD DDR4-2666
NVME 2T: 1× WD Black SN850X
HDD 12T: 4× 3TB HGST Ultrastar 7K300- 2× Tesla P40 (if you are in a mood for messing with sharing gpu with workers)
-
@whitequark dunno what copyfail is but we're gonna end up doing the same
currently working on migration to our alpine+libvirt+scripts hypervisor os on main server specifically to allow for stuff like this
eventually plan to make a thing to let us do docker compose style services, but as a full VM per service or a container runtime if required@whitequark hoping there is a way to speed up vm launch time though, if you have any resources that might be useful, feel free to send us, medical issues are making it almost impossible for us to focus enough to find resources on how to best do this kinda thing securely and decently
while we'd love to use xcp-ng, the old kernel / xen kinda limits its use on little guys (fucked cpu freq scaling), and proxmox requires so much host configuration for our weird setups which we'd rather avoid, so making our own embedded style alpine distro with A/B boot specifically for this -
@whitequark containers: the convenience of a VM and the security of rawdogging userspace
-
@whitequark hoping there is a way to speed up vm launch time though, if you have any resources that might be useful, feel free to send us, medical issues are making it almost impossible for us to focus enough to find resources on how to best do this kinda thing securely and decently
while we'd love to use xcp-ng, the old kernel / xen kinda limits its use on little guys (fucked cpu freq scaling), and proxmox requires so much host configuration for our weird setups which we'd rather avoid, so making our own embedded style alpine distro with A/B boot specifically for this@chaos firecracker or crosvm is the current plan but i'm not recommending either until i get actual operational experience
