forgejo/docs
32
45
Fork
You've already forked docs
203

Runner installation: Simplify docker compose setup and instructions + add section on firewall considerations #1634

Open
benjaoming wants to merge 10 commits from benjaoming/docs:benjaoming-docs-runner-installation into next
pull from: benjaoming/docs:benjaoming-docs-runner-installation
merge into: forgejo:next
forgejo:next
forgejo:v14.0
forgejo:v13.0
forgejo:v11.0
forgejo:v12.0
forgejo:bp-v12.0-a6c8557
forgejo:v7.0
forgejo:v10.0
forgejo:v9.0
forgejo:v8.0
forgejo:v1.21
forgejo:v1.20
forgejo:v1.19
First-time contributor
Copy link
  • I noted that the Docker Compose configuration can be simplified to accommodate a service for the registration itself.
  • A section of firewall considerations has been added, but I wasn't sure what was the best place.

I can either move or remove the firewall considerations, or split them into a separate PR?

Comment: It's a bit like these installation instructions could benefit from being split up.

* I noted that the Docker Compose configuration can be simplified to accommodate a service for the registration itself. * A section of firewall considerations has been added, but I wasn't sure what was the best place. I can either move or remove the firewall considerations, or split them into a separate PR? Comment: It's a bit like these installation instructions could benefit from being split up.
Update docs/admin/actions/runner-installation.md
Some checks failed
pr / preview (pull_request_target) Failing after 20s
acddcdc84b
Contributor
Copy link

Can you please share here a copy/paste of a shell session of these instructions run from a newly installed OS to verify it works as expected? It looks simpler but relies on docker compose functionalities that I don't know about (depends-on: [], profile neverstarted...) and I wonder how it ensures ordering with the runner itself). I suppose a minimum docker-compose version is required for that to work properly. I also am not sure how the interactive part of the setup happens in this context 🤔

Can you please share here a copy/paste of a shell session of these instructions run from a newly installed OS to verify it works as expected? It looks simpler but relies on docker compose functionalities that I don't know about (depends-on: [], profile neverstarted...) and I wonder how it ensures ordering with the runner itself). I suppose a minimum docker-compose version is required for that to work properly. I also am not sure how the interactive part of the setup happens in this context 🤔
sclu1034 requested changes 2025年12月15日 09:56:56 +01:00
Dismissed
@ -398,3 +398,3 @@
```
It does not run as root:
It does not run as root, but runs with the current user's ID, for instance:
Member
Copy link

Incorrect. The fact that it lines up with your user on your machine is purely incidental.

The user in the image uses 1000:1000 because that's what the Dockerfile specifies. It has no correlation to anything else.

Incorrect. The fact that it lines up with your user on your machine is purely incidental. The user in the image uses `1000:1000` because that's what the Dockerfile specifies. It has no correlation to anything else.
Author
First-time contributor
Copy link

Ack! You're right, I hope the updated text gives more clarity.

Ack! You're right, I hope the updated text gives more clarity.
benjaoming marked this conversation as resolved
@ -405,3 +405,3 @@
```
One way to run the Docker image is via Docker Compose. To do so, as root, first prepare a `data` directory with non-root permissions (in this case, we pick `1001:1001`):
One way to run the Docker image is via Docker Compose. To do so, as root, first prepare a `data` directory with non-root permissions. We pick `1001:1001` - which might incidentally match the first user added on a new system with `useradd`, otherwise adjust as needed:
Member
Copy link

the first user added on a new system with useradd

Incorrect. The majority of distributions ship with UID_MIN=1000, so 1001 would be the second user added.
And the goal here is to not match the main user, so as to limit what a compromised workflow can do to the system.

> the first user added on a new system with `useradd` Incorrect. The majority of distributions ship with `UID_MIN=1000`, so `1001` would be the second user added. And the goal here is to _not_ match the main user, so as to limit what a compromised workflow can do to the system.
Author
First-time contributor
Copy link

That's what I meant to say yeah, what I meant by "first user added", it's because most new systems install a user with ID 1000, so 1001 is the first "custom" user :)

Hope the update gives more clarity.

That's what I meant to say yeah, what I meant by "first user added", it's because most new systems install a user with ID 1000, so 1001 is the first "custom" user :) Hope the update gives more clarity.
Member
Copy link

You still don't want this to match with a user on the system. The entire "matches with a user" is irrelevant at best, unwanted at worst.

The existing line is good enough. If you really must write something here, then it should be about picking a UID that will not be used for a user on the system.

You still don't want this to match with a user on the system. The entire "matches with a user" is irrelevant at best, unwanted at worst. The existing line is good enough. If you really must write something here, then it should be about picking a UID that will not be used for a user on the system.
Author
First-time contributor
Copy link

I understand the structure of the documentation a bit in hindsight, so I had already stumbled upon the useradd --create-home runner in the "Binary installation" instructions, which I actually like :)

unwanted at worst.

That's what I want, too... I want the reader to actively decide to NOT use 1000 because that gives the Docker containers access to the default user... which is probably not what they want.

1001 is arbitrary in the sense that it may or may not match with an existing user.

The most deliberate action would be to create a user, then print out the ID, then use that ID?

I understand the structure of the documentation a bit in hindsight, so I had already stumbled upon the `useradd --create-home runner` in the "Binary installation" instructions, which I actually like :) > unwanted at worst. That's what I want, too... I want the reader to actively decide to NOT use `1000` because that gives the Docker containers access to the default user... which is probably not what they want. 1001 is arbitrary in the sense that it may or may not match with an existing user. The most deliberate action would be to create a user, then print out the ID, then use that ID?
Author
First-time contributor
Copy link

I've adjusted the text a bit.

But I think to have a clear path through the instructions, we might actually be better off with a preceding useradd instruction that gives people a secure baseline, guaranteeing that they don't unintentionally pick a user ID that's associated with something else on the host system.

What do you think about adding that?

I've adjusted the text a bit. But I think to have a clear path through the instructions, we might actually be better off with a preceding `useradd` instruction that gives people a secure baseline, guaranteeing that they don't unintentionally pick a user ID that's associated with something else on the host system. What do you think about adding that?
Member
Copy link

@benjaoming wrote in #1634 (comment):

The most deliberate action would be to create a user, then print out the ID, then use that ID?

No. I'll repeat: This UID should not match any user. "Create a user, then match the UID" is the opposite of "don't match a user", literally.
A UID should be picked for which there will never be a user on the system. As long as a user exists, there is a chance that it is given more permissions than it needs to.

But this shouldn't be elaborated in this document. That's what /admin/actions/security exists for. At most, this section should mention something like "pick a UID that doesn't match any user on the system", to not make the initial installation too complicated.
It's rather simple to change the UID afterwards.

@benjaoming wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8937915: > The most deliberate action would be to create a user, then print out the ID, then use that ID? No. I'll repeat: This UID should not match _any_ user. "Create a user, then match the UID" is the opposite of "don't match a user", literally. A UID should be picked for which there will never be a user on the system. As long as a user exists, there is a chance that it is given more permissions than it needs to. But this shouldn't be elaborated in this document. That's what `/admin/actions/security` exists for. At most, this section should mention something like "pick a UID that doesn't match any user on the system", to not make the initial installation too complicated. It's rather simple to change the UID afterwards.
Author
First-time contributor
Copy link

I mean it's great if it matches a user that's designated to the purpose.

What I don't like about 1001 is that someone might unknowingly add a user later with that ID for a different purpose. Since 1001 isn't listed in /etc/passwd, it's hard to tell that it's actually being used for this setup.

I'll strip it out now, not pursuing anymore discussion, thanks for the feedback 👍

I mean it's great if it matches a user that's **designated** to the purpose. What I don't like about 1001 is that someone might unknowingly add a user later with that ID for a different purpose. Since 1001 isn't listed in `/etc/passwd`, it's hard to tell that it's actually being used for this setup. I'll strip it out now, not pursuing anymore discussion, thanks for the feedback 👍
Author
First-time contributor
Copy link

Removed the proposed text. I'll leave it here for reference:

The idea is avoid unintentionally matching your default user's ID (1000). Instead, we pick an unused ID or an ID that matches a user account that you have designated to the runner. We configure the following docker-compose.yml to user the same ID.

Removed the proposed text. I'll leave it here for reference: > The idea is avoid unintentionally matching your default user's ID (1000). Instead, we pick an unused ID *or* an ID that matches a user account that you have designated to the runner. We configure the following `docker-compose.yml` to user the same ID.
Author
First-time contributor
Copy link

A UID should be picked for which there will never be a user on the system. As long as a user exists, there is a chance that it is given more permissions than it needs to.

That's also true 👍

> A UID should be picked for which there will never be a user on the system. As long as a user exists, there is a chance that it is given more permissions than it needs to. That's also true 👍
sclu1034 marked this conversation as resolved
@ -418,1 +412,3 @@
chmod g+s data/.cache
$ chown -R 1001:1001 data
$ chmod 775 data/.cache
$ chmod g+s data/.cache
Member
Copy link

As the line above says, this should be run as root. So the conventional prompt symbol would be #.
But why change this at all? It becomes much more tedious to copy this way.

As the line above says, this should be run as root. So the conventional prompt symbol would be `#`. But why change this at all? It becomes much more tedious to copy this way.
Author
First-time contributor
Copy link

Updated to fit in one-line copy paste

I don't think that creating a one-time setup.sh is conventional in a documentation. Blindly copy-pasting commands is like an anti-pattern that makes me, the reader, not actually read what I'm doing 😇

I hope the update is to your satisfaction.

Updated to fit in one-line copy paste I don't think that creating a one-time `setup.sh` is conventional in a documentation. Blindly copy-pasting commands is like an anti-pattern that makes me, the reader, not actually read what I'm doing 😇 I hope the update is to your satisfaction.
Member
Copy link

@benjaoming wrote in #1634 (comment):

Blindly copy-pasting commands is like an anti-pattern

Yes, but we cannot control what the reader does, and the fact is that readers do copy&paste. The best we can do is to make it both readable and not-error prone at the same time.

For that I usually prefer a clear one command per line is better than extra symbols or fancy one-liners. I don't mind if you want to remove the shebang and other parts related to making it a script, but I don't see a good reason to change the content.

@benjaoming wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8937699: > Blindly copy-pasting commands is like an anti-pattern Yes, but we cannot control what the reader does, and the fact is that readers _do_ copy&paste. The best we can do is to make it both readable and not-error prone at the same time. For that I usually prefer a clear one command per line is better than extra symbols or fancy one-liners. I don't mind if you want to remove the shebang and other parts related to making it a script, but I don't see a good reason to change the content.
Author
First-time contributor
Copy link

I'm just very convinced that if I don't add the prompt $, then the next reviewer will point out that all the other command-line instructions in the docs are using them 🙄

(btw I think this is a UI problem that has been solved in other documentation frameworks where the prompt symbol won't be part of the selected text for copy-pasting)

I'm just very convinced that if I don't add the prompt `$`, then the next reviewer will point out that all the other command-line instructions in the docs are using them 🙄 (btw I think this is a UI problem that has been solved in other documentation frameworks where the prompt symbol won't be part of the selected text for copy-pasting)
Contributor
Copy link

@benjaoming just to reassure you: once you have addressed @sclu1034 review comments to satisfaction it is extremely unlikely that someone else suggests something different. In my experience @sclu1034 reviews are very detailed and thorough.

@benjaoming just to reassure you: once you have addressed @sclu1034 review comments to satisfaction it is extremely unlikely that someone else suggests something different. In my experience @sclu1034 reviews are very detailed and thorough.
Author
First-time contributor
Copy link

That's cool, this is not worth discussing IMO, was just trying to get rid of a (for me) strange instruction to create a setup.sh file. I did some stuff, received more push-back, I hope we can conclude soon.

That's cool, this is not worth discussing IMO, was just trying to get rid of a (for me) strange instruction to create a `setup.sh` file. I did some stuff, received more push-back, I hope we can conclude soon.
Member
Copy link

It is true that other shell code blocks usually do have that prompt symbol. I guess the current version is a good enough compromise, then.

Or would be, I guess my comment was late.

It is true that other shell code blocks usually do have that prompt symbol. I guess the current version is a good enough compromise, then. Or would be, I guess my comment was late.
Contributor
Copy link

@benjaoming wrote in #1634 (comment):

I did some stuff, received more push-back, I hope we can conclude soon.

This is not push-back, this is the review cycle. When I'm on the receiving side of a review I tend to agree with the reviewer on all points, except when it makes no sense. As a pull request author (this is a personal view) I think I'm expected to propose a change that makes things better. Whatever a review asks me to do besides that objective I treat as a matter of preference and go along with it.

@benjaoming wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8944689: > I did some stuff, received more push-back, I hope we can conclude soon. This is not push-back, this is the review cycle. When I'm on the receiving side of a review I tend to agree with the reviewer on all points, except when it makes no sense. As a pull request author (this is a personal view) I think I'm expected to propose a change that makes things better. Whatever a review asks me to do besides that objective I treat as a matter of preference and go along with it.
Author
First-time contributor
Copy link

@earl-warren This is a meta thing about review culture etc... but I'm very grateful that people review and put an effort into it, and I think these are great comments, I just don't have the bandwidth to keep up.

My use of "push-back" comes from this understanding:

We are all selectively prioritizing where to put our efforts. For instance, I made the observation that I would like to remove the setup.sh-approach part and just write the commands as they are. At that point, I didn't have the follow-up review input in mind. In fact, I have no previous interaction experience in this repo IIRC.

Since my main purpose wasn't to update this part, then I would rather skip the change, given that a lot of scrutiny is applied here.

In an alternative version, no one would have cared and just said "yup, whatever" - that's what I mean by push-back. Not that it's ill-willed, but that it's a place where people specifically have opinions - as opposed to other places!

For instance, there was no review or comments on the firewall considerations, which surprises me 😄

@earl-warren This is a meta thing about review culture etc... but I'm very grateful that people review and put an effort into it, and I think these are great comments, I just don't have the bandwidth to keep up. My use of "push-back" comes from this understanding: We are all selectively prioritizing where to put our efforts. For instance, I made the observation that I would like to remove the `setup.sh`-approach part and just write the commands as they are. At that point, I didn't have the follow-up review input in mind. In fact, I have no previous interaction experience in this repo IIRC. Since my main purpose wasn't to update this part, then I would rather skip the change, given that a lot of scrutiny is applied here. In an alternative version, no one would have cared and just said "yup, whatever" - that's what I mean by push-back. Not that it's ill-willed, but that it's a place where people specifically have opinions - as opposed to other places! For instance, there was no review or comments on the firewall considerations, which surprises me 😄
Contributor
Copy link

but I'm very grateful that people review and put an effort into it, and I think these are great comments, I just don't have the bandwidth to keep up.

If you are pressed by time, doing what the review suggests is a lot faster than arguing against it.

> but I'm very grateful that people review and put an effort into it, and I think these are great comments, I just don't have the bandwidth to keep up. If you are pressed by time, doing what the review suggests is a lot faster than arguing against it.
Contributor
Copy link

@benjaoming wrote in #1634 (comment):

For instance, there was no review or comments on the firewall considerations, which surprises me 😄

They are generic considerations with specific examples that require interpretation from the reader. There is little room for misleading anyone and it can inspire someone. The accuracy of the information there is of no real consequence.

@benjaoming wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8945460: > For instance, there was no review or comments on the firewall considerations, which surprises me :smile: They are generic considerations with specific examples that require interpretation from the reader. There is little room for misleading anyone and it can inspire someone. The accuracy of the information there is of no real consequence.
Author
First-time contributor
Copy link

If you are pressed by time, doing what the review suggests is a lot faster than arguing against it.

That was the strategy, I think you've missed it.. but should be evident from the amount of commits 😉

> If you are pressed by time, doing what the review suggests is a lot faster than arguing against it. That was the strategy, I think you've missed it.. but should be evident from the amount of commits 😉
sclu1034 marked this conversation as resolved
Update docs/admin/actions/runner-installation.md
Some checks failed
pr / preview (pull_request_target) Failing after 1m0s
769a7ef186
Author
First-time contributor
Copy link

@earl-warren

The basic structure is to have two services for runner, but where runner-register inherits from runner. This is mainly to ensure consistency with the volume + image name.

Running docker compose run runner-register on an existing system looks like this (I had already bootstrapped this system with the command).

$ docker compose run runner-register
[+] Creating 1/1
 ✔ Container docker_dind Running 0.0s 
INFO Registering runner, arch=amd64, os=linux, version=v12.1.2. 
WARN Runner in user-mode. 
INFO Runner is already registered, overwrite local config? [y/N]

The interaction will happen directly in the user's terminal, that's how docker compose run <service> works 👍

I suppose a minimum docker-compose version is required for that to work properly.

Can you explain more about what you mean here? I removed the version "3.8" here because docker compose does not require nor recommend having this anymore - but maybe you're referring to something else?

@earl-warren The basic structure is to have two services for `runner`, but where `runner-register` inherits from `runner`. This is **mainly** to ensure consistency with the volume + image name. Running `docker compose run runner-register` on an existing system looks like this (I had already bootstrapped this system with the command). ``` $ docker compose run runner-register [+] Creating 1/1 ✔ Container docker_dind Running 0.0s INFO Registering runner, arch=amd64, os=linux, version=v12.1.2. WARN Runner in user-mode. INFO Runner is already registered, overwrite local config? [y/N] ``` The interaction will happen directly in the user's terminal, that's how `docker compose run <service>` works 👍 > I suppose a minimum docker-compose version is required for that to work properly. Can you explain more about what you mean here? I removed the version "3.8" here because docker compose does not require nor recommend having this anymore - but maybe you're referring to something else?
Lint issues
All checks were successful
pr / preview (pull_request_target) Successful in 1m25s
e6a69f8297
Collaborator
Copy link

Preview ready: https://forgejo.codeberg.page/@docs_pull_1634/
https://forgejo.codeberg.page/@docs_pull_1634/docs/next/admin/actions/runner-installation/

Preview ready: https://forgejo.codeberg.page/@docs_pull_1634/ https://forgejo.codeberg.page/@docs_pull_1634/docs/next/admin/actions/runner-installation/
Adjust instructions/comment for picking user ID
Some checks failed
pr / preview (pull_request_target) Failing after 19s
7f935aa121
Update to revert proposed changes in explaining choice if user/group ID
All checks were successful
pr / preview (pull_request_target) Successful in 1m23s
a99850d9c6
Contributor
Copy link

@benjaoming wrote in #1634 (comment):

👍

I suppose a minimum docker-compose version is required for that to work properly.

Can you explain more about what you mean here? I removed the version "3.8" here because docker compose does not require nor recommend having this anymore - but maybe you're referring to something else?

I meant that it would be good to specify: "this will work out of the box with docker compose version X and above".

@benjaoming wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8937735: > :+1: > > > I suppose a minimum docker-compose version is required for that to work properly. > > Can you explain more about what you mean here? I removed the version "3.8" here because docker compose does not require nor recommend having this anymore - but maybe you're referring to something else? I meant that it would be good to specify: "this will work out of the box with docker compose version X and above".
Author
First-time contributor
Copy link

I meant that it would be good to specify: "this will work out of the box with docker compose version X and above".

I think that writing commands as docker compose rather than docker-compose is enough. There hasn't been a lot of instability in the most recent years, and AFAIK this configuration isn't risky. We could add an inline comment like # Tested on docker compose 2.40". The thing is also that docker compose` (the tool) has one version numbering while the configuration schema is something I think they stopped maintaining.

From their docs:

Version two of the Docker Compose command-line binary was announced in 2020, is written in Go, and is invoked with docker compose. Compose v2 ignores the version top-level element in the compose.yaml file.

https://docs.docker.com/reference/compose-file/version-and-name/
https://docs.docker.com/compose/intro/history/

> I meant that it would be good to specify: "this will work out of the box with docker compose version X and above". I think that writing commands as `docker compose` rather than `docker-compose` is enough. There hasn't been a lot of instability in the most recent years, and AFAIK this configuration isn't risky. We could add an inline comment like `# Tested on docker compose 2.40". The thing is also that `docker compose` (the tool) has one version numbering while the configuration schema is something I think they stopped maintaining. From their docs: > Version two of the Docker Compose command-line binary was announced in 2020, is written in Go, and is invoked with docker compose. Compose v2 ignores the version top-level element in the compose.yaml file. https://docs.docker.com/reference/compose-file/version-and-name/ https://docs.docker.com/compose/intro/history/
@ -405,3 +405,3 @@
```
One way to run the Docker image is via Docker Compose. To do so, as root, first prepare a `data` directory with non-root permissions (in this case, we pick `1001:1001`):
We need to observe that the user ID has creditials for the Docker volume that we mount for storing data.
Member
Copy link

Minor correction on terminology: The examples don't mount a "Docker volume", they (bind-)mount a host directory.

"Docker volume" specifically relates to something like docker volume create runner-data, and while technically an option, too, it would make accessing the config file much harder.

Minor correction on terminology: The examples don't mount a "Docker volume", they (bind-)mount a host directory. "Docker volume" specifically relates to something like `docker volume create runner-data`, and while technically an option, too, it would make accessing the config file much harder.
Author
First-time contributor
Copy link

That's fair! I had this in mind when writing it:

 volumes:
 - ./data:/data

So it's a docker volume, but it's also a bind mount? 😄

I tried to reword to get out of the pickle. I ended up changing the flow of the text a bit.

That's fair! I had this in mind when writing it: ``` volumes: - ./data:/data ``` So it's a docker volume, but it's also a bind mount? 😄 I tried to reword to get out of the pickle. I ended up changing the flow of the text a bit.
benjaoming marked this conversation as resolved
Update docs/admin/actions/runner-installation.md
All checks were successful
pr / preview (pull_request_target) Successful in 1m25s
bcf780d7a7
Contributor
Copy link

@benjaoming wrote in #1634 (comment):

I think that writing commands as docker compose rather than docker-compose is enough.

Ok. You could also just set the minimum version to the same version you are currently using. It will help in case someone runs into a problem that is unrelated, to rule that out as the possible cause. It is just an example so no need to be very precise on how far back you can go.

@benjaoming wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8944617: > I think that writing commands as `docker compose` rather than `docker-compose` is enough. Ok. You could also just set the minimum version to the same version you are currently using. It will help in case someone runs into a problem that is unrelated, to rule that out as the possible cause. It is just an example so no need to be very precise on how far back you can go.
Author
First-time contributor
Copy link

I meant that it would be good to specify: "this will work out of the box with docker compose version X and above".

Ok. You could also just set the minimum version to the same version you are currently using. It will help in case someone runs into a problem that is unrelated, to rule that out as the possible cause. It is just an example so no need to be very precise on how far back you can go.

I have personally tested it on Docker Compose v2.40 - should we note that somewhere? I think an inline comment in the docker compose YAML will put it somewhere that it might be noticed and updated, since if future documentation writers change the configuration YAML, they can then notice that we're maintaing a "last tested on" comment

Alternatively, if I "bake" it into the paragraph text, there's a high chance it'll go unnoticed for the next 5 years and then suddenly no one else uses that version...

> I meant that it would be good to specify: "this will work out of the box with docker compose version X and above". > Ok. You could also just set the minimum version to the same version you are currently using. It will help in case someone runs into a problem that is unrelated, to rule that out as the possible cause. It is just an example so no need to be very precise on how far back you can go. I have personally tested it on Docker Compose v2.40 - should we note that somewhere? I think an inline comment in the docker compose YAML will put it somewhere that it might be noticed and updated, since if future documentation writers change the configuration YAML, they can then notice that we're maintaing a "last tested on" comment ❓ Alternatively, if I "bake" it into the paragraph text, there's a high chance it'll go unnoticed for the next 5 years and then suddenly no one else uses that version...
Contributor
Copy link

@benjaoming wrote in #1634 (comment):

I meant that it would be good to specify: "this will work out of the box with docker compose version X and above".

Ok. You could also just set the minimum version to the same version you are currently using. It will help in case someone runs into a problem that is unrelated, to rule that out as the possible cause. It is just an example so no need to be very precise on how far back you can go.

I have personally tested it on Docker Compose v2.40 - should we note that somewhere? I think an inline comment in the docker compose YAML will put it somewhere that it might be noticed and updated, since if future documentation writers change the configuration YAML, they can then notice that we're maintaing a "last tested on" comment

Alternatively, if I "bake" it into the paragraph text, there's a high chance it'll go unnoticed for the next 5 years and then suddenly no one else uses that version...

I withdraw my suggestion.

@benjaoming wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8944887: > > I meant that it would be good to specify: "this will work out of the box with docker compose version X and above". > > > Ok. You could also just set the minimum version to the same version you are currently using. It will help in case someone runs into a problem that is unrelated, to rule that out as the possible cause. It is just an example so no need to be very precise on how far back you can go. > > I have personally tested it on Docker Compose v2.40 - should we note that somewhere? I think an inline comment in the docker compose YAML will put it somewhere that it might be noticed and updated, since if future documentation writers change the configuration YAML, they can then notice that we're maintaing a "last tested on" comment :question: > > Alternatively, if I "bake" it into the paragraph text, there's a high chance it'll go unnoticed for the next 5 years and then suddenly no one else uses that version... I withdraw my suggestion.
Re-word to avoid conflating "docker volume" with "bind mount"
All checks were successful
pr / preview (pull_request_target) Successful in 1m26s
18b13382eb
Track Docker Compose testing version
All checks were successful
pr / preview (pull_request_target) Successful in 1m25s
816e744ffb

The text looks good now 👍

The one command that might be worth mentioning for completeness is the final docker compose up -d, since the registration leaves you with only the dind instance running.

The text looks good now 👍 The one command that might be worth mentioning for completeness is the final `docker compose up -d`, since the registration leaves you with only the dind instance running.
Remove tracking Docker Compose version again
Some checks failed
pr / preview (pull_request_target) Failing after 1m55s
5aac5b27ec
Forgot docker compose up in the instructions 🤪 🙏
All checks were successful
pr / preview (pull_request_target) Successful in 1m23s
ef26b2a1ad
Author
First-time contributor
Copy link

The one command that might be worth mentioning for completeness is the final docker compose up -d, since the registration leaves you with only the dind instance running.

Oof I forgot that, thanks @sclu1034 🙏 - I've written both docker compose commands as block code now, I think it makes it easier for the reader to skim the document, because previously I put the docker compose run runner-register inline which is very easy to miss.

> The one command that might be worth mentioning for completeness is the final docker compose up -d, since the registration leaves you with only the dind instance running. Oof I forgot that, thanks @sclu1034 🙏 - I've written both docker compose commands as block code now, I think it makes it easier for the reader to skim the document, because previously I put the `docker compose run runner-register` *inline* which is very easy to miss.
Author
First-time contributor
Copy link

@earl-warren I've removed the version again from the Docker Compose configuration 👍

@earl-warren I've removed the version again from the Docker Compose configuration 👍
Author
First-time contributor
Copy link

Thanks for the reviews 🙏

Thanks for the reviews 🙏
@ -468,3 +473,3 @@
More [docker compose](https://docs.docker.com/compose/) examples [are provided](https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose) to demonstrate how to install the OCI image to successfully run a workflow.
### Firewall considerations
Member
Copy link

I'm sceptical it's the right place. There is a separate chapter "Securing Forgejo Actions Deployments" where it would fit better. Apart from that, I'm also not sure whether providing example commands makes sense. There are so many programs to manage firewall rules... For example, Fedora has firewall-cmd. Are any of those commands applicable? What if someone uses a separate appliance?

In my opinion, it's better to explain what should be done in general terms and refer to the documentation of the respective tools for the details.

I'm sceptical it's the right place. There is a separate chapter "Securing Forgejo Actions Deployments" where it would fit better. Apart from that, I'm also not sure whether providing example commands makes sense. There are so many programs to manage firewall rules... For example, Fedora has `firewall-cmd`. Are any of those commands applicable? What if someone uses a separate appliance? In my opinion, it's better to explain what should be done in general terms and refer to the documentation of the respective tools for the details.
Member
Copy link

@aahlenst wrote in #1634 (comment):

There are so many programs to manage firewall rules... For example, Fedora has firewall-cmd. Are any of those commands applicable? What if someone uses a separate appliance?

By that logic, we shouldn't provide Docker examples either. Or Systemd.

But the reality is that certain applications are well known within their use cases, so they can serve as examples for others to translate from as well. And I would put IPTables into that category of "known by most".
So I don't see any harm in providing both the general description and examples for one well known tool.

@aahlenst wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8945910: > There are so many programs to manage firewall rules... For example, Fedora has `firewall-cmd`. Are any of those commands applicable? What if someone uses a separate appliance? By that logic, we shouldn't provide Docker examples either. Or Systemd. But the reality is that certain applications are well known within their use cases, so they can serve as examples for others to translate from as well. And I would put IPTables into that category of "known by most". So I don't see any harm in providing both the general description and examples for one well known tool.
Member
Copy link

By that logic, we shouldn't provide Docker examples either. Or Systemd.

That takes what I wrote to an extreme.

So I don't see any harm in providing both the general description and examples for one well known tool.

Right now, the proposed text includes both iptables and ufw. It also writes rules to a file instead of using the ufw command line tool. Ideally, there should be links that help me discover what each command does. For example, I'm curious whether /16 is the netmask.

I'm not against including example commands at all. But the emphasis should be on the concepts, less on the commands.

> By that logic, we shouldn't provide Docker examples either. Or Systemd. That takes what I wrote to an extreme. > So I don't see any harm in providing both the general description and examples for one well known tool. Right now, the proposed text includes both `iptables` and `ufw`. It also writes rules to a file instead of using the `ufw` command line tool. Ideally, there should be links that help me discover what each command does. For example, I'm curious whether `/16` is the netmask. I'm not against including example commands at all. But the emphasis should be on the concepts, less on the commands.
Member
Copy link

@aahlenst wrote in #1634 (comment):

By that logic, we shouldn't provide Docker examples either. Or Systemd.

That takes what I wrote to an extreme.

It doesn't draw arbitrary lines which tools are or aren't eligible to be named in examples.

@aahlenst wrote in #1634 (comment):

It also writes rules to a file instead of using the ufw command line tool.

The cli doesn't allow specifying a chain.

@aahlenst wrote in #1634 (comment):

I'm curious whether /16 is the netmask

It's quite safe to assume that any kind of <ip>/<number> in a networking context is going to be a CIDR, unless it's actually marked otherwise.

@aahlenst wrote in #1634 (comment):

Ideally, there should be links that help me discover what each command does

Like I said, too complicated doesn't help here. A lengthy explanation of setting up networking around Forgejo and the runner would be great, but needs an entirely different mindset of the user to actually sit down and work through.
A "quick tip" style like this one here, however, works best if it deliberately skips that and stays short and to the point.

@aahlenst wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8947440: > > By that logic, we shouldn't provide Docker examples either. Or Systemd. > > That takes what I wrote to an extreme. It doesn't draw arbitrary lines which tools are or aren't eligible to be named in examples. @aahlenst wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8947440: > It also writes rules to a file instead of using the `ufw` command line tool. The cli doesn't allow specifying a chain. @aahlenst wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8947440: > I'm curious whether `/16` is the netmask It's quite safe to assume that any kind of `<ip>/<number>` in a networking context is going to be a CIDR, unless it's actually marked otherwise. @aahlenst wrote in https://codeberg.org/forgejo/docs/pulls/1634#issuecomment-8947440: > Ideally, there should be links that help me discover what each command does Like I said, too complicated doesn't help here. A lengthy explanation of setting up networking around Forgejo and the runner would be great, but needs an entirely different mindset of the user to actually sit down and work through. A "quick tip" style like this one here, however, works best if it deliberately skips that and stays short and to the point.
Member
Copy link

Like I said, too complicated doesn't help here.

I am not asking for making it complicated or long. I'm asking for not providing commands to copy and paste without explaining what they do and what their consequences are. If explaining those consequences makes it too long or too complicated, then it's not a quick tip to begin with.

Apart from that, packet filtering is not required to get up and running. If that were the case, I wouldn't say anything. I don't want people showing up here complaining that their VPN doesn't work anymore because of a wrong netmask or that they cannot reach Forgejo (which is accidentally hosted on the same network) or that their workflows break in mysterious ways.

A quick tip that "stays short and to the point" would be: "If the runner is attached to a local network, consider adding a firewall rule to block Docker containers from accessing other resources on the network. Please consult the manual of your operating system or firewall for how to do so."

> Like I said, too complicated doesn't help here. I am not asking for making it complicated or long. I'm asking for not providing commands to copy and paste without explaining what they do and what their consequences are. If explaining those consequences makes it too long or too complicated, then it's not a quick tip to begin with. Apart from that, packet filtering is not required to get up and running. If that were the case, I wouldn't say anything. I don't want people showing up here complaining that their VPN doesn't work anymore because of a wrong netmask or that they cannot reach Forgejo (which is accidentally hosted on the same network) or that their workflows break in mysterious ways. A quick tip that "stays short and to the point" would be: "If the runner is attached to a local network, consider adding a firewall rule to block Docker containers from accessing other resources on the network. Please consult the manual of your operating system or firewall for how to do so."
@ -470,1 +474,4 @@
### Firewall considerations
If the runner is attached to a local network, consider adding a firewall rule to block Docker containers from accessing other resources on the network.
Member
Copy link

That needs a lot more nuance and considerations. For example, runners might need to access local caches. What can break?

That needs a lot more nuance and considerations. For example, runners might need to access local caches. What can break?
Member
Copy link

Too complicated doesn't help either, because then the average person who isn't a network engineer will just give up.

For an article dedicated to networking around the runner it would make sense to elaborate, but for a quick "if you're hosting this at home, remember to exclude your home network" this looks fine to me.

Too complicated doesn't help either, because then the average person who isn't a network engineer will just give up. For an article dedicated to networking around the runner it would make sense to elaborate, but for a quick "if you're hosting this at home, remember to exclude your home network" this looks fine to me.
Author
First-time contributor
Copy link

"if you're hosting this at home, remember to exclude your home network"

That was EXACTLY the intention 🎯 Would it help if the word "home network" or "laptop" is added? I don't wanna scare very simple setups off - but I also don't think it's a good idea to leave the topic unaddressed so that the average user will have to do their own research.

Runners accessing other resources on a local network seem advanced enough, that I assume an administrator of such a setup would know what they're doing.

Btw regarding firewall-cmd, I think it could be added later by someone who uses it - since these are just quick examples, mentioning a few firewall configurations won't harm, since the intention is to provide initial guidance for users that would otherwise expose their home network 👍

from @aahlenst 's other comment:

There is a separate chapter "Securing Forgejo Actions Deployments" where it would fit better.

What about moving it there, but cross-referencing it from this guide? For instance with the text "If your setup is attached to a local network, for instance your home network or a portable laptop, then we recommend to see our Firewall Considerations [link]"

> "if you're hosting this at home, remember to exclude your home network" That was EXACTLY the intention 🎯 Would it help if the word "home network" or "laptop" is added? I don't wanna scare very simple setups off - but I also don't think it's a good idea to leave the topic unaddressed so that the average user will have to do their own research. Runners accessing other resources on a local network seem advanced enough, that I assume an administrator of such a setup would know what they're doing. Btw regarding `firewall-cmd`, I think it could be added later by someone who uses it - since these are just quick examples, mentioning a few firewall configurations won't harm, since the intention is to provide initial guidance for users that would otherwise expose their home network 👍 from @aahlenst 's other comment: > There is a separate chapter "Securing Forgejo Actions Deployments" where it would fit better. What about moving it there, but cross-referencing it from this guide? For instance with the text "If your setup is attached to a local network, for instance your home network or a portable laptop, then we recommend to see our Firewall Considerations [link]" ❓
Member
Copy link

For an article dedicated to networking around the runner it would make sense to elaborate, but for a quick "if you're hosting this at home, remember to exclude your home network" this looks fine to me.

I'm asking for the documentation to spell out the consequences. For example, what happens if Forgejo is hosted on the same network or someone uses the cache included in Forgejo Runner? Are those still accessible?

> For an article dedicated to networking around the runner it would make sense to elaborate, but for a quick "if you're hosting this at home, remember to exclude your home network" this looks fine to me. I'm asking for the documentation to spell out the consequences. For example, what happens if Forgejo is hosted on the same network or someone uses the cache included in Forgejo Runner? Are those still accessible?
Author
First-time contributor
Copy link

I'm asking for the documentation to spell out the consequences. For example, what happens if Forgejo is hosted on the same network or someone uses the cache included in Forgejo Runner? Are those still accessible?

I'm asking for the documentation to spell out the consequences. For example, what happens if Forgejo is hosted on the same network or someone uses the cache included in Forgejo Runner? Are those still accessible?
All checks were successful
pr / preview (pull_request_target) Successful in 1m23s
Required
Details
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u benjaoming-docs-runner-installation:benjaoming-benjaoming-docs-runner-installation
git switch benjaoming-benjaoming-docs-runner-installation
Sign in to join this conversation.
No reviewers
Labels
Clear labels
404

Broken links or missing content
backport/v1.19

Changes which should be backported to the v1.19 docs

Archived

backport/v1.20

Changes which should be backported to the v1.20 docs

Archived

backport/v1.21

Changes which should be backported to the v1.21 docs

Archived

backport/v10.0

Automated backport to v10.0

Archived

backport/v11.0

Automated backport to v11.0
backport/v12.0

Automated backport to v12.0

Archived

backport/v13.0

Automated backport to v13.0
backport/v14.0

Automated backport to v14.0
backport/v7.0

Automated backport to the v7.0 docs

Archived

backport/v8.0

Automated backport to the v8.0 docs

Archived

backport/v9.0

Automated backport to the v9.0 docs

Archived

good first issue

This issue is suitable for "drive-by contributors" wanting to contribute for the first time, and fixing it should be straightforward.
meta

Tooling and processes for maintaining the docs
new docs

Content to be added to the documentation

Archived

User research - Accessibility

Requires input about accessibility features, likely involves user testing.
User research - Blocked

Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community

Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)

Instance-wide configuration, authentication and other admin-only needs.
User research - Errors

How to deal with errors in the application and write helpful error messages.
User research - Filters

How filter and search is being worked with.
User research - Future backlog

The issue might be inspiring for future design work.
User research - Git workflow

AGit, fork-based and new Git workflow, PR creation etc
User research - Labels

Active research about Labels
User research - Moderation

Moderation Featuers for Admins are undergoing active User Research
User research - Needs input

Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard

Research on how users should know what to do next.
User research - Rendering

Text rendering, markup languages etc
User research - Repo creation

Active research about the New Repo dialog.
User research - Repo units

The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)

How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
5 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/docs!1634
Reference in a new issue
forgejo/docs
No description provided.
Delete branch "benjaoming/docs:benjaoming-docs-runner-installation"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?