Running GitLab CI Pipelines with Rootless Podman: A Lightweight Solution

Running containers in CI/CD pipelines has become the norm, and GitLab CI makes it incredibly easy to integrate them into your workflows. But what if you want a more secure, rootless option? That’s where Podman comes in. With its ability to run containers without root privileges, Podman is gaining popularity as a safe alternative to Docker. In this post, I’ll guide you through setting up and running rootless Podman in GitLab CI, giving you the best of both worlds — security and efficiency. Let's go through the setup.
Please note that the content below is a bit advanced and requires working knowledge of Kubernetes and Gitlab.
Setup
There are two main pieces of configuration needed to run Podman in Gitlab CI:
- Setup Kubernetes Cluster with CRI-O CNI enabled
- Deploy Gitlab Runner with rootless Podman for container build and execution
I. Setup Kubernetes Cluster with CRI-O CNI enabled
I am bringing up the Kubernetes cluster with Kubeadm on an Ubuntu VM for this use case. Below are the steps required to start from zero.
1. Update base Ubuntu install
sudo apt update && sudo apt -y upgrade
2. Install utilities required for subsequent steps
sudo apt install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common
3. Disable swap
sudo swapoff -a
4. Comment out the swap line in the fstab file and save the change
sudo vi /etc/fstab
5. Enable ip forwarding
sudo sysctl -w net.ipv4.ip_forward=1
6. Add net.ipv4.ip_forward = 1 to persistent config
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
EOF
7. Load br_netfilter and overlay module
sudo modprobe br_netfilter
sudo modprobe overlay
8. Add br_netfilter and overlay to persistent config
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf…
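Steps 3 to 8 each change node state that kubeadm's preflight checks will later complain about (swap still active, forwarding off, bridge netfilter missing), and it is easy to do the runtime half of a step and forget the persistent half. The script below is an added example, not part of the original post: it verifies each prerequisite twice, once as the kernel currently sees it (/proc/swaps, /proc/sys, /proc/modules or /sys/module) and once as persisted in the files the steps above write (/etc/fstab, /etc/sysctl.d/k8s.conf, /etc/modules-load.d/k8s.conf). The function names and the optional root-prefix argument are my own choices; the paths are the ones used in the steps plus the standard procfs and sysfs locations.

```shell
#!/bin/sh
# Node preflight check for the kubeadm prerequisites in steps 3-8 above:
# swap off (and commented out of /etc/fstab), net.ipv4.ip_forward=1 both at
# runtime and persisted, br_netfilter/overlay loaded and persisted.
# Added example, not from the original post. Every check takes the file it
# reads as an argument so the same functions run against the live host
# (defaults) or against constructed fixture files.

# /proc/swaps has a header line; anything after it is an active swap device.
swap_is_off() {
  swaps="${1:-/proc/swaps}"
  [ -r "$swaps" ] || return 0          # no /proc/swaps: nothing can be swapped
  [ -z "$(tail -n +2 "$swaps")" ]
}

# fstab fields: <device> <mountpoint> <type> ...; a row whose first field starts
# with '#' is commented out, so only uncommented rows with type "swap" count.
fstab_swap_commented() {
  fstab="${1:-/etc/fstab}"
  [ -r "$fstab" ] || return 0
  active=$(awk '$1 !~ /^#/ && $3 == "swap" { n++ } END { print n+0 }' "$fstab")
  [ "$active" -eq 0 ]
}

# Runtime value of the sysctl, read straight from /proc/sys.
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Persisted value: the line step 6 writes to /etc/sysctl.d/k8s.conf.
ip_forward_persisted() {
  conf="${1:-/etc/sysctl.d/k8s.conf}"
  [ -r "$conf" ] && grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf"
}

# /proc/modules lists loadable modules by name in the first field. A module
# compiled into the kernel never appears there but does get a /sys/module
# directory, so accept either (overlay is often built in).
module_loaded() {
  mod="$1"; modules="${2:-/proc/modules}"; sysdir="${3:-/sys/module}"
  { [ -r "$modules" ] && awk -v m="$mod" '$1 == m { f=1 } END { exit f ? 0 : 1 }' "$modules"; } \
    || [ -d "$sysdir/$mod" ]
}

# Persisted module list: one module name per line, as written in step 8.
module_persisted() {
  mod="$1"; conf="${2:-/etc/modules-load.d/k8s.conf}"
  [ -r "$conf" ] && grep -Eq "^[[:space:]]*${mod}[[:space:]]*$" "$conf"
}

# Run every check under an optional root prefix (empty for the live host, a
# fixture directory in tests). Prints one PASS/FAIL line per check and returns
# the number of failures, so a non-zero status means the node is not ready.
node_preflight() {
  root="${1:-}"
  fails=0
  check() {
    label="$1"; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
  }
  check "swap is off"                                 swap_is_off "$root/proc/swaps"
  check "no active swap entry in /etc/fstab"          fstab_swap_commented "$root/etc/fstab"
  check "net.ipv4.ip_forward=1 at runtime"            ip_forward_enabled "$root/proc/sys/net/ipv4/ip_forward"
  check "net.ipv4.ip_forward=1 persisted in sysctl.d" ip_forward_persisted "$root/etc/sysctl.d/k8s.conf"
  for m in br_netfilter overlay; do
    check "module $m loaded"                          module_loaded "$m" "$root/proc/modules" "$root/sys/module"
    check "module $m persisted in modules-load.d"     module_persisted "$m" "$root/etc/modules-load.d/k8s.conf"
  done
  return "$fails"
}

# `sh preflight.sh run` checks the live host; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then node_preflight; fi
```

Run it as `sh preflight.sh run` after step 8 and before `kubeadm init`; every line should read PASS. The split between runtime and persisted checks is deliberate: a node that passes only the runtime half will silently lose swap-off and forwarding on its next reboot, which is exactly the kind of drift that shows up later as a runner pod that cannot reach the network.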