add dind-rootless

.github/workflows/build.yml

@@ -41,6 +41,8 @@ jobs:
             DOCKER_IMAGE_TAG: latest
           - DOCKER_IMAGE_FLAVOR: dind
             DOCKER_IMAGE_TAG: dind-latest
+          - DOCKER_IMAGE_FLAVOR: dind-rootless
+            DOCKER_IMAGE_TAG: dind-rootless-latest
       fail-fast: true
     steps:
     - name: Show environment variables

image/Dockerfile

@@ -27,7 +27,7 @@ ARG UPX_COMPRESS=true
 
 ARG BASE_LAYER_CACHE_KEY
 
-# dood|dind
+# dood|dind|dind-rootless
 ARG FLAVOR
 
 RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
@@ -124,8 +124,25 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
     curl -sSfL "https://raw.githubusercontent.com/moby/moby/v24.0.2/hack/dind" -o /usr/local/bin/dind-hack
     chmod +x /usr/local/bin/dind-hack
 
+    if [[ $FLAVOR == dind-rootless ]]; then
+      # https://docs.docker.com/engine/security/rootless/
+      apt-get install --no-install-recommends -y \
+        dbus-user-session \
+        docker-ce-rootless-extras \
+        kmod \
+        iproute2 \
+        slirp4netns \
+        uidmap
+
+      runuser -u act -g act -- /usr/bin/dockerd-rootless-setuptool.sh install --skip-iptables
+
+      # workaround "failed to load plugin io.containerd.internal.v1.opt  error="mkdir /opt/containerd: permission denied"
+      mkdir /opt/containerd
+      chown act:act /opt/containerd
+    else
       usermod -aG docker act
     fi
+  fi
 
   echo "#################################################"
   echo "Cleanup..."

image/run.sh

@@ -33,7 +33,31 @@ fi
 #################################################################
 # start docker deamon (if installed = DinD)
 #################################################################
-if [[ -f /usr/bin/dockerd ]]; then
+if [[ -f /etc/init.d/docker-rootless ]]; then
+  export DOCKER_MODE=dind-rootless
+  log INFO "Starting Docker engine (rootless)..."
+  export DOCKER_HOST=unix://$HOME/.docker/run/docker.sock
+  if [ ! -f $HOME/.config/docker/daemon.json ]; then
+    # workaround for "Not using native diff for overlay2, this may cause degraded performance for building images: running in a user namespace  storage-driver=overlay2"
+    mkdir -p $HOME/.config/docker
+    echo '{"storage-driver":"fuse-overlayfs"}' > $HOME/.config/docker/daemon.json
+  fi
+
+  export container=docker # from dind-hack
+  export XDG_RUNTIME_DIR=$HOME/.docker/run
+  mkdir -p $XDG_RUNTIME_DIR
+  rm -f $XDG_RUNTIME_DIR/docker.pid $XDG_RUNTIME_DIR/docker/containerd/containerd.pid
+  /usr/bin/dockerd-rootless.sh -p $HOME/.docker/run/docker.pid > "$HOME/.docker/docker.log" 2>&1 &
+  export DOCKER_PID=$!
+  while ! docker stats --no-stream &>/dev/null; do
+    log INFO "Waiting for Docker engine to start..."
+    sleep 2
+    tail -n 1 /data/.docker/docker.log
+  done
+  echo "==========================================================="
+  docker info
+  echo "==========================================================="
+elif [[ -f /usr/bin/dockerd ]]; then
   export DOCKER_MODE=dind
   log INFO "Starting Docker engine..."
   sudo rm -f /var/run/docker.pid /run/docker/containerd/containerd.pid

image/run_runner.sh

@@ -15,7 +15,8 @@ cd /data
 #################################################################
 # ensure act user has read/write access to /var/run/docker.sock
 #################################################################
-if [[ ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ]]; then
+if [[ $DOCKER_MODE != "dind-rootless" ]]; then
+  if [[ ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ]]; then
     docker_group=$(stat -c '%G' /var/run/docker.sock)
     if [[ $docker_group == "UNKNOWN" ]]; then
       docker_gid=$(stat -c '%g' /var/run/docker.sock)
@@ -28,6 +29,7 @@ if [[ ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ]]; then
       log INFO "Adding user [act] to docker group [$(getent group $docker_group)]..."
       sudo usermod -aG $docker_group act
     fi
+  fi
 fi