# Using dagger inside (rootless) podman woodpecker CI?


abstract vale

Hello,

I've made a small dagger script that can compile, test and package the app and push the image to a registry. It works great locally.

I'm using a self-hosted forgejo + woodpecker CI using rootless podman. Is there any way to integrate dagger here so I can automate my builds? Currently it fails with:

```
1   : connect
1   : connect ERROR [0.0s]
1   : ! start engine: driver for scheme "image" was not available
```

lavish estuary

hey @abstract vale! Dagger doesn't work with rootless OCI runtimes unfortunately. https://docs.dagger.io/faq/#why-does-the-dagger-engine-need-to-run-in-a-privileged-container

what other users in the community end up doing is to set up a separate pool of rootful workers to run their pipelines in there if you have very strict security constraints


abstract vale

Ah, that's a shame. I will have to ponder how to integrate some rootful workers!

abstract vale

Hmm, doing a quick test with normal root docker as a runner and running docker version from docker:cli works:

```
+ docker version
Client:
 Version:           29.0.0
 API version:       1.52
 Go version:        go1.25.4
 Git commit:        3d4129b
 Built:             Mon Nov 10 21:45:29 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          29.0.0
  API version:      1.52 (minimum version 1.44)
  Go version:       go1.25.4
  Git commit:       d105562
  Built:            Mon Nov 10 21:47:52 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.1.5
  GitCommit:        fcd43222d6b07379a4be9786bda52438f0dd16a1
 runc:
  Version:          1.3.3
  GitCommit:        v1.3.3-0-gd842d77
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

Using the same configuration (environment variable for the DOCKER_HOST) still gives me the same error as above:

```yaml
steps:
  - name: test
    image: docker:cli
    environment:
      DOCKER_HOST: 'tcp://docker:2376'
      DOCKER_CERT_PATH: '/dind-certs/client'
      DOCKER_TLS_VERIFY: '1'
    volumes:
      - /opt/woodpeckerci/dind-certs:/dind-certs
    commands:
      - docker version

  - name: build
    image: hexpm/elixir:1.18.4-erlang-25.0.4-debian-trixie-20250908-slim
    volumes:
      - /opt/woodpeckerci/dind-certs:/dind-certs
    environment:
      DOCKER_HOST: 'tcp://docker:2376'
      DOCKER_CERT_PATH: '/dind-certs/client'
      DOCKER_TLS_VERIFY: '1'
    commands:
      - apt update
      - apt install -y git
      - elixir ci.exs
```

dense sage

Hi everyone!

Sorry, I'm jumping on the thread....

What do you define as "rootless"?

I've been using dagger through podman using my normal user since yesterday and it seems to work flawlessly.

While podman is running as non-root, dagger container is started with --privileged though. Do you consider that rootless?

I'm designing a new CI from scratch and I'd like to make the correct decision right now and not do something that might come back and bite me.

If dagger works correctly through podman as a normal user as long as it has "--privileged" then I'm happy to leave it like that, else I'll change my design

lavish estuary