Create new user freedesktop-sdk to run CI as

ansible/roles/base_config/tasks/configure-mounts.yml

@@ -29,3 +29,12 @@
     src: "{{ mount.device }}"
     fstype: "{{ mount.type }}"
     state: mounted
+
+- name: Set privileges
+  become: yes
+  ansible.builtin.file:
+    path: "{{ mount.path }}"
+    state: directory
+    owner: "{{ mount.owner }}"
+    mode: '0755'
+  when: mount.owner is defined

ansible/roles/runner_config/tasks/main.yml

@@ -5,6 +5,8 @@
       - runner_config_registration_token is defined
 
 - name: Pull buildbox-casd container image
+  become: yes
+  become_user: "{{ runner_config_ci_user }}"
   containers.podman.podman_image:
     name: "{{ runner_config_buildbox_container_image }}"
   when: runner_config_local_cas_enabled
@@ -14,9 +16,12 @@
     path: "{{ runner_config_local_cas_prefix }}/cas"
     state: directory
     mode: "0755"
+    owner: "{{ runner_config_ci_user }}"
   when: runner_config_local_cas_enabled
 
 - name: Run buildbox-casd container
+  become: yes
+  become_user: "{{ runner_config_ci_user }}"
   containers.podman.podman_container:
     name: "{{ runner_config_buildbox_container_name }}"
     image: "{{ runner_config_buildbox_container_image }}"
@@ -35,6 +40,8 @@
   when: runner_config_local_cas_enabled
 
 - name: Enable buildbox-casd systemd service
+  become: yes
+  become_user: "{{ runner_config_ci_user }}"
   ansible.builtin.systemd:
     name: "{{ runner_config_container_prefix }}-{{ runner_config_buildbox_container_name }}"
     state: started
@@ -47,6 +54,11 @@
     dest: /etc/gitlab-runner/config.toml
     mode: '0600'
 
+- name: Get freedesktop-sdk user details
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ runner_config_ci_user }}"
+
 - name: Register runner
   ansible.builtin.command: # noqa no-changed-when
     cmd: >-
@@ -55,7 +67,7 @@
       --url https://gitlab.com/
       --registration-token {{ runner_config_registration_token }}
       --executor docker
-      --docker-host unix:///run/podman/podman.sock
+      --docker-host unix:///run/user/{{ ansible_facts.getent_passwd["{{ runner_config_ci_user }}"][1] }}/podman/podman.sock
       --docker-image {{ runner_config_default_image }}
       --docker-privileged
       --docker-pull-policy always

ansible/roles/runner_config/vars/main.yml

@@ -3,3 +3,4 @@ runner_config_container_prefix: container
 runner_config_buildbox_container_name: buildbox-casd
 runner_config_buildbox_container_image: >-
   registry.gitlab.com/freedesktop-sdk/infrastructure/freedesktop-sdk-docker-images/buildbox-casd:latest
+runner_config_ci_user: freedesktop-sdk

ansible/roles/runner_setup/tasks/main.yml

@@ -62,9 +62,35 @@
       - binfmt-support
       - gitlab-runner
       - qemu-user-static
+      - slirp4netns
+      - uidmap
+      - acl
     default_release: "{{ ansible_distribution_release }}-backports"
     install_recommends: no
 
+- name: Create runner user
+  ansible.builtin.user:
+    name: "{{ runner_setup_ci_user }}"
+
+- name: Change owner of /dev/kvm
+  become: yes
+  ansible.builtin.file:
+    path: /dev/kvm
+    owner: "{{ runner_setup_ci_user }}"
+
+- name: Enable lingering
+  become: yes
+  ansible.builtin.command:
+    cmd: "loginctl enable-linger {{ runner_setup_ci_user }}"
+    creates: "/var/lib/systemd/linger/{{ runner_setup_ci_user }}"
+
+- name: Enable podman socket
+  become: yes
+  scope: global
+  ansible.builtin.systemd:
+    name: podman.socket
+    enabled: yes
+
 - name: Enable gitlab-runner
   ansible.builtin.systemd:
     name: gitlab-runner

ansible/roles/runner_setup/vars/main.yml

+---
+runner_setup_ci_user: freedesktop-sdk