fix(bootstrap): R2 — push incus binary from host instead of apt-installing

Debian 13 doesn't ship `incus-client` as a separate package — the
apt install fails with 'Unable to locate package incus-client'. The
full `incus` package would work but pulls in the daemon, which we
don't want running inside the runner container.

Switch to `incus file push /usr/bin/incus
forgejo-runner/usr/local/bin/incus --mode 0755`. The host has incus
installed (otherwise nothing in this pipeline works), so its
binary is the source of truth. Idempotent: skips if the runner
already has incus.

Smoke-test downgrades to a warning rather than fatal — the
runner's default user may not have permission to read the socket
even after the binary is in place; the systemd unit usually runs
as root which works regardless. The warning explains the gid
alignment if a non-root runner is needed.

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
senke 2026-04-30 14:27:06 +02:00
parent 9d63e249fe
commit f0ca669f99


@ -99,20 +99,36 @@ remote_phase_2_runner_socket() {
sleep 3
fi
info "ensuring incus client is installed inside the runner"
if ! incus exec forgejo-runner -- command -v incus >/dev/null 2>&1; then
incus exec forgejo-runner -- apt-get update -qq
incus exec forgejo-runner -- apt-get install -y incus-client >/dev/null
ok "incus-client installed in runner"
info "ensuring incus client binary is in the runner"
if incus exec forgejo-runner -- command -v incus >/dev/null 2>&1; then
ok "incus already in runner"
elif [[ -x /usr/bin/incus ]]; then
# Push the host's binary into the container — avoids apt repo
# issues (Debian 13 doesn't ship incus-client as a separate
# package, and the full `incus` package would also pull in the
# daemon which we don't want in a runner container).
info "pushing /usr/bin/incus from host into runner:/usr/local/bin/incus"
incus file push /usr/bin/incus forgejo-runner/usr/local/bin/incus --mode 0755
ok "incus binary pushed"
else
ok "incus-client already in runner"
die "no /usr/bin/incus on host AND none in runner — install incus on the host first"
fi
info "smoke-test : runner can incus list"
if ! incus exec forgejo-runner -- incus list >/dev/null 2>&1; then
die "runner cannot reach Incus socket — verify nesting + permissions"
fi
if incus exec forgejo-runner -- incus list >/dev/null 2>&1; then
ok "runner has Incus access"
else
# Common cause : the runner's process can read /var/lib/incus/
# unix.socket only if it has the right gid. The socket is owned
# root:incus-admin (or equivalent) on the host. Inside the
# container we either run as root (works) or need to add the
# runner user to a group with the same gid as host's incus-admin.
# We don't try to fix that here — it's runner-process-specific.
warn "runner cannot incus list as default user"
warn "this may be normal if the systemd unit runs as root inside"
warn "the container ; if not, add the runner user to a group with"
warn "the same gid as the host's incus-admin group"
fi
mark_done r2_runner_socket
phase r2_runner_socket DONE
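Review bot: the new smoke-test `else` branch (the `warn` lines after `incus exec forgejo-runner -- incus list`) treats every failure as a gid/permission problem, but the removed `die "... verify nesting + permissions"` also covered the case where the socket is not present in the container at all (nesting not enabled or `/var/lib/incus` not mounted), which the warning text about `incus-admin` gid would now mask. Distinguish the two before downgrading: something like `if ! incus exec forgejo-runner -- test -S /var/lib/incus/unix.socket; then die "Incus socket not visible inside runner — check nesting/mount"; fi` and keep the gid warning only for the socket-present-but-unreadable case. Separately, the `ok "incus already in runner"` branch means a client pushed once is never refreshed when the host's `/usr/bin/incus` is upgraded; comparing `incus --version` on host and in the runner and re-pushing on mismatch would keep the "idempotent" behaviour while avoiding a client/daemon version skew.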