Support for rootless Podman

[worldofgeese]

I have a rootless Podman setup that uses podman-in-podman to run Forgejo runners as you can see here:

services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: openclaw-tailscale
    hostname: openclaw
    environment:
      - TS_AUTHKEY=
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=true
      - TS_SERVE_CONFIG=/config/serve.json
      - TS_AUTH_ONCE=true
    volumes:
      - ~/.openclaw-tailscale-state:/var/lib/tailscale:Z
      - ./serve.json:/config/serve.json:ro,Z
    restart: unless-stopped

  openclaw-gateway:
    build:
      context: .
      dockerfile: ./Containerfile.nix
      target: runtime
    container_name: openclaw-gateway
    restart: unless-stopped
    stdin_open: true
    tty: true
    network_mode: service:tailscale
    depends_on:
      - tailscale
    environment:
      - NODE_ENV=production
      - UMASK=002
      - OPENCLAW_SKIP_SERVICE_CHECK=true
    volumes:
      # Using the named volume we migrated to
      - openclaw_data:/home/node/.openclaw:U,Z
#      - ./compose.yaml:/home/node/.openclaw/workspace/compose.yaml:Z,U

  openclaw-cli:
    build:
      context: .
      dockerfile: ./Containerfile.nix
      target: runtime
    container_name: openclaw-cli
    stdin_open: true
    tty: true
    environment:
      - NODE_ENV=production
      - UMASK=002
    volumes:
      - openclaw_data:/home/node/.openclaw:U,Z
    profiles:
      - cli

  podman-in-podman:
    image: quay.io/podman/stable
    container_name: podman-in-podman
    privileged: true
    environment:
      - _CONTAINERS_USERNS_CONFIGURED=""
    volumes:
      - podman_data:/var/lib/containers:Z
    security_opt:
      - label=disable
    command: ["podman", "system", "service", "-t", "0", "tcp:0.0.0.0:2375"]
    restart: unless-stopped

  forgejo-runner:
    image: data.forgejo.org/forgejo/runner:11
    container_name: forgejo_runner
    working_dir: /data
    depends_on:
      - podman-in-podman
    environment:
      - DOCKER_HOST=tcp://podman-in-podman:2375
    volumes:
      - openclaw_data:/home/node/.openclaw:U,Z
      - runner_data:/data:Z,U
    restart: unless-stopped
    command: ["/bin/sh", "-c", "sleep 5; forgejo-runner daemon --config /data/config.yml"]

volumes:
  openclaw_data:
    external: true
  podman_data:
  runner_data:

Would such support be possible for Perry workspaces? I'd like to make use of them, but I don't think aliasing docker to podman is going to be enough.

[gricha]

have you tried running it with podman instead of docker? im generally not opposed to having different runner presuming it's a cheap swap, but i also didn't have time to see how deeply integrated docker is vs. just being a runtime we can swap around

[worldofgeese]

Opened a PR to introduce support!

[gricha]

thank you, ill be a bit swamped this week, will try to check it over the weekend, high level thing i think i'd wanna introduce though is see at what level we can abstract the actual runtime so docker/podman/sysbox/whathave you is just an abstracted layer injected into a context below it. the problem with current implementation will be that it introduces a bunch of podman/docker specific if/else conditions that i think we can avoid. if we can get there that would be great, for specific environments to use anything OCI compatible would actually be pretty fantastic.