gabyx
September 27, 2025, 12:37pm
1
Does somebody know if using virtualisation.oci-containers.containers.mycontainer.podman.user = podman effectively does podman run -it --user <user>:<group> executed as the root user, or does it run the container with rootless podman under the user podman?
I would like to be doing the second. Or how can I run rootless podman containers in NixOS?
gabyx
September 27, 2025, 3:35pm
3
Ah, nice! Missed that, so I can run the podman service as another user instead of root. Really cool.
gabyx
September 27, 2025, 3:46pm
4
But there is no way of running podman both as root (normal) and having oci-containers with another user, right? You need another NixOS VM for that maybe? Or copy the NixOS module oci-containers and replicate it under oci-containers-custom or whatever?
What use case do you have in mind?
gabyx
September 27, 2025, 4:08pm
6
Ah, just a Gitlab Runner NixOS VM which currently uses rootful containers, since they run with oci-containers under root.
I thought of making it a bit safer by making an additional runner which truly runs over rootless podman. But either I have rootless podman or I use the normal rootful setup…
master ← gabyx:feat/add-gitlab-runner-docs
opened 09:46AM - 08 Sep 25 UTC
This documents the `gitlab-runner` service with a concrete example which works out of the box.
The `gitlab-runner.nix` has been moved to `gitlab-runner/runner.nix` with `runner.md` documentation.
:heart: NixCon25 was awesome and talking to @Nebucatnetzer gave me enthusiasm to share this documentation and extend it with an example which works. As CI with Nix is a really important cornerstone to make adoption greater. This is used here: https://gitlab.com/data-custodian/custodian
and took quite some while to figure out how to do it etc. We have been using that setup for 1 year.
The NixOS wiki on the gitlab-runner is also outdated and not so nice.
Feedback needed: @NixOS/documentation-team: I know the example is a bit bigger, maybe the NixOS manual is the wrong location for this, but it would be nice, also to help people with these sort of things.
Do you have another location in mind which is Git checked in?
- [ ] Is there a possibility to test the example, or at least build it somehow?
Feedback needed @Nebucatnetzer:
- [ ] I think it's good to integrate the `min-size` and `max-size` settings into the `nixDaemonImage`. How to?
## Things done
- Built on platform:
- [ ] x86_64-linux
- [ ] aarch64-linux
- [ ] x86_64-darwin
- [ ] aarch64-darwin
- Tested, as applicable:
- [ ] [NixOS tests] in [nixos/tests].
- [ ] [Package tests] at `passthru.tests`.
- [ ] Tests in [lib/tests] or [pkgs/test] for functions and "core" functionality.
- [ ] Ran `nixpkgs-review` on this PR. See [nixpkgs-review usage].
- [ ] Tested basic functionality of all binary files, usually in `./result/bin/`.
- Nixpkgs Release Notes
- [ ] Package update: when the change is major or breaking.
- NixOS Release Notes
- [ ] Module addition: when adding a new NixOS module.
- [ ] Module update: when the change is significant.
- [ ] Fits [CONTRIBUTING.md], [pkgs/README.md], [maintainers/README.md] and other READMEs.
[NixOS tests]: https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests
[Package tests]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests
[nixpkgs-review usage]: https://github.com/Mic92/nixpkgs-review#usage
[CONTRIBUTING.md]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md
[lib/tests]: https://github.com/NixOS/nixpkgs/blob/master/lib/tests
[maintainers/README.md]: https://github.com/NixOS/nixpkgs/blob/master/maintainers/README.md
[nixos/tests]: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests
[pkgs/README.md]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md
[pkgs/test]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/test
---
Add a :+1: [reaction] to [pull requests you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc
I saw a talk on that topic that proposed: change mapping of container so root inside the container is a user outside the container.
podman run \
  --uidmap="0:$(id -u user):1" \
  --uidmap="1:$(grep -Po '(?<=^user:).*$' /etc/subuid | head -1)" \
  --gidmap="0:$(id -g user):1" \
  --gidmap="1:$(grep -Po '(?<=^user:).*$' /etc/subgid | head -1)"
See also: GitHub - neverpanic/podman-rootful-network: Rootful Networking with Rootless Podman Containers
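The mapping shown in the command above, as an added shell example that is not part of this post or of the linked project: container uid/gid 0 is mapped to the host user's own uid/gid, and container ids from 1 upward are mapped to that user's subordinate range from /etc/subuid and /etc/subgid. The example reads the ranges from constructed sample files (the users "alice" and "bob" and the paths are hypothetical), and unlike the one-liner it refuses to emit a malformed `--uidmap=1:` when the user has no subordinate range, which would otherwise fail in a confusing way at `podman run` time.

```shell
#!/usr/bin/env bash
# Added example: build the --uidmap/--gidmap arguments that map container root
# to an unprivileged host user and container ids 1..N to that user's
# subordinate id range. Assumes the standard "name:start:count" line format
# of /etc/subuid and /etc/subgid.
set -eu

# Print "start:count" of the first subordinate range for user $1 in file $2.
# Returns 1 (printing nothing) when the user has no range, instead of
# silently producing an empty mapping.
sub_range() {
  local name=$1 file=$2 line
  line=$(grep -m1 "^${name}:" "$file" || true)
  [ -n "$line" ] || return 1
  printf '%s\n' "${line#"${name}:"}"
}

# Print the four podman arguments, one per line, for host user $1 with host
# uid $2 and gid $3, reading ranges from subuid file $4 and subgid file $5.
idmap_args() {
  local name=$1 uid=$2 gid=$3 subuid=$4 subgid=$5 urange grange
  urange=$(sub_range "$name" "$subuid") || { echo "no subuid range for $name" >&2; return 1; }
  grange=$(sub_range "$name" "$subgid") || { echo "no subgid range for $name" >&2; return 1; }
  printf '%s\n' "--uidmap=0:${uid}:1"      # container root -> host user
  printf '%s\n' "--uidmap=1:${urange}"     # container 1..N -> subordinate uids
  printf '%s\n' "--gidmap=0:${gid}:1"
  printf '%s\n' "--gidmap=1:${grange}"
}

# Constructed sample files standing in for /etc/subuid and /etc/subgid
# (hypothetical users; bob deliberately has no subgid range).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_SUBUID="$SAMPLE_DIR/subuid"
SAMPLE_SUBGID="$SAMPLE_DIR/subgid"
printf 'alice:100000:65536\nbob:165536:65536\n' > "$SAMPLE_SUBUID"
printf 'alice:100000:65536\n' > "$SAMPLE_SUBGID"

# Usage: on a real host replace the sample paths with /etc/subuid and
# /etc/subgid and "$(id -u alice)" / "$(id -g alice)" for the ids.
if [ "${1:-}" = "--demo" ]; then
  args=$(idmap_args alice 1000 1000 "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" | tr '\n' ' ')
  printf 'podman run %s... IMAGE\n' "$args"
fi
```

Run with `--demo` to see the assembled argument list; in a real invocation pass the four arguments unquoted (or via an array) in front of the image name.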
gabyx
September 27, 2025, 4:29pm
8
Ah, that's also nice, so we can just run over podman without running completely as root.
Awesome. Maybe I can trick gitlab-runner to run with that uidmap/gidmap.
I've never tried it tbh, but always wanted to. So I would be interested in your feedback if you succeed. My use case would be that some networks need root to work, but I would not want to run the whole container as root.
Did you get a fully functional version of it? I tried it myself but I couldn't get it up and running…
gabyx
January 28, 2026, 8:30pm
11
NixOS Gitlab Runner is currently rootful podman: it would be good maybe to try setting the above docker args.