From 323c46fba10363eb6d7129f32065dbed4a8a7881 Mon Sep 17 00:00:00 2001
From: Ronni Baslund
Date: Wed, 10 Jun 2026 08:51:44 +0200
Subject: [PATCH] fix(ci): share dind's unix socket with the runner (jobs need a mountable docker host)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

gitea/runner can only bind-mount a UNIX-socket docker host into job containers — the old tcp://localhost:2376 + TLS daemon address cannot be mounted, so build jobs still had no docker API. Share dind's /var/run/docker.sock with the runner via a /var/run emptyDir and drop the DOCKER_HOST/TLS env; the runner auto-finds the socket and the bind path resolves inside dind where the socket lives.
---
 .../production/fleet/ci/gitea-runner.yaml | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/infrastructure/production/fleet/ci/gitea-runner.yaml b/infrastructure/production/fleet/ci/gitea-runner.yaml
index c662d0e..0cd3fde 100644
--- a/infrastructure/production/fleet/ci/gitea-runner.yaml
+++ b/infrastructure/production/fleet/ci/gitea-runner.yaml
@@ -97,19 +97,19 @@ spec:
 # image with the usual build tooling; jobs run via the dind sidecar.
 - name: GITEA_RUNNER_LABELS
 value: "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04,docker:docker://docker:27-cli"
- - name: DOCKER_HOST
- value: tcp://localhost:2376
- - name: DOCKER_CERT_PATH
- value: /certs/client
- - name: DOCKER_TLS_VERIFY
- value: "1"
+ # No DOCKER_HOST: the runner auto-finds the dind daemon's unix
+ # socket on the shared /var/run volume. A unix socket (unlike the
+ # old tcp://localhost:2376) is the only kind of docker host the
+ # runner can bind-mount into job containers — and the bind is
+ # resolved by dockerd inside dind, where the path exists too — so
+ # `docker build` works inside the build jobs.
 - name: CONFIG_FILE
 value: /config/config.yaml
 volumeMounts:
 - name: runner-data
 mountPath: /data
- - name: docker-certs
- mountPath: /certs
+ - name: docker-run
+ mountPath: /var/run
 - name: runner-config
 mountPath: /config
 - name: dind
@@ -125,6 +125,10 @@ spec:
 volumeMounts:
 - name: docker-certs
 mountPath: /certs
+ # dockerd serves /var/run/docker.sock here; sharing the volume
+ # hands that socket to the runner container above.
+ - name: docker-run
+ mountPath: /var/run
 - name: dind-storage
 mountPath: /var/lib/docker
 volumes:
@@ -133,6 +137,8 @@ spec:
 claimName: runner-data
 - name: docker-certs
 emptyDir: {}
+ - name: docker-run
+ emptyDir: {}
 - name: dind-storage
 emptyDir: {}
 - name: runner-config
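Review bot: Dropping `DOCKER_HOST` leaves the daemon address to the runner's auto-detection (as the new comment under `GITEA_RUNNER_LABELS` states), so a later change to the mount path or to the runner's default would only surface when a job fails; pin it with `- name: DOCKER_HOST` / `value: unix:///var/run/docker.sock` so the address the runner uses, and bind-mounts into job containers, is stated in the manifest. The switch from the TLS-authenticated tcp endpoint to the socket also changes the trust boundary: whoever can reach `/var/run/docker.sock` — the runner process and every job container it mounts the socket into — has unauthenticated, root-equivalent control of the dind daemon, and if dind runs privileged (its securityContext is outside this hunk) that is in effect node-level access, so a one-line comment at the `docker-run` mount such as `# Unauthenticated, root-equivalent access to dockerd; only trusted jobs may run on this runner.` would record that for the next maintainer. Mounting an emptyDir over the whole `/var/run` of the runner container also hides whatever the runner image keeps there (pid or lock files) — presumably harmless, but worth confirming; a subdirectory such as `/var/run/docker` shared with a matching `-H unix://` on dockerd would avoid it. The env list and the container spec continue outside the hunk.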
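Review bot: The `docker-certs` volume stays mounted on dind at `/certs` in the second hunk (and stays declared in the `volumes:` hunk after it) although, after this change, no container reads those certificates. If the mount is kept because dind still sets `DOCKER_TLS_CERTDIR` (the dind env is outside the hunk), dockerd presumably also keeps its TLS listener on tcp port 2376 open on the pod IP with no remaining client; consider removing that listener together with the now-unused volume, or add a comment at the mount stating why it is retained, e.g. `# kept: dind needs a TLS cert dir to start, nothing reads these certs anymore` if that is the reason. The dind container spec begins before this hunk.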