Using DinD on self-hosted runners.

marc-casavant · marc-casavant · commit d3de9cfff11b · 2026-02-25T09:28:08.000-05:00
diff --git a/.github/workflows/ci-multi-server-tests.yml b/.github/workflows/ci-multi-server-tests.yml
@@ -157,56 +157,83 @@ jobs:
     runs-on: self-hosted
     if: ${{ needs.pre-test.outputs.selfhosted == '1' }}
 
+    services:
+      dind:
+        image: docker:dind
+        options: --privileged
+        env:
+          DOCKER_TLS_CERTDIR: ""
+          #  Bypass the squid proxy for internal registry access.
+          NO_PROXY: "*.networkradius.com,127.0.0.1"
+        #  Mount the host's internal CA so dind trusts
+        #  docker.internal.networkradius.com for image pulls.
+        #
+        #  Share the runner's workspace with dind so that docker
+        #  compose bind-mounts (radiusd.conf, env-setup.sh, listener
+        #  dirs, etc.) resolve to real files inside the dind daemon.
+        #
+        #  github.workspace is the HOST path to the workspace.
+        #  The runner mounts it into the job container at a
+        #  different path (/__w/...), so we use a fixed mount
+        #  point (/workspace) that both containers agree on.
+        volumes:
+          - /usr/local/share/ca-certificates/networkradius.com.crt:/etc/docker/certs.d/docker.internal.networkradius.com/ca.crt:ro
+          - ${{ github.workspace }}:/workspace
+
     env:
       MULTI_SERVER_TEST_LOG: build/tests/multi-server/freeradius-multi-server/multi_server_test.log
       MULTI_SERVER_TEST_LISTENER_LOG: build/tests/multi-server/freeradius-listener-logs/custom_test-env-5hs-autoaccept.txt.bak
+
+    container:
+      image: docker.internal.networkradius.com/self-hosted
+      #  "privileged" is needed for Samba install
+      #  "memory-swap -1" enables full use of host swap and may help
+      #    with containers randomly quitting with "The operation was
+      #    canceled"
+      options: >-
+        --privileged
+        --memory-swap -1
+      env:
+        DOCKER_HOST: tcp://dind:2375
+        NO_PROXY: dind
+      #  Shared workspace — see dind volumes comment above.
+      volumes:
+        - ${{ github.workspace }}:/workspace
+
+    defaults:
+      run:
+        working-directory: /workspace
+
     steps:
 
-      #  Need git installed for checkout to behave normally
-      - name: Install multi-server framework test environment dependencies
+      - name: Install extra packages
         run: |
-          apt-get update
-          apt-get install -y build-essential
-          apt-get install -y --no-install-recommends git git-lfs ca-certificates
-          make --version
+          apt-get update && apt-get install -y --no-install-recommends docker.io docker-buildx docker-compose-v2 python3-venv
 
       # Checkout, but defer pulling LFS objects until we've restored the cache
       - uses: actions/checkout@v4
         with:
           lfs: false
 
-      - name: Get pre-built Docker image for self-hosted runner test
-        shell: bash
+      #  Authenticate to the internal registry via the dind daemon.
+      #  The host Docker daemon is logged in via the runner's
+      #  job-started hook, but dind is a separate daemon with no
+      #  auth config.
+      - name: Login to internal Docker registry
         env:
-          DOCKER_REGISTRY: docker.internal.networkradius.com
-          DOCKER_IMAGE: self-hosted-ubuntu24
+          DOCKER_USERNAME: ${{ secrets.DOCKER_REPO_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_REPO_PASSWORD }}
         run: |
-          docker pull "${DOCKER_REGISTRY}/${DOCKER_IMAGE}"
-
-          # Tag freeradius build image using using a non-OS specific name to be used with the multi-server docker compose environment.
-          docker tag "${DOCKER_REGISTRY}/${DOCKER_IMAGE}" freeradius-build:latest
-
-          # Display all docker images for debugging purposes
-          docker images --all
+          echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin https://docker.internal.networkradius.com/
 
-      - name: Configure and build freeradius-server from src
-        shell: bash
+      - name: Build Docker image from source
         run: |
-          # The multi-server test framework requires the availability of the $BUILD_DIR, hence why
-          # the following is needed before running multi-server tests.
-          ./configure
-          make -j"$(nproc)" all
+          make docker.ubuntu24.build
+          docker tag freeradius4/ubuntu24:latest freeradius-build:latest
+          docker images --all
 
       - name: Run test-5hs-autoaccept test
-        shell: bash
         run: |
-          if ! docker images --format '{{.Repository}}:{{.Tag}}' | grep -q "^freeradius-build:latest$"; then
-            echo "Error: freeradius-build:latest Docker image not found and required for multi-server test environment."
-            exit 1
-          fi
-
-          ls -l
-          which make
           make -f src/tests/multi-server/all.mk test-5hs-autoaccept
 
       - name: Verify test results
