Use local registry to stash intermediate image

.github/workflows/build.yml

@@ -20,6 +20,12 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    services:
+      registry:
+        image: docker.io/library/registry:latest
+        ports:
+          - 5000:5000
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -45,11 +51,11 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: false
-          tags: localhost/feedbin:edge
+          push: true
+          tags: localhost:5000/feedbin:edge
 
       - name: Force Rootful Native OverlayFS
-        run: |-
+        run: |
           printf '%s\n' '#!/bin/sh' 'exec /usr/bin/sudo -n -- /usr/bin/buildah "$@"' | sudo tee /usr/local/bin/buildah
           printf '%s\n' '#!/bin/sh' 'exec /usr/bin/sudo -n -- /usr/bin/podman "$@"' | sudo tee /usr/local/bin/podman
           printf '%s\n' '#!/bin/sh' 'exec /usr/bin/sudo -n -- /usr/bin/skopeo "$@"' | sudo tee /usr/local/bin/skopeo
@@ -63,8 +69,8 @@ jobs:
           containerfiles: |-
             Containerfile
           extra-args: |-
+            --net=host
             --security-opt=seccomp=unconfined
-            --volume /var/run/docker.sock:/var/run/docker.sock
 
       - name: Push
         if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}

Containerfile

@@ -6,7 +6,14 @@ RUN podman pull docker.io/library/caddy:2-alpine \
  && podman pull docker.io/library/redis:6-alpine \
  && podman pull docker.io/minio/mc:latest \
  && podman pull docker.io/minio/minio:latest \
- && podman pull docker-daemon:localhost/feedbin:edge \
+ && printf '%s\n' \
+           '[[registry]]' \
+           'prefix = "localhost"' \
+           'location = "localhost"' \
+           'insecure = true' \
+  | tee /etc/containers/registries.conf.d/localhost.conf \
+ && podman pull localhost:5000/feedbin:edge \
+ && rm /etc/containers/registries.conf.d/localhost.conf \
  && rm -rf /usr/share/containers/storage \
  && mv /var/lib/containers/storage /usr/share/containers/storage
 

etc/systemd/system/container-feedbin-extract.service

@@ -10,7 +10,7 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
-ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm -d --replace --name feedbin-extract --net host --env-file /data/feedbin/.env --env PORT=3001 --workdir /opt/feedbin/extract localhost/feedbin:edge /bin/sh -c 'if test -n "$EXTRACT_USER" -a -n "$EXTRACT_SECRET"; then echo "$EXTRACT_SECRET" >"users/$EXTRACT_USER"; fi && exec "$@"' -- node app/server.js
+ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm -d --replace --name feedbin-extract --net host --env-file /data/feedbin/.env --env PORT=3001 --workdir /opt/feedbin/extract localhost:5000/feedbin:edge /bin/sh -c 'if test -n "$EXTRACT_USER" -a -n "$EXTRACT_SECRET"; then echo "$EXTRACT_SECRET" >"users/$EXTRACT_USER"; fi && exec "$@"' -- node app/server.js
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 Type=notify

etc/systemd/system/container-feedbin-privacy-please.service

@@ -10,7 +10,7 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
-ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm -d --replace --name feedbin-privacy-please --net host --env-file /data/privacy-please/.env --env PORT=3002 --workdir /opt/feedbin/privacy-please localhost/feedbin:edge
+ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm -d --replace --name feedbin-privacy-please --net host --env-file /data/privacy-please/.env --env PORT=3002 --workdir /opt/feedbin/privacy-please localhost:5000/feedbin:edge
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 Type=notify

etc/systemd/system/container-feedbin-rake.service

@@ -6,6 +6,6 @@ After=network-online.target container-elasticsearch.service container-postgres.s
 RequiresMountsFor=%t/containers
 
 [Service]
-ExecStart=/usr/bin/podman run --rm --name feedbin-rake --net host --volume /var/run/postgresql:/var/run/postgresql:rw --env-file /data/feedbin/.env localhost/feedbin:edge /bin/sh -c 'until pg_isready; do sleep 1; done && until curl -fsSo /dev/null --head "${ELASTICSEARCH_URL:-http://127.0.0.1:9200}"; do sleep 1; done && bundle exec rake db:migrate || bundle exec rake db:setup'
+ExecStart=/usr/bin/podman run --rm --name feedbin-rake --net host --volume /var/run/postgresql:/var/run/postgresql:rw --env-file /data/feedbin/.env localhost:5000/feedbin:edge /bin/sh -c 'until pg_isready; do sleep 1; done && until curl -fsSo /dev/null --head "${ELASTICSEARCH_URL:-http://127.0.0.1:9200}"; do sleep 1; done && bundle exec rake db:migrate || bundle exec rake db:setup'
 Type=oneshot
 RemainAfterExit=yes

etc/systemd/system/container-feedbin.service

@@ -10,7 +10,7 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
-ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm -d --replace --name feedbin --net host --volume /var/run/postgresql:/var/run/postgresql:rw --env-file /data/feedbin/.env --env RAILS_SERVE_STATIC_FILES=true localhost/feedbin:edge /bin/sh -c 'bundle exec rake assets:precompile && bundle exec foreman start && exec bundle exec rails server'
+ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm -d --replace --name feedbin --net host --volume /var/run/postgresql:/var/run/postgresql:rw --env-file /data/feedbin/.env --env RAILS_SERVE_STATIC_FILES=true localhost:5000/feedbin:edge /bin/sh -c 'bundle exec rake assets:precompile && bundle exec foreman start && exec bundle exec rails server'
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 Type=notify