Isolated Runners (sysbox)
Runaway offers two runtimes per scale set. The default suits homelab use; the isolated runtime trades warm Docker layers for github-hosted-style isolation.
The two runtimes

- shared-daemon (default) — every runner on a host shares that host’s Docker daemon. Fast, warm-cache-friendly, and the right default for homelab use. The downside: a misbehaving job can leave cached layers, dangling images, and BuildKit cache on the host daemon that persist across runner generations.
- isolated-sysbox — wraps each runner in sysbox’s user-namespaced nested dockerd. The runner gets its own inner Docker daemon; any docker build or docker run inside the job uses that inner daemon; on container exit, everything — layers, images, BuildKit cache — is gone.

This matches github-hosted semantics: cold Docker layers per job, but warm filesystem caches still flow through the /cache volume, which bind-mounts in regardless of runtime.
Enabling isolated runners

- Install sysbox-runc on the host. Tick the sysbox option when enrolling the host, or install it later from the host detail page. See Running multiple hosts for host enrollment.
- Pick the runtime on the scale set. Choose isolated-sysbox in the scale set’s runtime setting.
- Keep the standard image. The default myoung34/github-runner:latest ships a Docker daemon inside it, which is all the isolated runtime needs. The hub starts that inner dockerd automatically at runner boot (it injects START_DOCKER_SERVICE=true) — you don’t configure anything.

- Selecting the isolated runtime suppresses the host Docker-socket bind — the runner uses its own inner daemon, not the host’s, so there’s no /var/run/docker.sock mount.
- sysbox is opt-in. Scale sets on the default shared-daemon runtime are unaffected whether or not sysbox is installed on any host.
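The two properties above that distinguish the runtimes from inside a job are observable: the isolated runtime has no /var/run/docker.sock bind from the host, and sysbox places the runner in a user namespace, so /proc/self/uid_map is not the identity mapping (0 0 4294967295) that a plain container shows. The script below is an added example, not Runaway’s own code, that classifies a runner from those two files so a workflow step can assert it is actually running isolated before doing anything that relies on the throwaway inner daemon. The /cache volume name, mount IDs and uid ranges in the embedded samples are constructed; the only real facts used are the socket path, the uid_map format and the /cache mount point from this page.

```shell
#!/bin/sh
# Added example (not part of Runaway): classify a runner as isolated or
# shared-daemon from its mount table and uid_map. Assumptions: mountinfo
# field 5 is the mount point (Linux /proc/self/mountinfo format) and
# sysbox's user namespace yields a non-identity /proc/self/uid_map.

# classify_runner MOUNTINFO_TEXT UIDMAP_TEXT
# Prints exactly one of:
#   shared-daemon:host-socket   host /var/run/docker.sock is bind-mounted
#   shared-daemon:no-userns     root inside maps to host root (no user namespace)
#   isolated                    neither host-daemon indicator is present
classify_runner() {
  mountinfo=$1
  uidmap=$2
  # Any mount whose mount point is the Docker socket means the job talks to
  # the host daemon, whatever else is going on.
  if printf '%s\n' "$mountinfo" | awk '$5 == "/var/run/docker.sock" { f = 1 } END { exit !f }'; then
    echo "shared-daemon:host-socket"
    return 0
  fi
  # An identity uid_map (0 0 4294967295) means no user namespace: a root
  # process in the container is root on the host, which sysbox never allows.
  if printf '%s\n' "$uidmap" | awk '$1 == 0 && $2 == 0 && $3 == 4294967295 { f = 1 } END { exit !f }'; then
    echo "shared-daemon:no-userns"
    return 0
  fi
  echo "isolated"
}

# cache_volume_present MOUNTINFO_TEXT
# Succeeds when /cache is mounted; the page states it is bind-mounted under
# both runtimes, so a missing /cache is a separate misconfiguration.
cache_volume_present() {
  printf '%s\n' "$1" | awk '$5 == "/cache" { f = 1 } END { exit !f }'
}

# check_live_runner: run inside a real job step (not invoked here, because
# this file is meant to run anywhere). Exit 1 unless the runner is isolated.
check_live_runner() {
  verdict=$(classify_runner "$(cat /proc/self/mountinfo)" "$(cat /proc/self/uid_map)")
  echo "runtime verdict: $verdict"
  [ "$verdict" = "isolated" ]
}

# Constructed sample data (mount IDs, device numbers and volume path are made up).
SAMPLE_ISOLATED_MOUNTINFO='22 21 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
35 21 8:1 /var/lib/docker/volumes/example-cache/_data /cache rw,relatime - ext4 /dev/sda1 rw'
SAMPLE_SHARED_MOUNTINFO='22 21 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
35 21 8:1 /var/lib/docker/volumes/example-cache/_data /cache rw,relatime - ext4 /dev/sda1 rw
41 21 0:25 /docker.sock /var/run/docker.sock rw,nosuid - tmpfs tmpfs rw'
SAMPLE_NO_CACHE_MOUNTINFO='22 21 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'
# uid_map: "inside-uid  outside-uid  count". The remapped range is constructed.
SAMPLE_REMAPPED_UIDMAP='         0     165536      65536'
SAMPLE_IDENTITY_UIDMAP='         0          0 4294967295'

# Stand-alone demonstration over the samples.
echo "isolated sample:        $(classify_runner "$SAMPLE_ISOLATED_MOUNTINFO" "$SAMPLE_REMAPPED_UIDMAP")"
echo "host-socket sample:     $(classify_runner "$SAMPLE_SHARED_MOUNTINFO" "$SAMPLE_REMAPPED_UIDMAP")"
echo "no-userns sample:       $(classify_runner "$SAMPLE_ISOLATED_MOUNTINFO" "$SAMPLE_IDENTITY_UIDMAP")"
```

In a workflow, a first step that runs `check_live_runner` fails the job early if a scale set was switched back to shared-daemon by mistake, which is cheaper than discovering it when cached layers start surviving between runs. The uid_map test is deliberately secondary to the socket test: a host daemon configured with its own userns remapping would pass the uid_map check, but the mounted socket still identifies it as the shared runtime.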