docs: add self-hosted runner requirements

Mossaka · claude · Mossaka · commit c97443f76cfc · 2026-02-21T01:17:08.000Z
Document the requirements for self-hosted runners (Linux, Docker,
sudo, iptables) and note they are untested but should work.
Also cover Docker-in-Docker scenarios.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/docs/compatibility.md b/docs/compatibility.md
@@ -48,6 +48,23 @@ The minimum Node.js version is specified in `package.json` under `engines.node:
 
 GitHub-hosted macOS runners are themselves virtual machines (`Apple M1 (Virtual)`) that do not support nested virtualization. AWF requires Docker for the Squid proxy container, agent container, and MCP Gateway — all of which need a Linux VM on macOS. Docker Desktop, colima (with both `vz` and `qemu` VM types), and Apple's `container` tool were all tested and none can provide Docker on these runners. The root cause error is: `Virtualization is not available on this hardware`.
 
+### Self-hosted runners
+
+Self-hosted runners are not tested by the gh-aw team, but should work if they meet these requirements:
+
+| Requirement | Details |
+|-------------|---------|
+| **Operating system** | Linux (Ubuntu 22.04+ recommended). macOS and Windows are not supported. |
+| **Architecture** | x86_64 or arm64. AWF container images are published for both. |
+| **Docker** | Docker Engine 20.10+ and Docker Compose v2+ must be installed and running. |
+| **sudo access** | The runner user must have passwordless `sudo` for iptables manipulation. |
+| **iptables** | `iptables` must be available (standard on most Linux distributions). |
+| **Network** | Outbound HTTPS access to `ghcr.io` for pulling container images (unless using `--build-local`). |
+
+If your self-hosted runner is a VM, nested virtualization is **not** required — Docker runs natively on Linux without a VM layer. This is unlike macOS, where Docker always needs a Linux VM.
+
+If your self-hosted runner runs inside a Docker container itself (Docker-in-Docker), you need `--privileged` mode or the equivalent capabilities (`NET_ADMIN`, `SYS_ADMIN`) for iptables and container networking to work.
+
 ### Architecture
 
 | Architecture | Status | Notes |
