Docker executor ignores security_opt

Summary

When running the Docker executor in an LXC container, it fails to launch Docker containers because it seems to ignore the required security_opt configuration setting. The required value of security_opt that needs to be passed to Docker when launching the container is apparmor=lxc-container-default.

Steps to reproduce

Install a runner in an LXC container, configure security_opt in the runner's config.toml:

concurrent = 1
check_interval = 0

[[runners]]
  name = "ci-runner2"
  url = "http://gitlab.bublar/"
  token = "0e7c4db7e85bb833123427a7c41cc7"
  executor = "docker"
  [runners.docker]
    security_opt = ["apparmor:lxc-container-default"]
    tls_verify = false
    image = "ubuntu:16.04"
    privileged = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

Try to launch a build.

Actual behavior

Running with gitlab-ci-multi-runner 9.2.0 (adfc387)
  on ci-runner2 (0e7c4db7)
Using Docker executor with image williamyeh/ansible:alpine3 ...
ERROR: Failed to create container volume for /builds/emil.flink Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded.
ERROR: Preparation failed: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded.

Expected behavior

Run docker successfully with --security-opt apparmor=lxc-container-default

Relevant logs and/or screenshots

Running with gitlab-ci-multi-runner 9.2.0 (adfc387)
  on ci-runner2 (0e7c4db7)
Using Docker executor with image williamyeh/ansible:alpine3 ...
ERROR: Failed to create container volume for /builds/emil.flink Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded.
ERROR: Preparation failed: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded.
gitlab-runner@ci-runner2:~$ docker run williamyeh/ansible:alpine3
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded.
ERRO[0000] error getting events from daemon: net/http: request canceled
gitlab-runner@ci-runner2:~$ docker run --security-opt apparmor=lxc-container-default williamyeh/ansible:alpine3
ansible-playbook 2.3.1.0
  config file = 
  configured module search path = Default w/o overrides
  python version = 2.7.12 (default, Jun 29 2016, 08:57:23) [GCC 5.3.0]

Environment description

Custom installation with the Docker executor.

gitlab-runner@ci-runner2:~$ docker info
Containers: 9
 Running: 0
 Paused: 0
 Stopped: 9
Images: 3
Server Version: 17.05.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-78-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 125.8GiB
Name: ci-runner2
ID: HJ76:QTHS:FLSI:YQ5U:ZMDC:KRYE:FIM7:VWGV:JSZX:JU4V:HV3J:YTH2
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Used GitLab Runner version

gitlab-runner@ci-runner2:~$ gitlab-runner --version
Version:      9.2.0
Git revision: adfc387
Git branch:   9-2-stable
GO version:   go1.7.5
Built:        Mon, 22 May 2017 16:00:53 +0000
OS/Arch:      linux/amd64
Edited by Emil Flink
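
One way to check whether a configured security_opt actually reached every container created on the host is to audit `docker inspect` output. This is an added example, not part of the original report or the runner's code. The container names and the sample JSON are constructed, and treating the `apparmor:` spelling from the config.toml above as equivalent to the `apparmor=` spelling from the command line is an assumption.

```python
import json
import re

# Value the issue says Docker must receive.
EXPECTED = "apparmor=lxc-container-default"

# Constructed sample shaped like `docker inspect` output (container names are made up).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/example-build",
     "AppArmorProfile": "lxc-container-default",
     "HostConfig": {"SecurityOpt": ["apparmor:lxc-container-default"]}},
    {"Name": "/example-cache-volume",
     "AppArmorProfile": "docker-default",
     "HostConfig": {"SecurityOpt": None}},
])


def normalize(opt):
    """Split 'key=value' or 'key:value' at the first separator.

    Assumption: both spellings name the same option. Bare flags get value None.
    """
    parts = re.split(r"[=:]", opt.strip(), maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) == 2 else None)


def containers_missing_option(inspect_json, expected=EXPECTED):
    """Return (name, apparmor_profile) for containers created without `expected`."""
    want = normalize(expected)
    findings = []
    for c in json.loads(inspect_json):
        # HostConfig.SecurityOpt is null when no option was passed at creation.
        opts = (c.get("HostConfig") or {}).get("SecurityOpt") or []
        if want not in {normalize(o) for o in opts}:
            findings.append((c.get("Name", "?").lstrip("/"),
                             c.get("AppArmorProfile", "")))
    return findings


if __name__ == "__main__":
    import sys
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, profile in containers_missing_option(data):
        print(f"{name}: {EXPECTED} not set (AppArmorProfile={profile!r})")
```

To run it against a real host, pipe the output of `docker inspect $(docker ps -aq)` into the script.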