could not lock config file /root/.gitconfig: Operation not permitted error in docker executor since upgrade to runner 13.2

Summary

Since the update I get the following issue with the docker executor, regardless of the container across all projects.:

...
Getting source from Git repository
error: could not lock config file /root/.gitconfig: Operation not permitted
ERROR: Job failed: exit code 1

Steps to reproduce

It is through out all containers. However, one of my .gitlab-ci.yml looks like this:

.gitlab-ci.yml 
image: aergus/latex

build_test:
  tags:
    - lab
    - docker
  script:
    - ./build.sh
  • Docker runner in default configuration on ubuntu 18.04.4 (all patched)
  • it all worked before 13.2.

Actual behavior

I get this error in my job log and the job fails:

...
Getting source from Git repository
error: could not lock config file /root/.gitconfig: Operation not permitted

Expected behavior

I would expect the container to run.

Relevant logs and/or screenshots

job log 
Running with gitlab-runner 13.2.0 (353dd94e)
  on name and tags 0ab8d384
Preparing the "docker" executor
Using Docker executor with image aergus/latex ...
Using locally found image version due to if-not-present pull policy
Using docker image sha256:c1838d640a69449c94dfe7c634590ed14b4e5823363de0e8238f0429ebeacc53 for aergus/latex ...
Preparing environment
Running on runner-0ab8d384-project-90-concurrent-0 via host...
Getting source from Git repository
error: could not lock config file /root/.gitconfig: Operation not permitted
ERROR: Job failed: exit code 1

Environment description

This is an omnibus installation, however the gitlab-runner is from the ppa.

config.toml contents 
[[runners]]
  name = "name and tags"
  url = "https://git.host.tld/ci"
  token = "<token>"
  executor = "docker"
  environment = ["DOCKER_DRIVER=overlay2"]
  [runners.cache]
  [runners.docker]
    tls_verify = false
    image = "image:stable"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    pull_policy = "if-not-present"
    shm_size = 0

Workaround

There's two workarounds at the moment:

  1. Use the overlay2 storage driver: This is typically the recommended driver to use anyway, and just happens to fix the problem at the moment.

  2. Or, temporarily Override the helper image to use gitlab/gitlab-runner-helper:x86_64-6fbc7474

    [[runners]]
  (...)
  executor = "docker"
  [runners.docker]
    (...)
    helper_image = "gitlab/gitlab-runner-helper:x86_64-6fbc7474"
Edited by Arran Walker