Docker executor ignores security_opt setting in config.toml
Summary
Adding security_opt settings to a runner's definition in config.toml appears to have no impact on the settings used.
A similar issue was posted as #2525 (closed) but was closed without being resolved.
Steps to reproduce
- Register a runner to use a docker executor with a docker:stable image
- Edit the related section in the config.toml file
- In the [runners.docker] section add a security_opt such as: security_opt = ["seccomp:unconfined"]
- Add a docker info step to a .gitlab-ci.yml script
- Check the "Security Options" in the docker info output
Actual behavior
The security options appear to be unaffected
Expected behavior
I would expect the security options to be different
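An added check, not part of the original report: docker info inside a docker:dind job describes the inner daemon started by the service container, while security_opt in config.toml is applied to the containers the runner itself creates, so the kernel's own view of the job container (the Seccomp field of /proc/self/status) is the thing to read. This script decodes that field; the status file it parses is a constructed sample, and a real job would point it at /proc/self/status.

```shell
#!/bin/sh
# Added example (not from the issue): decode the seccomp mode a container
# process actually runs under, as the kernel reports it in /proc/<pid>/status.
# Seccomp: 0 = disabled, 1 = strict, 2 = filter (a profile is loaded).

# seccomp_mode_label MODE -> human-readable label for a Seccomp: value
seccomp_mode_label() {
    case "$1" in
        0) echo "disabled (what security_opt = [\"seccomp:unconfined\"] should produce)" ;;
        1) echo "strict" ;;
        2) echo "filter (a seccomp profile such as Docker's default is loaded)" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# seccomp_mode_from_status FILE -> numeric Seccomp: field of a status file,
# or "unknown" when the kernel does not expose the field at all
seccomp_mode_from_status() {
    awk '/^Seccomp:/ { print $2; found=1 } END { if (!found) print "unknown" }' "$1"
}

# Constructed sample of /proc/self/status as seen inside a container that still
# runs under a seccomp profile (the situation the report describes).
sample_status=$(mktemp)
printf 'Name:\tsh\nUmask:\t0022\nState:\tR (running)\nPid:\t1\nSeccomp:\t2\n' > "$sample_status"

mode=$(seccomp_mode_from_status "$sample_status")
echo "sample container: Seccomp=$mode -> $(seccomp_mode_label "$mode")"
rm -f "$sample_status"

# In a CI job script, run the same check against the live process:
#   mode=$(seccomp_mode_from_status /proc/self/status)
#   echo "job container: Seccomp=$mode -> $(seccomp_mode_label "$mode")"
```

A job container started with seccomp:unconfined should report Seccomp: 0 here regardless of what the dind daemon's docker info prints.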
Relevant logs and/or screenshots
config.toml
[[runners]]
name = "#######"
url = "#######"
token = "#######"
executor = "docker"
[runners.docker]
tls_verify = false
image = "docker:stable"
privileged = true
security_opt = ["seccomp:unconfined"]
disable_cache = false
cache_dir = "cache"
volumes = ["/cache"]
[runners.cache]
Insecure = false
docker info from the build log:
$ docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 18.09.0
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 0
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.16.0-7-amd64
Operating System: Alpine Linux v3.8 (containerized)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.817GiB
Name: 2d34f5c123fc
ID: 5NOB:OFG3:E4PQ:X5J5:PHHZ:EO5M:LMVK:ZVS3:MKDY:Z2HD:4VPW:TWFU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
from .gitlab-ci.yml:
image: docker:stable
variables:
  HANKER_ENV: "ci"
services:
  - docker:dind
before_script:
  - apk update
  - apk add git python python-dev py-pip build-base
  - pip install docker-compose
build:
  stage: build
  script:
    # See: https://gitlab.com/gitlab-org/gitlab-runner/issues/2064
    - sed '/search/ d' /etc/resolv.conf > tmp; cat tmp > /etc/resolv.conf
    - echo "export HANKER_ENV='ci'" >> docker/default.env
    - . ./hanker.sh
    - docker info
    - hanker-build
More background: The hanker-build step is an alias for a more complicated docker-compose build command. This build script worked for months but stopped working after an upgrade about a month ago. Here is the error that I now get during the hanker-build step:
$ hanker-build
redis uses an image, skipping
db uses an image, skipping
mailhog uses an image, skipping
selenium_hub uses an image, skipping
selenium_chrome uses an image, skipping
selenium_firefox uses an image, skipping
Building python
Step 1/11 : FROM hampshire/python:3.6.6-stretch-apache
3.6.6-stretch-apache: Pulling from hampshire/python
Digest: sha256:471285074fc5072f143ff0b63cc206b7176f396a6a582c43faad1c8afa90f1de
Status: Downloaded newer image for hampshire/python:3.6.6-stretch-apache
---> e59560d30bab
Step 2/11 : ARG BUILD_ENV=prod
---> Running in c0f092d2eb34
Removing intermediate container c0f092d2eb34
---> cf7513ab1663
Step 3/11 : WORKDIR /usr/src/app
---> Running in ada2da78d69e
Removing intermediate container ada2da78d69e
---> 53c747385145
Step 4/11 : COPY ./Pipfile .
---> 383a34e423f3
Step 5/11 : COPY ./Pipfile.lock .
---> d16b8bf1e2a9
Step 6/11 : COPY ./docker/InterCall/ /usr/local/InterCall/
---> cc656c24252c
Step 7/11 : RUN if [ ${BUILD_ENV} = 'prod' ]; then pipenv install --system; else pipenv install --system --dev; fi
---> Running in fb760c2ab1b8
Service 'python' failed to build: OCI runtime create failed: container_linux.go:348: starting container process caused "error loading seccomp filter into kernel: invalid argument": unknown
ERROR: Job failed: exit code 1
I have discovered that any invocation of pip or pipenv in the related Dockerfile will cause the seccomp error. I was hoping that I could get past that by changing the security options in the runner configuration. If there is some other way to get the build to work, I would also be interested in knowing about it.
From the Dockerfile used in the build step:
FROM hampshire/python:3.6.6-stretch-apache
ARG BUILD_ENV=prod
WORKDIR /usr/src/app
COPY ./Pipfile .
COPY ./Pipfile.lock .
RUN if [ ${BUILD_ENV} = 'prod' ]; \
    then pipenv install --system; \
    else pipenv install --system --dev; \
    fi
Environment description
Self-hosted Gitlab CE 11.5.1
from docker info on the host machine:
Containers: 50
Running: 6
Paused: 0
Stopped: 44
Images: 284
Server Version: 17.05.0-ce
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 639
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Kernel Version: 3.16.0-7-amd64
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.817GiB
Name: #######
ID: #######
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Used GitLab Runner version
Version: 9.5.1
Git revision: 96b34cc
Git branch: 9-5-stable
GO version: go1.8.3
Built: Wed, 04 Oct 2017 16:26:27 +0000
OS/Arch: linux/amd64