Support specifying Linux capabilities to add/drop in Docker executor

docker run has two levels of granularity for granting additional capabilities to containers:

  • --privileged, which gives the container nearly full control of the host, almost as if the process were running directly on it
  • --cap-add and --cap-drop, which allow fine-grained control over the exact set of Linux capabilities granted to the container

The GitLab CI Multi Runner's config.toml [runners.docker] section accepts a privileged flag which effectively passes --privileged to docker run.

This issue requests adding cap-add and cap-drop parameters to config.toml as well. That would allow granting containers only the small set of specific privileges a build / test cycle may require, instead of the full privileged mode.
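As an added example (not code from the issue or from the runner project), the following Python check decodes the CapEff bitmask that a job can read from /proc/self/status and compares it with the set a cap-add / cap-drop or privileged configuration should produce. The Docker default capability set and the "drop from defaults, then add" precedence are modelled after docker run's behaviour and are assumptions of this example.

```python
import re

# Linux capability names in bit order (bit i of CapEff = CAP_NAMES[i]), following
# the kernel's include/uapi/linux/capability.h numbering.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
    "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
    "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
    "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
ALL_CAPS = frozenset(CAP_NAMES)

# The set an unprivileged `docker run` grants by default (assumed model of Docker).
DOCKER_DEFAULT_CAPS = frozenset(
    "CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID SETPCAP NET_BIND_SERVICE "
    "NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP".split())

def decode_capeff(hexmask: str) -> frozenset:
    """Turn a CapEff hex bitmask into the set of capability names it encodes."""
    mask = int(hexmask, 16)
    return frozenset(name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1)

def expected_caps(cap_add=(), cap_drop=(), privileged=False) -> frozenset:
    """Model of what a container should end up with: privileged means every
    capability; otherwise drop from the default set first, then add back.
    'ALL' is accepted in either list, as docker run accepts it."""
    for name in (*cap_add, *cap_drop):
        if name != "ALL" and name not in ALL_CAPS:
            raise ValueError(f"unknown capability: {name}")
    if privileged:
        return ALL_CAPS
    drop = ALL_CAPS if "ALL" in cap_drop else frozenset(cap_drop)
    add = ALL_CAPS if "ALL" in cap_add else frozenset(cap_add)
    return (DOCKER_DEFAULT_CAPS - drop) | add

def audit_status(status_text: str, cap_add=(), cap_drop=(), privileged=False) -> dict:
    """Compare the CapEff line of /proc/<pid>/status against the expected set and
    report capabilities the job holds but should not, and the ones it lacks."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    actual = decode_capeff(m.group(1))
    wanted = expected_caps(cap_add, cap_drop, privileged)
    return {"unexpected": sorted(actual - wanted), "missing": sorted(wanted - actual)}

# Constructed excerpt of /proc/self/status as read inside a default Docker container.
SAMPLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
```

Running `audit_status` with the job's intended cap-add / cap-drop lists inside the job itself turns the config into a verifiable assertion rather than a trusted setting.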