Skip to content

Docker executor: add services_security_opt config option

Glenn Dirkxrequested to merge
juravenator/gitlab-runner:docker-service-security-opt into main

What does this MR do?

Adds SecurityOpt from the docker executor settings to the HostConfig for services in createHostConfigForService() like already done in createHostConfig().

Why was this MR needed?

While trying to set up rootless container building using BuildKit on our self-hosted docker runners (using this blog post), I noticed that setting security_opt = ["apparmor:unconfined", "seccomp:unconfined"] had no effect on the service containers in the CI pipeline, and had to fall back to privileged = true.

By also using security_opt in service containers, I could avoid having to run our containers in privileged mode.

What's the best way to test this MR?

The following .gitlab-ci.yml will only succeed when either

  • privileged = true is set in the config.toml of the current gitlab-runner
  • security_opt = ["apparmor:unconfined", "seccomp:unconfined"] is set in the config.toml of a gitlab-runner containing the change in this MR
stages:
- build

buildkitd:
  stage: build

  variables:
    BUILDKIT_HOST: tcp://buildkitd:1234

  services:
  - alias: buildkitd
    name: moby/buildkit:rootless
    command:
    - "--oci-worker-no-process-sandbox"
    - "--addr"
    - "tcp://0.0.0.0:1234"

  image:
    name: moby/buildkit:rootless
    entrypoint: [ "sh", "-c" ]
  script:
  - |
    buildctl build \
        --frontend=dockerfile.v0 \
        --local context=. \
        --local dockerfile=.
  tags:
  - mycustomrunner

Merge request reports