Docker executor: add services_security_opt config option
What does this MR do?
Adds SecurityOpt from the docker executor settings to the HostConfig for services in createHostConfigForService(), as is already done in createHostConfig().
Why was this MR needed?
While trying to set up rootless container building using BuildKit on our self-hosted docker runners (using this blog post), I noticed that setting security_opt = ["apparmor:unconfined", "seccomp:unconfined"] had no effect on the service containers in the CI pipeline, and had to fall back to privileged = true.
By also using security_opt in service containers, I could avoid having to run our containers in privileged mode.
What's the best way to test this MR?
The following .gitlab-ci.yml will only succeed when either

- `privileged = true` is set in the config.toml of the current gitlab-runner, or
- `security_opt = ["apparmor:unconfined", "seccomp:unconfined"]` is set in the config.toml of a gitlab-runner containing the change in this MR.
```yaml
stages:
  - build

buildkitd:
  stage: build
  variables:
    BUILDKIT_HOST: tcp://buildkitd:1234
  services:
    - alias: buildkitd
      name: moby/buildkit:rootless
      command:
        - "--oci-worker-no-process-sandbox"
        - "--addr"
        - "tcp://0.0.0.0:1234"
  image:
    name: moby/buildkit:rootless
    entrypoint: [ "sh", "-c" ]
  script:
    - |
      buildctl build \
        --frontend=dockerfile.v0 \
        --local context=. \
        --local dockerfile=.
  tags:
    - mycustomrunner
```
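The two runner configurations the bullets above refer to, side by side, as an added illustration that is not part of this MR (runner names, URL and token are placeholders; `services_security_opt` is the option named in the MR title):

```toml
# Constructed example, not from the MR. Runner names, url and token are
# placeholders; only the [runners.docker] settings matter here.

# Before this MR: the service container ignores security_opt, so the
# rootless buildkitd service only works with the whole job running privileged.
[[runners]]
  name = "runner-privileged"          # placeholder
  url = "https://gitlab.example.com/" # placeholder
  token = "REDACTED_RUNNER_TOKEN"     # placeholder
  executor = "docker"
  [runners.docker]
    image = "moby/buildkit:rootless"
    privileged = true

# With this MR: the build container keeps security_opt and the service
# container gets services_security_opt, so privileged can stay false.
[[runners]]
  name = "runner-security-opt"        # placeholder
  url = "https://gitlab.example.com/" # placeholder
  token = "REDACTED_RUNNER_TOKEN"     # placeholder
  executor = "docker"
  [runners.docker]
    image = "moby/buildkit:rootless"
    privileged = false
    security_opt = ["apparmor:unconfined", "seccomp:unconfined"]
    services_security_opt = ["apparmor:unconfined", "seccomp:unconfined"]
```

Relaxing AppArmor and seccomp on the service container is still a narrower grant than `privileged = true`, which additionally exposes host devices and drops capability restrictions.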