Add support for specifying seccomp profile path in Docker executor

What does this MR do?

Adds support for specifying seccomp profile path instead of just inline JSON in the Docker executor security options.

Why was this MR needed?

Implements the below linked feature requests. One major use case is building container images using buildkit / buildah, which do not work with the default Docker seccomp profile.

This allows specifying a slightly weaker profile instead of running the jobs unconfined. Previously this was only possible by specifying the seccomp profile inline in the runner config, which is very impractical given the large size of such profiles.

What's the best way to test this MR?

Configure GitLab runner like this and observe (docker inspect <name of the container running a job>) that the contents of the profile path are used in SecurityOpt.

[[runners]]
  [runners.docker]
    security_opt = ["seccomp=/etc/gitlab-runner/my-seccomp.json"]

An example profile can be obtained from https://github.com/moby/profiles/blob/main/seccomp/default.json

What are the relevant issue numbers?

Closes #27235 (closed)
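
A check for the test step described above, as an added example that is not part of the merge request or of GitLab Runner's code: it compares the seccomp value in a container's `docker inspect` record with the profile file, ignoring JSON whitespace and key order. The sample profile, the inspect record and the result labels are constructed for this example.

```python
import json

# Constructed sample profile (stands in for /etc/gitlab-runner/my-seccomp.json).
PROFILE_TEXT = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"}]
}"""

def make_inspect_record(security_opt):
    """Build a constructed, minimal stand-in for one `docker inspect` record."""
    return {"Name": "/constructed-job-container",
            "HostConfig": {"SecurityOpt": security_opt}}

def seccomp_values(record):
    """Return the value of every seccomp=... entry in HostConfig.SecurityOpt."""
    opts = (record.get("HostConfig") or {}).get("SecurityOpt") or []
    values = []
    for opt in opts:
        key, sep, value = opt.partition("=")
        if sep and key == "seccomp":
            values.append(value)
    return values

def check_profile(record, profile_text):
    """Classify the container's seccomp setting against the expected profile."""
    expected = json.loads(profile_text)
    values = seccomp_values(record)
    if not values:
        return "no-seccomp-option"   # nothing set for this container
    if len(values) > 1:
        return "ambiguous"           # several entries: review by hand
    if values[0] == "unconfined":
        return "unconfined"          # seccomp filtering disabled
    try:
        applied = json.loads(values[0])
    except ValueError:
        return "not-json"            # e.g. a literal path that was never read
    # Parsed comparison ignores whitespace and key order.
    return "match" if applied == expected else "mismatch"

if __name__ == "__main__":
    inline = "seccomp=" + json.dumps(json.loads(PROFILE_TEXT), separators=(",", ":"))
    print(check_profile(make_inspect_record([inline]), PROFILE_TEXT))
```

For a live check, pass one element of the parsed `docker inspect` output as `record` and the text of the profile file as `profile_text`.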
