Support adding capabilities to docker services using cap_add
## Description

I am trying to set up docker-in-docker using user namespace isolation instead of privileged mode. For this to work the docker-in-docker service must be started with the capabilities `SYS_ADMIN`, `NET_ADMIN` and `SYS_PTRACE`. Unfortunately the `cap_add` (and `cap_drop`) options only apply to the main docker container, and not to service containers that are created.

## Proposal

`cap_add` and `cap_drop` should be used when creating services as well.

## Links to related issues and merge requests / references

* `cap_add` was added in merge request !91
* Source code that configures capabilities for the normal containers: [executor_docker.go line 692-711](https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/v1.9.1/executors/docker/executor_docker.go#L692-711)
* Source code that configures service containers: [executor_docker.go line 539-548](https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/v1.9.1/executors/docker/executor_docker.go#L539-548)
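
One way to confirm the behaviour described in this issue on a runner host, as an added example that is not part of the original issue or the runner's code: it parses `docker inspect` JSON and reports which containers were created without the requested capabilities. The container names and the sample JSON are constructed, and `missingCaps` is a hypothetical helper; `HostConfig.CapAdd` and `HostConfig.Privileged` are the fields `docker inspect` reports.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// container holds the `docker inspect` fields that describe capabilities.
type container struct {
	Name       string
	HostConfig struct {
		Privileged bool
		CapAdd     []string
	}
}

// Constructed sample, not real output: only the build container has the caps.
const sampleInspect = `[
 {"Name":"/example-build","HostConfig":{"Privileged":false,"CapAdd":["SYS_ADMIN","NET_ADMIN","SYS_PTRACE"]}},
 {"Name":"/example-dind-service","HostConfig":{"Privileged":false,"CapAdd":null}}]`

// missingCaps maps container name -> wanted capabilities absent from CapAdd.
// Privileged containers and CapAdd "ALL" already hold every capability.
func missingCaps(inspectJSON string, want []string) (map[string][]string, error) {
	var cs []container
	if err := json.Unmarshal([]byte(inspectJSON), &cs); err != nil {
		return nil, fmt.Errorf("parse docker inspect output: %w", err)
	}
	missing := map[string][]string{}
	for _, c := range cs {
		have := map[string]bool{}
		for _, k := range c.HostConfig.CapAdd {
			have[strings.TrimPrefix(strings.ToUpper(k), "CAP_")] = true
		}
		if c.HostConfig.Privileged || have["ALL"] {
			continue
		}
		for _, w := range want {
			if !have[w] {
				missing[c.Name] = append(missing[c.Name], w)
			}
		}
	}
	return missing, nil
}

func main() {
	fmt.Println(missingCaps(sampleInspect, []string{"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}))
}
```

On a real host the JSON would come from running `docker inspect` on the job's build and service containers while the job is active.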