
Last time I used Docker-in-Docker for the runners, but it requires privileged mode.

Compose file:

version: '3.7'
services:
  runner:
    image: gitlab/gitlab-runner:latest
    volumes:
      - ./config:/etc/gitlab-runner
      - ./run:/var/run/
#      - /var/run/docker.sock:/var/run/docker.sock

  docker:
    image: docker:dind
    restart: always
    privileged: true # <-- security problems
    volumes:
      - ./run:/var/run/

I have a personal PC. I have a GitLab team that needs to run docker build or docker-compose up scripts in GitLab CI. I really want to speed up CI. That is why I share the host Docker with the runners; now they have the Docker cache (images, and so on), and when one stage builds an image and another requires it, it is really fast.

I have the same problem with Jenkins. I need to share the host Docker with the worker nodes.

Last time I wanted to test the new approach and run the runners with their own Docker. I basically don't have 2 important things:
- resource limits (I want to share 7 of 8 CPU cores, 10 of 16 GB of memory, and some HDD limit)
- security

It is important to add: I don't have CI scripts that require a GPU, network capabilities, mounting devices and so on. They usually do a simple docker build and docker push; sometimes I need to grab artifacts with docker cp, that is all. Main question: how do I run Docker in Docker without root privileges on the host machine?

Both socket sharing and privileged mode give vulnerabilities to the host machine, and having a virtual machine (like VirtualBox or something) is slow and hard to do; also I want to share resources: I want Docker to be able to use 10 of 16 GB, but those 10 GB should be free when it doesn't use them.

I get some non-informative errors from the dind container (before it fails) when I run it with the usual privileges:

gitlab-runner-docker | mount: permission denied (are you root?)
gitlab-runner-docker | mount: permission denied (are you root?)
gitlab-runner-docker | Could not mount /sys/kernel/security.
gitlab-runner-docker | AppArmor detection and --privileged mode might break.

What problems will I have if I try to run Docker in Docker without privileged mode? How do I do it?

  • "What problems I will have if try to run docker in docker without privileged mode?" It won't work. You won't be able to build images or run containers.
    – BMitch
    Commented Aug 22, 2019 at 22:58
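As an added example (not code from the question, the comment or the answer), here is a POSIX shell audit for the kind of Compose file shown above. It reports the two settings the question identifies as root-equivalent on the host (privileged: true and a bind mount of the host Docker socket), lists which services lack CPU, memory and PID caps, and emits a capped variant of the question's Compose file. Assumptions: the sample input is the Compose file from the question; the capped variant uses the Compose Spec service keys cpus, mem_limit and pids_limit as read by docker compose v2 (the legacy docker-compose with the 3.x format wants deploy.resources.limits plus --compatibility instead); all function names are mine.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: audit a runner
# docker-compose file for the two settings the question calls out as handing
# root on the host to the container, and for missing resource caps.
# Requires only POSIX sh, sed and awk.

# _scan MODE FILE
# Walk the services: map with YAML comments stripped (so the commented-out
# socket line in the question's file is not counted), tracking which service
# each line belongs to.
#   MODE=grants -> print "<service>: <root-equivalent setting>"
#   MODE=caps   -> print "<service>: missing <cpus|mem_limit|pids_limit>"
_scan() {
    sed 's/[[:space:]]*#.*$//' "$2" | awk -v mode="$1" '
        /^services:/          { inside = 1; next }
        inside && /^[^ ]/     { inside = 0 }
        !inside               { next }
        /^  [^ ]/             { svc = $1; sub(/:$/, "", svc); order[++n] = svc; next }
        mode == "grants" && /^ +privileged: *true/ {
            print svc ": privileged: true (all capabilities and host devices)" }
        mode == "grants" && /\/var\/run\/docker\.sock:/ {
            print svc ": host Docker socket bind-mounted (full control of the host daemon)" }
        /^ +cpus:/            { has[svc, "cpus"] = 1 }
        /^ +mem_limit:/       { has[svc, "mem_limit"] = 1 }
        /^ +pids_limit:/      { has[svc, "pids_limit"] = 1 }
        END {
            if (mode != "caps") exit
            split("cpus mem_limit pids_limit", key, " ")
            for (i = 1; i <= n; i++)
                for (k = 1; k <= 3; k++)
                    if (!has[order[i], key[k]]) print order[i] ": missing " key[k]
        }'
}

root_grants()  { _scan grants "$1"; }   # exit 0; findings on stdout
missing_caps() { _scan caps "$1"; }     # exit 0; findings on stdout

# audit_compose FILE: full report; returns 1 when any service is
# root-equivalent on the host, so it can gate a CI job or pre-commit hook.
audit_compose() {
    grants=$(root_grants "$1")
    missing_caps "$1"
    if [ -n "$grants" ]; then
        printf '%s\n' "$grants"
        return 1
    fi
    return 0
}

# The Compose file from the question, reproduced here as the sample input.
sample_compose() {
cat <<'EOF'
version: '3.7'
services:
  runner:
    image: gitlab/gitlab-runner:latest
    volumes:
      - ./config:/etc/gitlab-runner
      - ./run:/var/run/
#      - /var/run/docker.sock:/var/run/docker.sock

  docker:
    image: docker:dind
    restart: always
    privileged: true
    volumes:
      - ./run:/var/run/
EOF
}

# The same file with the caps the question asks for (assumed client: docker
# compose v2). Each value is a cgroup ceiling, not a reservation: the 7 cores
# and 10 GB stay available to the host while no build is running.
# privileged: true is kept because, per the comment on the question, dind does
# not start without it; the audit therefore still reports the docker service.
capped_compose() {
cat <<'EOF'
services:
  runner:
    image: gitlab/gitlab-runner:latest
    cpus: "0.5"
    mem_limit: 256m
    pids_limit: 256
    volumes:
      - ./config:/etc/gitlab-runner
      - ./run:/var/run/

  docker:
    image: docker:dind
    restart: always
    privileged: true
    cpus: "7"
    mem_limit: 10g
    pids_limit: 4096
    volumes:
      - ./run:/var/run/
EOF
}
```

Run it as `audit_compose docker-compose.yml || exit 1` from a hook or a CI job; `capped_compose > docker-compose.yml` writes the capped variant. Two caveats a practitioner will want: the HDD limit from the question is not covered, because dind keeps its images in its own /var/lib/docker, so give that path a volume of fixed size (or use storage_opt on a storage driver and filesystem that support quotas); and membership in the docker group that the answer suggests is access to the very same socket the audit flags, so it removes the sudo prompt, not the host-root exposure.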

1 Answer


Well, regarding the load balancing of the RAM memory I can't help, but you can run Docker in Docker (dind) without sudo permissions by adding your current user to the docker group.

I don't see the security of the shared sockets because it loses its integrity, but I would recommend instantiating the dind with the Compose parameter privileged: true.
