Last time I used Docker-in-Docker for runners, but it requires privileged mode.
Compose file:

```yaml
version: '3.7'
services:
  runner:
    image: gitlab/gitlab-runner:latest
    volumes:
      - ./config:/etc/gitlab-runner
      - ./run:/var/run/        # the runner picks up docker.sock that the dind service writes here
      # - /var/run/docker.sock:/var/run/docker.sock   # alternative: share the host daemon directly
  docker:
    image: docker:dind
    restart: always
    privileged: true           # <-- security problems
    volumes:
      - ./run:/var/run/        # dind publishes its /var/run/docker.sock into ./run
```
I have a personal PC. I have a GitLab team that needs to run `docker build` or `docker-compose up` scripts with GitLab CI. I really want to speed up CI. That is why I share my host Docker with the runners: now they have the Docker cache (images, and so on), and when one stage builds an image and another one requires it, it is really fast.

I have the same problem with Jenkins. I need to share the host Docker with worker nodes.

Last time I wanted to test the new approach and run runners with their own Docker. I am still missing two important things:

- resource limits (I want to share 7 of 8 CPU cores, 10 of 16 GB of memory, and some HDD limit)
- security
It is important to add: I don't have CI scripts that require a GPU, network capabilities, mounting devices and so on. They usually do a simple `docker build` and `docker push`; sometimes I need to grab artifacts with `docker cp`, that is all.

Main question: how do I run Docker in Docker without root privileges on the host machine?

Both socket sharing and privileged mode expose the host machine to vulnerabilities, and having a virtual machine (like VirtualBox or something) is slow and hard to set up. Also I want to share resources: I want Docker to be able to use 10 of 16 GB, but those 10 GB should be free when it doesn't use them.
I get some non-informative errors from the dind container (before it fails) when I run it with the usual privileges:

```
gitlab-runner-docker | mount: permission denied (are you root?)
gitlab-runner-docker | mount: permission denied (are you root?)
gitlab-runner-docker | Could not mount /sys/kernel/security.
gitlab-runner-docker | AppArmor detection and --privileged mode might break.
```

What problems will I have if I try to run Docker in Docker without privileged mode? How do I do it?
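As an added check (example code written for this page, not the poster's configuration or GitLab's): both `privileged: true` and a bind-mounted `/var/run/docker.sock` give a container root-equivalent control of the host, so the first thing worth knowing on a shared PC is which containers currently have either. The script below reads `docker inspect` output and lists every container with those settings, plus a few that are nearly as bad (`cap_add: SYS_ADMIN`, `pid: host`, seccomp or AppArmor switched off). The three containers in `SAMPLE_INSPECT` are constructed here for illustration; the field names are the ones `docker inspect` actually prints.

```python
"""Audit `docker inspect` output for settings that hand a container root on the host.

Usage on a real host:  docker inspect $(docker ps -q) | python3 audit.py
Run without input, it audits the constructed SAMPLE_INSPECT below.
"""
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of `docker inspect` (trimmed to the fields the audit reads).
# The names mirror the compose file in the question; the container IDs and paths are made up.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111aaaa1111",
        "Name": "/gitlab-runner-docker",
        "HostConfig": {"Privileged": True, "CapAdd": None, "PidMode": "", "SecurityOpt": None},
        "Mounts": [{"Type": "bind", "Source": "/home/ci/run", "Destination": "/var/run"}],
    },
    {
        "Id": "bbbb2222bbbb2222",
        "Name": "/gitlab-runner",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": ["SYS_ADMIN"],
            "PidMode": "host",
            "SecurityOpt": ["seccomp=unconfined"],
        },
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Id": "cccc3333cccc3333",
        "Name": "/web",
        "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "", "SecurityOpt": None},
        "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data"}],
    },
])

# Capabilities that are root-equivalent (or one short step from it) on their own.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}
# Host paths whose bind mount exposes the host daemon or the host filesystem.
DANGEROUS_SOURCES = {"/var/run/docker.sock", "/run/docker.sock", "/", "/proc", "/sys", "/dev"}


def _normalize(path: str) -> str:
    return path.rstrip("/") or "/"


def audit_container(container: dict) -> List[str]:
    """Return a list of human-readable findings for one `docker inspect` entry."""
    findings: List[str] = []
    hc = container.get("HostConfig") or {}

    if hc.get("Privileged"):
        findings.append("privileged: all capabilities, all host devices, no seccomp/AppArmor")

    for cap in hc.get("CapAdd") or []:
        cap = cap[4:] if cap.startswith("CAP_") else cap
        if cap in DANGEROUS_CAPS:
            findings.append(f"cap_add {cap}")

    if hc.get("PidMode") == "host":
        findings.append("pid=host: host processes visible and ptrace-able")

    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"security_opt {opt}")

    for mount in container.get("Mounts") or []:
        if mount.get("Type") != "bind":
            continue
        src = _normalize(mount.get("Source", ""))
        if src in DANGEROUS_SOURCES:
            findings.append(f"bind mount of {src} at {mount.get('Destination')}")

    return findings


def audit(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings, for every container that has at least one."""
    report: Dict[str, List[str]] = {}
    for container in json.loads(inspect_json):
        name = (container.get("Name") or "").lstrip("/") or container.get("Id", "")[:12]
        findings = audit_container(container)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, items in audit(raw).items():
        print(f"{name}:")
        for item in items:
            print(f"  - {item}")
```

Anything this prints is a container that can become root on the host with a one-line `docker run -v /:/host` (through the socket) or a `mount` of the host disk (privileged); a CI runner in that list is the situation the question describes. Resource limits are a separate matter and do not reduce this exposure.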