Commit 5fc6a7dc authored by Tomasz Maczukin's avatar Tomasz Maczukin

Update using_docker_build.md, clarify the 'privileged' mode requirement

[ci skip]
parent 793a7664
...@@ -88,24 +88,56 @@ In order to do that follow the steps: ...@@ -88,24 +88,56 @@ In order to do that follow the steps:
--token RUNNER_TOKEN \ --token RUNNER_TOKEN \
--executor docker \ --executor docker \
--description "My Docker Runner" \ --description "My Docker Runner" \
--docker-image "gitlab/dind:latest" \ --docker-image "docker:latest" \
--docker-privileged --docker-privileged
``` ```
The above command will register new Runner to use special [gitlab/dind](https://registry.hub.docker.com/u/gitlab/dind/) image which is provided by GitLab Inc. The above command will register a new Runner to use special `docker:latest` image which is provided by Docker
The image at the start runs Docker daemon in [docker-in-docker](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/) mode. creators. **Notice that it's using the `privileged` mode to start build and service containers.** If you want to use
[docker-in-docker](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/) mode, you always have to use
`privileged = true` in your docker containers.
The above command will create a `config.toml` entry similar to this:
```
[[runners]]
url = "https://gitlab.com/ci"
token = TOKEN
executor = "docker"
[runners.docker]
tls_verify = false
image = "docker:latest"
privileged = true
disable_cache = false
volumes = ["/cache"]
[runners.cache]
Insecure = false
```
If you want to use Shared Runners available on your GitLab CE/EE installation, to build docker images, then
make sure that your Shared Runners configuration have `privileged` mode set to `true`.
1. You can now use `docker` from build script: 1. You can now use `docker` from build script:
```yaml ```yaml
image: docker:latest
services:
- docker:dind
before_script: before_script:
- docker info - docker info
build_image: build:
stage: build
script: script:
- docker build -t my-docker-image . - docker build -t my-docker-image .
- docker run my-docker-image /script/to/run/tests - docker run my-docker-image /script/to/run/tests
``` ```
1. However, by enabling `--docker-privileged` you are effectively disables all security mechanisms of containers and exposing your host to privilege escalation which can lead to container breakout. 1. However, by enabling `--docker-privileged` you are effectively disables all security mechanisms of containers and
For more information, check out [Runtime privilege](https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration). exposing your host to privilege escalation which can lead to container breakout.
\ No newline at end of file
For more information, check out [Runtime privilege](https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration).
An example project using this approach can be found here: https://gitlab.com/gitlab-examples/docker.
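Review bot: the `config.toml` example added in this hunk is not valid TOML as written: `token = TOKEN` leaves the value unquoted, so a runner given this file literally would fail to parse it; quote it like the other string values, e.g. `token = "RUNNER_TOKEN"` to match the `--token RUNNER_TOKEN` placeholder used in the register command above. The security caveat in the final list item also has a grammar error, `you are effectively disables all security mechanisms`, which should read `you are effectively disabling all security mechanisms of containers and exposing your host to privilege escalation`; since this is the one sentence that tells users what `privileged = true` costs them, it should read cleanly. Consider additionally pointing at that caveat from the new Shared Runners paragraph, which instructs administrators to set `privileged` to `true` without mentioning the container-breakout risk stated a few lines later.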