@@ -88,9 +96,9 @@ For more information please read [On Docker security: `docker` group considered
...
@@ -88,9 +96,9 @@ For more information please read [On Docker security: `docker` group considered
The second approach is to use the special docker-in-docker (dind)
The second approach is to use the special docker-in-docker (dind)
[Docker image](https://hub.docker.com/_/docker/) with all tools installed
[Docker image](https://hub.docker.com/_/docker/) with all tools installed
(`docker`) and run the job script in context of that
(`docker`) and run the job script in context of that
image in privileged mode.
image in privileged mode.
NOTE: **Note:**`docker-compose` is not part of docker-in-docker (dind). In case you'd like to use `docker-compose` in your CI builds, please follow the [installation instructions for docker-compose](https://docs.docker.com/compose/install/) provided by docker.
NOTE: **Note:**`docker-compose` is not part of docker-in-docker (dind). In case you'd like to use `docker-compose` in your CI builds, please follow the [installation instructions for docker-compose](https://docs.docker.com/compose/install/) provided by docker.
In order to do that, follow the steps:
In order to do that, follow the steps:
...
@@ -115,6 +123,13 @@ In order to do that, follow the steps:
...
@@ -115,6 +123,13 @@ In order to do that, follow the steps:
want to use [docker-in-docker] mode, you always have to use `privileged = true`
want to use [docker-in-docker] mode, you always have to use `privileged = true`
in your Docker containers.
in your Docker containers.
DANGER: **Danger:**
By enabling `--docker-privileged`, you are effectively disabling all of
the security mechanisms of containers and exposing your host to privilege
escalation which can lead to container breakout. For more information, check
out the official Docker documentation on
[Runtime privilege and Linux capabilities][docker-cap].
The above command will create a `config.toml` entry similar to this:
The above command will create a `config.toml` entry similar to this:
```toml
```toml
...
@@ -173,11 +188,6 @@ In order to do that, follow the steps:
...
@@ -173,11 +188,6 @@ In order to do that, follow the steps:
Docker-in-Docker works well, and is the recommended configuration, but it is
Docker-in-Docker works well, and is the recommended configuration, but it is
not without its own challenges:
not without its own challenges:
- By enabling `--docker-privileged`, you are effectively disabling all of
the security mechanisms of containers and exposing your host to privilege
escalation which can lead to container breakout. For more information, check
out the official Docker documentation on
[Runtime privilege and Linux capabilities][docker-cap].
- When using docker-in-docker, each job is in a clean environment without the past
- When using docker-in-docker, each job is in a clean environment without the past
history. Concurrent jobs work fine because every build gets it's own
history. Concurrent jobs work fine because every build gets it's own
instance of Docker engine so they won't conflict with each other. But this
instance of Docker engine so they won't conflict with each other. But this