Commit 4ed9c80f authored by Kevin Daudt

register-runner: mount docker socket in container

In order for jobs on this runner to be able to build docker images, the
build container needs access to docker.

One option is to use docker-in-docker, but this is not a recommended
option.

The other option is to mount the docker socket from the host to the
build containers. This is technically the best option, but it comes with
some issues:

* CI jobs get full access to docker, with all its security implications
* Different jobs can create conflicting images / containers
* Jobs could create images which remain on the host, and could
  accidentally (or on purpose) be used by other jobs. This is limited by
  the setting to always fetch images from the registry.

This remains a trade-off between security and convenience, but it should
be used with care.
parent 88bab045
......@@ -10,5 +10,6 @@ gitlab-runner register \
--tag-list "docker-alpine,$ARCH" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"
--docker-helper-image alpinelinux/gitlab-runner-helper:latest
--access-level="not_protected" \
--docker-helper-image alpinelinux/gitlab-runner-helper:latest \
--docker-volumes /var/run/docker.sock:/var/run/docker.sock
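Review bot: The new `--docker-volumes /var/run/docker.sock:/var/run/docker.sock` line sits in the same registration as `--run-untagged="true"`, `--locked="false"` and `--access-level="not_protected"`, so every job this runner picks up, including untagged jobs on unprotected branches, gets the host's Docker socket. Consider registering a second runner for image builds only, with its own tag, `--run-untagged="false"` and `--access-level="ref_protected"`, and leaving this general-purpose runner without the mount. The commit message relies on images always being fetched from the registry, but no pull-policy option is visible in these lines; if it is not set earlier in the command, set it explicitly here so the mitigation does not depend on a default. A short comment above the volume line pointing to the trade-off described in the commit message would also help whoever edits this script next.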