Page MenuHomePhabricator
Create Task
Maniphest T320411

Evaluate if Docker can be executed as non-root on Trusted Runners
Closed, DeclinedPublic
Actions

Description

In the setup of Trusted Runners T295481 the idea came up to run the Docker executor on Trusted Runners with less privileges. This dedicated task is about running the Docker executor as non-root and with disabled sudo/dropped SETUID and SETGID capabilities (like the docs recommend for more security hardening).

This feature is not strictly needed to open Trusted Runners to the public but could enhance the security even more. Both the security improvements but also the added restrictions to CI jobs should be evaluated.

See also:
https://docs.gitlab.com/runner/security/#usage-of-docker-executor
https://docs.gitlab.com/runner/executors/docker.html
https://wikitech.wikimedia.org/wiki/GitLab/Gitlab_Runner/Security_Evaluation#Rootless_Docker_and_dropped_Docker_capabilities

Details

SubjectRepoBranchLines +/-
gitlab_runner: add option to drop Docker capabilitiesoperations/puppetproduction+11 -1
Customize query in gerrit

Related Objects

Event Timeline

Jelto created this task.Oct 10 2022, 12:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 10 2022, 12:53 PM
Jelto mentioned this in T295481: Setup GitLab Runner in trusted environment.Oct 10 2022, 12:53 PM
gerritbot added a comment.Oct 10 2022, 1:06 PM

Change 773746 had a related patch set uploaded (by Jelto; author: Jelto):

[operations/puppet@production] gitlab_runner: add option to drop Docker capabilities

https://gerrit.wikimedia.org/r/773746

gerritbot added a project: Patch-For-Review.Oct 10 2022, 1:06 PM
LSobanski moved this task from Incoming to Backlog on the collaboration-services board.Oct 18 2022, 3:55 PM
LSobanski triaged this task as Low priority.Jan 17 2023, 4:10 PM
gerritbot added a comment.Feb 15 2023, 1:46 PM

Change 773746 abandoned by Jelto:

[operations/puppet@production] gitlab_runner: add option to drop Docker capabilities

Reason:

not needed at the moment

https://gerrit.wikimedia.org/r/773746

Maintenance_bot removed a project: Patch-For-Review.Feb 15 2023, 2:11 PM
LSobanski closed this task as Declined.Oct 16 2023, 3:51 PM
LSobanski subscribed.

The cost of implementing this would not be comparable to the gains.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits