Cannot use Docker executor when Docker is setup using user namespaces
Summary
I run GitLab Runner as a Docker container on my host. My host dockerd is running with user namespaces, so users inside a container are mapped to a different range of user IDs on the host; this avoids the container's root user sharing the same ID as the host one. In this context, it is not possible to use the Docker executor.

What is happening is: first, to run the GitLab Runner container we need to share `docker.sock`, but it will not have the necessary rights because it is running in a different user namespace. One workaround is to run the GitLab Runner container in the host namespace by using `--user_ns=host`. Then it is possible to use that runner for everything except the Docker (or related) executor, because there is no way to configure the executor containers to run in the host namespace. Therefore those executors fail with permission denied when trying to use docker.
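The following script is an added illustration, not code from the issue or from GitLab Runner: it models the permission check described above, showing why host uid 0 (the runner container started in the host user namespace) passes the socket's DAC bits while root inside a remapped executor container does not. The subuid range, the socket ownership (root:docker, mode 0660) and the docker group gid are constructed values.

```sh
#!/bin/sh
# Added example, not from the issue: model why root inside a Docker-executor
# container is denied on docker.sock once dockerd runs with userns-remap.
# Constructed values: a typical /etc/subuid line for the remap user, and a
# socket owned root:docker with mode 0660 (docker group gid 999 assumed).
SUBUID_LINE="dockremap:100000:65536"
SOCK_UID=0; SOCK_GID=999; SOCK_MODE=0660

# host_id CONTAINER_ID "user:start:count" -> host id the container id maps
# to under that range, or "unmapped" when it falls outside the range.
host_id() {
  cid=$1; start=${2#*:}; start=${start%%:*}; count=${2##*:}
  if [ "$cid" -ge "$count" ]; then echo unmapped; return 1; fi
  echo $((start + cid))
}

# can_open UID GID -> success if that identity has rw on the socket,
# following the usual owner / group / other permission bit selection.
can_open() {
  uid=$1; gid=$2; mode=$((SOCK_MODE))   # leading 0 makes it octal
  if [ "$uid" -eq "$SOCK_UID" ]; then bits=$(( (mode >> 6) & 7 ))
  elif [ "$gid" -eq "$SOCK_GID" ]; then bits=$(( (mode >> 3) & 7 ))
  else bits=$(( mode & 7 )); fi
  [ $(( bits & 6 )) -eq 6 ]
}

# verdict UID GID -> "allowed" or "denied"
verdict() { if can_open "$1" "$2"; then echo allowed; else echo denied; fi; }

# The runner container started in the host user namespace (--userns=host)
# keeps host uid 0, so it can open the socket. Executor containers are
# created through that socket without the host namespace, so their uid/gid 0
# land at the start of the remap range instead.
remapped_uid=$(host_id 0 "$SUBUID_LINE")
remapped_gid=$(host_id 0 "$SUBUID_LINE")   # subgid range assumed identical
echo "runner container root (host namespace, 0:0): $(verdict 0 0)"
echo "executor container root (remapped to $remapped_uid:$remapped_gid): $(verdict "$remapped_uid" "$remapped_gid")"
```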
Steps to reproduce
- On the host, configure Docker to run with user namespaces activated (`"userns-remap": "default"` in daemon.json should do it)
- Pull gitlab-ce/gitlab-runner and run it using the `--user_ns host` flag
- Register the runner (by using `docker exec` on the newly created container) using the Docker executor
- Edit the config.toml of the runner to add a new volume to share the docker.sock
- Run a CI job using that runner's executor; for the script, `docker version` will be enough to show the problem.
Actual behavior
Here is the error: `Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock`
Expected behavior
It should work (if you follow my steps, it should display the host docker version). If you do all of the above steps but without configuring user namespaces on the host, then it all works.
Relevant logs and/or screenshots
Relevant information was provided above and below.
Environment description
The relevant points are:
- Own installation of the runner (version 9.0.0)
- Using the Docker executor
- Docker version 17.03.1 with userns activated (it works with the default settings of Docker, i.e. without user namespaces)
Used GitLab Runner version
Runner Version:

```
Version:      9.0.0
Git revision: 08a9e6f
Git branch:   9-0-stable
GO version:   go1.7.5
Built:        Wed, 22 Mar 2017 16:29:52 +0000
OS/Arch:      linux/amd64
```
Job output:

```
Running with gitlab-ci-multi-runner 9.0.0 (08a9e6f)
on Docker Deploy Runner (8a9bb0f6)
Using Docker executor with image docker:latest ...
Using docker image sha256:6480bec797036e8c7ce51c7ba7ec4ad6982a05aabd26d180cdc510d3afa40d5a ID=sha256:6480bec797036e8c7ce51c7ba7ec4ad6982a05aabd26d180cdc510d3afa40d5a for predefined container...
Pulling docker image docker:latest ...
Using docker image docker:latest ID=sha256:d953a76892ac0c90e9d075f0434e4031c9abde979051cb5247462a673148add7 for build container...
Running on runner-8a9bb0f6-project-14-concurrent-0 via runner.island.lan...
Cloning repository...
Cloning into '/builds/infra/containers/ntpd'...
Checking out e46bdf15 as master...
Skipping Git submodules setup
$ export IMAGE_TAG="$(echo -en $CI_COMMIT_REF_NAME | tr -c '[:alnum:]_.-' '-')-$(date +%Y%m%d)"
$ uname -a
Linux runner-8a9bb0f6-project-14-concurrent-0 4.8.0-45-generic #48~16.04.1-Ubuntu SMP Fri Mar 24 12:46:56 UTC 2017 x86_64 Linux
$ docker version
Client:
 Version:      17.03.1-ce
 API version:  1.27
 Go version:   go1.7.5
 Git commit:   c6d412e
 Built:        Tue Mar 28 00:40:02 2017
 OS/Arch:      linux/amd64
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/version: dial unix /var/run/docker.sock: connect: permission denied
ERROR: Job failed: exit code 1
```