Allow custom seccomp profiles to be loaded using a file on the docker runner configuration.toml
Description
As explained in the [runners.docker] section on the GitLab Runner config.docs: to set custom security options to the containers created in the runner, the option:
| Parameter | Description |
|---|---|
security_opt |
set security options (--security-opt in docker run), takes a list of ':' separated key/values |
... is used. However it's quite useful to use a .json file containing all these security options when they're a few (e.g. of a valid seccomp profile https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json) to avoid hardcoding them and polluting the config.toml file.
Proposal
Maybe accept both: list of key:value and file path (string) as argument for the security_opt config. option. (i.e. If the value is a list, use the current logic. If it's a string, consider it a path)
Activity
changed milestone to %Backlog
added feature proposal label
added executordocker label
@ayufan I missed this option while using a custom chrome-headless Dockerfile that needs some very specific whitelisted syscalls to properly run.
Here's Docker's default seccomp profile: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
I also linked above the one used by Jessie Frazelle on her Chrome Dockerfile: https://github.com/jessfraz/dockerfiles/blob/master/chrome/stable/Dockerfile
Is there a different way?
Here: https://docs.docker.com/engine/reference/run/#security-configuration are listed all the
docker runcurrently supported security configurations.
