Support specifying Linux capabilities to add/drop in Docker executor
`docker run` has two levels of granularity for granting additional capabilities to containers:

- `--privileged`, which basically gives the container full control, almost as if it were running directly on the host
- `--cap-add` and `--cap-drop`, which allow for fine-grained control over the exact set of capabilities granted to the container
The GitLab CI Multi Runner's `config.toml` `[runners.docker]` section accepts a `privileged` flag, which effectively passes `--privileged` to `docker run`.

This issue requests adding `cap-add` and `cap-drop` parameters to `config.toml` as well. That would allow granting the containers only the small set of specific privileges that a build / test cycle may require, instead of the full privileged mode.