Add support for cap_add, cap_drop, and devices in Docker executor (!91) · Merge requests · GitLab.org / gitlab-runner

Merged username-removed-90962 requested to merge JonathonReinhart/gitlab-ci-multi-runner:support-cap-add-drop into master Feb 10, 2016

fsouze/go-dockerclient already supports these parameters in HostConfig.

This adds them to config.toml and passes them through.

See #984 (closed).

This has successfully been tested using local exec:

Capabilities have been tested using a test program, listcaps, using the following command line:
```
gitlab-ci-multi-runner-linux-amd64 exec docker --docker-cap-add NET_ADMIN --docker-cap-drop KILL --docker-cap-drop DAC_OVERRIDE build
```
You can see that the capabilities are effectively added and dropped.

Devices have been tested using a test program, kvmtest, using the following command lines:

gitlab-ci-multi-runner-linux-amd64 exec docker build    # fails, /dev/kvm doesn't exist
gitlab-ci-multi-runner-linux-amd64 exec docker --docker-devices /dev/kvm:/dev/kvm:r build    # fails, /dev/kvm is read-only
gitlab-ci-multi-runner-linux-amd64 exec docker --docker-devices /dev/kvm build   # succeeds

This has been tested with run, with the following config.toml, using the same projects as above.

concurrent = 1 

[[runners]]
  name = "devel-runner"
  url = "http://gitlab.example.com/ci/"
  token = "xxxxxxxx"
  limit = 1 
  executor = "docker"
  [runners.docker]
    privileged = false
    cap_add = ["NET_ADMIN"]
    cap_drop = ["DAC_OVERRIDE"]
    devices = ["/dev/kvm"]