Changes to GitLab runners configuration



Hello,

For historical reasons™ all GitLab runners were running with privileged
mode enabled. The happy side effect of this fact is that nothing special
was ever needed to run Docker or flatpak builds. It also means we were
extremely lucky that no one abused CAP_SYS_ADMIN and other elevated
privileges for bad things.

For past few days I've been working to ensure that Flatpak builds are
still functional without additional privileges. If your project is using
citemplates[1], the configuration change should be invisible to your
pipelines and you can keep on doing awesome GNOME work. However, if you
have modified default steps via 'extends' keyword (or by defining them
completely manually), please make sure that:

1) you are using the
registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome image or your
image does not run as root,
2) jobs using flatpak/flatpak-builder have "flatpak" tag defined,
3) flatpak-builder invocation includes --user -disable-rofiles-fuse for
building; 'flatpak-builder --run' includes --disable-rofiles-fuse.

If your project's pipeline is using Docker to build an image from
Dockerfile, consider switching to podman or buildah as they should work
unprivileged.

The only exception from these changes are runners assigned to
gnome-build-meta.

If you encounter any problems with running CI unprivileged, please poke
me on #sysadmin on irc.gnome.org or via Rocket.chat.

Bart


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]