I have a self-hosted GitLab 16.2 instance, and I am currently changing my setup from a shell executor to a docker executor using rootless podman. I configured that following the guide in the GitLab docs. My pipelines work in principle, but I am seeing intermittent failures of at least two different kinds, which maybe are worth separate topics.
I then somewhat randomly tried to set `privileged = true` in the `[runners.docker]` section of the `config.toml` file, and luckily there are no failures any more. Now my assumption is that privileged mode with a rootless podman setup is much less critical than with podman (or docker) running as root, because I think what this does is `podman run --privileged`, and the man page says that this only means that the code run in the container can potentially gain access to the host with the permissions of the user that runs podman. Because this is not `root` in my case (I have a user `gitlab-runner` for this), the host can only be accessed with the permissions of that user, but not `root`. So security should be the same as when running the shell executor as user
Do I have the right understanding, or am I opening a big security hole with privileged mode on a rootless podman setup?
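As an added example that is not part of the post above, the following shell script is the kind of audit a runner maintainer can keep next to this question: it lists which `[[runners]]` entries in a GitLab Runner `config.toml` set `privileged = true` under `[runners.docker]`, and, when `podman` is installed, asks it whether it is running rootless. The runner names and file contents are constructed for the demonstration; `podman info --format '{{.Host.Security.Rootless}}'` is a real podman query, the rest is this example's own helper code.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GitLab Runner config.toml
# for docker-executor runners that enable privileged mode, and report whether
# the podman on this host runs rootless. The sample config is constructed.

# Print "<runner name>=privileged" or "<runner name>=unprivileged" for each
# [[runners]] block, based on the privileged key in its [runners.docker] section.
audit_privileged_runners() {
  cfg=$1
  awk '
    function flush() { if (name != "") print name "=" (priv ? "privileged" : "unprivileged") }
    /^[[:space:]]*\[\[runners\]\]/ { flush(); name = ""; priv = 0; section = "runners"; next }
    /^[[:space:]]*\[runners\.docker\]/ { section = "docker"; next }
    /^[[:space:]]*\[/ { section = "other"; next }
    # name = "..." inside the [[runners]] block; keep the quoted value verbatim
    section == "runners" && $1 == "name" { line = $0; sub(/^[^"]*"/, "", line); sub(/".*$/, "", line); name = line; next }
    section == "docker" && $1 == "privileged" && $3 == "true" { priv = 1 }
    END { flush() }
  ' "$cfg"
}

# Report whether the podman the runner user would invoke is rootless.
# Prints "true", "false", or "podman-not-installed" when podman is absent.
podman_rootless_status() {
  if command -v podman >/dev/null 2>&1; then
    podman info --format '{{.Host.Security.Rootless}}'
  else
    echo "podman-not-installed"
  fi
}

# Demonstration on a constructed config with one privileged and one locked-down runner.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
concurrent = 2

[[runners]]
  name = "podman-rootless"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.19"
    privileged = true

[[runners]]
  name = "podman-locked"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.19"
    privileged = false
EOF

echo "privileged audit:"
audit_privileged_runners "$sample_cfg"
echo "podman rootless: $(podman_rootless_status)"
rm -f "$sample_cfg"
```

Run it as the `gitlab-runner` user so that `podman info` reflects that user's podman, not root's; the audit function only needs read access to `config.toml`.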