Which is a secure way to build Docker images in GitLab's CI?

I have created a Docker runner that is binding the Docker socket /var/run/docker.sock into the container as described in 1:

sudo gitlab-runner register -n \
   --url https://gitlab.com/ \
   --registration-token REGISTRATION_TOKEN \
   --executor docker \
   --description "My Docker Runner" \
   --docker-image "docker:stable" \
   --docker-volumes /var/run/docker.sock:/var/run/docker.sock

I have read several posts/articles that recommend avoiding Docker-in-Docker deployment and instead advise use of Docker socket binding (e.g. https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/).

However, a concern with this approach is that any developer who is able to add a Docker command in the .gitlab-ci.yml could access/stop/remove any of the containers running on the host. For example, adding docker rm -f $(docker ps -a -q) would remove all existing containers.

How can I avoid this?
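As an added example that is not part of the post or of gitlab-runner itself: a POSIX shell audit of a gitlab-runner config.toml that flags the exact setting the question describes (the host Docker socket bind-mounted into job containers) and the privileged flag that Docker-in-Docker needs instead, so a runner host can be checked before untrusted .gitlab-ci.yml jobs reach it. The sample config, the token placeholder and the function name are constructed for this example.

```shell
#!/bin/sh
# audit_runner_config FILE
# Reads a gitlab-runner config.toml and reports docker-executor settings that
# hand job containers control of the host daemon. Returns 0 when clean and
# 1 when at least one finding was printed. Assumes the flat key layout that
# gitlab-runner writes; it is grep-based, so a hand-edited file could evade it.
audit_runner_config() {
  cfg="$1"
  findings=0
  # Only the docker executor carries the two keys checked below.
  grep -q 'executor *= *"docker"' "$cfg" || return 0
  # The setting from the question: with the socket mounted, every job can issue
  # any daemon command, including the docker rm -f example above.
  if grep -Eq 'volumes *=.*/var/run/docker\.sock' "$cfg"; then
    echo "$cfg: host /var/run/docker.sock is bind-mounted into job containers"
    findings=$((findings + 1))
  fi
  # The usual alternative, docker-in-docker, needs this flag instead.
  if grep -Eq '^[[:space:]]*privileged *= *true' "$cfg"; then
    echo "$cfg: privileged = true (jobs can reach host devices and cgroups)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample, not copied from a real host: the config.toml that the
# register command in the question produces (token replaced by a placeholder).
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
concurrent = 1

[[runners]]
  name = "My Docker Runner"
  url = "https://gitlab.com/"
  token = "TOKEN_PLACEHOLDER"
  executor = "docker"
  [runners.docker]
    image = "docker:stable"
    privileged = false
    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]
EOF

if audit_runner_config "$SAMPLE_CFG"; then
  echo "no findings"
else
  echo "review this runner before exposing it to untrusted .gitlab-ci.yml jobs"
fi
```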
