I have created a Docker runner that binds the Docker socket /var/run/docker.sock into the container, as described in 1:
sudo gitlab-runner register -n \
--url https://gitlab.com/ \
--registration-token REGISTRATION_TOKEN \
--executor docker \
--description "My Docker Runner" \
--docker-image "docker:stable" \
--docker-volumes /var/run/docker.sock:/var/run/docker.sock
I have read several posts/articles that recommend avoiding Docker-in-Docker deployment and instead advise use of Docker socket binding (e.g. https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/).
However, a concern with this approach is that any developer who is able to add a Docker command to the .gitlab-ci.yml
could access/stop/remove any of the containers running on the host. For example, adding docker rm -f $(docker ps -a -q)
would remove all existing containers.
How can I avoid this?
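Added example, not part of the original question: a small Python audit that reads a gitlab-runner config.toml (the file the register command above writes) and reports every Docker-executor runner whose [runners.docker] block hands jobs the host daemon. It flags the /var/run/docker.sock bind from the question, and, going slightly beyond the question, privileged = true and any other host-path bind, both of which also give a job host-level access. The sample config is constructed for the example; runner names and the token are placeholders, and the TOML reader is a deliberately minimal line-based one for the layout gitlab-runner itself writes (one key per line, arrays on one line), not a general parser.

```python
"""Audit a gitlab-runner config.toml for settings that expose the host Docker daemon.

Added example (not from the original question). Assumptions: the config
uses gitlab-runner's own layout, one key per line and arrays on a single
line; the sample below is constructed.
"""
import ast
import re
from dataclasses import dataclass, field
from typing import List, Optional

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed config.toml with two runners (sample data, not from the post):
# the first is what the registration command in the question produces.
SAMPLE_CONFIG = """\
concurrent = 2

[[runners]]
  name = "My Docker Runner"
  url = "https://gitlab.com/"
  token = "REDACTED"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:stable"
    privileged = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]

[[runners]]
  name = "Plain Docker Runner"
  url = "https://gitlab.com/"
  token = "REDACTED"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.19"
    privileged = false
    volumes = ["/cache"]
"""


@dataclass
class Runner:
    name: str = ""
    executor: str = ""
    privileged: bool = False
    volumes: List[str] = field(default_factory=list)


@dataclass
class Finding:
    runner: str
    issue: str


KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)$")


def parse_runners(text: str) -> List[Runner]:
    """Collect name, executor, privileged and volumes for each [[runners]] table."""
    runners: List[Runner] = []
    current: Optional[Runner] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[runners]]":            # each array-of-tables entry is one runner
            current = Runner()
            runners.append(current)
            section = "runners"
            continue
        if line.startswith("["):              # sub-table such as [runners.docker]
            section = line.strip("[]")
            continue
        m = KEY_RE.match(line)
        if not m or current is None:
            continue
        key, value = m.groups()
        if section == "runners":
            if key == "name":
                current.name = ast.literal_eval(value)      # TOML basic string == Python literal
            elif key == "executor":
                current.executor = ast.literal_eval(value)
        elif section == "runners.docker":
            if key == "privileged":
                current.privileged = value == "true"
            elif key == "volumes":
                current.volumes = list(ast.literal_eval(value))
    return runners


def host_side(volume: str) -> Optional[str]:
    """Host path of a bind mount ('host:container[:opts]'); None for a plain volume like '/cache'."""
    parts = volume.split(":")
    return parts[0] if len(parts) >= 2 and parts[0].startswith("/") else None


def audit(text: str) -> List[Finding]:
    """Report every Docker-executor runner setting that gives jobs control of the host."""
    findings: List[Finding] = []
    for r in parse_runners(text):
        if r.executor != "docker":
            continue
        if r.privileged:
            findings.append(Finding(r.name, "privileged = true: jobs get host-level access"))
        for v in r.volumes:
            host = host_side(v)
            if host is None:
                continue
            if host == DOCKER_SOCKET:
                findings.append(Finding(r.name, f"binds {DOCKER_SOCKET}: any job can drive the host daemon"))
            else:
                findings.append(Finding(r.name, f"bind-mounts host path {host} into every job"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.runner}: {f.issue}")
```

Run it against /etc/gitlab-runner/config.toml on the runner host; a clean run prints nothing, and the first sample runner above is reported because of its docker.sock bind.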