I have created a Docker runner that is binding the Docker socket /var/run/docker.sock into the container as described in 1:
    sudo gitlab-runner register -n \
      --url https://gitlab.com/ \
      --registration-token REGISTRATION_TOKEN \
      --executor docker \
      --description "My Docker Runner" \
      --docker-image "docker:stable" \
      --docker-volumes /var/run/docker.sock:/var/run/docker.sock
I have read several posts/articles that recommend avoiding Docker-in-Docker deployment and instead advise use of Docker socket binding (e.g. https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/).
However, a concern with this approach is that any developer who is able to add a Docker command to the .gitlab-ci.yml could access/stop/remove any of the containers running on the host. For example, adding `docker rm -f $(docker ps -a -q)` would remove all existing containers.
How can I avoid this?
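One concrete way to keep track of this exposure is to audit the runner's config.toml for exactly the setting the question describes. The following Python script is an added example and is not code from the original post or from GitLab; it assumes the usual config.toml layout that `gitlab-runner register` writes (`[[runners]]` sections with a `[runners.docker]` table holding `volumes` and `privileged`), and the sample configuration embedded below is constructed for the demonstration, with placeholder tokens. Beyond the socket bind-mount, it also flags `privileged = true`, since the Docker-in-Docker alternative the question mentions needs that flag and it grants comparable control over the host.

```python
import re

# Constructed sample config.toml: one runner mirrors the registration in the
# question (host Docker socket bind-mounted), one does not.
SAMPLE_CONFIG = '''
concurrent = 1

[[runners]]
  name = "My Docker Runner"
  url = "https://gitlab.com/"
  token = "RUNNER_TOKEN_PLACEHOLDER"
  executor = "docker"
  [runners.docker]
    image = "docker:stable"
    privileged = false
    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]

[[runners]]
  name = "Isolated Runner"
  url = "https://gitlab.com/"
  token = "RUNNER_TOKEN_PLACEHOLDER_2"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.18"
    privileged = false
    volumes = ["/cache"]
'''

DOCKER_SOCKET = "/var/run/docker.sock"


def parse_runners(config_text):
    """Split config.toml into [[runners]] sections and pull out the fields
    this audit cares about. Deliberately regex-based (no TOML library) so it
    runs on any Python 3; it only understands the simple shapes shown above."""
    runners = []
    # Everything before the first [[runners]] header is global config; skip it.
    for block in re.split(r"^\[\[runners\]\]", config_text, flags=re.M)[1:]:
        name = re.search(r'^\s*name\s*=\s*"([^"]*)"', block, re.M)
        executor = re.search(r'^\s*executor\s*=\s*"([^"]*)"', block, re.M)
        volumes_match = re.search(r"^\s*volumes\s*=\s*\[(.*?)\]", block, re.M | re.S)
        volumes = re.findall(r'"([^"]*)"', volumes_match.group(1)) if volumes_match else []
        privileged = re.search(r"^\s*privileged\s*=\s*true", block, re.M) is not None
        runners.append({
            "name": name.group(1) if name else "<unnamed>",
            "executor": executor.group(1) if executor else "",
            "volumes": volumes,
            "privileged": privileged,
        })
    return runners


def audit(config_text):
    """Return (runner name, finding) pairs for every runner whose jobs would
    gain control over the host's Docker daemon."""
    findings = []
    for runner in parse_runners(config_text):
        if runner["executor"] != "docker":
            continue
        for volume in runner["volumes"]:
            # Volume entries are host:container[:mode]; the host side is what matters.
            host_path = volume.split(":")[0]
            if host_path == DOCKER_SOCKET:
                findings.append((runner["name"],
                                 "host Docker socket is bind-mounted: any job "
                                 "can control every container on the host"))
        if runner["privileged"]:
            findings.append((runner["name"],
                             "privileged = true: job containers can reach host "
                             "devices and are not isolated from the host"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"[{name}] {finding}")
```

Run it against your real file with `audit(open("/etc/gitlab-runner/config.toml").read())`; an empty result means no docker-executor runner hands jobs the host socket or privileged mode. Only runners that do are listed, so the "Isolated Runner" in the sample produces no finding.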