Run docker as buildkite agent with userns-remap #341
Conversation
lox
force-pushed
the
run-docker-as-buildkite-agent
branch
from
039285c
to
908a1ea
Compare
|
I'm going to merge this after I put out a point release. I'm thinking of doing it as |
|
The release plan sounds good, testing aside! |
|
Possibly an rc1 so we can test if before it hits 2.3.0. |
|
What happens to other user ids in the container? eg nobody writing doctrine cache files out to a volume mount? I think will land in following user ids so there will be stuff owned by 501+$uid in that directory, so you probably still need the permission fixing scripts. but I'm not sure how mapping that to a range of 1 works. maybe it just flat out breaks? 👍 for an RC, this is a whole lot of change. The list of breaks from #32:
|
|
Yeah, that is a pretty epic list huh. |
|
I might try and make this opt-in. |
|
Maybe a v3.0 milestone feature? |
lox
force-pushed
the
run-docker-as-buildkite-agent
branch
from
0886af6
to
22e5929
Compare
templates/buildkite-elastic.yml
Outdated
| @@ -237,6 +237,14 @@ Parameters: | |||
| - false | |||
| Default: "true" | |||
|
|
|||
| EnableDockerUserNamespaceRemap: | |||
| Type: String | |||
| Description: Enables experimental feature to run docker as buildkite-agent | |||
There was a problem hiding this comment.
What if we let this feature be turned on using an ENV var?
If we do add it as another option on the stack setup screen, might need to make it clear that it's not "buildkite-agent" the binary we're taking about here in the description?
If it's a "this could be buggy, so you better know what you're doing" then perhaps we just say:
Enables experimental Docker userns-remap support
There was a problem hiding this comment.
The issue is that it needs to have the system docker daemon started with the setting
|
If this is an optional setting, are you ok with a 2.3.0 release @toolmantim? |
This uses the
--userns-remapfeature in recent docker daemons to remap the uid of root in docker containers to the buildkite-agent users on the host.