Allow setting of Docker volume label mode independent of read/write mode
## What does this MR do?
Previously, attempting to mount a volume with `ro,z` or `rw,z` would fail because the Linux mount parser only allowed one option. It is sometimes necessary to use both the `ro` and `z` flags at once when mounting a volume in a container, such as when the host has SELinux policies.
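To make the parsing rule concrete, here is a small, added Go example (not gitlab-runner's or Docker's own parser, and the names `VolumeSpec`, `ParseVolumeSpec` and `parseMode` are assumptions for this illustration). It models the behaviour this MR is after: the mode part of a `source:dest:mode` spec is a comma-separated list, each option class (read/write mode, SELinux label) may appear at most once, and options from different classes may be combined, so `ro,z` is accepted while `ro,rw` or `z,Z` is still rejected with the `invalid volume specification` error the MR mentions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// VolumeSpec is the parsed form of a Linux bind/volume string such as
// "/host/path:/container/path:ro,z". This is a simplified model written for
// this example (an assumption), not the type used by gitlab-runner or Docker.
type VolumeSpec struct {
	Source      string // empty for an anonymous volume such as "/cache"
	Destination string
	ReadOnly    bool
	Label       string // "", "z" (shared relabel) or "Z" (private relabel)
}

// ErrInvalidSpec mirrors the error text quoted in this MR.
var ErrInvalidSpec = errors.New("invalid volume specification")

// parseMode validates a comma-separated option list. Each option class may
// appear at most once, but classes may be combined, which is what lets
// "ro,z" through while "ro,rw" and "z,Z" are still rejected.
func parseMode(mode string) (readOnly bool, label string, err error) {
	if mode == "" {
		return false, "", nil
	}
	var seenRW, seenLabel bool
	for _, opt := range strings.Split(mode, ",") {
		switch opt {
		case "rw", "ro":
			if seenRW {
				return false, "", fmt.Errorf("%w: duplicate read/write mode %q", ErrInvalidSpec, opt)
			}
			seenRW = true
			readOnly = opt == "ro"
		case "z", "Z":
			if seenLabel {
				return false, "", fmt.Errorf("%w: duplicate label mode %q", ErrInvalidSpec, opt)
			}
			seenLabel = true
			label = opt
		default:
			return false, "", fmt.Errorf("%w: unknown option %q", ErrInvalidSpec, opt)
		}
	}
	return readOnly, label, nil
}

// ParseVolumeSpec splits "[source:]dest[:mode]" on ':' (Linux paths only;
// Windows drive letters would need a different splitter) and validates the mode.
func ParseVolumeSpec(spec string) (VolumeSpec, error) {
	parts := strings.Split(spec, ":")
	var v VolumeSpec
	var mode string
	switch len(parts) {
	case 1:
		v.Destination = parts[0]
	case 2:
		if strings.HasPrefix(parts[1], "/") { // "src:dest"
			v.Source, v.Destination = parts[0], parts[1]
		} else { // "dest:mode"
			v.Destination, mode = parts[0], parts[1]
		}
	case 3:
		v.Source, v.Destination, mode = parts[0], parts[1], parts[2]
	default:
		return VolumeSpec{}, fmt.Errorf("%w: %q", ErrInvalidSpec, spec)
	}
	if !strings.HasPrefix(v.Destination, "/") {
		return VolumeSpec{}, fmt.Errorf("%w: destination must be absolute: %q", ErrInvalidSpec, spec)
	}
	ro, label, err := parseMode(mode)
	if err != nil {
		return VolumeSpec{}, fmt.Errorf("%s: %w", spec, err)
	}
	v.ReadOnly, v.Label = ro, label
	return v, nil
}

func main() {
	// Constructed sample specs; the first two match the runner config in this MR.
	for _, s := range []string{
		"/cache",
		"/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/gitlab-runner/certs/ca.crt:ro,z",
		"/srv/data:/data:rw,Z",
		"/srv/data:/data:ro,rw", // two read/write modes: rejected
		"/srv/data:/data:z,Z",   // two label modes: rejected
	} {
		if v, err := ParseVolumeSpec(s); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("accept: %+v\n", v)
		}
	}
}
```

The point of splitting the options into classes rather than counting them is that a read-only mount and an SELinux relabel are orthogonal choices: rejecting the combination forces SELinux users to either drop `ro` (and hand the job write access to host certificates) or drop `z` (and have the mount denied by policy), which is exactly the trade-off the MR removes.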
## Why was this MR needed?
SELinux users attempting to set `ro,z` for volumes would see `invalid volume specification`:
## What's the best way to test this MR?
Using CentOS with SELinux enabled, add a read-only volume for SSL certs:

```toml
[runners.docker]
volumes = ["/cache", "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/gitlab-runner/certs/ca.crt:ro,z"]
```
Then launch a new job. This time the job launched successfully, but I saw some warnings due to `ca-bundle.trust.crt` containing more than one cert:
I also added a `sleep 300` to the CI job so I could `docker inspect` the container:

```json
"HostConfig": {
    "Binds": [
        "runner-5voej9gz-project-14-concurrent-0-cache-3c3f060a0374fc8bc39395164f415a70:/cache",
        "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/gitlab-runner/certs/ca.crt:ro,z",
        "runner-5voej9gz-project-14-concurrent-0-cache-c33bcaa1fd2c77edfc3893b41966cea8:/builds"
    ],
```
## What are the relevant issue numbers?
Relates to #29247 (closed)
Edited by Stan Hu