Details
- Improvement
- Status: Waiting for Infra
- Major
- Resolution: Unresolved
- Incubator
Description
It would be great to have the sysbox-runc Docker runtime installed on the Jenkins Docker hosts to facilitate using custom Docker images for Jenkins jobs.
Because many of the builds rely on Docker, having a docker-in-docker (dind) configuration is often a must-have.
To achieve that, there are 2 obvious ways:
1. Map `-v /var/run/docker.sock:/var/run/docker.sock` from the Docker host. This eventually does the job, but leads to a shared Docker environment between the host and any Jenkins build utilizing the Jenkins node's executors. E.g., nasty conflicts can appear when trying to do any sort of cleanup after job execution; one definitely needs to use the host network, leading to port conflicts, etc.
2. Run Docker in Docker. As far as I know, this requires running the container as privileged, which carries security implications.
A solution would be to install the sysbox Docker runtime (https://github.com/nestybox/sysbox), which would then allow running dind containers (number 2 in the list above) without the need for running in privileged mode. The only difference when starting such a container would be the additional argument `--runtime=sysbox-runc` replacing `--privileged` in this particular case.
Please consider whether such a runtime can be installed, as neither of the 2 possible options at the moment is ideal IMO: it is either raised privileges or a shared Docker environment.
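As an added example (not part of the ticket, and not sysbox's or Jenkins' own tooling), the following Bash helpers show how an agent-launch script could prefer `--runtime=sysbox-runc` for a dind-capable container and refuse to fall back to `--privileged` unless an operator explicitly allows it. The function and variable names are hypothetical; `docker info --format` with the `.Runtimes` map is the real Docker CLI query, and the runtime list passed to the pure functions is constructed inline so they run without a Docker daemon.

```bash
#!/usr/bin/env bash
# Hypothetical helpers for launching a dind-capable Jenkins agent container.
# The daemon query is real Docker CLI; everything else is illustrative.

# Print the runtimes the local Docker daemon has registered, one per line.
# Returns 1 when no docker binary is available (e.g. on a plain build host).
list_docker_runtimes() {
  command -v docker >/dev/null 2>&1 || return 1
  docker info --format '{{range $k, $v := .Runtimes}}{{$k}}{{"\n"}}{{end}}' 2>/dev/null
}

# dind_run_args <newline-separated runtimes> <allow-privileged: yes|no>
# Prints the isolation flag to use for the container:
#   - "--runtime=sysbox-runc" when sysbox-runc is registered (preferred, unprivileged)
#   - "--privileged" only when the caller explicitly allows it
# Returns 2 when neither option is acceptable, so the caller fails closed.
dind_run_args() {
  local runtimes="$1" allow_privileged="${2:-no}"
  if printf '%s\n' "$runtimes" | grep -qx 'sysbox-runc'; then
    printf '%s' '--runtime=sysbox-runc'
    return 0
  fi
  if [ "$allow_privileged" = "yes" ]; then
    printf '%s' '--privileged'
    return 0
  fi
  return 2
}

# dind_run_cmd <runtimes> <allow-privileged> <image>
# Assembles the full `docker run` line for the agent container (AGENT_IMAGE is a placeholder).
dind_run_cmd() {
  local flags
  flags=$(dind_run_args "$1" "$2") || return $?
  # No docker.sock bind-mount: the inner daemon runs inside the container's own namespaces.
  printf 'docker run -d --rm %s %s' "$flags" "$3"
}

# Stand-alone usage: query the real daemon if present, otherwise use a constructed list.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  runtimes=$(list_docker_runtimes) || runtimes=$'runc\nsysbox-runc'   # constructed fallback
  dind_run_cmd "$runtimes" "${ALLOW_PRIVILEGED:-no}" "AGENT_IMAGE" || {
    echo "refusing to start dind agent: sysbox-runc missing and --privileged not allowed" >&2
    exit 2
  }
  echo
fi
```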