Looks like I somehow sent an empty reply by mistake the first time
around. Let's try again...
On Fri, 2020-04-03 at 16:04 +0200, Erik Skultety wrote:
> On Fri, Apr 03, 2020 at 03:50:21PM +0200, Andrea Bolognani wrote:
> > I have tested this, though not extensively, on Linux and adding
> > User=gitlab to the service file seems to be basically all that's
> Did ^this actually work? I recall having some issues on Linux when I used the
> User= directive and I could not get the agent to pull a job from the server,
It would seem that way:
https://gitlab.com/abologna/libvirt/pipelines/132661098
Pay no attention to the failures in the second round of jobs, the
Docker daemon seems to be having some trouble getting in touch with
quay.io right now. It managed to pull the two images necessary for
the prebuild jobs before that, however.
Of course for that to work I had to add the gitlab user to the
docker group, which is another potential attack avenue... The
alternative is running everything as root, however, so it would still
seem preferable to that. Hopefully at some point gitlab-runner will
grow a Podman executor :)
--
Andrea Bolognani / Red Hat / Virtualization