How to run Container Runner in Privileged Mode


In some cases you may want to run your Docker containers in a privileged environment, for example to run GDB inside a job, which needs the CAP_SYS_PTRACE capability (the equivalent of docker run --cap-add=SYS_PTRACE). Note that privileged mode grants far more than one capability: the container gets every Linux capability and access to the host's devices, so treat any job that runs on such a resource class as able to take over the node it runs on.

CircleCI Cloud's Docker executor does not offer this configuration at this time. You can do it with the self-hosted container runner, because there you control the Kubernetes pod spec that your jobs run in.

If you would like to see this in the cloud environment, please vote for the feature request.

Values Setup

Add the following to the values file for the container-agent Helm chart and upgrade the release. Replace namespace/container-runner with your resource class and ${TOKEN} with that resource class's runner token. The securityContext makes the job container itself privileged; the docker-socket mount is separate and optional. It lets the job drive the node's Docker daemon, which is root-equivalent on that node, and because a hostPath of type Socket must already exist, the pod fails to start on nodes that have no Docker socket (for example containerd-only nodes). Reserve such a resource class for trusted jobs.

agent:
  resourceClasses:
    namespace/container-runner:
      token: ${TOKEN}
      spec:
        containers:
          - resources: {}              # add CPU/memory requests and limits here if needed
            volumeMounts:
              - name: docker-socket
                mountPath: /var/run/docker.sock
            securityContext:
              privileged: true         # all capabilities and host devices for this container
        volumes:
          - name: docker-socket
            hostPath:
              path: /var/run/docker.sock
              type: Socket             # the container fails to start if the node has no such socket

Verifying Privileged Mode

You can run the following step within your job to check whether the container is privileged. It tries to create a dummy network interface, which needs CAP_NET_ADMIN; a container with the default capability set cannot do this. The step must run as root (or via sudo), because even in a privileged container capabilities are held by root rather than by an unprivileged job user, and the image needs iproute2 for the ip command. The interface is deleted again so it does not leak into later steps.

      - run:
          name: Privilege check
          command: |
            if ip link add dummy2 type dummy >/dev/null 2>&1; then
              echo "Running in privileged container"
              ip link delete dummy2 >/dev/null 2>&1
            else
              echo "Not in privileged container"
            fi

You can also verify from the cluster side with kubectl. Replace ${POD_NAME} with the name of the job pod created by the container agent and <namespace> with the namespace the agent runs jobs in; the command prints true for a privileged container and null when the field is not set.

kubectl get pod ${POD_NAME} -n <namespace> -o json | jq -r '.spec.containers[].securityContext.privileged'
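A more direct check than creating a network interface, added here as an example that is not part of the original article or CircleCI's tooling, is to decode the capability masks the kernel reports in /proc/self/status. CapBnd is the bounding set, shared by every user in the container, and it is full only when the pod runs with privileged: true; CapEff is what the current process can actually use, which is why a non-root job user cannot run ip link add even in a privileged pod. The capability bit numbers come from linux/capability.h; the two reference masks in the comments (the default Docker set and a full 41-capability set) are constructed values used for illustration.

```shell
#!/usr/bin/env bash
# Added example (not CircleCI's code): inspect the capability masks the kernel
# reports for this process instead of probing with "ip link add".
#
# /proc/self/status fields:
#   CapBnd  bounding set, inherited by every process in the container;
#           full only when the pod runs with privileged: true
#   CapEff  effective set of this process; empty for a non-root user even in a
#           privileged container, which is why "ip link add" needs root or sudo
#
# Reference masks (constructed values for illustration):
#   00000000a80425fb  default Docker/containerd capability set (14 caps)
#   000001ffffffffff  all 41 capabilities on a kernel where cap_last_cap is 40

# Capability bit numbers from linux/capability.h
CAP_NET_ADMIN=12
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# cap_has HEXMASK BIT: succeed if capability number BIT is set in HEXMASK
cap_has() {
  local mask="$1" bit="$2"
  [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# cap_count HEXMASK: print how many capabilities HEXMASK contains
cap_count() {
  local v=$(( 0x$1 )) n=0
  while [ "$v" -ne 0 ]; do
    n=$(( n + (v & 1) ))
    v=$(( v >> 1 ))
  done
  echo "$n"
}

# cap_set_is_full HEXMASK LASTCAP: succeed if HEXMASK holds every capability
# the kernel knows, i.e. LASTCAP+1 bits (LASTCAP from /proc/sys/kernel/cap_last_cap)
cap_set_is_full() {
  [ "$(cap_count "$1")" -eq $(( $2 + 1 )) ]
}

# proc_cap FIELD: read CapEff, CapBnd, ... of the current process from /proc
proc_cap() {
  awk -v f="$1:" '$1 == f { print $2 }' /proc/self/status 2>/dev/null
}

privilege_report() {
  local eff bnd last name bit
  eff=$(proc_cap CapEff)
  bnd=$(proc_cap CapBnd)
  last=$(cat /proc/sys/kernel/cap_last_cap 2>/dev/null || echo 40)
  if [ -z "$bnd" ] || [ -z "$eff" ]; then
    echo "cannot read capability masks from /proc/self/status (not Linux?)"
    return 0
  fi

  if cap_set_is_full "$bnd" "$last"; then
    echo "CapBnd=$bnd: full bounding set, consistent with privileged: true"
  else
    echo "CapBnd=$bnd: $(cap_count "$bnd")/$(( last + 1 )) capabilities, not a privileged container"
  fi

  echo "CapEff=$eff for uid $(id -u):"
  for name in NET_ADMIN:$CAP_NET_ADMIN SYS_PTRACE:$CAP_SYS_PTRACE SYS_ADMIN:$CAP_SYS_ADMIN; do
    bit=${name#*:}
    if cap_has "$eff" "$bit"; then
      echo "  CAP_${name%%:*} effective"
    else
      echo "  CAP_${name%%:*} missing (run as root or via sudo if the bounding set is full)"
    fi
  done

  # The values file above also mounts the host Docker socket; that alone is
  # root-equivalent on the node, so report it separately from the capabilities.
  if [ -S /var/run/docker.sock ]; then
    echo "/var/run/docker.sock is mounted: job can control the node's Docker daemon"
  fi
}

privilege_report
```

Run it as a job step both as the default image user and under sudo: in a privileged pod the CapBnd line is the same for both, while the CapEff lines differ, which makes the failure mode of the ip link add probe visible. The cap_* helpers take the mask as the hex string exactly as /proc prints it, so they also work on masks copied from a kubectl exec session or a support bundle.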
