Docker plugin fails on host that has user namespace remapping enabled

G’day,

first of all, thanks to the Drone CI community for this great project. I like it a lot.

Unfortunately, I’ve come across an issue that I haven’t been able to resolve myself. So far I haven’t been able to find any related information, so I’m asking here in the hope of getting help.

I run a Drone CI Server on one host and a Docker Runner (agent) on another.

The agent runs on a host where Docker is configured to use the uid/gid namespace remapping feature; see https://docs.docker.com/engine/security/userns-remap/. This is done purely for security reasons to prevent containers that run under the root user from using the host’s root uid (i.e. zero).

The problem now is that pipeline steps that use the Docker plugin (plugin/docker) fail on the agent since they seem to be trying to create new privileged containers in the remapped namespace. This is not supported by Docker, which requires privileged containers to be started in the host’s namespace. Consequently, those steps fail with the following error message in the Drone UI and log:

Error response from daemon: privileged mode is incompatible with user namespaces. You must run the container in the host namespace when running privileged mode

I tried running the agent container itself within the host’s namespace, hoping that this would transitively affect child containers created by the agent itself, but to no avail. Unfortunately, I don’t see any way to adjust the way child containers are created. I reckon adding the same option (--userns host) that I used for the agent container to the child containers as well would resolve the issue.

Has anybody seen the same issue and/or has found a workaround/solution?

Best,

Jens
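As an added illustration of the daemon rule quoted in the post (example code written for this page, not part of the original post and not Drone or Docker project code): a small Python pre-flight check that reproduces the daemon's own condition offline. It reads the shape of `docker info --format '{{json .}}'` (remapping shows up as `name=userns` in `SecurityOptions`) and of `docker inspect` records (`HostConfig.Privileged`, `HostConfig.UsernsMode`) and lists every container that would trigger "privileged mode is incompatible with user namespaces", i.e. privileged without `--userns=host` on a remapped daemon. The sample records and container names below are constructed for the example.

```python
"""Pre-flight check for the privileged-vs-user-namespace conflict.

Added example, not code from the original post or from Drone/Docker.
The daemon rule it encodes: on a daemon with userns-remap enabled, a
container may only be --privileged if it also runs with --userns=host.
"""
import json

# Constructed sample of `docker info --format '{{json .}}'` on a remapped host.
SAMPLE_INFO_REMAPPED = {
    "SecurityOptions": ["name=apparmor", "name=seccomp,profile=default", "name=userns"],
}

# Same shape on a host without userns-remap (constructed).
SAMPLE_INFO_PLAIN = {
    "SecurityOptions": ["name=apparmor", "name=seccomp,profile=default"],
}

# Constructed `docker inspect` records; names are hypothetical.
SAMPLE_CONTAINERS = [
    # The agent itself: started with --userns host, not privileged -> fine.
    {"Name": "/drone-runner", "HostConfig": {"Privileged": False, "UsernsMode": "host"}},
    # A plugin/docker step: privileged, but left in the remapped namespace -> rejected.
    {"Name": "/drone-step-plugin-docker", "HostConfig": {"Privileged": True, "UsernsMode": ""}},
    # Same step with --userns host added -> accepted by the daemon.
    {"Name": "/drone-step-plugin-docker-fixed", "HostConfig": {"Privileged": True, "UsernsMode": "host"}},
    # An ordinary unprivileged step: allowed in the remapped namespace.
    {"Name": "/drone-step-build", "HostConfig": {"Privileged": False, "UsernsMode": ""}},
]


def daemon_has_userns_remap(info: dict) -> bool:
    """True if `docker info` reports the userns security option."""
    opts = info.get("SecurityOptions") or []
    # Options may carry parameters after a comma, e.g. "name=seccomp,profile=default".
    return any(opt.split(",")[0] == "name=userns" for opt in opts)


def privileged_userns_conflicts(info: dict, containers: list) -> list:
    """Return names of containers the daemon would refuse to start.

    A container conflicts when Privileged is true and UsernsMode is not
    "host" while the daemon has user namespace remapping enabled.
    """
    if not daemon_has_userns_remap(info):
        return []  # without remapping the restriction does not apply
    conflicts = []
    for record in containers:
        host_config = record.get("HostConfig") or {}
        privileged = bool(host_config.get("Privileged"))
        userns_mode = host_config.get("UsernsMode") or ""
        if privileged and userns_mode != "host":
            conflicts.append(record.get("Name", "").lstrip("/"))
    return conflicts


def suggested_flags(record: dict) -> str:
    """docker run flags that make a privileged record acceptable on a remapped daemon."""
    host_config = record.get("HostConfig") or {}
    if host_config.get("Privileged"):
        return "--privileged --userns=host"
    return ""


if __name__ == "__main__":
    # Stand-alone usage on the constructed samples; with real data, feed
    # json.loads(docker info --format '{{json .}}') and docker inspect output.
    print("remapped daemon:", daemon_has_userns_remap(SAMPLE_INFO_REMAPPED))
    for name in privileged_userns_conflicts(SAMPLE_INFO_REMAPPED, SAMPLE_CONTAINERS):
        print(f"{name}: would fail; start it with {suggested_flags({'HostConfig': {'Privileged': True}})}")
    print(json.dumps(privileged_userns_conflicts(SAMPLE_INFO_PLAIN, SAMPLE_CONTAINERS)))
```

The check mirrors what the daemon enforces, so running it over the inspect output of the containers a pipeline creates tells you which steps need `--userns=host` before the daemon rejects them; `--userns=host` on the agent container alone does not propagate to the containers the agent creates through the API.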