Allow Docker Image "--privileged" Flag

Issue #13420 wontfix
Austin Nicholas
created an issue

Please add a setting in bitbucket-pipelines.yml to allow docker images to be started with the "--privileged" flag.

Use: privileged flag allows network configuration needed for VPN connection used for deployment to dev/qa server.

Official response

  • Matt Ryall staff

    We don't have any plans to support privileged containers in Pipelines in the foreseeable future, due to our security architecture. Build containers in Pipelines will only be granted the default Linux capabilities (see the top table). (This actually does include MKNOD, but not SYS_ADMIN.)

    So your options for running Docker containers that need more privileges (e.g. SYS_ADMIN) basically boil down to running them elsewhere yourself. Some ideas:

    • Run them on your own hosting provider (e.g. ECS), and connect to them over the internet in your build process
    • Add a vote and watch on issue #12753, which is for VPN connectivity. Once this is available, you'll be able to run them on your own infrastructure.

    This is a trade-off with Pipelines - the Docker containers are fast to start and cheap to run, but certain jobs cannot be run safely in a container sandbox on shared infrastructure.
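
As an added example (not part of this thread or of Bitbucket's own tooling), a build step can check from inside the container which capabilities it actually holds by decoding the `CapEff` mask in `/proc/self/status` and comparing it with the `--cap-add` flags a job expects. The bit numbers are from the Linux `capability.h` header and the default set is Docker's documented default list; the function names and the sample mask are constructed for illustration.

```python
# Added example: compare requested --cap-add flags with the container's CapEff.
# Bit numbers follow <linux/capability.h>; only a subset of names is listed.
import shlex

CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "FOWNER": 3, "FSETID": 4, "KILL": 5,
    "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "NET_BIND_SERVICE": 10,
    "NET_ADMIN": 12, "NET_RAW": 13, "SYS_CHROOT": 18, "SYS_PTRACE": 19,
    "SYS_ADMIN": 21, "MKNOD": 27, "AUDIT_WRITE": 29, "SETFCAP": 31,
}
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
}

def decode_mask(hex_mask):
    """Return the named capabilities set in a CapEff/CapBnd hex mask."""
    value = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if value >> bit & 1}

def effective_caps(status_text):
    """Pull CapEff out of the text of /proc/<pid>/status and decode it."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_mask(line.split()[1])
    raise ValueError("no CapEff line found")

def requested_caps(docker_args):
    """Collect capabilities named by --cap-add, in either flag form."""
    tokens = shlex.split(docker_args.replace("--cap-add=", "--cap-add "))
    names = [tokens[i + 1].upper()
             for i, t in enumerate(tokens[:-1]) if t == "--cap-add"]
    return {n[4:] if n.startswith("CAP_") else n for n in names}

def missing_caps(docker_args, status_text):
    """Capabilities a job asks for that the container does not hold."""
    return requested_caps(docker_args) - effective_caps(status_text)

# Constructed sample: CapEff of a container running with Docker's defaults.
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:  # real values on Linux
            status = fh.read()
    except OSError:
        status = SAMPLE_STATUS
    args = "--cap-add SYS_ADMIN --cap-add MKNOD --device=/dev/fuse"
    print("not granted:", sorted(missing_caps(args, status)))
```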

Comments (9)

  1. Philip Hodder staff

    Hi Austin,

    We have some other solutions for VPNs in mind, instead of using the privileged flag (as this introduces some dangers security-wise).

    There is another ticket tracking general VPN support here: https://bitbucket.org/site/master/issues/12753/allow-customers-to-connect-the-pipelines

    I'll now close this ticket as a 'duplicate'.

    If there's any other reason you want the privileged flag, feel free to comment and have the ticket reopened. :)

    Thanks, Phil

  2. Hasan Yavuz ÖZDERYA

    @Philip Hodder Building AppImages inside Docker requires privileged mode because of libfuse. Actually it just needs to be run with these arguments:

    --cap-add SYS_ADMIN --cap-add MKNOD --device=/dev/fuse
    

    Would you have a solution for this?

    UPDATE: this is no longer an issue. AppImages can be built without fuse support.

  3. Vinoth Govindarajan

    I need to pass the following argument to make the Chrome headless browser work to run my Behat test cases. Is there any timeline on when this feature will be implemented, to pass arguments to the docker run command on Bitbucket Pipelines?

    --cap-add=SYS_ADMIN
    
  4. Peter Baumgartner

    My use case is to test configuration management with kitchen-docker. I need to run systemd in the container which requires either a privileged container or mounting the /sys/fs/cgroup volume as read-only in the container (details).

    As far as I can tell, neither of these is possible with Pipelines today.

