Mounting `/sys/firmware` in CI jobs
Description
Docker by default doesn't mount the `/sys/firmware` directory for secrecy reasons. However, this directory contains the device tree, which is required by QEMU KVM to create KVM guests on platforms that use device tree (PowerPC at least). Currently there is no way I know of to tell GitLab runner to mount the device tree into the CI jobs, so you can't run KVM guests without excessive hackery or running as privileged containers (which, aside from the device tree issue, is unnecessary).
The Docker CLI has `--security-opt systempaths=unconfined`, which will mount `/sys/firmware` properly without resorting to privileged. However, it's not actually a config recognised by the Docker daemon, so trying to pass `security_opt = ["systempaths=unconfined", "apparmor=unconfined"]` in the runner config causes jobs to fail with

```
ERROR: Job failed (system failure): prepare environment: Error response from daemon: invalid --security-opt 2: "systempaths=unconfined" (docker.go:570:0s). Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
```
What actually happens is the CLI looks for `systempaths=unconfined` and strips it out of the config, turning it into empty arrays for the `MaskedPaths` and `ReadonlyPaths` configs instead.
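The translation described above, as an added example (not code from the issue, from GitLab runner or from Docker): it models what the CLI does with `systempaths=unconfined` before calling the daemon, shows why the daemon rejects the raw runner config, and adds a narrower variant that keeps Docker's default masking and exposes only `/sys/firmware`. The default masked/read-only path lists and the set of daemon-recognised `--security-opt` keys are copied from moby's defaults and are an assumption about the daemon version in use.

```python
"""Model of the Docker CLI's client-side handling of
--security-opt systempaths=unconfined (added example, not project code)."""
from typing import Dict, List

# Docker's default masked paths (assumption: matches the moby version in use).
# /sys/firmware is on this list, which is why the device tree is hidden.
DEFAULT_MASKED_PATHS: List[str] = [
    "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys",
    "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats",
    "/proc/sched_debug", "/proc/scsi", "/sys/firmware",
]
# Docker's default read-only paths (same assumption).
DEFAULT_READONLY_PATHS: List[str] = [
    "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger",
]

# --security-opt keys the daemon itself parses (assumption: moby's parser);
# anything else comes back as 'invalid --security-opt', as in the issue.
DAEMON_SECURITY_OPT_KEYS = {"label", "apparmor", "seccomp", "no-new-privileges"}

SYSTEMPATHS_UNCONFINED = "systempaths=unconfined"


def translate_security_opt(security_opt: List[str]) -> Dict[str, object]:
    """Return the HostConfig fields the CLI sends for a --security-opt list.

    'systempaths=unconfined' is consumed client-side: it is removed from
    SecurityOpt and expressed as empty MaskedPaths/ReadonlyPaths arrays,
    which tells the daemon to mask nothing (so /sys/firmware is visible).
    """
    host_config: Dict[str, object] = {}
    remaining: List[str] = []
    for opt in security_opt:
        if opt == SYSTEMPATHS_UNCONFINED:
            host_config["MaskedPaths"] = []
            host_config["ReadonlyPaths"] = []
        else:
            remaining.append(opt)  # forwarded to the daemon unchanged
    host_config["SecurityOpt"] = remaining
    return host_config


def daemon_accepts(security_opt: List[str]) -> bool:
    """True if every entry would pass the daemon's own security-opt parser.

    Forwarding the runner's security_opt list without the CLI translation
    fails here on 'systempaths=unconfined'.
    """
    for opt in security_opt:
        key = opt.split("=", 1)[0]
        if key not in DAEMON_SECURITY_OPT_KEYS:
            return False
    return True


def unmask_only(paths_to_expose: List[str]) -> Dict[str, object]:
    """Least-privilege alternative to 'unconfined': keep Docker's default
    masking but drop only the listed paths (e.g. just /sys/firmware for the
    device tree), leaving /proc/kcore and friends masked."""
    unknown = [p for p in paths_to_expose if p not in DEFAULT_MASKED_PATHS]
    if unknown:
        raise ValueError(f"not in the default masked list: {unknown}")
    return {
        "MaskedPaths": [p for p in DEFAULT_MASKED_PATHS if p not in paths_to_expose],
        "ReadonlyPaths": list(DEFAULT_READONLY_PATHS),
    }


if __name__ == "__main__":
    runner_opts = ["systempaths=unconfined", "apparmor=unconfined"]
    print("daemon accepts raw runner config:", daemon_accepts(runner_opts))
    print("CLI-translated HostConfig:", translate_security_opt(runner_opts))
    print("narrow unmask:", unmask_only(["/sys/firmware"]))
```

The dicts returned are the `HostConfig` fields of the Engine API's create-container call, so a runner that wants CLI parity would perform `translate_security_opt` itself rather than forwarding the string, and `unmask_only` is the shape a `masked_paths` setting could take if the runner exposed the daemon fields directly.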
Proposal
I'm not sure what the best solution is here; it's unfortunate that the CLI and daemon have different configs.

- If the GitLab runner config is meant to match the CLI options, then it should handle the `systempaths=unconfined` option like the CLI does.
- If the GitLab runner config is meant to match the daemon config, it would be helpful to expose the above mentioned configs as `masked_paths` and `readonly_paths`.