From 861d35184526b215c53eeaae758db85001b9480b Mon Sep 17 00:00:00 2001 From: Schallbert Date: Thu, 7 May 2026 21:20:33 +0000 Subject: [PATCH] add apparmor=rootlesskit in security_opt (#937) paste depends_on chain from socket-runner-setup to runner-dind-setup add apparmor=rootlesscit in security_opt add explanations for elevated privileges --------- Co-authored-by: silverwind Co-authored-by: silverwind <2021+silverwind@noreply.gitea.com> Reviewed-on: https://gitea.com/gitea/runner/pulls/937 Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com> Co-authored-by: Schallbert Co-committed-by: Schallbert --- examples/docker-compose/README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/examples/docker-compose/README.md b/examples/docker-compose/README.md index 4b303694..5bca78aa 100644 --- a/examples/docker-compose/README.md +++ b/examples/docker-compose/README.md @@ -40,14 +40,21 @@ ### Running `gitea-runner` using Docker-in-Docker (DIND) +- `privileged` has to be set to `true` because in-container Docker daemon requires a lot of kernel capabilities and file system mounts like `procfs` and `sysfs` +- `security_opt` sets the `apparmor` profile to `rootlesskit` for hosts running AppArmor (e.g. Ubuntu, Debian), where the kernel might otherwise block user namespace changes that Docker daemon requires for startup. The `rootlesskit` profile is provided by the `docker-ce-rootless-extras` package and is present on hosts where Docker was installed via the official installer or distro packages + ```yml ... runner: image: gitea/runner:latest-dind-rootless restart: always privileged: true + security_opt: + - apparmor=rootlesskit depends_on: - - gitea + gitea: + condition: service_healthy + restart: true volumes: - ./data/runner:/data environment:
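Review bot: the new `depends_on` block with `condition: service_healthy` only works if the `gitea` service defines a `healthcheck`; the excerpt does not show one, so either add it to the example or state the requirement next to the snippet, and note that `restart: true` under `depends_on` needs a recent Compose release. For the `security_opt` bullet, the text says the `rootlesskit` profile is provided by `docker-ce-rootless-extras` but not what happens when that package is absent: the container will refuse to start because the named AppArmor profile cannot be loaded, so a sentence telling readers without that package (or without AppArmor at all) to drop the `apparmor=rootlesskit` entry would save them a confusing startup failure. Minor wording in the first bullet: "because in-container Docker daemon requires" should read "because the in-container Docker daemon requires", and since `privileged: true` already hands the daemon almost every capability, it is worth spelling out that the DIND service should not run alongside untrusted workloads on the same host.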