add apparmor=rootlesskit in security_opt (#937)

paste depends_on chain from socket-runner-setup to runner-dind-setup add apparmor=rootlesscit in security_opt add explanations for elevated privileges --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <2021+silverwind@noreply.gitea.com> Reviewed-on: https://gitea.com/gitea/runner/pulls/937 Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com> Co-authored-by: Schallbert <schallbert@mailbox.org> Co-committed-by: Schallbert <schallbert@mailbox.org>
2026-05-08 16:23:23 +02:00 · 2026-05-07 21:20:33 +00:00
parent cce8543d06
commit 861d351845
1 changed files with 8 additions and 1 deletions
--- a/examples/docker-compose/README.md
+++ b/examples/docker-compose/README.md
@@ -40,14 +40,21 @@

 ### Running `gitea-runner` using Docker-in-Docker (DIND)

+- `privileged` has to be set to `true` because in-container Docker daemon requires a lot of kernel capabilities and file system mounts like `procfs` and `sysfs`
+- `security_opt` sets the `apparmor` profile to `rootlesskit` for hosts running AppArmor (e.g. Ubuntu, Debian), where the kernel might otherwise block user namespace changes that Docker daemon requires for startup. The `rootlesskit` profile is provided by the `docker-ce-rootless-extras` package and is present on hosts where Docker was installed via the official installer or distro packages
+
 ```yml
 ...
  runner:
    image: gitea/runner:latest-dind-rootless
    restart: always
    privileged: true
+    security_opt:
+      - apparmor=rootlesskit
    depends_on:
-      - gitea
+      gitea:
+        condition: service_healthy
+        restart: true
    volumes:
      - ./data/runner:/data
    environment: