47

I created two GitLab jobs:

  • Test unit (using a PHP registered docker on GitLab)
  • Sonar (using docker service to run "Letsdeal/docker-sonar-scanner")

I use the following gitlab-ci-multi-runner configuration:

concurrent = 1
check_interval = 0

[[runners]]
  name = "name-ci"
  url = "https://uri/ci"
  token = "token"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

The test unit job works correctly, but the Sonar job failed with the following messages:

service runner-f66e3b66-project-227-concurrent-0-docker-wait-for-service did timeout

2017-07-05T16:13:18.543802416Z mount: mounting none on /sys/kernel/security failed: Permission denied
2017-07-05T16:13:18.543846406Z Could not mount /sys/kernel/security.
2017-07-05T16:13:18.543855189Z AppArmor detection and --privileged mode might break.
2017-07-05T16:13:18.543861712Z mount: mounting none on /tmp failed: Permission denied

When I change the configuration param 'privileged' of 'runner.docker' to false, the Sonar job works but Test Unit fails:

service runner-f66e3b66-project-227-concurrent-0-mysql-wait-for-service did timeout

2017-07-05T15:08:49.178114891Z 
2017-07-05T15:08:49.178257497Z ERROR: mysqld failed while attempting to check config
2017-07-05T15:08:49.178266378Z command was: "mysqld --verbose --help"
2017-07-05T15:08:49.178271850Z 
2017-07-05T15:08:49.178276837Z mysqld: error while loading shared libraries: libpthread.so.0: cannot open shared object file: Permission denied

The param "privileged" has to be true to be able to use docker in docker. But I don't understand why it breaks permissions for services like MySQL.

Here is my gitlab-ci file:

stages:
  - test-unit
  - analyse

.php_job_template: &php_job_template
  image: custom_docker_image
  before_script:
    - eval $(ssh-agent -s) && ssh-add <(echo "$SSH_PRIVATE_KEY")
    - mkdir -p ~/.ssh && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
  services:
    - mysql
  variables:
    MYSQL_DATABASE: blabla
    MYSQL_USER: blabla
    MYSQL_PASSWORD: blabla
    MYSQL_ROOT_PASSWORD: blabla

test_phpunit_dev:
  <<: *php_job_template
  stage: test-unit
  script:
    - mysql -h mysql -u blabla -pblabla <<< "SET GLOBAL sql_mode = '';"
    - php composer.phar install -q
    - php vendor/bin/phpunit -c tests/phpunit.xml

sonar:
  stage: analyse
  image: docker:1.12.6
  services:
    - docker:dind
  script:
    - docker run --rm -v `pwd`:/build -w /build letsdeal/sonar-scanner:2.7 scan -e

How do I fix this?

Deepak Rai
Bruno Maurice
  • Seems to be an issue with AppArmor: https://github.com/docker-library/mysql/issues/330#issuecomment-334619489 This didn't happen if you don't have any MySQL server on your docker host. – Soullivaneuh Oct 06 '17 at 10:57
  • Do you have AppArmor enabled for Docker? – Tarun Lalwani Oct 06 '17 at 11:15
  • There was a MySQL server installed, but we removed it. I will check if I forgot something related to AppArmor. Thanks @Soullivaneuh :) – Bruno Maurice Oct 12 '17 at 10:58

2 Answers

1

Why don't you use ciricihq/gitlab-sonar-scanner, for instance? It doesn't require using dind or privileged mode.

official github repository

yodamad
0

I had the same issue and was able to resolve it by removing MySQL (as I don't need it on my CI server, anyway) and disabling AppArmor. On Ubuntu, you can run:

# Remove MySQL
sudo apt-get remove mysql-server

# Disable AppArmor for MySQL
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

Source: https://www.cyberciti.biz/faq/ubuntu-linux-howto-disable-apparmor-commands/

XtraSimplicity
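
Added example, not part of the question or either answer: a read-only check for the combination this thread points to, a runner with `privileged = true` on a Docker host that enforces an AppArmor profile for mysqld. The function names (`privileged_runners`, `mysqld_profiles`, `audit`, `demo`) are hypothetical, and the sample input is constructed from the question's config and a typical Ubuntu profile list.

```shell
#!/bin/sh
# Added example (not from the thread): flag the combination reported above,
# a privileged Docker runner on a host that enforces a mysqld AppArmor profile.

# Print the name of each [[runners]] entry that sets privileged = true.
privileged_runners() {   # $1 = runner config.toml
    awk '
        /^[ \t]*\[\[runners\]\]/ { name = "(unnamed)" }
        /^[ \t]*name[ \t]*=/ {
            name = $0
            sub(/^[^=]*=[ \t]*"/, "", name)
            sub(/"[ \t]*$/, "", name)
        }
        /^[ \t]*privileged[ \t]*=[ \t]*true/ { print name }
    ' "$1"
}

# Print enforce-mode profiles whose name is a path ending in /mysqld.
mysqld_profiles() {      # $1 = file in /sys/kernel/security/apparmor/profiles format
    awk '$1 ~ /\/mysqld$/ && $2 == "(enforce)" { print $1 }' "$1"
}

audit() {                # $1 = config.toml, $2 = profile list
    runners=$(privileged_runners "$1" | paste -sd, -)
    profiles=$(mysqld_profiles "$2" | paste -sd, -)
    if [ -n "$runners" ] && [ -n "$profiles" ]; then
        echo "CONFLICT: privileged runner(s) $runners; host profile $profiles"
    elif [ -n "$runners" ]; then
        echo "PRIVILEGED: runner(s) $runners; no enforced mysqld profile"
    else
        echo "OK: no privileged runner"
    fi
}

# Constructed sample input mirroring the question's config and an Ubuntu host.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '[[runners]]' '  name = "name-ci"' '  executor = "docker"' \
        '  [runners.docker]' '    privileged = true' > "$dir/config.toml"
    printf '%s\n' '/usr/sbin/mysqld (enforce)' 'docker-default (enforce)' \
        > "$dir/profiles"
    audit "$dir/config.toml" "$dir/profiles"
    rm -rf "$dir"
}
demo
```

On a real host the two inputs would be the runner's config.toml and /sys/kernel/security/apparmor/profiles; reading the latter needs root.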