Hello,

For historical reasons™ all GitLab runners were running with privileged mode enabled. The happy side effect of this fact is that nothing special was ever needed to run Docker or flatpak builds. It also means we were extremely lucky that no one abused CAP_SYS_ADMIN and other elevated privileges for bad things.

For the past few days I've been working to ensure that Flatpak builds are still functional without additional privileges. If your project is using citemplates[1], the configuration change should be invisible to your pipelines and you can keep on doing awesome GNOME work. However, if you have modified the default steps via the 'extends' keyword (or by defining them completely manually), please make sure that:

1) you are using the registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome image, or your image does not run as root,
2) jobs using flatpak/flatpak-builder have the "flatpak" tag defined,
3) the flatpak-builder invocation includes --user --disable-rofiles-fuse for building; 'flatpak-builder --run' includes --disable-rofiles-fuse.

If your project's pipeline is using Docker to build an image from a Dockerfile, consider switching to podman or buildah, as they should work unprivileged.

The only exception to these changes is the runners assigned to gnome-build-meta.

If you encounter any problems with running CI unprivileged, please poke me on #sysadmin on irc.gnome.org or via Rocket.chat.

Bart

_______________________________________________
desktop-devel-list mailing list
desktop-devel-list@gnome.org
https://mail.gnome.org/mailman/listinfo/desktop-devel-list
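As an added illustration (not from the original message and not citemplates' own template), here is what a manually defined Flatpak job satisfying the three points above could look like; the job name, manifest path, app id and the meson build directory are assumed placeholders.

```yaml
# Added example: a hand-written Flatpak job that runs on an unprivileged runner.
# Assumed placeholders: job name, org.example.App.json, org.example.App, _build.
flatpak:
  # Point 1: the GNOME runtime image, which does not need to run as root.
  image: registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome
  # Point 2: the "flatpak" tag routes the job to the runners prepared for this.
  tags:
    - flatpak
  variables:
    MANIFEST_PATH: "org.example.App.json"
    APP_ID: "org.example.App"
  script:
    # Point 3 (build): --user keeps everything in the user installation so no root
    # is needed; --disable-rofiles-fuse avoids the FUSE mount, which is not available
    # without the privileges a privileged runner used to grant.
    - flatpak-builder --user --disable-rofiles-fuse --repo=repo app ${MANIFEST_PATH}
    # Point 3 (--run): the same FUSE flag is needed when entering the build sandbox,
    # here to run the test suite from the assumed build directory.
    - flatpak-builder --run --disable-rofiles-fuse app ${MANIFEST_PATH} meson test -C _build
    # Export a single-file bundle as a pipeline artifact.
    - flatpak build-bundle repo ${APP_ID}.flatpak ${APP_ID}
  artifacts:
    paths:
      - ${APP_ID}.flatpak
```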