From YouTube: The Docker-in-Docker requirement for Security features
Description
Philippe Lafoucrière, Distinguished Engineer, explains why and how Docker-in-Docker (DinD) is used for our Security Products, and the common pitfalls when configuring privileged GitLab Runners.
A: Welcome everyone. I'm Philippe, Distinguished Engineer on the Secure team, and today we're going to talk about Docker-in-Docker and why it matters for the team and for all customers. Now you can see my screen, and you see that as well, the whole presentation. Awesome, so let's get started. I have a few slides before we go through why we are using Docker-in-Docker in this situation, why it's important for us.

How do you set that up with a GitLab Runner? If you use GitLab.com, obviously you don't have anything to do, but the point here is to deal with the customer setup. And then at the end, sorry, we can skip that. We'll go through what we've seen so far real quick and make sure that you understand the whole architecture and why it's not working sometimes. Just a few words at the end to explain why we want to get rid of Docker-in-Docker. That's going to be interesting with the roadmap.

So why do we use Docker-in-Docker in the security products? We use that, first of all, in a few products, not all of them: currently SAST, Dependency Scanning and Container Scanning. For SAST and Dependency Scanning, we use that because we need a kind of orchestration layer where, for example, the SAST job is kind of an empty shell.

It will just detect and map the languages and frameworks that are used in the project to the analyzers that are available. Based on that, it's going to download and run the analyzers locally against the current project, gather all the results into a single output format, and output that format to create the report. So we could achieve the same, actually, without this orchestration layer, but we would still miss a few features, like ignoring some paths or aggregating the analyzers together. Today it's only possible to have one that is running at a time.

If you don't have this kind of orchestration in place... We also did that because we don't want to have a huge single image where we have everything, because it might introduce some new and unexpected behaviors. For example, tomorrow we want to support a new framework for PHP, and that framework is relying on some Node.js dependencies, and the versions that we have in the image are not exactly the versions that would be compatible with this new framework.

Container Scanning is different. We need the Docker server to run the Clair analyzer: Clair needs to pull the image locally and analyze the layers. There are some ways to deal with that other than having a Docker server, but it's a bit more work and we're not there yet. We have some issues to avoid that, but it's going to be a bit more complex than just swapping dependencies. A quick recap to get started on GitLab CI. So, quick reminder: how Docker is running Docker. It's a client-server application.

Keep that in mind: when you type docker into your terminal, you actually use the client version of Docker, but this client is completely useless without a Docker server, so you need a server to run the containers and to make sure that the images are stored somewhere. The server will be in charge of managing the networks, the containers, the images and the data storage. By default, Docker listens on a socket instead of a port. It has been the case for a few years now, for security reasons.

It's generally this path that we have here; it can change from one system to another, but it's commonly this file that is used to communicate with Docker. Your clients will use this socket by default unless you have a DOCKER_HOST environment variable. This file... it's the case, for example, in some jobs, and especially out of the box. If you have runners running on a Kubernetes cluster, for instance, you need to set up DOCKER_HOST a bit differently, something that you have to keep in mind as well.

Docker requires a lot of capabilities in your system and it has to run as root, so the Docker server will always run as root. That's important for the rest of this presentation. I'm getting back to GitLab Runner. This is how you configure a privileged GitLab Runner, because this is the requirement. If you want to run Docker-in-Docker, you need a privileged GitLab Runner, and this is, I would say, the top one pitfall that we're seeing when something is not working with the CI project.

It's because you don't have this privileged line inside your runner's configuration. So that's the key point here. And to use that, actually, the second part of the slide is actually a .gitlab-ci.yml file, where you can use a Docker service, and you can see it here. It's going to start with a Docker server inside the service that you can use inside your script. You're not supposed to use the Docker server

that is on the runner, and we're going to see why in a few minutes as well. So I told you, coming to the top pitfalls around security products: the first one is not using the right runners. I saw that a lot of times: multiple runners are set up on the self-hosted instance, and when the job is running, it's not using the privileged runners. So make sure that the right tags are in place and the right runners are being used.

The third one is also pretty common, and I'm going to have a full slide on that: mounting the Docker socket. It's spreading confusion because, if you read the doc, the official Docker documentation, there are many mentions of mounting the Docker socket into the runner. So it's super confusing, because you might think: if I want to run a privileged runner, I should mount the Docker socket. Pretty much makes sense, right? No, not at all. It's actually this line that you see at the top of the screen.

/var/run/docker.sock is mounted to the same file inside the runner container, because every runner is actually a container. But you have to understand the whole picture, and we're going to drill down to the details on the host. We have a Docker server, and that Docker server will run the Docker... sorry, the GitLab Runner. When we run a job with the Docker service, we want our own Docker server, so that we are completely isolated from the host when you run a job like the SAST job. Inside the job,

the Docker socket that you are using is not the one that you think. It's not the one of the Docker service, it's the one on the host. So not only are you creating a security issue, because your jobs are going to run directly on the host, but also, when the job is running, this PWD, the current directory that we have there, is not exactly the one that they are speaking of in the context of the job.

This folder contains a lot of files, and all the files can be mounted in there, but on the host, guess what, this folder doesn't exist. The Docker server on the host doesn't have any clue about this PWD, the path to your project. So in the end it's going to end up with an empty directory: you're expecting to see a lot of files, and you don't see anything. And that's a common question that we had as engineers: what's going on, my SAST job doesn't see any of my files? It's because of this.

You are talking to the wrong Docker server. This one doesn't know anything about your project. So that's probably the most common pitfall that we're seeing, and I will take questions on that a bit later. So Docker-in-Docker is really good for us: it attempts to isolate the container, the context and the rest. But yes, it has a lot of drawbacks, and that's why we want to get rid of it.

First of all, if I take back my overall picture of the Docker executor in the GitLab Runner: we have one Docker server here, one local server, and the GitLab Runner itself that will be spun off as a container for a build, and in the SAST job here we are using docker run, etc. The problem is, when we do that, the images are going to be pulled on the GitLab Runner's Docker server.

So if I have, for example, JavaScript and Python, and I took that image, by the way, I know it's not the right one, that's a private joke. If you're using the JavaScript analyzer and the Python analyzer, they are going to be downloaded and run inside this context. But guess what: once the job is done, all this context is going to be removed.

So all the Docker server here and its data are going to be completely wiped off from the host, and so there are no more Python and JavaScript analyzer images anywhere there. The cache doesn't persist anymore. So if I want to run the SAST job again, I will have to run that and download the images again. So if I have a lot of images, I have to download them every time, so it's not great for the cache.

Even bigger than that, okay, so let's take a very tiny example. Let's say I want to run alpine on my machine. I'm on a Mac here; it's pretty straightforward.

If I exit the container... oops, if I exit the container and restart it again, I would have a fresh version of that container. So that's good. The thing is, inside this container I have a bunch of files that are specific to this container. So, for example, here I don't have any access to any device that would be on the host, for security reasons. But if I do the same, if I run...

It's going to crash my whole Docker installation. It's not really a big deal for my host, my Mac machine, but guess what is going to occur on a Linux server or any self-hosted installation: if I do that, I'm outside of the container. That means, if I'm eager to access the device, the hard drive or any other device...

Just to make it easier, for example, if I check the swappiness parameter, I can change that. Let's write 61 to this file; if I cat it, 61. I get out of the container, so here on the host I run another container. If I do the same here, you see that I changed the parameter directly on the host, and it will change the behavior of the host.

B: Hey, this is DT, I'll jump in with a good question. Yeah, can you go back to the slide where it showed the mounting of the socket being the same? Yeah, this one. And this was great, I'm gonna have to go through this presentation one more time to get some of the finer points, but can you explain that dual mounting there? Is that part of the core problem of the visibility between the runner and the host, and is that a requirement?

A: It's absolutely not a requirement, it's actually one of the pitfalls. If you do that, if you mount this volume to the GitLab Runner Docker instance, you're going to use the socket on the host, so you're going to use this server, and this server will actually be, you know, just on this side, and you can't actually hit it. That's right! That's really...

By default, I saw that multiple times in the documentation.

B: Got it.

A: That's why I also saw some customers being super confused, because they started to come to GitLab, I would say, the regular way, and they discovered afterwards that they need some privileged runners for the security features. At that point we have the scheme of the first runners that we set up, and they are trying to set up this new one, and in the documentation...

...see an empty directory. If the result of this scan is empty, probably the first thing to check: check if the volume is mounted. It's likely to be the reason. Okay, if you understand this kind of Russian dolls paradigm, where you have a Docker running Docker that will run the other, if you understand exactly where you are, in which level, it's going to be a lot easier. And here you can see that we are bypassing completely the layers, and the job itself is running directly on the host. Exactly, absolutely.

Yeah, absolutely right, Bernice! Thank you for that. So that's not what we could... The autoscaling feature on the GitLab Runner. Autoscaling means we're going to spin up as many runners as we need, but the point is, we are also able to spin up runners for every job. So all the runners have a configuration with the max builds set to one, so one runner is used for one job and one job only. So there is no way of collision: for example, a runner can't be used twice for two jobs, and we don't

have to care about isolation between the jobs anymore, because we are spinning up a full VM for the job. And you can see that we are adding another layer to the Russian dolls system that we have here; the whole host is going to be wiped out right after the job. So we don't care if there is a security issue and the user can get out of the Docker container.

Sorry. There is a way to check that out, and we are a good example, but it's really, really tedious for our customers who have Docker Machine machines being created and... it's a full new environment. They want to get started, and that's usually one of the drawbacks of having the orchestrator. We are dealing with customers that are evaluating Ultimate, so they are in the process of a PoC, and they don't have unlimited resources. They don't have unlimited time, and doing that kind of workaround is really time consuming. So you want to do that

if you have a very stable architecture like we have on GitLab.com, but if you just evaluate the security features, that's a lot of overhead. So that's why they generally prefer to just remove the SAST layer, for example, the SAST orchestrator, and run the right analyzer directly on the project, so that they don't have to create any privileged runners.

A: That's a great question. So actually the detection mechanism is hosted in every analyzer. They come up with a way of saying: if there is that kind of file in the repository, run a particular analyzer. So all this business logic is already held in the analyzers themselves. So in the future we will get rid of Docker-in-Docker and the SAST orchestrator. All the analyzers would have to run, and they will exit very quickly because they will say, "I'm not compatible."

They will exit. By the way, you might think that it's not performant, but actually it's more performant than what we have today, because all these analyzers, when you run them directly instead of inside SAST, they are going to be cached on the GitLab Runner. So, although GitLab Runner is running there, if you use a Docker executor and you have an image declared in the image tag version, the runner will pull this image, but this image will be stored in the file system for a long time.

We are at time. Is there any last question? All right, I really hope that was useful for you and for the customer success and support team. If you have any other questions, please feel free to reach out on Slack; the Secure channel would be happy to answer that. With that, I will wish you a happy end of the day. See you, bye. Thanks for the...