
How to run Container Runner in Privileged Mode

Container Runner in Privileged Mode

In some cases you may wish to run your Docker containers in a privileged environment, for example to let GDB attach to processes by setting --cap-add=SYS_PTRACE.

CircleCI Cloud's Docker executor does not offer this configuration at this time.
However, you can do this if you are using the self-hosted container runner.

Please cast your vote for this feature request if you would like to see this supported in the cloud environment.

Values Setup

agent:
  resourceClasses:
    namespace/container-runner:
      token: ${TOKEN}
      spec:
        containers:
          - resources:
            volumeMounts:
              - name: docker-socket
                mountPath: /var/run/docker.sock
            securityContext:
              privileged: true
        volumes:
          - name: docker-socket
            hostPath:
              path: /var/run/docker.sock
              type: Socket

Verifying Privileged Mode

You can run the following step within your job to verify that the container is running in privileged mode. Adding a network interface requires CAP_NET_ADMIN, which a privileged container has and a default container does not.

      - run:
          name: Privilege check
          command: |
            # Adding a dummy interface needs CAP_NET_ADMIN; remove it again if the add succeeded.
            (ip link add dummy2 type dummy >/dev/null 2>&1 && ip link del dummy2 && echo "Running in privileged container") || echo "Not in privileged container"

You can also run the following kubectl command from outside the job to check the pod's security context (replace ${POD_NAME} and ${NAMESPACE} with the job pod's name and namespace):

kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o json | jq -r '.spec.containers[].securityContext.privileged'
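As an added illustration that is not part of the original article, the following Python script reads the CapEff mask from /proc/self/status and reports whether the process holds the full capability set that privileged: true grants, or only the single capability a flag such as --cap-add=SYS_PTRACE adds. The status excerpts are constructed; last_cap defaults to 40 (kernels 5.8 and later).

```python
import re

# Linux capability names indexed by bit number (0..40 on kernels 5.8+).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Constructed /proc/self/status excerpts (not captured from a real job):
# default Docker capability set, default set plus SYS_PTRACE, and a privileged container.
STATUS_DEFAULT = "Name:\tsh\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
STATUS_PTRACE = "Name:\tsh\nCapEff:\t00000000a80c25fb\nCapBnd:\t00000000a80c25fb\n"
STATUS_PRIV = "Name:\tsh\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"


def cap_eff(status_text):
    """Return the effective capability bitmask parsed from the CapEff line."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def cap_names(mask):
    """Expand a capability bitmask into the list of capability names it contains."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def is_privileged(mask, last_cap=40):
    """privileged: true hands the container every capability the kernel knows about."""
    return mask == (1 << (last_cap + 1)) - 1


def check_status(status_text, needed=("SYS_PTRACE", "NET_ADMIN"), last_cap=40):
    """Summarise privilege state and which of the capabilities we care about are absent."""
    mask = cap_eff(status_text)
    have = set(cap_names(mask))
    return {
        "privileged": is_privileged(mask, last_cap),
        "cap_count": len(have),
        "missing": [c for c in needed if c not in have],
    }


if __name__ == "__main__":
    with open("/proc/self/status") as f:  # run inside the job container to audit it
        print(check_status(f.read()))
```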
