 

GitLab CI + DinD + MySQL services permission issue

I created two GitLab jobs:

  • Test unit (using a PHP registered docker on GitLab)
  • Sonar (using docker service to run "Letsdeal/docker-sonar-scanner")

I use the following gitlab-ci-multi-runner configuration:

    concurrent = 1
    check_interval = 0

    [[runners]]
      name = "name-ci"
      url = "https://uri/ci"
      token = "token"
      executor = "docker"
      [runners.docker]
        tls_verify = false
        image = "docker:latest"
        privileged = true
        disable_cache = false
        volumes = ["/cache"]
        shm_size = 0
      [runners.cache]

The test unit job works correctly, but the Sonar job failed with the following messages:

    service runner-f66e3b66-project-227-concurrent-0-docker-wait-for-service did timeout

    2017-07-05T16:13:18.543802416Z mount: mounting none on /sys/kernel/security failed: Permission denied
    2017-07-05T16:13:18.543846406Z Could not mount /sys/kernel/security.
    2017-07-05T16:13:18.543855189Z AppArmor detection and --privileged mode might break.
    2017-07-05T16:13:18.543861712Z mount: mounting none on /tmp failed: Permission denied

When I change the configuration param 'privileged' of 'runner.docker' to false, the Sonar job works but Test Unit fails:

    service runner-f66e3b66-project-227-concurrent-0-mysql-wait-for-service did timeout

    2017-07-05T15:08:49.178114891Z
    2017-07-05T15:08:49.178257497Z ERROR: mysqld failed while attempting to check config
    2017-07-05T15:08:49.178266378Z command was: "mysqld --verbose --help"
    2017-07-05T15:08:49.178271850Z
    2017-07-05T15:08:49.178276837Z mysqld: error while loading shared libraries: libpthread.so.0: cannot open shared object file: Permission denied

The param "privileged" has to be true to be able to use docker in docker. But I don't understand why it breaks permissions for services like MySQL.

Here is my gitlab-ci file:

    stages:
      - test-unit
      - analyse

    .php_job_template: &php_job_template
      image: custom_docker_image
      before_script:
        - eval $(ssh-agent -s) && ssh-add <(echo "$SSH_PRIVATE_KEY")
        - mkdir -p ~/.ssh && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
      services:
        - mysql
      variables:
        MYSQL_DATABASE: blabla
        MYSQL_USER: blabla
        MYSQL_PASSWORD: blabla
        MYSQL_ROOT_PASSWORD: blabla

    test_phpunit_dev:
      <<: *php_job_template
      stage: test-unit
      script:
        - mysql -h mysql -u blabla -pblabla <<< "SET GLOBAL sql_mode = '';"
        - php composer.phar install -q
        - php vendor/bin/phpunit -c tests/phpunit.xml

    sonar:
      stage: analyse
      image: docker:1.12.6
      services:
        - docker:dind
      script:
        - docker run --rm -v `pwd`:/build -w /build letsdeal/sonar-scanner:2.7 scan -e

How do I fix this?

Bruno Maurice asked Jul 10 '17 12:07


1 Answer

Why not use ciricihq/gitlab-sonar-scanner, for instance? It doesn't require dind or privileged mode.

official github repository

yodamad answered Sep 20 '22 02:09
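The `privileged` flag in the question is set per runner, so it applies to every container that runner starts, including service containers such as mysql. As an added example (not part of the question or the answer), one way to confine the flag to the dind job is to register two runners and route jobs by tag; the second runner's name, its token placeholder and the tag names `plain` and `dind` are assumptions.

```toml
# config.toml for gitlab-ci-multi-runner: two runner entries on one host.
# Constructed example; url/token values are the question's placeholders.
concurrent = 1
check_interval = 0

# Unprivileged runner: takes the PHP unit-test job and its mysql service.
# Registered with the (hypothetical) tag "plain".
[[runners]]
  name = "name-ci"
  url = "https://uri/ci"
  token = "token"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = false        # job and service containers run unprivileged
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0

# Privileged runner: reserved for jobs that start docker:dind.
# Registered with the (hypothetical) tag "dind" and not allowed to pick
# up untagged jobs, so nothing lands here by accident.
[[runners]]
  name = "name-ci-dind"       # hypothetical name
  url = "https://uri/ci"
  token = "token-dind"        # placeholder for the second registration
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true         # needed by the docker:dind service only
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0

# Job side, in .gitlab-ci.yml (shown here as comments):
#   test_phpunit_dev:
#     tags: [plain]           # runs on the unprivileged runner
#   sonar:
#     tags: [dind]            # runs on the privileged runner
```

Tags are assigned when each runner is registered, not in `config.toml`. If the Sonar job is switched to an image that does not need dind, as the answer suggests, the privileged entry can be dropped entirely.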