Hello, someone raised a security concern about the binding of docker.sock in a Github issue. Supposedly, it can be solved by using gitea/act_runner:latest-dind-rootless.
However, in the act runner deployment examples, the DIND example is ran with privileged: true. Isn’t this also a security risk?
Should I be worried about using runners on a machine?
I was wondering the same thing.
Did you manage to run the runner with the rootless image, as mentioned in the ‘deployment examples’ link that you shared? Because I had some trouble getting that set-up and had to fall back to the ‘root’ image.
Luckily it’s just my private instance, and not a production environment, otherwise this wouldn’t really be acceptable.
I can’t answer that. I have the same use case and use the root image.
privileged: true
is a requirement for DIND, but it will not give special permissions to job container.