I’d like to propose a new runner for Drone that would obviate the need for docker-out-of-docker hacks that exist in the current docker runner, while still maintaining security.
The idea, in brief, is to use the sysbox container runtime:
- Create a new runner that launches every pipeline inside an isolated "system container".
- Each step in the pipeline runs as a separate container inside the system container.
- Each step is free to interact with the system container's docker daemon without compromising host isolation.
- Pipeline steps can use regular docker commands! No need to use a special plugin when building docker images.
  - This means step 1 of a pipeline can build an image that is used to run tests in step 2, without the need to publish the untested image to a separate cache.
  - This also means that steps can use e.g. docker-compose to orchestrate sidecar services, so teams can use the same config they use to develop locally to run their tests in CI.
Such a setup would also enable running Kubernetes applications in CI/CD pipelines without needing to maintain a separate cluster.
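To make the build-then-test flow concrete, here is a sketch of what a pipeline for the proposed runner could look like. This is an added illustration, not part of the proposal or any existing Drone runner: the `type: sysbox` value, the `myapp` image name, the compose file and the test script are all assumed placeholders, and the example assumes the runner exposes the system container's docker socket to each step container.

```yaml
# Hypothetical .drone.yml for the proposed sysbox-based runner.
# "type: sysbox" is an assumed placeholder; no such runner type exists yet.
kind: pipeline
type: sysbox
name: build-and-test

steps:
  # Step 1: build the image. The docker CLI talks to the daemon running
  # inside the system container (assumed to be wired up by the runner),
  # so no host docker socket is mounted and host isolation is preserved.
  - name: build
    image: docker:24
    commands:
      - docker build -t myapp:${DRONE_COMMIT_SHA} .

  # Step 2: the image from step 1 is already in the system container's
  # local image store, so it can be tested without pushing it anywhere.
  # docker-compose.test.yml and run-tests.sh are assumed project files;
  # the compose plugin is assumed to be present in the step image.
  - name: test
    image: docker:24
    commands:
      - docker compose -f docker-compose.test.yml up -d db
      - docker run --rm --network host myapp:${DRONE_COMMIT_SHA} ./run-tests.sh
      - docker compose -f docker-compose.test.yml down

  # Step 3: only a tested image leaves the system container.
  - name: publish
    image: docker:24
    commands:
      - docker tag myapp:${DRONE_COMMIT_SHA} registry.example.com/myapp:${DRONE_COMMIT_SHA}
      - docker push registry.example.com/myapp:${DRONE_COMMIT_SHA}
```

The system container itself is what the runner would start on the host with the sysbox runtime (i.e. `--runtime=sysbox-runc`); everything in the steps above runs against the daemon inside it, and the host daemon never sees a socket mount.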