For my GitLab CI jobs I’m using Docker containers with a CVMFS client mounting my repository. This works fine as long as the container that runs the CI job is started with the usual set of docker options needed to make CVMFS work properly from inside the container, e.g.:
--device /dev/fuse --cap-add SYS_ADMIN --security-opt apparmor:unconfined
This requires tweaking the gitlab-runner config file by adding some options like:
cap_add = ["SYS_ADMIN"]
security_opt = ["apparmor:unconfined"]
devices = ["/dev/fuse"]
to the runner configuration.
All of the above pose no problem as long as one has access to the runner host and enough permissions to configure gitlab-runner, but fall short with e.g. shared runners. Is there any way to circumvent the problem, i.e. to mount CVMFS inside a container on a system where there’s no possibility to specify docker options? Needless to say, mounting CVMFS on the host and then bind-mounting inside the container is not an option.
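An added example, not part of the original post and not code from CVMFS or gitlab-runner: a preflight check that a CI job can run to see which of the three Docker options listed above are actually in effect inside its container. The function names are hypothetical, and treating an empty AppArmor label as unconfined is an assumption.

```shell
#!/bin/sh
# Added example: preflight for the three Docker options named in the post.
# Function names are hypothetical; this is not CVMFS or gitlab-runner code.

# --device /dev/fuse: the path must exist as a character device.
fuse_device_present() {
    [ -c "${1:-/dev/fuse}" ]
}

# --cap-add SYS_ADMIN: CAP_SYS_ADMIN is capability number 21, so test bit 21
# of the effective-capability mask (hex CapEff value in /proc/self/status).
has_cap_sys_admin() {
    [ $(( (0x$1 >> 21) & 1 )) -eq 1 ]
}

# --security-opt apparmor:unconfined: the process label reads "unconfined".
# Assumption: an empty label means AppArmor is not confining the process.
apparmor_unconfined() {
    case "$1" in
        ""|unconfined*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live values for this process and report each precondition.
cvmfs_preflight() {
    rc=0
    cap_eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
    label=$(cat /proc/self/attr/current 2>/dev/null || true)

    if fuse_device_present; then echo "ok   /dev/fuse is a character device"
    else echo "FAIL /dev/fuse missing (devices option not applied)"; rc=1; fi

    if has_cap_sys_admin "${cap_eff:-0}"; then echo "ok   CAP_SYS_ADMIN effective"
    else echo "FAIL CAP_SYS_ADMIN absent (CapEff=${cap_eff:-unknown})"; rc=1; fi

    if apparmor_unconfined "$label"; then echo "ok   AppArmor: ${label:-no label}"
    else echo "FAIL AppArmor profile active: $label"; rc=1; fi

    return $rc
}

# Run the live check only when asked, e.g. `sh preflight.sh --run` in a job.
if [ "${1:-}" = "--run" ]; then cvmfs_preflight; fi
```

On a shared runner, the failing lines show which of the three settings the runner configuration does not grant.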