🚀 Announcement: Privileged Mode Removal from General-purpose Runners

TL;DR

Docker privileged mode is being removed from all general-purpose runners (amd64/arm64) on 24 Nov 2025.
If your GitLab CI job needs Docker privileged access, switch to the extra-privileged or arm64-extra-privileged runner tags.

Hi Everyone,

General-purpose runners were temporarily enabled with Docker privileged mode to support jobs that required elevated operations. To improve security and isolation, these jobs should have been moved to dedicated extra-privileged runners specifically meant for such use cases. This allows us to safely remove privileged mode from general-purpose runners on the community GitLab runners.

This change will take effect on 24th Nov 2025.

Jobs that rely on Docker privileged mode — such as those using the Docker socket or Buildah — have already been migrated to our dedicated privileged runners:

  • extra-privileged (amd64)

  • arm64-extra-privileged (arm64)

General-purpose runner tags (privileged mode will be removed):

  • amd64

  • amd64-large

  • amd64-bigdisk

  • arm64

  • arm64-large


:wrench: What’s Changing

Starting 24th Nov 2025, privileged mode will be disabled from all general-purpose runners.

This means jobs will no longer have access to elevated capabilities normally provided by privileged mode.


:red_exclamation_mark: Why This Matters — What Privileged Mode Actually Does

When privileged = true, the job container essentially behaves like a lightweight VM with near-root access. It enables:

  • Full access to host devices (/dev/*)

  • Docker-in-Docker support (most common use case)

  • Ability to mount filesystems

  • Ability to run syscalls normally blocked by Docker

  • Broad Linux admin capabilities including:

    • CAP_SYS_ADMIN

    • CAP_NET_ADMIN

    • and many others providing host-level privileges

Removing privileged mode improves isolation and security, but jobs requiring these capabilities must use privileged runners.


:pushpin: Action Required

Please review your pipelines and check whether any jobs still require privileged mode beyond Docker-in-Docker (DinD) and Buildah.
Our team has already migrated all jobs using DinD and Buildah to the appropriate privileged runners.

If you have jobs that perform host-level operations inside the script — such as accessing /dev/*, mounting filesystems, or using Linux capabilities — you will need to update those jobs to use the privileged runner tags:

  • extra-privileged

  • arm64-extra-privileged

:information_source: All known DinD and Buildah jobs have already been moved, so no action is required for those. Only jobs needing additional host-level capabilities must be identified and updated by the respective teams.


If you encounter any CI job failures related to this change, please reply here with the CI job URL and we’ll investigate.

:blue_book: More Details

:backhand_index_pointing_right: Refer to the Elxr CI Runners Wiki for full documentation.

Thanks for your support as we continue improving Elxr’s CI experience!

— Elxr DevOps Team

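The announcement asks teams to work out for themselves whether a job still depends on privileged mode. The script below is an added example for that review (it is not part of the Elxr post or the Elxr runner tooling): dropped into a job's `script:`, it reads the capability masks from /proc/self/status and reports whether the container has the CAP_SYS_ADMIN and CAP_NET_ADMIN bits that privileged mode hands out. It assumes a Linux job container, capability bit numbers from linux/capability.h, and the two sample masks at the bottom are constructed (Docker's default capability set, and a fully privileged container on a kernel with 41 capabilities), not captured from Elxr runners.

```shell
#!/bin/sh
# Added example, not from the Elxr announcement: report whether the current
# job container holds the capabilities that Docker privileged mode grants.
# Assumptions (mine, not stated in the post): Linux, readable /proc/self/status,
# capability bit numbers as in linux/capability.h.

# Capability bit numbers (linux/capability.h)
CAP_NET_ADMIN=12
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21
CAP_MKNOD=27

# cap_field NAME [STATUSFILE]: print the hex mask of a Cap* line from /proc/PID/status.
# CapBnd is the bounding set (what the container may hold at all, regardless of
# which user the job runs as); CapEff is what the current process holds right now.
cap_field() {
    awk -v want="$1:" '$1 == want { print $2 }' "${2:-/proc/self/status}"
}

# has_cap HEXMASK BIT: succeed if capability BIT is set in the 64-bit hex mask.
# The mask is split into two 32-bit words so it fits shell arithmetic everywhere.
has_cap() {
    mask=$(printf '%16s' "$1" | tr ' ' '0')   # left-pad to 16 hex digits
    bit=$2
    if [ "$bit" -ge 32 ]; then
        word=$(printf '%s' "$mask" | cut -c1-8)
        bit=$((bit - 32))
    else
        word=$(printf '%s' "$mask" | cut -c9-16)
    fi
    [ $(( (0x$word >> bit) & 1 )) -eq 1 ]
}

# looks_privileged HEXMASK: privileged mode grants CAP_SYS_ADMIN and CAP_NET_ADMIN
# (the two the announcement names); Docker's default set contains neither.
looks_privileged() {
    has_cap "$1" "$CAP_SYS_ADMIN" && has_cap "$1" "$CAP_NET_ADMIN"
}

# report [STATUSFILE]: summary for the job log; the last line is exactly
# "privileged" or "unprivileged" so a pipeline step can grep for it.
report() {
    f=${1:-/proc/self/status}
    bnd=$(cap_field CapBnd "$f")
    eff=$(cap_field CapEff "$f")
    echo "CapBnd=$bnd CapEff=$eff"
    for c in NET_ADMIN SYS_MODULE SYS_RAWIO SYS_PTRACE SYS_ADMIN MKNOD; do
        eval "bit=\$CAP_$c"
        if has_cap "$bnd" "$bit"; then echo "  CAP_$c: in bounding set"; fi
    done
    if looks_privileged "$bnd"; then echo privileged; else echo unprivileged; fi
}

# Constructed sample masks (not captured from Elxr runners): Docker's default
# capability set, and a fully privileged container on a kernel with CAP_LAST_CAP = 40.
SAMPLE_UNPRIV_CAPS=00000000a80425fb
SAMPLE_PRIV_CAPS=000001ffffffffff

# Report on the current process when this runs inside a job.
if [ -r /proc/self/status ]; then
    report
fi
```

Run it as the first step of a job on an `amd64`/`arm64` tag: "unprivileged" followed by EPERM failures in the job's own commands (mounts, mknod, module loads, device access) is the signature of a job that belongs on `extra-privileged` or `arm64-extra-privileged`; "privileged" on a general-purpose tag before the cutover only shows the job is being handed privileged mode, not that it uses it. The report keys on CapBnd rather than CapEff because a job running as a non-root user has an empty effective set even in a privileged container.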

Hi Everyone,

We have completed the activity. Privileged mode has now been fully removed from all general-purpose runners.

If you notice any unexpected CI job failures related to runner permissions, just share the job URL with us and we’ll take a look.

Thanks for your cooperation!

— Elxr DevOps Team