Commit 3f4051a2 authored by Kevin Daudt

register-runner: split the runner into two runners

In order to be able to run docker images inside docker, we mount the docker
socket inside the build container. This offers a security risk, as any CI job is
able to interact with the docker engine on the host.

To mitigate this, one runner is used to build docker images. This runner
should be limited to trusted projects.

The other runner can be shared, as it does not get the docker socket.
parent aa9ee7fe
Pipeline #1693 passed in 44 seconds
......@@ -11,8 +11,10 @@ There is a `docker-compose.yml` file included that starts up the runner. The
registration of the runner will be done automatically, but you need to modify
the file to specify some parameters:
* `<token>` - The gitlab registration token (you can find it in the admin pannel
* `<shared-token>` - The gitlab registration token (you can find it in the admin pannel
under runners)
* `<docker-token>` - The gitlab registration token for the dedicated docker
image runner. This token should come from a project or group.
* `<arch>` - The architecture for this runner (used as a description and tag).
Then run `docker-compose up -d` and the runner should be running.
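Review bot: the rewritten `<shared-token>` bullet keeps the `pannel` misspelling from the line it replaces; write `admin panel`. More importantly, the README does not tell projects how to reach either runner now that both are registered with `--run-untagged="false"`: a job must carry the `ci-build` tag to land on the shared runner and `ci-docker-image` to land on the one that mounts the docker socket, and only projects under the group or project the `<docker-token>` came from can use the latter. Add a sentence after the token bullets, e.g. "Jobs must be tagged `ci-build` (shared runner) or `ci-docker-image` (docker image runner, trusted projects only)", and change "the runner should be running" to "both runners should be running".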
......@@ -9,5 +9,6 @@ services:
- /srv/gitlab-runner/home:/home/gitlab-runner
- /var/run/docker.sock:/var/run/docker.sock
environment:
GITLAB_REGISTRATION_TOKEN: <token>
GITLAB_REGISTRATION_TOKEN_SHARED: <shared-token>
GITLAB_REGISTRATION_TOKEN_DOCKER: <docker-token>
ARCH: <arch>
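Review bot: `GITLAB_REGISTRATION_TOKEN_SHARED` and `GITLAB_REGISTRATION_TOKEN_DOCKER` are two secrets in plain text in a checked-in file the README asks the operator to edit in place, and the docker token is the one that lets someone register a runner which receives `/var/run/docker.sock`. Consider loading both from an `env_file` that stays out of the repository so `docker-compose.yml` only carries the placeholders. Note also that the runner container itself still mounts the host socket (the `/var/run/docker.sock:/var/run/docker.sock` volume just above); the docker executor needs it, but it means the split protects against a hostile job, not against a compromise of the runner process itself.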
#!/bin/sh
if [ ! -f /etc/gitlab-runner/config.toml ]; then
if [ -z "$GITLAB_REGISTRATION_TOKEN" ] || [ "$GITLAB_REGISTRATION_TOKEN" = '<token>' ]; then
if [ -z "$GITLAB_REGISTRATION_TOKEN_SHARED" ] || [ "$GITLAB_REGISTRATION_TOKEN_SHARED" = '<token>' ]; then
echo "Runner is not configured. Please provide 'GITLAB_REGISTRATION_TOKEN'"
exit 1
fi
......
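Review bot: the placeholder check on the new `GITLAB_REGISTRATION_TOKEN_SHARED` line still compares against the literal `'<token>'`, but `docker-compose.yml` now ships the placeholder `<shared-token>`, so an unedited compose file passes this guard and only fails later inside `gitlab-runner register` with a rejected token. Compare against `'<shared-token>'`, fix the error message (it still names `GITLAB_REGISTRATION_TOKEN`), and add the same guard for `GITLAB_REGISTRATION_TOKEN_DOCKER` against `'<docker-token>'`, since register.sh uses that variable unconditionally.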
......@@ -2,22 +2,39 @@
echo "-> Registering runner $ARCH"
success=1
gitlab-runner register \
--non-interactive \
--url "https://gitlab.alpinelinux.org/" \
--registration-token "$GITLAB_REGISTRATION_TOKEN" \
--registration-token "$GITLAB_REGISTRATION_TOKEN_SHARED" \
--executor "docker" \
--docker-image alpine:latest \
--description "docker-runner ($ARCH)" \
--tag-list "docker-alpine,$ARCH" \
--run-untagged="true" \
--tag-list "docker-alpine,$ARCH,ci-build" \
--run-untagged="false" \
--locked="false" \
--access-level="not_protected" \
--limit=2 \
--output-limit=102400 \
--docker-helper-image alpinelinux/gitlab-runner-helper:latest || success=0;
gitlab-runner register \
--non-interactive \
--url "https://gitlab.alpinelinux.org/" \
--registration-token "$GITLAB_REGISTRATION_TOKEN_DOCKER" \
--executor "docker" \
--docker-image alpine:latest \
--description "docker-runner-docker ($ARCH)" \
--tag-list "docker-alpine,$ARCH,ci-docker-image" \
--run-untagged="false" \
--locked="true" \
--access-level="not_protected" \
--limit=1 \
--docker-helper-image alpinelinux/gitlab-runner-helper:latest \
--docker-volumes /var/run/docker.sock:/var/run/docker.sock
--docker-volumes /var/run/docker.sock:/var/run/docker.sock || success=0;
status=$?
if [ $status -eq 0 ]; then
if [ $success -eq 1 ]; then
echo "-> Registration success"
else
echo "-> Something went wrong"
......
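Review bot: the runner that receives `/var/run/docker.sock` (the second `gitlab-runner register`, tagged `ci-docker-image`) is registered with `--access-level="not_protected"`, so any branch of the trusted project, not only protected refs, can run a job on it and with it gain control of the host's docker engine. Since the commit message says this runner is meant for trusted projects only, `--access-level="ref_protected"` would further restrict it to protected branches and tags; together with the `--locked="true"` already set that is the remaining GitLab-side control. Two smaller points: `--output-limit=102400` is only passed for the first runner, and the single `success` flag collapses both registrations into one result, so "Something went wrong" cannot say which of the two failed; echo the failing runner's description in each `|| success=0` branch.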