GitLab Runner

    Add a runner for a host with a self-signed certificate

    SERVER=gitlab.society-lbl.com
    PORT=443
    CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt
    
    # Create the certificates hierarchy expected by gitlab
    sudo mkdir -p "$(dirname "$CERTIFICATE")"
    
    # Get the certificate in PEM format and store it
    openssl s_client -connect ${SERVER}:${PORT} -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null
    
    # Register your runner
    gitlab-runner register --tls-ca-file="$CERTIFICATE"
    

    Allow runner to run local docker images

    Add pull_policy = "if-not-present" under [runners.docker]. Of course, this only applies to the docker executor.

    /etc/gitlab-runner/config.toml:

    [[runners]]
      url = "https://gitlab.society-lbl.com"
      token = "xxx"
      executor = "docker"
      [runners.docker]
        image = "debian:latest"
        privileged = false
        pull_policy = "if-not-present"
    
    

    Workaround when Docker jobs require loop devices and other devices

    One solution: https://gitlab.com/gitlab-com/support-forum/issues/3732

    Another solution (a security risk if multiple projects share the same machine/runner), in /etc/gitlab-runner/config.toml:

    [[runners]]
      url = "https://gitlab.society-lbl.com"
      token = "xxx"
      executor = "docker"
      [runners.docker]
        image = "debian:latest"
        privileged = true
        volumes = ["/dev:/dev"]
    

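    Note: privileged is set to true here, and together with the /dev:/dev volume it gives every job on this runner access to the host's devices.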

    Using Podman instead of Docker

    Apparently this is a work in progress, but you can try following https://der-jd.de/blog/2021/04/16/Using-podman-instead-of-docker-for-your-gitlab-runner-as-docker-executor/

    /etc/gitlab-runner/config.toml:

    # NOTE https://docs.gitlab.com/runner/configuration/advanced-configuration.html
    [[runners]]
      ...
      [runners.docker]
        ...
        privileged = true # stink
        volumes = ["/cache", "/run/podman/podman.sock:/var/run/podman/podman.sock"]
        host = "unix:///var/run/podman/podman.sock"
    

    However, it did not work for me to clone the project.

    Issue with self-signed certificate through LFS

    Git LFS relies on Go's crypto/x509 package to find certs, and extends it with support for some of Git's CA config values, specifically http.sslCAInfo/GIT_SSL_CAINFO and http.sslCAPath/GIT_SSL_CAPATH.

    source

    posted issue