GitLab Runner
Add runner with self-signed certificate host
SERVER=gitlab.society-lbl.com
PORT=443
CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt
# Create the certificate directory hierarchy expected by GitLab Runner
sudo mkdir -p $(dirname "$CERTIFICATE")
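# Get the certificate in PEM format and store it (this trusts whatever the server presents, so compare its fingerprint with the server's out of band)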
openssl s_client -connect ${SERVER}:${PORT} -showcerts </dev/null 2>/dev/null | sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null
# Register your runner
gitlab-runner register --tls-ca-file="$CERTIFICATE"
Allow runner to run local docker images
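Add pull_policy = "if-not-present" in [runners.docker]. Of course, this is only for the docker executor. With this policy the runner uses whatever image with that name is already on the host and does not check the registry, so every project sharing the runner can use the images cached there.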
/etc/gitlab-runner/config.toml:
[[runners]]
url = "https://gitlab.society-lbl.com"
token = "xxx"
executor = "docker"
[runners.docker]
image = "debian:latest"
privileged = false
pull_policy = "if-not-present"
Workaround when Docker jobs require loop devices and others
One solution: https://gitlab.com/gitlab-com/support-forum/issues/3732
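Another solution (a security risk if multiple projects share the same machine/runner, because a privileged container with the host's /dev mounted can access the host's devices):
/etc/gitlab-runner/config.toml: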
[[runners]]
url = "https://gitlab.society-lbl.com"
token = "xxx"
executor = "docker"
[runners.docker]
image = "debian:latest"
privileged = true
volumes = ["/dev:/dev"]
Note: privileged is set to true.
Using Podman instead of Docker
Apparently it is a work in progress, but you can try with https://der-jd.de/blog/2021/04/16/Using-podman-instead-of-docker-for-your-gitlab-runner-as-docker-executor/
/etc/gitlab-runner/config.toml:
# NOTE https://docs.gitlab.com/runner/configuration/advanced-configuration.html
[[runners]]
...
[runners.docker]
...
privileged = true # stink
volumes = ["/cache", "/run/podman/podman.sock:/var/run/podman/podman.sock"]
host = "unix:///var/run/podman/podman.sock"
However, it did not work for me to clone the project.
Issue with self-signed certificate through LFS
Git LFS relies on Go's crypto/x509 package to find certs, and extends it with support for some of Git's CA config values, specifically http.sslCAInfo/GIT_SSL_CAINFO and http.sslCAPath/GIT_SSL_CAPATH.