GitLab/Gitlab Runner/Shared Runners

From Wikitech
Jump to navigation Jump to search

Current Gitlab Runner setup (T287279)

We're currently relying on WMCS VPSs for shared runner capacity. There is a project named gitlab-runners in which to provision new instances, and a profile to help provision Docker based runners on those instances. Note that a standalone puppetmaster in the same project stores the runner registration token under /etc/puppet/secret, and Puppet autosigning is turned off to protect the token value.

Setting up a new shared runner

To set up a new shared runner, following these steps.

  1. Create a new WMCS VPS instance.
    1. Log in to and navigate to the gitlab-runners project.
    2. Launch a new Debian bullseye instance, following the runner-{nnnn} naming convention.
    3. Choose the g3.cores8.ram24.disk20.ephemeral40.4xiops flavor
  2. Wait until the new instance has fully provisioned and you can successfully ssh to the running instance using your authorized key and sudo as root. (This typically takes a few minutes.)
  3. Fully configure instance with volume, profile and project puppetmaster
    1. Add the following to the instance's Hiera Config under the Puppet Configuration tab in horizon.
      profile::gitlab::runner::docker_volume: true
    2. Add role::gitlab_runner to the instance's Puppet Classes under the Puppet Configuration tab.
  4. Do the little SSL dance that is required of instances that use a standalone puppetmaster.
    1. On the new runner (runner-{nnnn}
      1. Run sudo rm -rf /var/lib/puppet/ssl to remove the existing SSL certs used by the default puppetmaster.
      2. Run sudo -i puppet agent --test --verbose --server to have the puppet client generate a new SSL cert.
    2. On sign the new instance's SSL cert.
      1. Run sudo -i puppet cert list and find the new instance in the list.
      2. Run sudo -i puppet cert sign runner-{nnnn} to sign the client cert.
  5. Run sudo -i puppet agent --test --verbose --server on the runner to ensure it has fully provisioned the role::gitlab_runner role.
  6. Verify that the runner has successfully registered with our GitLab instance by viewing the runner list.