Gitlab runner

TODO

  1. TL;DR
  2. Pull images from private AWS ECR registries
  3. Autoscaling
    1. Docker Machine
  4. Further readings
    1. Sources

TL;DR

Installation
brew install 'gitlab-runner'
dnf install 'gitlab-runner'
docker pull 'gitlab/gitlab-runner'
helm --namespace 'gitlab' upgrade --install --create-namespace --version '0.64.1' --repo 'https://charts.gitlab.io' \
  'gitlab-runner' -f 'values.gitlab-runner.yml' 'gitlab-runner'
Usage
docker run --rm --name 'runner' 'gitlab/gitlab-runner:alpine-v13.6.0' --version

# `gitlab-runner exec` is deprecated and has been removed in 17.0. ┌П┐(ಠ_ಠ) Gitlab.
# See https://docs.gitlab.com/16.11/runner/commands/#gitlab-runner-exec-deprecated.
gitlab-runner exec docker 'job-name'
gitlab-runner exec docker \
  --env 'AWS_ACCESS_KEY_ID=AKIA…' --env 'AWS_SECRET_ACCESS_KEY=F…s' --env 'AWS_REGION=eu-east-1' \
  --env 'DOCKER_AUTH_CONFIG={ "credsStore": "ecr-login" }' \
  --docker-volumes "$HOME/.aws/credentials:/root/.aws/credentials:ro" \
  'job-requiring-ecr-access'

Pull images from private AWS ECR registries

  1. Create an IAM Role in one's AWS account and attach the arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly IAM policy to it.

  2. Create an InstanceProfile using the above IAM Role.

  3. Create an EC2 Instance.
    Make it use the above InstanceProfile.

  4. Install the Docker Engine and the Gitlab runner on the EC2 Instance.

  5. Install the Amazon ECR Docker Credential Helper.

  6. Configure an AWS Region in /root/.aws/config:

    [default]
    region = eu-west-1
    
  7. Create the /root/.docker/config.json file and add the following line to it:

     {
       …
    + "credsStore": "ecr-login"
     }
    
  8. Configure the runner to use the docker or docker+machine executor.

    [[runners]]
    executor = "docker"   # or "docker+machine"
    
  9. Configure the runner to use the ECR Credential Helper:

    [[runners]]
      # `environment` is a key of the [[runners]] table, so it must come before [runners.docker].
      environment = [ 'DOCKER_AUTH_CONFIG={"credsStore":"ecr-login"}' ]
      [runners.docker]
    
  10. Configure jobs to use images saved in private AWS ECR registries:

    phpunit:
      stage: testing
      image:
        name: 123456789123.dkr.ecr.eu-west-1.amazonaws.com/php-gitlabrunner:latest
        entrypoint: [""]
      script:
        - php ./vendor/bin/phpunit --coverage-text --colors=never
    

The GitLab runner should now automatically authenticate to one's private ECR registry.
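
A preflight check for the runner host covering steps 5 to 9, as an added example that is not part of the original page. Function names are hypothetical, the three file paths are passed as arguments, and the last check (no static AWS secret key in the runner configuration) is an added assumption that follows from relying on the instance profile.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for steps 5-9. Function names are hypothetical.

# Step 5: the credential helper binary must be on the runner's PATH.
helper_installed() { command -v docker-credential-ecr-login >/dev/null 2>&1; }

# Step 6: the AWS config file sets a region in its [default] profile.
aws_region_configured() {
  [ -r "$1" ] || return 1
  sed -n '/^\[default\]/,/^\[/p' "$1" |
    grep -Eq '^[[:space:]]*region[[:space:]]*=[[:space:]]*[a-z0-9-]+'
}

# Step 7: the Docker client config hands credential lookups to ecr-login.
docker_config_uses_ecr_login() {
  [ -r "$1" ] || return 1
  # Strip whitespace so pretty-printed and compact JSON both match.
  tr -d '[:space:]' < "$1" | grep -q '"credsStore":"ecr-login"'
}

# Steps 8-9: config.toml selects a Docker executor and sets DOCKER_AUTH_CONFIG.
runner_config_uses_ecr_login() {
  [ -r "$1" ] || return 1
  grep -Eq '^[[:space:]]*executor[[:space:]]*=[[:space:]]*"docker(\+machine)?"' "$1" || return 1
  # Strip whitespace and TOML escape backslashes before matching the JSON value.
  tr -d '[:space:]\\' < "$1" | grep -q 'DOCKER_AUTH_CONFIG={"credsStore":"ecr-login"}'
}

# Added hardening check (assumption): with an instance profile in place,
# no long-lived AWS secret key should appear in the runner configuration.
no_static_aws_keys() { ! grep -q 'AWS_SECRET_ACCESS_KEY' "$1" 2>/dev/null; }

# Run every check, print each failure, and return non-zero if any failed.
preflight() {
  local aws_cfg="$1" docker_cfg="$2" runner_cfg="$3" failed=0
  helper_installed || { echo 'FAIL: docker-credential-ecr-login not on PATH'; failed=1; }
  aws_region_configured "$aws_cfg" || { echo "FAIL: no default region in $aws_cfg"; failed=1; }
  docker_config_uses_ecr_login "$docker_cfg" || { echo "FAIL: credsStore is not ecr-login in $docker_cfg"; failed=1; }
  runner_config_uses_ecr_login "$runner_cfg" || { echo "FAIL: executor or DOCKER_AUTH_CONFIG missing in $runner_cfg"; failed=1; }
  no_static_aws_keys "$runner_cfg" || { echo "FAIL: static AWS secret key in $runner_cfg"; failed=1; }
  return "$failed"
}

# Usage: preflight.sh <aws-config> <docker-config.json> <runner-config.toml>
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

On the host from the steps above the first two arguments are `/root/.aws/config` and `/root/.docker/config.json`; the third is the runner's `config.toml`, assumed here to be at the default `/etc/gitlab-runner/config.toml` for a runner executed as root.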

Autoscaling

Docker Machine

A runner like any other, just configured to use the docker+machine executor.

Supported cloud providers.

Pitfalls:

Further readings

Sources