Install gitlab runner

Once we have a gitlab server, we would like our pipelines to run in a local runner.
The easiest way is to use the gitlab provided image to run a gitlab runner on our docker instance.
Therefore follow the instructions below:

Log on to the docker machine.

Copy the certificate of the gitlab server to the trusted certificate store on the docker host.
The docker clients read the host's certificates, so for the gitlab runner the certificate is valid.

Prepare image

First get the gitlab-runner image into our local registry, to be independent of the internet connection.

docker pull gitlab/gitlab-runner
docker tag gitlab/gitlab-runner localhost:5000/gitlab-runner:latest
docker push localhost:5000/gitlab-runner:latest

Now we have a gitlab-runner image locally in our own registry.

Now let's create a directory structure to hold the image definition in.

.
|-- compose.yaml
`-- config
    |-- ansible.cfg
    |-- certs
    |   `-- ca.crt
    |-- config.toml
    |-- hosts
    `-- registry.conf

We will go over the files in here in detail.

compose.yaml

In this file, you will see a lot of things returning that we discussed in previous chapters.

services:
  gitlab-runner-container:
    image: localhost:5000/gitlab-runner:latest
    container_name: gitlab-runner
    restart: always
    volumes:
      - ./config/:/etc/gitlab-runner/
      - /var/run/docker.sock:/var/run/docker.sock
      # hosts file for names that are not in DNS (see the description below)
      - ./config/hosts:/etc/hosts
      - ./config/registry.conf:/etc/containers/registries.conf.d/registry.conf

In the volumes section, we find the following entries:

  • /var/run/docker.sock:/var/run/docker.sock
    This volume mapping gives the runner access to the docker installation on the host, so it can start new containers to run pipelines in. Keep in mind that whoever can talk to this socket controls the docker daemon on the host, so every pipeline job that runs on this runner effectively has root on the docker host.
  • ./config/hosts:/etc/hosts
    Adds a hosts file to the gitlab runner to translate hostnames to ip addresses that are not in DNS.
  • ./config/registry.conf:/etc/containers/registries.conf.d/registry.conf
    The configuration file for the local registry (insecure), so you can pull images from your local registry by hostname.

config/ansible.cfg

As discussed in chapter 'create_docker_images', we map the ansible.cfg into the image through a hardlink; the source of this file is located in the ansible directory next to this directory.

[galaxy]
server_list = community_repo, rh-certified_repo,published_repo
validate_certs=false
ignore_certs=true
galaxy_ignore_certs=true

[galaxy_server.community_repo]
url=https://<rhaap_url>/api/galaxy/content/community
token=<token>

[galaxy_server.rh-certified_repo]
url=https://<rhaap_url>/api/galaxy/content/rh-certified
token=<token>

[galaxy_server.published_repo]
url=https://<rhaap_url>/api/galaxy
token=<token>

config/certs/ca.crt

This is the ca.crt file that belongs to your own certificate authority server.
Again, this is a hardlink, so we have only 1 instance of this file.

config/config.toml

This file tells the runner where gitlab is, what its security token is and how to behave on the local system.

concurrent = 5
check_interval = 0
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "Global runner"
  url = "https://git-test.homelab/"
  id = 0
  token = "<gitlab-token>"
  token_obtained_at = 0001-01-01T00:00:00Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "docker"
  [runners.cache]
    MaxUploadedArchiveSize = 0
  [runners.docker]
    tls_verify = false
    image = "gitlab-runner-image:latest"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    shm_size = 0
    network_mtu = 0

The gitlab token must be generated on your gitlab server: go to the admin area and create a new instance runner to obtain a token to place in this file.
If there is no token, the runner cannot log in to gitlab and will not function properly.

config/registry.conf

This file tells the gitlab runner that the (local) registry hosted on the docker host is an insecure registry, so it must pull images with the http protocol.
This avoids a lot of unneeded configuration in a homelab.

[[registry]]
location = "docker.homelab:5000"
insecure = true

To ensure the creation of containers with docker compose runs without problems, do the same for docker itself, but now add the insecure registry to the docker daemon configuration in /etc/docker/daemon.json:

{
    "insecure-registries" : [ "docker.homelab:5000" ],
    "min-api-version" : "1.43"
}

The line min-api-version fixes an api version mismatch for gitlab runner and support scripts.

certificate trust

To prevent certificate errors when running the gitlab runner (on self hosted installs of gitlab), you must add the gitlab certificate to the docker machine. To do this on Red Hat:

  • copy the gitlab certificate file (/etc/gitlab/ssl/.crt)
  • to the docker server (/etc/pki/ca-trust/source/anchors/)
  • run sudo update-ca-trust

Start your engines

As the file we created is a compose.yaml file, we need the docker compose command to build and start the runner.

docker compose up -d

This should start the runner. You can check in gitlab if the runner is online, or use the command:

docker logs gitlab-runner

In these logs you can see whether the runner has started and whether the login succeeded; if not, the error is here too.

Then log in to your gitlab server and check in the admin area if the runner is online.
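As an added example (not from the original page), the following function triages docker logs gitlab-runner output and maps the error signatures this page discusses to the fix described for them. The sample lines are constructed in the shape gitlab-runner writes; they are not captured output from this setup.

```python
import re

# Constructed sample in the shape gitlab-runner writes; these are not lines
# captured from the page's setup.
SAMPLE_LOGS = """\
Runtime platform                                    arch=amd64 os=linux pid=7 version=16.11.0
Configuration loaded                                builds=0 max_builds=5
WARNING: Checking for jobs... failed                runner=abc123 status=couldn't execute POST against https://git-test.homelab/api/v4/jobs/request: x509: certificate signed by unknown authority
ERROR: Checking for jobs... forbidden               runner=abc123 status=POST https://git-test.homelab/api/v4/jobs/request: 403 Forbidden
ERROR: Job failed: error running container: did not get container start message from parent: ...
Checking for jobs... received                       job=42 repo_url=https://git-test.homelab/home/demo.git runner=abc123
"""

# Each signature is paired with the fix this page gives for it.
SIGNATURES = [
    (r"x509: certificate signed by unknown authority",
     "CA not trusted: put the gitlab CA in config/certs/ca.crt and the host trust store"),
    (r"forbidden|\b40[13]\b",
     "runner token rejected: create a new instance runner token in the admin area"),
    (r"did not get container start message from parent",
     "container start failed: see Issues, move the lxc from the SDN to a physical network"),
]


def triage(log_text: str) -> tuple[str, list[str]]:
    """Return (status, diagnoses); status is 'ok', 'no-jobs' or 'degraded'."""
    diagnoses = []
    received_job = False
    for line in log_text.splitlines():
        if "Checking for jobs... received" in line:
            received_job = True  # the runner is registered and picking up jobs
        if not line.startswith(("WARNING:", "ERROR:")):
            continue
        for pattern, advice in SIGNATURES:
            if re.search(pattern, line, re.IGNORECASE):
                diagnoses.append(advice)
                break
    if diagnoses:
        return "degraded", diagnoses
    return ("ok" if received_job else "no-jobs"), diagnoses


if __name__ == "__main__":
    status, notes = triage(SAMPLE_LOGS)
    print(status, *notes, sep="\n")
```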

Issues

As outlined in the description of the docker lxc container, there can be an issue with the runner in this configuration. When the lxc container is created on an SDN network, you can come across the message "error running container: did not get container start message from parent:" during an image build through the gitlab-runner pipeline. The fix for this is to change the network for the lxc from an SDN to a physical network.