riemers/ansible-gitlab-runner

Running Gitlab-Runner with a different user

coofercat opened this issue · 4 comments

[This isn't so much an issue as it's documentation for anyone else stumbling over this problem]

In my use-case, I need to run the Gitlab Runner as a corporate user (instead of the more usual gitlab-runner user that is created by the installation package). I looked into the vars settings in the Ansible role, but this turns out not to be the way to solve this (or at least, I don't think it is).

Instead, I created a gitlab-runner-post role, in which I make a Systemd directory if it doesn't exist, and then write in an alternative ExecStart= override 'stub' to run as my chosen user. I broadly speaking followed this advice: https://stackoverflow.com/a/54831977/917444

The Ansible is this:

- name: Make a systemd override directory
  file:
    path: /etc/systemd/system/gitlab-runner.service.d
    owner: root
    group: root
    mode: "0755"
    state: directory

- name: Tell Systemd to start the runner as the robouser
  template:
    src: gitlab-runner-service.j2
    dest: /etc/systemd/system/gitlab-runner.service.d/exec_start.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - daemon reload
    - restart gitlab-runner

The template I put into Systemd is:

[Service]
StartLimitInterval=5
StartLimitBurst=10
# The empty assignment clears the ExecStart= inherited from the packaged unit;
# without it systemd sees two ExecStart= lines and refuses to start the service.
ExecStart=
# Jinja2 variable names cannot contain hyphens ({{ gitlab-runner-user }} parses as a
# subtraction), so the variable is written with underscores here; gitlab_runner_user
# is assumed to be set in the role's vars.
ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" "/home/{{ gitlab_runner_user }}" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--user" "{{ gitlab_runner_user }}"

(I copied this from the actual systemd service unit file, but note that I added ExecStart=)

FWIW, my 'post' role also includes writing out some scripts for additional monitoring and whatnot, but the main thing here is that Gitlab's runner process starts as root, but the executors run as the corporate user instead of the default one.
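The drop-in above only works because of systemd's list semantics for ExecStart=: an empty assignment resets the list inherited from the packaged unit, and the next ExecStart= then becomes the only command. The following script is an added example (not code from this issue or from the ansible-gitlab-runner role) that models that merge over constructed unit text and reports which --user the runner would hand to its executors; `robouser` stands in for the corporate user, and the base unit is a trimmed stand-in for the packaged one.

```python
import shlex
from typing import List, Optional

# Constructed stand-ins: a trimmed packaged unit, a correct drop-in like the
# one in the issue, and a drop-in that forgets the resetting ExecStart= line.
BASE_UNIT = """[Service]
User=root
ExecStart=/usr/bin/gitlab-runner "run" "--user" "gitlab-runner"
"""
OVERRIDE_OK = """[Service]
ExecStart=
ExecStart=/usr/bin/gitlab-runner "run" "--user" "robouser"
"""
OVERRIDE_MISSING_RESET = """[Service]
ExecStart=/usr/bin/gitlab-runner "run" "--user" "robouser"
"""


def merge_exec_start(*unit_texts: str) -> List[List[str]]:
    """Apply systemd's ExecStart= semantics across files in load order.

    An empty assignment resets the list; any other assignment appends.
    Only keys inside a [Service] section are considered.
    """
    exec_start: List[List[str]] = []
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section != "Service" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key != "ExecStart":
                continue
            if value == "":
                exec_start = []  # the reset line from the drop-in
            else:
                exec_start.append(shlex.split(value))
    return exec_start


def effective_runner_user(*unit_texts: str) -> Optional[str]:
    """Return the --user argument of the merged command, or None when the
    merged unit is invalid (no command, or several ExecStart= entries,
    which systemd rejects for a Type=simple service)."""
    cmds = merge_exec_start(*unit_texts)
    if len(cmds) != 1:
        return None
    argv = cmds[0]
    for i, arg in enumerate(argv[:-1]):
        if arg == "--user":
            return argv[i + 1]
    return None
```

Feeding the packaged unit followed by the drop-in yields `robouser`; the variant without the reset line yields no valid command, which is the failure you would otherwise only see in `journalctl` after the restart handler runs.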

If you want people to stumble upon it, you could just add a section to the readme, with a link to Stack Overflow. That way, if this ticket auto-closes, it still remains 'documented'.

Seems this message did not get a lot of love. This does not mean it was not seen, but time-wise it might not have made it to proper attention. This is just the clean-up action ;)

@coofercat Could you add this to the readme?

Hmm... my method seems very much to be a workaround rather than a solution, but I've added a small section to the Readme as you suggest. #297