PumpkinSeed

Reputation: 3113

Change Gitlab CI Runner user

Currently, when I start a build in GitLab CI, it runs under the gitlab-runner user. I want to change it to the company's internal user. I didn't find any parameter for /etc/gitlab-runner/config.toml which solves that.

My current configuration:

concurrent = 1
[[runners]]
  name = "deploy"
  url = ""
  token = ""
  executor = "shell"

Upvotes: 59

Views: 131023

Answers (8)

mvanle

Reputation: 2005

You can try a sudo workaround.

/etc/sudoers.d/gitlab-runner:

gitlab-runner  ALL=(my_user)  NOPASSWD: ALL

.gitlab-ci.yml:

my_job:
  stage: my_stage
  script: sudo -u my_user my_script

Upvotes: -1
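A narrower form of the sudo workaround above, as an added example that is not part of the original answer: the workaround is meant to give gitlab-runner every command as my_user, while this builds a rule for one absolute script path, refuses wildcards, and syntax-checks the file with visudo before installing it. The function names and the script path used with them are assumptions.

```shell
#!/bin/sh
# Added example: build a sudoers rule that lets the CI account run exactly
# one script as the target user. Function names and paths are assumptions.

# make_ci_sudo_rule RUNNER_USER TARGET_USER SCRIPT_PATH
# Prints the rule, or returns 1 when the command spec would be too broad.
make_ci_sudo_rule() {
    runner=$1 target=$2 cmd=$3
    [ -n "$runner" ] && [ -n "$target" ] || return 1
    case $runner$target in
        *[!A-Za-z0-9_-]*) return 1 ;;        # plain account names only
    esac
    case $cmd in
        ALL|*\**|*\?*|*\[*|*' '*) return 1 ;; # no ALL, wildcards or arguments
        /*) ;;                                # sudoers needs an absolute path
        *) return 1 ;;
    esac
    # The trailing "" means the script may only be run without arguments.
    printf '%s ALL=(%s) NOPASSWD: %s ""\n' "$runner" "$target" "$cmd"
}

# install_ci_sudo_rule RULE FILE
# Validates the rule with visudo before it can reach /etc/sudoers.d.
install_ci_sudo_rule() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    visudo -cf "$tmp" >/dev/null &&
        install -o root -g root -m 0440 "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root):
#   rule=$(make_ci_sudo_rule gitlab-runner my_user /usr/local/bin/my_script) &&
#       install_ci_sudo_rule "$rule" /etc/sudoers.d/gitlab-runner
```

With a rule like this, a job that is changed to call anything other than the named script fails at sudo instead of running as my_user.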

Thomas Decaux

Reputation: 22671

Running ps aux | grep gitlab you can see:

/usr/bin/gitlab-ci-multi-runner run --working-directory /home/gitlab-runner --config /etc/gitlab-runner/config.toml --service gitlab-runner --syslog --user gitlab-runner

The service is running with the --user option.

So let's change this. It depends on which distro you are running. If it uses systemd, there is a file:

/etc/systemd/system/gitlab-runner.service:

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/bin/gitlab-ci-multi-runner "run" "--working-directory" "/home/gitlab-runner" "--config" "/etc/gitlab-runner/config.toml" "--se

Bingo, let's change this file now:

gitlab-runner uninstall

gitlab-runner install --working-directory /home/ubuntu --user ubuntu

Reboot the machine or reload the service (i.e. systemctl daemon-reload), et voilà!

Upvotes: 99

allofmex

Reputation: 597

Here is an example for a Docker gitlab-runner:

Build your own runner image based on a Dockerfile with the following content:

FROM gitlab/gitlab-runner
# add new user (if needed)
RUN useradd -u 998 gitlab-www && mkdir /home/gitlab-www && \
    chown gitlab-www /home/gitlab-www && chmod u+rwx /home/gitlab-www
# need to replace entrypoint to force new created user over gitlab-runner
ENTRYPOINT /usr/bin/dumb-init /entrypoint run --user=gitlab-www --working-directory=/home/gitlab-www

(update -u 998 and gitlab-www as you need)

.gitlab-ci.yml scripts are running as user gitlab-www now. If this user has the same uid as the host mounts, you are also able to deploy directly to host folders.

Upvotes: 0

Jananath Banuka

Reputation: 3873

Once the gitlab-runner is registered (yes, it will be installed under the user gitlab-runner and working directory /home/gitlab-runner), you can execute the following to change the runner's user:

gitlab-runner uninstall
gitlab-runner install --working-directory <existing-path> --user <any-existing-user>

# eg: gitlab-runner install --working-directory /home/ec2-user --user ec2-user

Then restart the service:

service gitlab-runner restart

NOTE: You don't need to edit /etc/systemd/system/gitlab-runner.service for this, as it is updated once the service is restarted as above.

To check whether the configuration is reflected, run:

ps aux | grep gitlab

Upvotes: 13

abanman

Reputation: 1

For recent versions of gitlab-runner, you should modify the system arguments in the /etc/default/gitlab-runner file.

Upvotes: 0

PumpkinSeed

Reputation: 3113

[DEPRECATED ANSWER]

I found a solution, which is not best practice but solved it. I need to use the ssh executor and ssh to localhost. It is required to add gitlab-runner's id_rsa.pub to the authorized_keys of the user you want to use. Here is my extended code:

concurrent = 1

[[runners]]
  name = "deploy"
  url = ""
  token = ""
  executor = "ssh"
  [runners.ssh]
    user = "user"
    host = "localhost"
    port = "22"
    identity_file = "/home/gitlab-runner/.ssh/id_rsa"

Upvotes: 2

rptmat57

Reputation: 3787

Note that when installing with a specific user (--user), whenever you update, it will revert back to the original systemd script and so go back to using the gitlab-runner user.

In order to keep the user change across updates using systemd overrides (CentOS 7), you can use these steps (assuming the service is at /etc/systemd/system/gitlab-runner.service):

  1. Create a /etc/systemd/system/gitlab-runner.service.d directory.
  2. Create a /etc/systemd/system/gitlab-runner.service.d/exec_start.conf file, with content:

    [Service]
    ExecStart=
    ExecStart=/usr/lib/gitlab-runner/gitlab-runner "run" "--working-directory" "/home/ubuntu" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--syslog" "--user" "ubuntu"
    
  3. Execute systemctl daemon-reload


Now to check this is working, you can do this:

  1. Reinstall the GitLab Runner package: gitlab-runner uninstall and then gitlab-runner install

  2. Check ps aux | grep gitlab and confirm the right user is being used

Source: https://gitlab.com/gitlab-org/gitlab-runner/issues/3675

Upvotes: 18
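The check that several answers above end with (ps aux | grep gitlab), as an added example rather than code from any of the posts: it extracts the --user value from the runner's command line in the three spellings that appear on this page, so a script can assert the job account after every package update. The function names are assumptions.

```shell
#!/bin/sh
# Added example: confirm which account the runner executes jobs as, instead
# of reading `ps aux | grep gitlab` by eye. Function names are assumptions.

# runner_user_from_cmdline "CMDLINE"
# Prints the value of --user from a gitlab-runner command line. Accepts
#   --user NAME, --user=NAME and the quoted systemd form "--user" "NAME".
# Prints nothing when the option is absent (for example a truncated line).
runner_user_from_cmdline() {
    printf '%s\n' "$1" | tr -d '"' | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "--user" && i < NF) { print $(i + 1); exit }
            if (index($i, "--user=") == 1) { print substr($i, 8); exit }
        }
    }'
}

# check_runner_user EXPECTED "CMDLINE"
# Returns 0 when jobs run as EXPECTED, 1 when they run as another account,
# 2 when the command line carries no --user option at all.
check_runner_user() {
    actual=$(runner_user_from_cmdline "$2")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$1" ]
}

# live_runner_cmdline
# Prints the argument list of the running runner process, if there is one.
live_runner_cmdline() {
    ps -eo args= | grep -E '(^|/)gitlab-(ci-multi-)?runner( |$)' | head -n 1
}

# Usage on the runner host:
#   check_runner_user ubuntu "$(live_runner_cmdline)" || echo "runner user drifted"
```

Run from cron or a post-upgrade hook, a non-zero result shows that the unit file was regenerated and jobs are back on the default account.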

SomeOne_01

Reputation: 1

Just for future reference, I was doing a test with a cloned version of my setup. If the domain name is not pointing to the server you are working with, GitLab might consider your runners offline. If you have another (copied) instance running at the IP the domain is pointing at and there is no firewall blocking, the gitlab-runner verify command will say your runners are alive.

A solution could be adding your domain pointing to 127.0.0.1 to your hosts file. You'll have to restart your GitLab instance and runners.

Upvotes: 0
