GitLab/Gitlab Runner/Trusted Runners: Difference between revisions

imported>Jelto
(add details about Trusted Runners)
Trusted GitLab Runners offer CI with additional security and trust requirements. In contrast to the [[GitLab/Gitlab Runner/Shared Runners|Shared Runners]], which run in WMCS, Trusted Runners live inside WMF infrastructure. With this approach, the SRE team has full control over the instance and over who has access. Furthermore, customization such as scaling, additional disks and NICs can be done outside the bounds of WMCS. Besides that, [[GitLab/Gitlab Runner/Shared Runners|Shared Runners]] and Trusted Runners use the same puppet code (<code>role(gitlab_runner)</code>) with slightly different hiera configuration.
 
The current Trusted Runner cluster consists of two Ganeti VMs:
 
* <code>gitlab-runner1001.eqiad.wmnet</code>
* <code>gitlab-runner2001.codfw.wmnet</code>
 
With increased usage, these VMs may be replaced by hosts in the future.
 
==== Request access to Trusted Runners ====
[[File:GitLab Runner permission model.png|thumb|409x409px]]Access to these Runners is gated and restricted. No project has access to Trusted Runners by default; access has to be requested per project. Please use the following Phabricator task template to create an access request: [https://phabricator.wikimedia.org Task Template]
 
Please make sure to check your project settings, especially who has maintainer permissions. You also must protect your main branch. As described in the [[GitLab/Gitlab Runner/Security Evaluation|Security Evaluation]], maintainer permissions ("merge", "+2") are needed to execute jobs on the Trusted Runners. Conversely, this also means that everyone with maintainer permissions can execute such jobs.
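The two checks above (main branch protected at Maintainer level, and a reviewed list of who holds Maintainer or higher and can therefore run Trusted Runner jobs) can be automated against the GitLab REST API. The script below is an added example for this page, not part of WMF's puppet code or GitLab tooling; it assumes the standard <code>/projects/:id/protected_branches</code> and <code>/projects/:id/members/all</code> endpoints and GitLab's numeric access levels, and the sample payloads in it are constructed.

```python
"""Audit a GitLab project before requesting Trusted Runner access.

Added example, not WMF's puppet or GitLab tooling. It checks that the main
branch is protected at Maintainer level and lists who can run trusted jobs.
Input: JSON from GET /projects/:id/protected_branches and
GET /projects/:id/members/all; the sample payloads below are constructed.
"""
import json
import urllib.request
from typing import Any

MAINTAINER = 40  # GitLab access levels: 30 Developer, 40 Maintainer, 50 Owner


def fetch_json(base_url: str, path: str, token: str) -> Any:
    """Call the GitLab API (base_url like https://gitlab.example.org/api/v4)."""
    req = urllib.request.Request(f"{base_url}{path}", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_project(protected: list[dict[str, Any]], members: list[dict[str, Any]],
                  main_branch: str = "main") -> dict[str, Any]:
    """Report rules on main weaker than Maintainer and who can run trusted jobs."""
    findings: dict[str, Any] = {"main_protected": False, "weak_rules": [], "can_run_jobs": []}
    for branch in protected:
        if branch.get("name") != main_branch:
            continue
        findings["main_protected"] = True
        for kind in ("push_access_levels", "merge_access_levels"):
            for rule in branch.get(kind, []):
                level = rule.get("access_level", 0)
                # 0 means "No one", which is stricter than Maintainer, not weaker.
                if 0 < level < MAINTAINER:
                    findings["weak_rules"].append((kind, rule.get("access_level_description", str(level))))
    # Per the Security Evaluation, Maintainer ("merge", "+2") is what lets a user run Trusted Runner jobs.
    findings["can_run_jobs"] = sorted(m["username"] for m in members if m.get("access_level", 0) >= MAINTAINER)
    return findings


# Constructed sample payloads in the shape of the two API responses.
SAMPLE_PROTECTED = [{"name": "main",
                     "push_access_levels": [{"access_level": 0, "access_level_description": "No one"}],
                     "merge_access_levels": [{"access_level": 30, "access_level_description": "Developers + Maintainers"}]}]
SAMPLE_MEMBERS = [{"username": "alice", "access_level": 50},
                  {"username": "bob", "access_level": 40},
                  {"username": "carol", "access_level": 30}]

if __name__ == "__main__":
    print(json.dumps(audit_project(SAMPLE_PROTECTED, SAMPLE_MEMBERS), indent=2))
```

Against a live project, replace the sample payloads with <code>fetch_json(...)</code> calls using a read-only personal access token; a non-empty <code>weak_rules</code> list means developers without "+2" can land code that the Trusted Runner would execute.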
 
==== Using Trusted Runners ====
 
==== Monitoring ====
Trusted Runners export Prometheus metrics. Dashboards are available in Grafana: [https://grafana.wikimedia.org/d/Chb-gC07k/gitlab-ci-overview gitlab-ci-overview] and [https://grafana.wikimedia.org/d/H6fikj0nk/gitlab-runner-detail?orgId=1&refresh=30s gitlab-runner-detail]
 
==== Further Reading ====
Related task: [[phab:T295481|T295481]]

Revision as of 10:12, 8 March 2022
