You are browsing a read-only backup copy of Wikitech. The primary site can be found at

GitLab/Gitlab Runner/Trusted Runners

From Wikitech-static
< GitLab‎ | Gitlab Runner
Revision as of 10:12, 8 March 2022 by imported>Jelto (add details about Trusted Runners)
Jump to navigation Jump to search

Trusted GitLab Runners offer CI with additional security and trust requirements. In contrast to the Shared Runners, which run in WMCS, Trusted Runners live inside WMF infrastructure. With this approach, SRE team has full control over the instance and who has access. Furthermore customization, like scaling, other disks and NICs can be done outside of the bounds of WMCS. Beside that, Shared Runners and Trusted Runners use the same puppet code (role(gitlab_runner)) with slightly different hiera configuration.

The current Trusted Runner cluster consist of two Ganeti VMS:

  • gitlab-runner1001.eqiad.wmnet
  • gitlab-runner2001.codfw.wmnet

With increased usage this VMs may be replaced by hosts in the future.

Request access to Trusted Runners

Access to this Runners is gated and restricted. No project has access to Trusted Runners by default. Access has to be requested on project basis. Please use the following Phabricator task template to create a access request: Task Template

Please make sure to check your project settings and especially who has maintainer permissions. You also must protect your main branch. As described in the Security Evaluation maintainer permissions ("merge", "+2") are needed to execute jobs on the Trusted Runners. Reversely this also means everyone with maintainer permissions can execute such jobs.

Using Trusted Runners


Trusted Runners export Prometheus metrics. Dashboards are available in Grafana: gitlab-ci-overview and gitlab-runner-detail

Further Read

Related task: T295481