
I am trying to debug a job on a gitlab runner. From what I understand, I need to modify the gitlab runner config in order to enable the interactive web terminal.

My current config.toml looks like:

concurrent = 1
check_interval = 0

[[runners]]
  name = "XXX"
  url = "https://URL.TO.SELF.HOSTED.GITLAB.INSTANCE"
  token = "XXX"
  executor = "docker"
  builds_dir = "/build"
  cache_dir = "/cache"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "ubuntu:18.04"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0

I understood from the documentation that I need to add a [session_server] section at the top level of the config:

[session_server]
  listen_address = "[::]:8093" #  listen on all available interfaces on port 8093
  advertise_address = "runner-host-name.tld:8093"
  session_timeout = 1800

There are 3 questions that I have:

  1. I do not understand what I should add instead of runner-host-name.tld. From the documentation, it is: "The URL that GitLab Runner will expose to GitLab to be used to access the session server". However, where can I find what URL is used?

  2. I saw here that I should specify the IP address of the running machine, not the host name. How is it different from specifying a host name? Does it affect the security in any way?

  3. In the documentation, it is also written: "The runner will create a TLS certificate automatically to have a secure connection". Should I make any additional step to secure the connection?

I would also highly appreciate it if you could recommend some books/materials to read on the topic.

Adam Marshall
desa

1 Answer

1/2: This can either be the host's IP address (you can get it with ifconfig on *nix systems) or the domain for the host. It might be the hostname (run hostname to retrieve it), but there will need to be an A record for the domain. So if your host's name is my-prod-host and your company's domain is example.com, the URL could be my-prod-host.example.com. If an A record doesn't already exist and you can't easily add one for any reason, I'd go with the IP address. The functionality is the same for either option; the link you provided suggested you can use either. It really doesn't matter which you use.

3: The TLS cert will encrypt HTTP traffic between a client and the host, but the session_server creates a web terminal that has full shell access to the host your runner is on. You'll likely want to ensure a firewall only allows those who absolutely need access to the terminal and prevents anyone else from accessing that port. Since it doesn't look like the session_server accepts credentials, it looks like that's all you can do to secure it.

Rup
Adam Marshall
    Who connects to the advertise_address URL? Executors (for example, docker containers within the docker executor, or separate machines within the docker+machine executor) or gitlab.com when trying to debug a job? – Alexander Pravdin Nov 30 '21 at 14:07
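As an added example (not part of the question, the answer, or GitLab Runner's own code), the script below reads the [session_server] table out of a config.toml like the one in the question and reports the points raised on this page: a listen_address bound to all interfaces, which needs a firewall in front of it because the web terminal gives shell access on the runner host; an advertise_address that is still a placeholder or a bare hostname without an A record; and a port mismatch between the two addresses. The TOML parsing is a simplified line-based reader written for this example, and the sample config is constructed from the question's snippet.

```python
import ipaddress
import re

# Constructed sample: the [session_server] block from the question, with the
# placeholder hostname left in so the audit has something to flag.
SAMPLE_CONFIG = """
concurrent = 1
check_interval = 0

[session_server]
  listen_address = "[::]:8093" #  listen on all available interfaces on port 8093
  advertise_address = "runner-host-name.tld:8093"
  session_timeout = 1800

[[runners]]
  name = "XXX"
  executor = "docker"
"""

# key = "string"   or   key = 123   (trailing comments are ignored)
_KEY_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*("([^"]*)"|(\d+))')


def parse_session_server(toml_text):
    """Return the keys of the [session_server] table as a dict.

    Simplified reader, not a full TOML parser: it handles the flat
    string/integer keys this table uses and stops at the next table header.
    """
    values = {}
    in_section = False
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # any table or array-of-tables header
            in_section = line.startswith("[session_server]")
            continue
        if not in_section:
            continue
        m = _KEY_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3) if m.group(3) is not None else int(m.group(4))
    return values


def split_host_port(addr):
    """Split 'host:port' or '[v6addr]:port' into (host, port); port is None if absent."""
    if addr.startswith("["):
        host, _, rest = addr[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else None
    else:
        host, sep, port = addr.rpartition(":")
        if not sep:
            host, port = addr, None
    return host, (int(port) if port and port.isdigit() else None)


def audit_session_server(toml_text):
    """Return a list of (severity, message) findings for the [session_server] table."""
    findings = []
    ss = parse_session_server(toml_text)
    if not ss:
        return [("info", "no [session_server] section: interactive web terminal disabled")]

    listen_host, listen_port = split_host_port(ss.get("listen_address", ""))
    adv_host, adv_port = split_host_port(ss.get("advertise_address", ""))

    # Binding every interface is common, but the terminal has no credentials of
    # its own, so the port must be firewalled to the GitLab instance and its users.
    if listen_host in ("", "::", "0.0.0.0"):
        findings.append(("warn", "listen_address binds all interfaces; restrict the port "
                                 "with a firewall, the web terminal is a shell on this host"))

    if not adv_host:
        findings.append(("error", "advertise_address is missing; GitLab cannot reach the session server"))
    else:
        try:
            ipaddress.ip_address(adv_host)          # an IP literal is always acceptable
        except ValueError:
            if adv_host.endswith(".tld") or "." not in adv_host:
                findings.append(("error", f"advertise_address host '{adv_host}' looks like a "
                                          "placeholder or bare hostname; use the host's IP or a "
                                          "name that has an A record"))

    if adv_port is None:
        findings.append(("error", "advertise_address has no port"))
    elif listen_port is not None and adv_port != listen_port:
        findings.append(("warn", f"advertise port {adv_port} differs from listen port "
                                 f"{listen_port}; only correct if something forwards between them"))

    timeout = ss.get("session_timeout")
    if isinstance(timeout, int) and timeout > 1800:
        findings.append(("info", f"session_timeout of {timeout}s keeps idle terminals open a long time"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_session_server(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the real config.toml by reading the file into audit_session_server; the sample above yields a warning for the all-interfaces bind and an error for the .tld placeholder, while a config that advertises the host's own IP on the same port it listens on comes back clean.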