1

In AWS, Gitlab Autoscale runner with private IP, don't want to enable Public IP. Currently our Gitlab Autoscale runner is configured with public IP, hence the Runner Hub is connected via Public IP of autoscale runners. For that we are opening ALL TCP port in the security group. To avoid this scenario, can stop using Public IP and use private IP's to connect the Gitlab Hub and autoscale runners?

concurrent = 100
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "aws-abc-runner-autoscale"
  limit = 110
  url = "https://git.abc-example.in/"
  token = "xxxxxxxxxxxx"
  executor = "docker+machine"
  environment = ["DOCKER_AUTH_CONFIG={ \"auths\": { \"docker.dev.abc.com\": { \"auth\": \"################################################\" }, \"silicon.docker.dev.abc.com\": { \"auth\": \"################################################\" }, \"cde.dev.abc.com\": { \"auth\": \"################################################\" }, \"abcde.azurecr.io\": { \"auth\": \"##########################################\" }, \"efghijk.azurecr.io\": { \"auth\": \"###################################################\" } } }"]
  [runners.custom_build_dir]
    enabled = true
  [runners.cache]
    Type = "s3"
    Shared = true
    [runners.cache.s3]
      ServerAddress = "ip-172-31-11-12.eu-central-1.compute.internal:9005"
      AccessKey = "xxxxxxxxxx"
      SecretKey = "xxxxxxxxxx"
      BucketName = "runner-autoscale"
      Insecure = true
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock"]
    shm_size = 0
  [runners.machine]
    IdleCount = 4
    IdleTime = 300
    MachineDriver = "amazonec2"
    MachineName = "abcdev-runners-%s"
    MachineOptions = ["amazonec2-ami=ami-08a1a615784dd1c82f", "amazonec2-region=eu-central-1", "amazonec2-zone=b", "amazonec2-vpc-id=vpc-0f458d68", "amazonec2-subnet-id=subnet-c23438b8", "amazonec2-instance-type=t3.xlarge", "amazonec2-root-size=250", "amazonec2-volume-type=gp2", "amazonec2-use-private-address=true"]
    OffPeakTimezone = ""
    OffPeakIdleCount = 0
    OffPeakIdleTime = 0

Can someone provide how we can implement for the same.

praseeb kdas
  • 37
  • 8

2 Answers2

1

Your runners do not need to be network-reachable from your GitLab instance based on how you have it set up, so making them have a private IP would be as simple as changing the subnet you have set up in amazonec2-subnet-id to be one that doesn't assign a public IP. Note your private subnet will need to have a NAT gateway attached to get to your GitLab instance, or configured to use the intra-vpc network.

Patrick
  • 2,885
  • 1
  • 14
  • 20
0

use amazonec2-private-address-only, amazonec2-use-private-address doesn't enforce it to be a private instance

[[runners]]
  [runners.machine]
    MachineOptions: [
      "amazonec2-private-address-only=true"
    ]

Can look at all the available options here on the actual driver page

https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/blob/main/drivers/amazonec2/amazonec2.go

(Not the actual gitlab docker machine but they have actual docs)

https://github.com/Nordstrom/docker-machine/blob/master/docs/drivers/aws.md

robrob
  • 1
  • 1