Intermittent "su: must be suid to work properly" error during prepare environment

I am trying to use gitlab-runner as a non-root user, and I see an intermittent “su: must be suid to work properly” error during the prepare environment stage when running jobs on my GitLab runner.

I am using GitLab 14.1.0 and this is a shell executor. I have looked into the “shell profile loading” part of the message but it does not seem relevant to this, as I do not have any suspicious content in bash dotfiles. The issue happens with varying frequency, but sometimes it is almost every time a job is run on the machine, thus completely preventing jobs from executing. I’ve looked into the configuration of GitLab runner on the machine and here are some of the details:

  • “gitlab-runner register” was run as non-root, and the gitlab-runner processes which run jobs are running as the same non-root user. There are 3 such processes, and 3 runners have been registered in config.toml.
  • There is one gitlab-runner process on the machine which is running as root. I presume this to be the gitlab-runner service.
  • Any of the non-root gitlab-runner processes are immediately restarted when killed.
  • I am unable to run any other gitlab-runner command besides “gitlab-runner run”. Note that I am running as the same non-root user that registered the gitlab-runners. I do not have root access on this machine. When I run any other command, such as “gitlab-runner status”, I see the error “FATAL: the --user is not supported for non-root users”.
  • I ran “gitlab-runner --debug run” as non-root to try to obtain some logs. When the “must be suid to work properly” error occurs in a runner, no message is displayed here. It is as if the runner never picked up the job.

The only resource I have found regarding this specific issue has been: https://www.reddit.com/r/gitlab/comments/mcwp8l/su_must_be_suid_to_work_properly_when_using_shell/
I do not see any helpful information there. I suspect I have a configuration issue causing this. Should I be able to run jobs as non-root? How should the service be configured to support this?

Thanks!