My overall goal is to run an instance of gitlab-runner as a user other than the default gitlab-runner user. This instance should be completely separate from the normal instance that runs under the gitlab-runner user.
Basically, there are tasks I’d like to use gitlab-runner to run, and I want to make sure other gitlab-runner jobs have no chance of touching the files and information involved.
So, I’d have two instances of gitlab-runner running.
I thought I had figured out how to get this working. I configured a second .service file and started the new service, then registered new runners after su’ing into the alternate user, but I ran into an error.
# systemctl status alternetuser-gitlab-runner.service
● alternetuser-gitlab-runner.service - alternetuser GitLab Runner
Loaded: loaded (/etc/systemd/system/alternetuser-gitlab-runner.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-07-19 13:09:56 PDT; 1 months 22 days ago
Main PID: 56607 (gitlab-runner)
Tasks: 8
Memory: 6.6M
CGroup: /system.slice/alternetuser-gitlab-runner.service
└─56607 /usr/bin/gitlab-runner run --working-directory /home/alternetuser --config /home/alternetuser/.gitlab-runner/config.toml --service alternetuser-gitlab-runner --syslog --user alternetuser
Sep 10 16:54:07 host1 su[96349]: FAILED SU (to alternetuser) alternetuser on none
Sep 10 16:54:08 host1 alternetuser-gitlab-runner[56607]: time="2018-09-10T16:54:08-07:00" level=warning msg="Job failed: exit status 1" job=2644 project=168 runner=7315c5cf
Sep 10 16:54:08 host1 gitlab-runner[56607]: time="2018-09-10T16:54:08-07:00" level=warning msg="Job failed: exit status 1" job=2644 project=168 runner=7315c5cf
Sep 10 16:56:35 host1 alternetuser-gitlab-runner[56607]: time="2018-09-10T16:56:35-07:00" level=info msg="Checking for jobs... received" job=2645 repo_url="https://git.example.org/group/project.git" runner=b4fb1d31
Sep 10 16:56:35 host1 gitlab-runner[56607]: time="2018-09-10T16:56:35-07:00" level=info msg="Checking for jobs... received" job=2645 repo_url="https://git.example.org/group/project.git" runner=b4fb1d31
Sep 10 16:56:36 host1 unix_chkpwd[96442]: password check failed for user (alternetuser)
Sep 10 16:56:36 host1 su[96439]: pam_unix(su:auth): authentication failure; logname= uid=NNNN euid=0 tty= ruser=alternetuser rhost= user=alternetuser
Sep 10 16:56:38 host1 su[96439]: FAILED SU (to alternetuser) alternetuser on none
Sep 10 16:56:39 host1 alternetuser-gitlab-runner[56607]: time="2018-09-10T16:56:39-07:00" level=warning msg="Job failed: exit status 1" job=2645 project=162 runner=b4fb1d31
Sep 10 16:56:39 host1 gitlab-runner[56607]: time="2018-09-10T16:56:39-07:00" level=warning msg="Job failed: exit status 1" job=2645 project=162 runner=b4fb1d31
After looking at that output, I think gitlab-runner is actually starting under the gitlab-runner user, then trying to su into the alternetuser user.
Is that how gitlab-runner uses the --user flag?
Is it even possible to run a runner instance without involving the gitlab-runner user at all?
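One way to read the journal excerpt above, as an added example that is not part of the original post: pam_unix records the account that invoked su as ruser and the target account as user, so extracting those fields and pairing each su failure with the runner's next "Job failed" line shows which account's su call broke which job. The sample lines are copied from the post's log; the 5-second correlation window and the function names are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log excerpt in the post above (job 2645 only).
SAMPLE = """\
Sep 10 16:56:35 host1 gitlab-runner[56607]: time="2018-09-10T16:56:35-07:00" level=info msg="Checking for jobs... received" job=2645 repo_url="https://git.example.org/group/project.git" runner=b4fb1d31
Sep 10 16:56:36 host1 unix_chkpwd[96442]: password check failed for user (alternetuser)
Sep 10 16:56:36 host1 su[96439]: pam_unix(su:auth): authentication failure; logname= uid=NNNN euid=0 tty= ruser=alternetuser rhost= user=alternetuser
Sep 10 16:56:38 host1 su[96439]: FAILED SU (to alternetuser) alternetuser on none
Sep 10 16:56:39 host1 gitlab-runner[56607]: time="2018-09-10T16:56:39-07:00" level=warning msg="Job failed: exit status 1" job=2645 project=162 runner=b4fb1d31
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w.-]+)\[(\d+)\]: (.*)$")
PAM = re.compile(r"pam_unix\(su:auth\): authentication failure; (.*)$")
JOB_FAILED = re.compile(r'msg="Job failed: [^"]*" job=(\d+)')

def parse(text, year=2018):  # syslog timestamps carry no year; 2018 is from the log
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def su_failures(text):
    """pam_unix su:auth failures as dicts of their key=value fields (ruser, user, euid...)."""
    out = []
    for ts, prog, pid, msg in parse(text):
        m = PAM.search(msg)
        if prog == "su" and m:
            fields = dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
            out.append({"time": ts, "pid": pid, **fields})
    return out

def correlate(text, window=timedelta(seconds=5)):
    """Pair each su failure with runner 'Job failed' lines logged within `window` after it."""
    jobs = [(ts, int(m.group(1))) for ts, _, _, msg in parse(text)
            if (m := JOB_FAILED.search(msg))]
    return [(f["ruser"], f["user"], job) for f in su_failures(text)
            for ts, job in jobs if timedelta(0) <= ts - f["time"] <= window]

if __name__ == "__main__":
    for ruser, user, job in correlate(SAMPLE):
        print(f"job {job}: su invoked by {ruser!r} for target {user!r} was rejected")
```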