Question about running gitlab-runner runners as users other than gitlab-runner

My overall goal is to run an instance of gitlab-runner as a user other than the default gitlab-runner user. This instance should be completely separate from the normal instance that runs under the gitlab-runner user.

Basically, there are tasks I’d like to use gitlab-runner to run, and I want to make sure other gitlab-runner jobs have no chance of touching the files and information involved.

So, I’d have two instances of gitlab-runner running.

I thought I had figured out how to get this working. I configured a second .service file and started the new service, then registered new runners after su’ing into the alternate user, but I ran into an error.

# systemctl status alternetuser-gitlab-runner.service
● alternetuser-gitlab-runner.service - alternetuser GitLab Runner
   Loaded: loaded (/etc/systemd/system/alternetuser-gitlab-runner.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-07-19 13:09:56 PDT; 1 months 22 days ago
 Main PID: 56607 (gitlab-runner)
    Tasks: 8
   Memory: 6.6M
   CGroup: /system.slice/alternetuser-gitlab-runner.service
           └─56607 /usr/bin/gitlab-runner run --working-directory /home/alternetuser --config /home/alternetuser/.gitlab-runner/config.toml --service alternetuser-gitlab-runner --syslog --user alternetuser

Sep 10 16:54:07 host1 su[96349]: FAILED SU (to alternetuser) alternetuser on none
Sep 10 16:54:08 host1 alternetuser-gitlab-runner[56607]: time="2018-09-10T16:54:08-07:00" level=warning msg="Job failed: exit status 1" job=2644 project=168 runner=7315c5cf
Sep 10 16:54:08 host1 gitlab-runner[56607]: time="2018-09-10T16:54:08-07:00" level=warning msg="Job failed: exit status 1" job=2644 project=168 runner=7315c5cf
Sep 10 16:56:35 host1 alternetuser-gitlab-runner[56607]: time="2018-09-10T16:56:35-07:00" level=info msg="Checking for jobs... received" job=2645 repo_url="https://git.example.org/group/project.git" runner=b4fb1d31
Sep 10 16:56:35 host1 gitlab-runner[56607]: time="2018-09-10T16:56:35-07:00" level=info msg="Checking for jobs... received" job=2645 repo_url="https://git.example.org/group/project.git" runner=b4fb1d31
Sep 10 16:56:36 host1 unix_chkpwd[96442]: password check failed for user (alternetuser)
Sep 10 16:56:36 host1 su[96439]: pam_unix(su:auth): authentication failure; logname= uid=NNNN euid=0 tty= ruser=alternetuser rhost=  user=alternetuser
Sep 10 16:56:38 host1 su[96439]: FAILED SU (to alternetuser) alternetuser on none
Sep 10 16:56:39 host1 alternetuser-gitlab-runner[56607]: time="2018-09-10T16:56:39-07:00" level=warning msg="Job failed: exit status 1" job=2645 project=162 runner=b4fb1d31
Sep 10 16:56:39 host1 gitlab-runner[56607]: time="2018-09-10T16:56:39-07:00" level=warning msg="Job failed: exit status 1" job=2645 project=162 runner=b4fb1d31

After looking at that output, I think gitlab-runner is actually starting under the gitlab-runner user, then trying to su into the alternetuser user.

Is that how gitlab-runner uses the --user flag?

Is it even possible to run a runner instance without involving the gitlab-runner user at all?


I’m currently making sure that the host running the jobs I wanted run under another user only runs those jobs.

I’d still like to find some answers to my questions, though.

Anyone have any search fu that could help? Or just know the answers?
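An added example, not part of the original posts: a small Python parser that pairs each pam_unix su failure in the journal output above with the runner job failure logged right after it, and reports the `ruser` (account that invoked su), `user` (target account) and `euid` fields from the PAM line. The function name, the 10-second pairing window and the `year` default are assumptions made for this example.

```python
import re
from datetime import datetime

# Journal lines copied from the status output quoted in the question.
LOG = """\
Sep 10 16:56:35 host1 gitlab-runner[56607]: time="2018-09-10T16:56:35-07:00" level=info msg="Checking for jobs... received" job=2645 repo_url="https://git.example.org/group/project.git" runner=b4fb1d31
Sep 10 16:56:36 host1 unix_chkpwd[96442]: password check failed for user (alternetuser)
Sep 10 16:56:36 host1 su[96439]: pam_unix(su:auth): authentication failure; logname= uid=NNNN euid=0 tty= ruser=alternetuser rhost=  user=alternetuser
Sep 10 16:56:38 host1 su[96439]: FAILED SU (to alternetuser) alternetuser on none
Sep 10 16:56:39 host1 alternetuser-gitlab-runner[56607]: time="2018-09-10T16:56:39-07:00" level=warning msg="Job failed: exit status 1" job=2645 project=162 runner=b4fb1d31
Sep 10 16:56:39 host1 gitlab-runner[56607]: time="2018-09-10T16:56:39-07:00" level=warning msg="Job failed: exit status 1" job=2645 project=162 runner=b4fb1d31
"""

# "<Mon DD HH:MM:SS> <host> <tag>[<pid>]: <message>"
SYSLOG = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ ([\w-]+)\[\d+\]: (.*)$')
PAM_FAIL = re.compile(r'pam_unix\(su:auth\): authentication failure; (.*)')
JOB_FAIL = re.compile(r'msg="Job failed: [^"]*" job=(\d+) project=(\d+) runner=(\w+)')


def su_failures_per_job(log, year=2018, window=10):
    """Pair each failed su with the job failure logged within `window` seconds."""
    pending, out = None, []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # header lines of `systemctl status` are not syslog records
        # Syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        pam = PAM_FAIL.search(msg)
        if pam:
            # key=value pairs; empty values such as "tty=" become "".
            pending = (when, dict(re.findall(r'(\w+)=(\S*)', pam.group(1))))
            continue
        job = JOB_FAIL.search(msg)
        if job and pending and (when - pending[0]).total_seconds() <= window:
            f = pending[1]
            out.append({"job": int(job.group(1)), "runner": job.group(3),
                        "caller": f["ruser"], "target": f["user"], "euid": f["euid"]})
            pending = None  # the same event under the second syslog tag is skipped
    return out


if __name__ == "__main__":
    for rec in su_failures_per_job(LOG):
        print(rec)
```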