Restrict access to port 21 only for gitlab's pipeline

bgfr · June 8, 2023, 11:49am

Hi, please let me know which IP should I allow so that only gitlab’s pipeline can access port 21.
When I allow all sources all works fine.
When i allow the IP of the runner it does not work.
It seems I miss something…???

balonik · June 8, 2023, 12:17pm

Do you use GitLab shared Runners on gitlab.com? Do you use your own runners?
If you don’t know your GitLab runner IPs just allow all and use tcpdump on the server to see from what IPs it’s coming from.

bgfr · June 9, 2023, 8:56am

I created a new runner which is registered on the same server where apache is.
I chose shell executor. Now the job is successful, but the folder is not there.
Here is the log. i do not understand what is going on? Are the files copied in docker container?

Running with gitlab-runner 16.1.0~beta.5.gf131a6a2 (f131a6a2)
  on green-1.shared.runners-manager.gitlab.com/default JLgUopmM, system ID: s_b9608e9d087b
  feature flags: FF_USE_IMPROVED_URL_MASKING:true
Preparing the "docker+machine" executor
Using Docker executor with image ruby:3.1 ...
Pulling docker image ruby:3.1 ...
Using docker image sha256:0bc9d89ecf1b65c22b20cc0da4a22c3f515ee726
for ruby:3.1 with digest ruby@sha256:5bb1b8ce2f236cc264ae2f2664ec226603655b91 ...
Preparing environment 00:04
Running on runner-jlguopmm-project-46720377-concurrent-0 via runner-jlguopmm-shared-1686300380-81c218f9...
Getting source from Git repository 00:02
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/domains/example.com/.git/
Created fresh repository.
Checking out 46ec00d5 as detached HEAD (ref is main)...
Skipping Git submodules setup
$ git remote set-url origin "${CI_REPOSITORY_URL}"
Executing "step_script" stage of the job script 00:01
Using docker image sha256:0bc9d89ecf1b65c22b20cc0da4a22c3f515ee726 
for ruby:3.1 with digest ruby@sha256:5bb1b8ce2f236cc264ae2f2664ec226603655b91...
$ mkdir -p /var/www/$APACHE_DEPLOY_PATH
$ cp -Rv . /var/www/$APACHE_DEPLOY_PATH
'./.git' -> '/var/www/example.com/./.git'
Cleaning up project directory and file based variables 00:01
Job succeeded

balonik · June 9, 2023, 9:03am

That job was running on GitLab.com shared runners, not on your local Runner. Your runner should have a list of tags assigned and you have to use tags: in Job to specify which runner should run the job.

bgfr · June 9, 2023, 9:21am

Hi, so that is the tag of the local runner: ``` ec2-runner2

And that below is how i modified the .yml.
Now the job is with status “This job is in pending state and is waiting to be picked by a runner”
What do i miss?!?

deploy:
  script:
    - mkdir -p /var/www/$DEPLOY_PATH
    - cp -Rv . /var/www/$DEPLOY_PATH
  only:
    - main
  tags:
    - ec2-runner2

i manually added the tag on the config.toml
to look like this

concurrent = 1
check_interval = 0
shutdown_timeout = 0

[session_server]
session_timeout = 1800

[[runners]]
name = “ec2-runner”
url = “https://gitlab.com”
id = xxxxxx
token = “xxxxxxx”
token_obtained_at = 2023-06-09T08:43:02Z
token_expires_at = 0001-01-01T00:00:00Z
executor = “shell”
tags = [“ec2-runner2”]
[runners.cache]
MaxUploadedArchiveSize = 0

balonik · June 9, 2023, 11:15am

tags are propagated to GitLab only on runner registration. If you change tags in config.toml it is not reflected in GitLab. You need to go to GitLab UI and add the tag to the runner also there.