GitLab Runner Deployment and Installation Architectures

GitLab Runner serves as the critical execution engine for GitLab CI/CD, acting as the bridge between the definition of automated tasks in a .gitlab-ci.yml file and the actual hardware or virtualized infrastructure where those tasks are performed. When a developer pushes code to GitLab, the system identifies the defined pipeline tasks—which typically encompass software testing, application building, and environment deployment—and transmits these jobs to available runners. For the system administrator, the primary responsibility involves the strategic procurement and management of the infrastructure where these runners reside, ensuring that the installed applications are properly configured and possess the computational capacity required to sustain the organization's specific CI/CD workload.

The availability of GitLab Runner extends across all service tiers, including Free, Premium, and Ultimate, and is compatible with various offering models such as GitLab.com (the SaaS offering), GitLab Self-Managed, and GitLab Dedicated. This universality ensures that regardless of the organization's scale or hosting preference, the mechanism for executing automated pipelines remains consistent.

GNU/Linux Installation Methodologies

The deployment of GitLab Runner on GNU/Linux environments can be achieved through three distinct primary vectors: official repository installation, manual package installation (deb/rpm), and direct binary deployment. The choice of method often depends on the specific Linux distribution and the level of control required over the installation environment.

Official Repository Installation

The most streamlined method for installation is through the official GitLab repositories. This approach is recommended for standard distributions as it integrates the runner into the system's native package management lifecycle, allowing for easier updates and dependency resolution.

For Debian-based systems (such as Ubuntu), the process begins with the acquisition of the repository configuration script:

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" -o script.deb.sh

Following the download, it is an expert requirement to inspect the script using less script.deb.sh to ensure the integrity of the execution logic before granting administrative privileges. The installation is finalized by running:

sudo bash script.deb.sh

Once the repository is configured, the runner is installed via the package manager:

sudo apt install gitlab-runner

For Red Hat-based systems (such as CentOS or RHEL), the process follows a similar logic with a different script:

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" -o script.rpm.sh

After inspection with less script.rpm.sh, the script is executed:

sudo bash script.rpm.sh

The installation is then performed using either yum or dnf:

sudo yum install gitlab-runner or sudo dnf install gitlab-runner

It is important to note that a FIPS 140-2 compliant version of GitLab Runner is specifically available for RHEL distributions, catering to organizations with strict federal security requirements.

Manual Package Installation

Manual installation using .deb or .rpm packages is designated as a "last resort" strategy. This path is necessary when the official repository cannot be accessed or when the specific GNU/Linux OS is not officially supported by the repository scripts. This also applies to distributions that are derivatives of supported systems, such as Deepin (a Debian derivative), where the standard .deb package remains compatible.

To implement this, users must identify the latest filename and options from the official S3 download bucket located at https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/index.html.

For Debian or Ubuntu systems, the package is installed using the dpkg utility:

dpkg -i gitlab-runner_<arch>.deb

For CentOS or Red Hat Enterprise Linux, the dnf utility is utilized to install both the runner and the helper images:

dnf install -y gitlab-runner-helper-images.rpm gitlab-runner_<arch>.rpm

Binary Installation and Manual Deployment

Direct binary installation is used for maximum flexibility or when working with architectures and distributions that lack package support. This method involves downloading the executable directly to a system directory.

The following commands demonstrate the binary download for various architectures:

  • Linux x86-64: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-amd64"
  • Linux x86: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-386"
  • Linux arm: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-arm"
  • Linux arm64: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-arm64"
  • Linux s390x: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-s390x"
  • Linux ppc64le: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-ppc64le"
  • Linux riscv64: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-riscv64"

While /usr/local/bin/ is the standard destination, the binary can be placed in alternative locations such as /usr/bin/.

A critical operational detail regarding binary installation is that the runner binary does not include pre-built helper images. This requires the system to handle these dependencies separately. However, manual installation is not required for architectures not included in the gitlab-runner-helper-images package, as the system can automatically download these to support additional architectures like loong64.

Windows Installation and Configuration

Installing GitLab Runner on Windows requires a specific set of environmental prerequisites to ensure stability and prevent encoding failures.

Prerequisites for Windows

Before proceeding with the installation, the following requirements must be met:

  • Installation of Git from the official website.
  • A user account password, which is mandatory if the runner is intended to operate under a specific user account rather than the Built-in System Account.
  • The system locale must be set specifically to English (United States). This is a critical requirement to avoid character encoding issues, as documented in issue 38702.

Installation Steps on Windows

The installation process on Windows is manual and follows these specific steps:

  1. Create a dedicated directory for the application, such as C:\GitLab-Runner.
  2. Download the appropriate binary based on the system architecture: x86 64-bit, ARM 64-bit, or x86 32-bit.
  3. Place the binary into the created folder and rename it to gitlab-runner.exe.
  4. Restrict the Write permissions on both the directory and the executable. This is a vital security measure; without these restrictions, regular users could replace the executable with a malicious one to execute arbitrary code with elevated privileges.
  5. Open an elevated command prompt to install the runner as a service.

Administrators can choose between running the service under the Built-in System Account (which is the recommended approach) or a specific user account. It is important to note that Windows services do not provide interactive desktop sessions, which limits the types of jobs that can be run if they require a GUI.

Operational Lifecycle and Maintenance

Once the installation is complete, the runner must be maintained through a regular cycle of updates and registrations.

The Registration Process

Installation is only the first step. After the binary or package is placed on the system, the administrator must register the runner. Registration links the local runner instance to the specific GitLab project or instance, allowing it to begin polling for jobs.

Upgrade Procedures

The method for upgrading GitLab Runner depends entirely on the initial installation path chosen.

For those using the official repository:

  • Debian/Ubuntu: sudo apt update followed by sudo apt install gitlab-runner
  • Red Hat/CentOS: sudo yum update followed by sudo yum install gitlab-runner

For those using binary installations:

  1. Stop the existing service using an elevated prompt: sudo gitlab-runner stop
  2. Download the latest binary to replace the existing one: sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-amd64"
  3. Ensure the new binary is executable: sudo chmod +x /usr/local/bin/gitlab-runner
  4. Restart the service: sudo gitlab-runner start

Security and Integrity

GitLab employs GPG signatures to ensure the integrity of package installations. This is handled through repository metadata signing. When a user executes a command like apt-get update, the package manager verifies the metadata signatures. If the signature is invalid, the package manager rejects the metadata, preventing the installation of potentially corrupted or malicious packages. GPG public keys are installed automatically during the first installation when using the official scripts.

Technical Specifications and Architectural Summary

The following table outlines the supported installation vectors and their primary characteristics.

Feature Repository Method Manual Package (deb/rpm) Binary Method Windows Installation
Primary Use Case Standard distributions Unsupported/Derivative OS Maximum flexibility Windows Environments
Update Path Package Manager Manual Re-install Manual Binary Swap Manual Binary Swap
Support Tiers All (Free, Prem, Ult) All (Free, Prem, Ult) All (Free, Prem, Ult) All (Free, Prem, Ult)
Key Requirement Repository Script S3 Bucket Access curl / chmod Git / US English Locale
Security Focus GPG Metadata Signing File Integrity File Permissions Write Permission Restriction

Infrastructure Considerations

When deploying the runner, administrators must account for the executor model. If the Docker executor is planned for use, Docker must be installed on the host system prior to the installation of GitLab Runner.

Furthermore, there is a nuanced interaction between the service user and the job user. When gitlab-runner is installed and run as a service, it typically operates as the root user. However, it executes the actual CI/CD jobs as a specific user defined during the install command. Because certain job functions, such as cache management and artifact handling, require the execution of the /usr/local/bin/gitlab-runner command, the user account designated to run the jobs must have explicit access to that executable.

Conclusion

The deployment of GitLab Runner is a multifaceted process that requires a precise alignment between the operating system, the hardware architecture, and the security requirements of the organization. From the automated ease of repository scripts on Linux to the manual precision required for Windows installations, the system is designed to be agnostic of the underlying infrastructure. The critical path to a successful deployment involves not only the installation of the binary but the rigorous application of security permissions—specifically the restriction of write access on Windows and the verification of GPG signatures on Linux. By adhering to these protocols, administrators ensure that the CI/CD pipeline remains a secure and scalable conduit for software delivery across all GitLab tiers and offerings.

Sources

  1. Install GitLab Runner manually on GNU/Linux
  2. Install GitLab Runner on Windows
  3. Install GitLab Runner - Linux Repository
  4. GitLab Runner Overview

Related Posts