The deployment of GitLab Runner within a CentOS 7 ecosystem represents a critical junction in the Continuous Integration and Continuous Deployment (CI/CD) pipeline. As an orchestration component, the GitLab Runner is responsible for executing the jobs defined in the .gitlab-ci.yml configuration file, thereby bridging the gap between source code commits and automated testing or deployment. In a CentOS 7 environment, which is characterized by its stability and enterprise-grade reliability, the installation process requires precise handling of package managers, user permissions, and security configurations, particularly when TLS (Transport Layer Security) is integrated for secure communications.
The runner operates as a lightweight agent that communicates with the GitLab server. While the legacy GitLab CI Multi Runner project has been deprecated in favor of the modern Go-based GitLab Runner, the functional requirement remains the same: providing a scalable execution environment for automated tasks. For users operating within CentOS 7, RHEL, or Fedora, the installation can be achieved through official repository integration, specific RPM package management, or direct binary execution. This article provides a granular breakdown of these methodologies, ranging from standard repository installations to complex TLS-secured configurations for Docker-based executors.
Repository Integration and Package Management
The most efficient way to maintain a GitLab Runner on a CentOS 7 system is to integrate the official GitLab repositories. This ensures that the system can pull updates, security patches, and specific version increments through the standard yum package manager.
To initiate the repository setup, a shell script provided by GitLab must be executed with administrative privileges. This script configures the necessary Yum repository files to allow the system to recognize the GitLab package ecosystem.
bash
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
Once the repository is added, the user has several paths for installation depending on whether they require the bleeding-edge version or a specific, stable iteration required for legacy compatibility.
Standard and Version-Specific Installations
For most standard deployments, the latest version available in the repository is preferred. This is achieved through the following command:
bash
sudo yum install gitlab-runner
In enterprise environments where testing cycles require specific versions (such as version 10.0.0), the user must first query the available versions within the repository to identify the exact string required for the installation.
bash
yum list gitlab-runner --showduplicates | sort -r
After identifying the target version, the installation can be targeted specifically:
bash
sudo yum install gitlab-runner-10.0.0-1
Binary-Based Deployment for Manual Control
When repository management is not desired or when the environment requires a specific architecture not easily serviced by the RPM repository, manual binary deployment is a viable alternative. This method involves downloading the specific binary for the host's CPU architecture and placing it in a directory within the system's PATH, typically /usr/local/bin/.
The following table provides the specific download commands for various architectures:
| Architecture | Command |
|---|---|
| Linux x86-64 | sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-amd64" |
| Linux x86 | sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-386" |
| Linux arm | sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-arm" |
| Linux arm64 | sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-arm64" |
| Linux s390x | sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-s390x" |
| Linux ppc64le | sudo curl -L --output /usr/local/bin/gitlab-runner "https://s3.dualstack.us-east-1.amazonaws.com/gitlab-runner-downloads/latest/binaries/gitlab-runner-linux-ppc64le" |
| Linux riscv64 | sudo curl -L --output /usr/local/bin/gitlab-runner |
Service Management and User Permissions
After the installation of the GitLab Runner package, the system creates a dedicated system user named gitlab-runner. This user facilitates the execution of the runner service under a non-privileged account, adhering to the principle of least privilege.
Verifying Service Status and Control
The runner operates as a background service. Users must be able to verify its operational state and manipulate its lifecycle (start, stop, restart) to ensure continuous availability for CI/CD jobs.
To check the current version of the installed runner:
bash
sudo gitlab-runner -version
To check if the service is currently active and running:
bash
sudo gitlab-runner status
The following commands are used to manage the service state:
sudo gitlab-runner startsudo gitlab-runner stopsudo gitlab-runner restart
Granting Sudo Privileges to the Runner User
In many CI/CD workflows, the runner needs to execute commands that require elevated privileges, such as managing Docker containers or modifying system configurations. To allow the gitlab-runner user to execute these commands without manual intervention, it must be granted sudo permissions via the visudo utility.
Open the sudoers file:
bash sudo visudoAppend the following lines to the file to allow the user to execute commands with
NOPASSWD:
text gitlab-runner ALL=(ALL:ALL) ALL gitlab-runner ALL=(ALL) NOPASSWD: ALL
This configuration ensures that the runner can perform administrative tasks necessary for containerized builds without the overhead of a password prompt, which would otherwise hang the automated job.
Advanced Configuration: TLS-Enabled Deployment on CentOS 7
For high-security environments, deploying a GitLab Runner version 14.0.0 with TLS enabled is a specialized procedure. This is particularly relevant when the runner interacts with Docker via encrypted channels. This process involves preparing the local environment, setting up OpenSSL configurations, and handling the directory structures required for secure communication.
Environment Preparation and Package Installation
The deployment starts with the manual acquisition of the specific RPM package and the verification of its digital signature to ensure integrity.
bash
wget 'https://packages.gitlab.com/runner/gitlab-runner/packages/el/7/gitlab-runner-14.0.0-1.x86_64.rpm/download.rpm'
mv download.rpm gitlab-runner-14.0.0-1.x86_64.rpm
rpm --checksig gitlab-runner-14.0.0-1.x86_64.rpm
yum install -y gitlab-runner-14.0.0-1.x86_64.rpm
Docker Group Integration and Directory Setup
Since the runner will likely utilize the Docker executor, the gitlab-runner user must be a member of the docker group to interact with the Docker daemon. Furthermore, necessary directories for Docker and OpenSSL must be established.
bash
usermod -aG docker gitlab-runner
mkdir -p ~/.docker
mkdir -p /etc/docker
OpenSSL Configuration for Client and Server
To facilitate TLS, custom OpenSSL configuration files must be generated. This involves defining request extensions, distinguished names, and key usage parameters.
The client-side configuration is applied to the gitlab-runner user's home directory:
bash
touch ~/.docker/openssl.cnf
cat <<EOF > /root/.docker/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
The server-side configuration requires additional parameters, specifically the Subject Alternative Name (SAN), to ensure the certificate is valid for the specific IP addresses of the host. The script dynamically captures the host's IP address to populate these fields.
bash
IP_address=$(hostname -I | head -c 11)
touch /etc/docker/openssl.cnf
cat <<EOF > /etc/docker/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
IP.1=127.0.0.1
IP.2=$IP_address
EOF
Registration and Lifecycle Management
Once the software is installed and configured, the runner must be registered with the GitLab instance to begin receiving jobs.
The Registration Process
Registration connects the runner to a specific GitLab project or instance using a URL and a unique registration token. This can be done through an interactive session or via a non-interactive command for automated setups.
For a standard registration, use:
bash
sudo gitlab-runner register
For a non-interactive registration utilizing a Docker executor, the command is more comprehensive:
bash
sudo gitlab-runner register \
--non-interactive \
--url "GITLAB_SERVER_URL" \
--registration-token "REGISTRATION_TOKEN" \
--description "docker-runner" \
--executor "docker" \
--docker-image centos:latest
Troubleshooting Job Execution
A common issue encountered during registration is the "stuck job" error. This typically occurs when a runner is registered with specific tags, but the CI/CD job defined in the project does not include matching tags.
To resolve this, navigate to the GitLab Web UI:
- Go to the project's Settings.
- Select CI/CD.
- Expand the Runners section.
- Ensure the option "Indicates whether this runner can pick up jobs without tags" is checked.
Uninstallation and System Cleanup
If a complete removal of the GitLab Runner is required, several steps must be taken to ensure all binaries, configurations, and processes are purged from the CentOS system.
Uninstall the RPM package:
bash sudo yum uninstall gitlab-runner-10.0.0-1Remove the GitLab directory:
bash sudo rm -rf /var/opt/gitlabTerminate all active GitLab processes:
bash pkill -f gitlabRemove all installation-related directories:
bash sudo rm -rf /opt/gitlab sudo rm -rf /etc/gitlab sudo rm -rf /var/opt/gitlab
Analysis of Deployment Methodologies
The deployment of GitLab Runner on CentOS 7 presents a spectrum of complexity, ranging from the streamlined yum installation to the highly manual TLS-secured configuration. The choice of method is dictated by the security requirements of the organization and the specific executor being utilized.
While the standard repository method is ideal for general-purpose runners, the binary-based installation offers superior flexibility for heterogeneous environments. The integration of TLS-based configurations is a necessity for modern DevSecOps practices, ensuring that the communication between the runner and the containerized environments is protected against interception.
Crucially, the management of user permissions through the sudoers file remains a pivot point for both security and functionality. Over-provisioning permissions can introduce vulnerabilities, while under-provisioning can lead to the aforementioned "stuck jobs" or failed build processes. Therefore, a successful deployment requires a balanced approach to identity and access management (IAM) within the Linux subsystem, ensuring that the gitlab-runner user has exactly the level of access required to facilitate the CI/CD lifecycle without compromising the integrity of the host CentOS 7 server.