Change Gitlab CI Runner user

Question

Currently when I start a build in GitlabCI it is running under gitlab-runner user. I want to change it the company's internal user. I didn't find any parameter to the /etc/gitlab-runner/config.toml which is solve that.

My current configuration:

concurrent = 1
[[runners]]
  name = "deploy"
  url = ""
  token = ""
  executor = "shell"

The gitlab-runner run command takes a ----user option allowing to specify the user. — Hui Wang, May 27 '16 at 08:47

score 92 · Accepted Answer · edited Aug 05 '22 at 15:02

92

Running ps aux | grep gitlab you can see:

/usr/bin/gitlab-ci-multi-runner run --working-directory /home/gitlab-runner --config /etc/gitlab-runner/config.toml --service gitlab-runner --syslog --user gitlab-runner

Service is running with option --user.

So let's change this, it depends on what distro. you are running it. If systemd, there is a file:

/etc/systemd/system/gitlab-runner.service:

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/bin/gitlab-ci-multi-runner "run" "--working-directory" "/home/gitlab-runner" "--config" "/etc/gitlab-runner/config.toml" "--se

Bingo, let's change this file now:

gitlab-runner uninstall

gitlab-runner install --working-directory /home/ubuntu --user ubuntu

reboot the machine or reload the service (i.e. systemctl daemon-reload), et voilà!

edited Aug 05 '22 at 15:02

hamaronooo

471
4
20

answered Nov 20 '16 at 11:04

Thomas Decaux

21,738
2
113
124

I think these kind of cli is new, because I looked for something similar, but the cli didn't support it yet. Thank you and nice answer. – PumpkinSeed Jan 29 '17 at 09:05
Yeah GitlabCI is moving very fast, they add new features but sometimes new bugs, so always upgrade with caution! – Thomas Decaux Jan 30 '17 at 13:09
2

This returns - `FATAL: flag provided but not defined: -user` – letsc Oct 02 '17 at 01:12
1

@letsc try `--user` – Osman Dec 06 '17 at 14:36
4

@letsc It will not report this '-user' error when `sudo gitlab-runner install` – lk_vc Jan 29 '19 at 07:02
On ubuntu 18.04 I used `service gitlab-runner restart` to reload the service – John Doe Mar 16 '20 at 15:29
After changed user "Error: Job Failed: prepare environment: exit status 1...." – CH06 Sep 30 '21 at 08:58

score 14 · Answer 2 · answered Feb 22 '19 at 17:06

Note that when installing with a specific user (--user), whenever you update, it will revert back to the original systemd script and so, back to using gitlab-runner user.

in order to keep the user change across updates, using systemd overrides (centos7) you can use these steps (assuming service is at /etc/systemd/system/gitlab-runner.service):

Create a /etc/systemd/system/gitlab-runner.service.d directory.

Create a /etc/systemd/system/gitlab-runner.service.d/exec_start.conf file, with content:

[Service]
ExecStart=
ExecStart=/usr/lib/gitlab-runner/gitlab-runner "run" "--working-directory" "/home/ubuntu" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--syslog" "--user" "ubuntu"

Execute systemctl daemon-reload

Now to check this is working, you can do this:

Reinstall GitLab Runner package gitlab-runner uninstall and then gitlab-runner install
Check ps aux | grep gitlab and confirm the right user is being used

source: https://gitlab.com/gitlab-org/gitlab-runner/issues/3675

Upvote! Thank you for adding the helpful bit about making it persistent. — TryTryAgain, May 01 '19 at 04:41
I had to do `systemctl restart gitlab-runner` as well in order the system service command to be launched with the new user. — Akronix, Feb 17 '23 at 17:26

score 9 · Answer 3 · answered Jul 03 '20 at 20:58

Once the gitlab-runner is registered (yes, it will be installed under the user gitlab-runner and working directory /home/gitlab-runner ) you can execute the following to change the runner's user

gitlab-runner uninstall

gitlab-runner install --working-directory <existing-path> --user <any-existing-user>

# eg: gitlab-runner install --working-directory /home/ec2-user --user ec2-user

then restart the service

service gitlab-runner restart

NOTE: you don't need to edit /etc/systemd/system/gitlab-runner.service for this, as it is being updated once the service is restarted as above

to check if the configurations are reflecting, run

ps aux | grep gitlab

PumpkinSeed · Answer 4 · 2019-03-13T14:23:41.657

2

[DEPRECATED ANSWER]

I found a solution, which is not best pactrice but solved it. I need to use the ssh executer and ssh to localhost. It is require to add gitlab-runner id_rsa.pub to the user's authorized_keys what you want to use. There is my extended code:

concurrent = 1

[[runners]]
  name = "deploy"
  url = ""
  token = ""
  executor = "ssh"
  [runners.ssh]
    user = "user"
    host = "localhost"
    port = "22"
    identity_file = "/home/gitlab-runner/.ssh/id_rsa"

edited Mar 13 '19 at 14:23

answered May 12 '16 at 18:33

PumpkinSeed

2,945
9
36
62

Why do you consider this not "best practice"? Unless you're prepared to use a VM or container solution, this looks like your only option. – Auspex Dec 08 '21 at 17:42
@Auspex this is nearly 5 years old, Gitlab changed a lot since then. – PumpkinSeed Dec 12 '21 at 16:11
Nevertheless, I don't see another way to run commands as a different user. I'm not prepared to implement docker runners for a single repository. – Auspex Dec 13 '21 at 11:21

score 0 · Answer 5 · answered Apr 09 '18 at 09:24

Just for future reference, I was doing a test with a cloned version of my setup, if the domainname is not pointing to the server you are working with, gitlab might consider your runners offline. If you have another (copied) instance running at the ip the domain is pointing at and there is no firewall blocking, the gitlab-runner verify command will say your runners are alive.

a solution could be adding your domain pointing to 127.0.0.1 to your hosts file. you'll have to restart your gitlab instance and runners.

score 0 · Answer 6 · answered Apr 27 '20 at 23:59

0

For recent version of gitlab-runner you should modify the system arguments in the /etc/default/gitlab-runner file.

answered Apr 27 '20 at 23:59

abanman

1

allofmex · Answer 7 · 2020-12-23T19:48:50.353

Here example for docker gitlab-runner:

Build your own runner image based on Dockerfile with following content

FROM gitlab/gitlab-runner
# add new user (if needed)
RUN useradd -u 998 gitlab-www && mkdir /home/gitlab-www && \
    chown gitlab-www /home/gitlab-www && chmod u+rwx /home/gitlab-www
# need to replace entrypoint to force new created user over gitlab-runner
ENTRYPOINT /usr/bin/dumb-init /entrypoint run --user=gitlab-www --working-directory=/home/gitlab-www

(update -u 998 and gitlab-www as you need)

.gitlab-ci.yml scripts are running as user gitlab-www now. If this one has same uid as host mounts, you are also able to deploy directly to host folders.

The `useradd` in `gitlab/gitlab-runner` doesn't have `--create-home`? I'd have thought : `RUN useradd --create-home -u 998 gitlab-www` — Auspex, Mar 07 '22 at 09:22

Change Gitlab CI Runner user

7 Answers7

Linked