[libre-riscv-dev] [Bug 190] New: Setup Gitlab CI Runner for Kazan on a computer

bugzilla-daemon at libre-riscv.org
Wed Feb 26 17:15:41 GMT 2020


http://bugs.libre-riscv.org/show_bug.cgi?id=190

            Bug ID: 190
           Summary: Setup Gitlab CI Runner for Kazan on a computer
           Product: Libre-RISC-V Website
           Version: unspecified
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: enhancement
          Priority: ---
         Component: website
          Assignee: lkcl at lkcl.net
          Reporter: colepoirier at gmail.com
                CC: libre-riscv-dev at lists.libre-riscv.org
   NLnet milestone: ---

Task: Figure out how to set up a GitLab CI runner on a computer:

> Jacob: "I have an old 8-core AMD FX computer with 20GB of ram and a small SSD
that I'm not currently using, I've been wanting to set it up as our
own CI runner for Kazan-team on Debian Salsa, since Debian apparently
doesn't have that many spare CI runners and since CI builds will
require building LLVM (once I re-enable it) which is a really long
process."

I have a Ryzen 2600X 6 core, 12 thread, 32 GB memory,
500 GB SSD, RX 570 4GB desktop that I use to do some
work on the evenings and weekends. I’d be happy to set
this up on there if you want to use your old rig for other
Debian CI.

> Jacob: "I can install Debian on it and give you a user account if I can get
your public SSH key."

Sounds good. Should I email the key to you, or put it on here? Additionally, is
all that is needed to run "ssh-keygen -o" and complete the interactive steps?
(Following the process here: https://www.keycdn.com/support/create-ssh-key).

> Jacob: "You would have to connect to the server using SSH over Tor, since I
don't have a publicly accessible IP address."

>> Luke: "I have OpenVPN installed and a braindead script for manually joining new devices. I can set that up very quickly, it may be easier than Tor?"

Jacob and Luke, which option is preferable? SSH over Tor or OpenVPN?

> Jacob: "One requirement is to have GitLab set up such that we have to give
people explicit permission before they can run anything on it, since
I'm running it on my home network and I don't want to deal with abuse."

So to be clear, we will be using SSH over (see above) as well as an explicit
request-permission grant system, for the actual running of tests/submission of
jobs? Perhaps this permissions functionality for running CI jobs already exists
in GitLab? I will find out once I read the installation docs.

> Jacob: "We can check with Luke what he thinks about how much money should be
assigned to this task, since this is more of a nice-to-have rather
than a requirement. I'm thinking maybe EUR 100 at most, and if it
looks like it's going to take longer than that, we should just give
up, since it's not that important."

I am interested in doing this nice-to-have. I don’t think a budget should be
assigned to it, I’m happy to do this to help out and learn.

> Jacob: "Since this is more of a sys-admin job rather than a Rust programming
job, it may not be quite what you were hoping for. There will
definitely be Rust programming jobs later."

Perfectly okay, I'm here to help in any way I can. Looking forward to doing
some Rust when the time comes :-)

> Jacob: "Some additional requirements: Docker should be used as the backend
runner."

Does it have to be Docker, or can we use Podman? Am I correct in my
understanding that Podman is the Linux container utility?

> Jacob: "It should be set up to block outgoing connections from the runners to
any local addresses (192.168.x.x, 10.x.x.x, etc.). Don't forget IPv6. If
possible, can you build a bash script that will install and set everything up
from a fresh install of Debian, that way, it will be easier to recover from a
corrupted system, install it on more computers, and publicly document the
setup. Installation instructions here:
https://docs.gitlab.com/12.8/runner/install/".

Yes, setting this up as a bash script sounds like an excellent idea, will be
great for when something goes bad. With regard to all of the security and
network configuration, it will most likely take me many tries to get right, so
I'll be posting here for feedback on my configuration from time to time. And I
assume both you and Luke will do a review to make sure I've set everything up
so we don't get abused.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
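
Added example (not part of the original message or of the project's scripts): one way the requested egress block for the runner's containers could be generated, covering IPv4 and IPv6. The bridge name `docker0`, the table name `ci_runner_egress` and the exact range lists are assumptions; the request itself only names 192.168.x.x and 10.x.x.x.

```shell
#!/bin/sh
# Added example: print an nftables ruleset that drops CI-container traffic to
# local/private destinations. Check it with:  gen_ruleset docker0 | nft -c -f -
# Assumed ranges: RFC 1918, IPv4 link-local, CGNAT; IPv6 ULA and link-local.
LOCAL4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 100.64.0.0/10"
LOCAL6="fc00::/7 fe80::/10"

# join_csv "a b c" prints "a, b, c" (nft set element syntax).
join_csv() { printf '%s' "$1" | sed 's/  */, /g'; }

# gen_ruleset [IFACE] prints the ruleset; unusual interface names are
# rejected so nothing can be injected into the generated nft script.
gen_ruleset() {
    iface="${1:-docker0}"
    case "$iface" in
        *[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    cat <<EOF
# Create-then-delete makes reloading idempotent.
table inet ci_runner_egress
delete table inet ci_runner_egress
table inet ci_runner_egress {
    set local4 {
        type ipv4_addr
        flags interval
        elements = { $(join_csv "$LOCAL4") }
    }
    set local6 {
        type ipv6_addr
        flags interval
        elements = { $(join_csv "$LOCAL6") }
    }
    # forward: container -> other machines on the local network
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$iface" ip daddr @local4 drop
        iifname "$iface" ip6 daddr @local6 drop
    }
    # input: container -> the runner host's own local addresses
    chain input {
        type filter hook input priority 0; policy accept;
        # keep IPv6 neighbour discovery working on the bridge
        iifname "$iface" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        iifname "$iface" ip daddr @local4 drop
        iifname "$iface" ip6 daddr @local6 drop
    }
}
EOF
}
```

A drop verdict in nftables is final across tables, so these rules hold regardless of what Docker's own rules accept. If the containers' DNS resolver sits on the local network, they are cut off from it as well.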