[libre-riscv-dev] [Bug 190] Setup Gitlab CI Runner for Kazan on a computer

bugzilla-daemon at libre-riscv.org bugzilla-daemon at libre-riscv.org
Fri Feb 28 23:39:36 GMT 2020


http://bugs.libre-riscv.org/show_bug.cgi?id=190

--- Comment #3 from Jacob Lifshay <programmerjake at gmail.com> ---
(In reply to Cole Poirier from comment #0)
> > Jacob: "I can install Debian on it and give you a user account if I can get
> your public SSH key."
> 
> Sounds good. Should I email the key to you, or put it on here?

email it to me. Make sure you send me the id_rsa.pub and NOT the id_rsa, since
id_rsa is the private key which allows anyone who has it to impersonate you.

> Additionally,
> is all that is needed to run "ssh-keygen -o" and complete the interactive
> steps? (Following the process here:
> https://www.keycdn.com/support/create-ssh-key).

All you need is to run "ssh-keygen -o" and follow the prompts.
You should use a non-blank passphrase when you set up your SSH key, since that
makes it harder for someone who somehow obtained your private key to
impersonate you, since they then have to guess your passphrase before they can
use it.

> 
> > Jacob: "You would have to connect to the server using SSH over Tor, since I
> don't have a publicly accessible IP address."
> 
> >> Luke: "I have openvpn installed and a braindead script for manually joining new devices. I can set that up very quickly, it may be easier than tor?"
> 
> Jacob and Luke, which option is preferable? SSH over tor or openvpn?

OpenVPN is preferred, I just have to research how to set that up first.

> > Jacob: "One requirement is to have GitLab set up such that we have to give
> people explicit permission before they can run anything on it, since
> I'm running it on my home network and I don't want to deal with abuse."
> 
> So to be clear, we will be using ssh over (see above) as well as an explicit
> request-permission grant system, for the actual running of tests/submission
> of jobs? Perhaps this permissions functionality for running CI jobs already
> exists in gitlab? I will find out once I read the installation docs.

SSH is used for you to run commands on the computer in order to do initial
setup. GitLab has a different system that will run automatically once it's set
up.

The permission system is totally separate -- on Debian Salsa itself -- probably
the Developer permission.

> > Jacob: "We can check with Luke what he thinks about how much money should be
> assigned to this task, since this is more of a nice-to-have rather
> than a requirement. I'm thinking maybe EUR 100 at most, and if it
> looks like it's going to take longer than that, we should just give
> up, since it's not that important."
> 
> I am interested in doing this nice to have. I don’t think a budget should be
> assigned to it, I’m happy to do this to help out and learn.

:)

> Jacob: "Since this is more of a sys-admin job rather than a Rust programming
> job, it may not be quite what you were hoping for. There will
> definitely be Rust programming jobs later."
> 
> Perfectly okay, I'm here to help in any way I can. Looking forward to doing
> some rust when the time comes :-)
> 
> Jacob: "Some additional requirements: Docker should be used as the backend
> runner."
> 
> Does it have to be docker, or can we use podman? Am I correct in my
> understanding that podman is the linux container utility?

I'm not familiar with podman, I just know that Docker is supported as a backend
and is what I'm currently using to run CI jobs on GitHub Actions. Also, Docker
has some degree of isolation to make it harder to intentionally/accidentally
mess up the server whereas some of the other GitLab Runner backends may not.

> Jacob: "It should be set up to block outgoing connections from the runners to
> any local addresses (192.168.x.x, 10.x.x.x, etc.) Don't forget IPv6. If
> possible, can you build a bash script that will install and set everything
> up from a fresh install of Debian, that way, it will be easier to recover
> from a corrupted system, install it on more computers, and publicly document
> the setup. Installation instructions here:
> https://docs.gitlab.com/12.8/runner/install/".
> 
> Yes, setting this up as a bash script sounds like an excellent idea, will be
> great for when something goes bad. With regard to all of the security and
> network configuration, it will most likely take me many tries to get right,
> so I'll be posting here for feedback on my configuration from time to time.
> And I assume both you and Luke will do a review to make sure I've set
> everything up so we don't get abused.

I will try my best :)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
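An added example, not code from this bug or from the project's own setup
script, covering the two checks discussed in the comment above: that the file
being emailed is the public half of the key and that the private half really
has a passphrase (ssh-keygen -o as described above is still how the key is
made), and the iptables/ip6tables rules that stop runner containers from
reaching the home LAN, link-local and loopback ranges on both IPv4 and IPv6,
with a pure-shell check that the IPv4 list covers a given address. The bridge
name docker0, the optional LAN resolver argument, the range lists and every
function name are assumptions for illustration.

```shell
#!/bin/sh
# Added example helpers for a CI-host setup script (not the project's script).
# Assumptions: bridge name docker0, the blocked range lists below, and the
# optional LAN resolver argument; all names here are illustrative.

# --- SSH key hygiene ---------------------------------------------------------

# Exit 0 only if FILE starts like an OpenSSH *public* key (the file to email).
# A private key starts with "-----BEGIN OPENSSH PRIVATE KEY-----" and exits 1.
ssh_pubkey_ok() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the private key at FILE cannot be loaded with an empty passphrase,
# i.e. it really has one. ssh-keygen -y prints the public key on success,
# so success here means the key is unprotected. Needs ssh-keygen installed.
ssh_key_has_passphrase() {
    [ -r "$1" ] || return 1
    ! ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# --- Runner egress policy ----------------------------------------------------

# Destinations a CI container must never open a connection to: RFC 1918,
# link-local, loopback, and their IPv6 counterparts (ULA, link-local, ::1).
BLOCKED_V4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8"
BLOCKED_V6="fc00::/7 fe80::/10 ::1/128"

# Print the iptables/ip6tables commands for containers attached to BRIDGE
# (default docker0); run the output through "sudo sh" *after* dockerd is up.
# Docker creates DOCKER-USER at startup, consults it before its own FORWARD
# rules, and ends it with a RETURN rule, so policy must be -I (inserted) at the
# top; -A would land behind the RETURN and never match.
emit_runner_firewall() {
    local br="${1:-docker0}" dns="${2:-}" cidr
    for cidr in $BLOCKED_V4; do
        echo "iptables -I DOCKER-USER -i $br -d $cidr -j REJECT --reject-with icmp-admin-prohibited"
    done
    for cidr in $BLOCKED_V6; do
        echo "ip6tables -I DOCKER-USER -i $br -d $cidr -j REJECT --reject-with icmp6-adm-prohibited"
    done
    # Bridged container-to-container traffic also traverses FORWARD, and the
    # bridge subnet itself lies inside 172.16.0.0/12: hand that case back to
    # Docker's own icc policy. Inserted after the rejects, so evaluated first.
    echo "iptables -I DOCKER-USER -i $br -o $br -j RETURN"
    # Connections to the host itself go through INPUT, not FORWARD.
    echo "iptables -I INPUT -i $br -j REJECT --reject-with icmp-admin-prohibited"
    echo "ip6tables -I INPUT -i $br -j REJECT --reject-with icmp6-adm-prohibited"
    # If jobs must use a resolver on the LAN, allow exactly that, port 53 only.
    if [ -n "$dns" ]; then
        echo "iptables -I DOCKER-USER -i $br -d $dns -p udp --dport 53 -j RETURN"
        echo "iptables -I DOCKER-USER -i $br -d $dns -p tcp --dport 53 -j RETURN"
    fi
}

# --- Offline sanity check of the IPv4 list -----------------------------------

# "a.b.c.d" -> 32-bit integer, shell arithmetic only.
ipv4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr_v4 IP CIDR: exit 0 if IP lies inside CIDR.
in_cidr_v4() {
    local ip net bits mask
    ip=$(ipv4_to_int "$1")
    net=$(ipv4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dst_blocked_v4 IP: exit 0 if the rules above would reject a connection to IP.
# Use it to confirm a LAN address is covered before trusting the rule set.
dst_blocked_v4() {
    local cidr
    for cidr in $BLOCKED_V4; do
        in_cidr_v4 "$1" "$cidr" && return 0
    done
    return 1
}
```

Sourced from the setup script, "ssh_pubkey_ok ~/.ssh/id_rsa.pub" is the check
to run before attaching a key to a mail, and "emit_runner_firewall docker0 |
sudo sh" applies the policy. The rules are not persistent: re-run them from a
systemd unit ordered after docker.service, or save them with
iptables-persistent. Two things they cannot cover: a job run with
privileged = true or network_mode = "host" in the runner's [runners.docker]
section sits outside docker0 entirely, so both should stay at their defaults,
and the IPv6 list is only emitted, not checked offline.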