Skip to content

Get secure GitLab runner

We want to eventually be able to make secure deployments via GitLab CI. In order to do that, we'll need a secure GitLab CI runner in our control. The idea is this:

Have runner1.archlinux.org and runner2.archlinux.org be insecure runners. That is they run any and all code from outside contributors. They are therefore inherently unsafe even despite running in Docker. What if someone found a redpill exploit? Also, runner1.archlinux.org is hosted by PIA and runner2.archlinux.org is hosted by packet.net and we consider both to be outside of our direct control.

The need for a secure-runner1.archlinux.org therefore arises. We want a bare-metal box for this as we want the possibility to build KVM images for instance which need direct hardware support.

Plan:

  1. Order need medium-sized box from Hetzner.
  2. Put Arch on it.
  3. Put GitLab runner on it.
  4. Add this runner to our GitLab.
  5. DO NOT configure the runner to be a publicly available runner. Instead, tag it with "secure" and only allow it to be run on certain hand-picked branches and projects. The DevOps team is responsible for handpicking these trusted projects.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information