[tor-project] GitLab Runner updates
Antoine Beaupré
anarcat at torproject.org
Thu Jun 16 13:55:35 UTC 2022
Hello!
We're making changes to the GitLab CI infrastructure you should know
about. TL;DR: new OSUOSL runners, tags are now lowercase, clarification
on the "tpa" tag.
First, we're adopting a few CI runners provided by the good people at
OSUOSL. Two new amd64 runners are joining the fleet and will be
executing untagged jobs across our instance. This should help relieve
the pressure on our existing runners, specifically related to delays in
job processing when large simulations would run.
In addition, we also gain three new runners running on arm64, ppc64le
and s390x architectures, again from OSUOSL.
Secondly, we've updated the tags on our existing runners in order for
both TPA and OSUOSL runners to improve consistency. In short, we've
lower-cased the former "Linux" and "TPA" tags, which are now "linux" and
"tpa". If you have CI jobs with the old uppercase tags, please make sure
to update your .gitlab-ci.yml files. Also refer to the CI documentation
for further details on the available tags:
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/ci#runner-tags
Finally, note that the OSUOSL runners are *not* marked "tpa", because we
do not manage the underlying virtual machines. In that sense they are
slightly less "trusted" because we do not control the runner's
configuration, so if you want to limit certain jobs to those "trusted"
runners, be sure to limit your jobs to the `tpa` tag.
In general, you shouldn't really *trust* GitLab or GitLab CI for
anything else than running tests. Builds should be verified out of band
with reproducible builds. You can reproduce a local GitLab CI
environment by installing gitlab-runner and executing jobs locally,
without having to trust the entire GitLab installation or foreign
runners. As a reminder, it is your responsibility to ensure the
integrity of your code and artifacts, see those links for a further
discussion:
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#git-repository-integrity-solutions
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git#security-concerns
This work was done as part of this ticket:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40780
Feedback is welcome there, but new issues should probably be reported in
a new ticket. In any case, let us know if anything seems off.
A.
PS: Note that those runners are not *yet* online, but we expect them to
become live within a few days. The above ticket will be updated when
that happens.
--
Antoine Beaupré
torproject.org system administration
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20220616/b33693d6/attachment.sig>
More information about the tor-project
mailing list