gitlab
gitlab-runner
The role of gitlab-runner is to run unit tests (among other things) based on the configuration of the gitlab repository, and to report the results of the unit tests back to gitlab.
So if the environment in which we run the unit tests is macos, we need to install gitlab-runner on a macos host; if we run the unit tests on ubuntu, we need to install gitlab-runner on an ubuntu host.
After gitlab-runner is installed, you need to register it with gitlab, so that gitlab can initiate remote calls to it. The registration command is as follows:
sudo gitlab-runner register --url https://yourGitLab.ServerDomainName.com --registration-token yourGitLabToken
However, for security reasons, if the certificate of our gitlab server cannot be verified by the host that will run the unit tests, registering the runner fails with the following error:
x509: certificate signed by unknown authority
At this point, we need to manually provide a valid certificate when running the registration command.
solution
The official gitlab website explains this issue specifically. Roughly, it says that we need to manually specify the relevant certificate for each site we register with.
When a site is accessed over https, the browser automatically downloads the certificate for us and verifies it using CA certificates, but gitlab-runner will not, so we need to help it manually.
Although the official gitlab documentation gives several solutions, experiments have shown that the easiest one is to register the downloaded certificate with the operating system.
Proceed as follows:
Get a certificate
If you applied for the certificate of the website running the gitlab service yourself, then you already have a crt certificate and can skip this step and read on.
If we do not know the certificate of the current site, we can use openssl to obtain the server's crt certificate. This operation can be performed on the test machine running gitlab-runner, or on our own computer:
# Replace gitlab.example.com:443 with your own domain name and port,
# and gitlab.example.com.crt with your own file name.
openssl s_client -showcerts -connect gitlab.example.com:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM > ~/gitlab.example.com.crt
If you don't want to type commands, you can also get it with the help of a browser. Take macos as an example:
At this point we have a file in cer format, which we then convert to pem format.
Double-click the certificate file to add it to the keychain:
Find it in the keychain, right-click and export:
Select pem as the format.
Finally, change the extension from .pem directly to .crt.
Either way, what we need is the crt certificate installed on the gitlab site.
Register the certificate
Suppose we have obtained the certificate of the relevant site by following the previous step, and uploaded it to the machine running gitlab-runner.
ubuntu
Below, we take the ubuntu operating system as an example to show how to install this certificate globally into the operating system.
$ sudo apt-get install -y ca-certificates
$ sudo cp gitlab.example.com.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
The full log is as follows:
yunzhi@yunzhi-virtual-machine:/etc/ca-certificates$ sudo apt-get install -y ca-certificates
[sudo] password for yunzhi:
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20210119~20.04.2).
0 upgraded, 0 newly installed, 0 to remove and 160 not upgraded.
yunzhi@yunzhi-virtual-machine:~$ sudo cp gitlab.example.com.crt /usr/local/share/ca-certificates/
yunzhi@yunzhi-virtual-machine:/usr/local/share/ca-certificates$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping DigiCert-Global-Root-CA.pem,it does not contain exactly one certificate or CRL
1🥰 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
The line marked 🥰 is the key: it indicates that 1 certificate has been added successfully.
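As an added example (not part of the original article), the script below is a pre-flight check for the copy step above: it confirms that the file is named .crt, holds exactly one certificate and no private key, and matches a SHA-256 fingerprint obtained out of band, since a certificate fetched with openssl s_client arrives over the very connection that is not yet trusted. The function names and the sample file are assumptions; the sample holds stand-in bytes, not a real certificate.

```shell
#!/bin/sh
# Added example: checks to run before copying a certificate into
# /usr/local/share/ca-certificates/. Function names are hypothetical.

# SHA-256 over the DER bytes of the first certificate in a PEM file: the digest
# `openssl x509 -noout -fingerprint -sha256` reports, as lowercase hex, no colons.
pem_sha256() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q' | grep -v -- '-----' |
        tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# Returns 0 only if the file is fit for update-ca-certificates and is the
# certificate we expect. $2 is a fingerprint obtained out of band.
check_cert_for_trust_store() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # update-ca-certificates only picks up files whose name ends in .crt
    case "$file" in
        *.crt) ;;
        *) echo "$file: extension is not .crt" >&2; return 1 ;;
    esac
    # rehash skips files without exactly one certificate (see the log above)
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    [ "$count" -eq 1 ] || { echo "$file: $count certificates, want 1" >&2; return 1; }
    # a file destined for the trust store should hold no private key
    if grep -q -- 'PRIVATE KEY-----' "$file"; then
        echo "$file: contains a private key" >&2; return 1
    fi
    actual=$(pem_sha256 "$file")
    [ "$actual" = "$expected" ] || { echo "$file: fingerprint $actual does not match" >&2; return 1; }
}

# Constructed sample so the script runs offline: stand-in bytes, not a real certificate.
demo_dir=$(mktemp -d)
demo_crt="$demo_dir/gitlab.example.com.crt"
{
    echo '-----BEGIN CERTIFICATE-----'
    printf 'constructed stand-in DER' | base64
    echo '-----END CERTIFICATE-----'
} > "$demo_crt"
demo_fp=$(printf 'constructed stand-in DER' | sha256sum | cut -d' ' -f1)

if check_cert_for_trust_store "$demo_crt" "$demo_fp"; then
    echo "fingerprint matches: safe to copy $demo_crt into the trust store"
fi
```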
freebsd
Registering the certificate on freebsd is relatively simple: just put the crt file in /usr/local/share/certs/:
root@freebsd-jdk8:/home/panjie # cp yourdomain.crt /usr/local/share/certs/
register runner
After the certificate is added, the registration can be completed automatically using the certificate:
yunzhi@yunzhi-virtual-machine:~$ sudo gitlab-runner register
Runtime platform arch=amd64 os=linux pid=813430 revision=f188edd7 version=14.9.1
Running in system-mode.
Enter the GitLab instance URL (for example, https://gitlab.com/):
https://gitlab.example.com:8888/
Enter the registration token:
yourGitLabTokenHere
Enter a description for the runner:
[yunzhi-virtual-machine]: ubuntu
Enter tags for the runner (comma-separated):
Enter optional maintenance note for the runner:
Registering runner... succeeded runner=GR134894
Enter an executor: docker-ssh+machine, kubernetes, custom, docker, parallels, ssh, docker-ssh, shell, virtualbox, docker+machine:
At this point the gitlab-runner x509 error has been successfully resolved.
After registration, don't forget to run gitlab-runner start 🙂.
git clone
When gitlab-runner runs unit tests, it must first perform a git clone https://xxx operation. When our certificate is not recognized (internal host), the following errors occur:
fatal: unable to access 'https://xxxxx.xxx.xxx/yunzhiclub/smart-community.git/': Problem with the SSL CA cert (path? access rights?)
fatal: unable to access 'https://xxx.xxx.xxx/yunzhiclub/smart-community.git/': error setting certificate verify locations: CAfile: /home/gitlab-runner/builds/c_SqAx1t/0/yunzhiclub/smart-community.tmp/CI_SERVER_TLS_CA_FILE CApath: none
At this point, you can disable the ssl check in the git clone process by setting the environment variable GIT_SSL_NO_VERIFY to the value true.
HTTPS principle and communication process
gitlab official website: Self-signed certificates or custom Certification Authorities
Ubuntu official: Installing a root CA certificate in the trust store
Disable git's ssl verification