| Property | Value |
|---|---|
| Host VM | VM-SL-41 |
| Compose path | — (no compose; long-running docker run started at 2026-01-14, restart=always) |
| Image | `gitlab/gitlab-runner:latest` (a866609c6e56, pulled ~3 months ago) |
| Container name(s) | gitlab-runner |
| External URL | — (no UI; long-poll outbound to https://git.blackreset.com) |
| Networks | Default Docker bridge. Outbound only — no host port published. |
| DB / state | Anonymous Docker volume 6d789f21… mounted as /etc/gitlab-runner/ (holds config.toml runtime copy + runner-system-id). The authoritative copy is at /opt/gitlab-runner/config/config.toml on the host (bind-mounted into the container). |
| Auth | Runner registration token in config.toml (runner ID 6, token expires never — 0001-01-01T00:00:00Z). No interactive UI auth. |
| Backup | PBS image-level via VM-SL-41 (covers /opt/gitlab-runner/config/). |
Executes pipelines for all GitLab projects under https://git.blackreset.com that target a Home runner. Historic project IDs that ran here (visible from cached volume names): 11, 58, 75, 117, 118, 133, 134, 135, 136, 137, 138, 140, 141 — i.e. the website/, dummy/, alexanderkorff/, io/, ink/ groups in reg.git.blackreset.com:443.
Single docker-executor runner, concurrent = 1 — one job at a time. Each job spawns a new container from image: alpine:latest (or whatever the .gitlab-ci.yml requests; allowed_images = ["*:*"]), with pull_policy = "if-not-present", cpus = 2, memory = 4g, memory_swap = 4g, image_pull_timeout = 3600. The job container is started with privileged = true and bind-mounts /var/run/docker.sock from the host, so any pipeline step can drive the host Docker daemon and spawn sibling containers (Docker socket binding, loosely called the DinD pattern). On completion the job container is removed; the runner cache volume runner-<token>-project-<id>-concurrent-0-cache-<hash> is reused on subsequent runs of the same project.
/opt/gitlab-runner/config/config.toml (excerpt):

```toml
concurrent = 1
check_interval = 0
shutdown_timeout = 0

[[runners]]
  name = "VM-SL-41"
  url = "https://git.blackreset.com"
  id = 6
  token = "<REDACTED — see .secrets/credentials.env>"
  token_obtained_at = 2024-09-16T14:25:26Z
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "alpine:latest"
    privileged = true
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    pull_policy = "if-not-present"
    cpus = "2"
    memory = "4g"
    memory_swap = "4g"
    allowed_images = ["*:*"]
```
No certs in [runners.docker] — tls_verify = false is acceptable here: inside [runners.docker] it only governs TLS to the Docker daemon, and this runner reaches the daemon over the local Docker socket rather than TCP. The runner's own HTTPS connection to https://git.blackreset.com (own CA-signed cert) is not affected by this setting.
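The settings flagged on this page (privileged job containers, the host Docker socket bind-mount, the allowed_images wildcard and the unpinned default image) can be checked mechanically whenever config.toml is edited. The script below is an added example written for this runbook, not part of gitlab-runner; it assumes the [[runners]] / [runners.docker] layout of the excerpt above and a Python with tomllib (3.11+) or the tomli backport. SAMPLE_CONFIG is a constructed copy of the excerpt with a placeholder token (the real file has the token quoted as a TOML string).

```python
"""Audit a gitlab-runner config.toml for the risky docker-executor settings noted above.

Added example for this runbook; it is not part of gitlab-runner. It assumes the
[[runners]] / [runners.docker] layout shown in the excerpt. SAMPLE_CONFIG is a
constructed copy of that excerpt with a placeholder token.
"""
import sys

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Constructed sample mirroring the excerpt on this page; the token is a placeholder.
SAMPLE_CONFIG = """\
concurrent = 1
check_interval = 0
shutdown_timeout = 0

[[runners]]
  name = "VM-SL-41"
  url = "https://git.blackreset.com"
  id = 6
  token = "PLACEHOLDER-RUNNER-TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "alpine:latest"
    privileged = true
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    pull_policy = "if-not-present"
    allowed_images = ["*:*"]
"""


def audit_runner(runner: dict) -> list:
    """Return one finding string per risky setting in a single [[runners]] entry."""
    findings = []
    name = runner.get("name", "<unnamed>")
    docker = runner.get("docker", {})

    if docker.get("privileged", False):
        findings.append(f"{name}: privileged = true (job container is root-equivalent on the host)")

    for vol in docker.get("volumes", []):
        # Volume specs are host:container[:mode]; only the host side matters here.
        if vol.split(":")[0] == "/var/run/docker.sock":
            findings.append(f"{name}: host Docker socket bind-mounted ({vol})")

    # Unset allowed_images means "any image", same as the wildcard.
    allowed = docker.get("allowed_images")
    if not allowed or any(a in ("*", "*:*") for a in allowed):
        findings.append(f"{name}: allowed_images = {allowed!r} lets jobs request any image")

    image = docker.get("image", "")
    if image and (":" not in image or image.endswith(":latest")):
        findings.append(f"{name}: default job image {image!r} is not pinned")

    return findings


def audit_config(text: str) -> list:
    """Parse config.toml text and audit every [[runners]] entry."""
    cfg = tomllib.loads(text)
    findings = []
    for runner in cfg.get("runners", []):
        findings.extend(audit_runner(runner))
    return findings


if __name__ == "__main__":
    # Usage: python audit_runner_config.py /opt/gitlab-runner/config/config.toml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = audit_config(text)
    for finding in findings:
        print("FINDING:", finding)
    print(f"{len(findings)} finding(s)")
```

Run against the current config.toml this reports all four items; a config with privileged = false, no docker.sock volume, a pinned image and an explicit allowed_images list reports none. It deliberately does not judge tls_verify, for the reason given above.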
No host port published. Outbound HTTPS long-poll to https://git.blackreset.com over the site-to-site VPN to RZ. Inbound only via SSH for ops.
Pipeline steps inherit GitLab CI variables (which include CI_REGISTRY_USER / CI_REGISTRY_PASSWORD for pulling from reg.git.blackreset.com:443). No additional runner-level auth.
State on disk:
- /opt/gitlab-runner/config/config.toml — runner registration
- /opt/gitlab-runner/config/.runner_system_id — durable runner identity
- /opt/gitlab-runner/config/certs/ — empty (no custom CA bundle in use)
- 6d789f21… — /etc/gitlab-runner/ runtime copy
- runner-*-cache-* volumes (≈ 837 MB) — leftover CI caches from expired runner tokens (8 volumes from 4 old tokens) + stale project IDs (26 volumes); listed in the SL-41 protocol P-03 for per-volume cleanup confirmation.

PBS image-level via VM-SL-41 covers /opt/gitlab-runner/config/. Cache volumes are not state — they are regenerated by the next pipeline run. The runner registration token in config.toml cannot be regenerated without re-registering the runner on git.blackreset.com → Admin → CI/CD → Runners (which changes the runner ID and invalidates the cached volume names).
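Because the cache volume names encode the token and project ID, the P-03 cleanup list can be generated rather than eyeballed. The script below is an added example for this runbook (not part of gitlab-runner). It assumes the runner-<token>-project-<id>-concurrent-<n>-cache-<hash> layout described above, takes the token component as it appears in a current volume name, and reads the live list with `docker volume ls --filter name=runner-`; SAMPLE_VOLUMES is a constructed list with placeholder tokens and hashes. It only prints `docker volume rm` commands and deletes nothing, since P-03 calls for per-volume confirmation.

```python
"""Classify runner-*-cache-* Docker volumes as keep / stale-token / stale-project.

Added example for this runbook, not part of gitlab-runner. It assumes the volume
name layout runner-<token>-project-<id>-concurrent-<n>-cache-<hash> described
above. Stale volumes are only listed as `docker volume rm` commands; nothing is
removed here, because P-03 confirms each volume by hand.
"""
import re
import subprocess
import sys

VOLUME_RE = re.compile(
    r"^runner-(?P<token>.+?)-project-(?P<project>\d+)"
    r"-concurrent-(?P<slot>\d+)-cache-(?P<hash>[0-9a-f]+)$"
)

# Constructed sample of `docker volume ls` output; tokens and hashes are placeholders.
SAMPLE_VOLUMES = """\
runner-CURTOK-project-11-concurrent-0-cache-aaaaaaaaaaaaaaaa
runner-CURTOK-project-58-concurrent-0-cache-bbbbbbbbbbbbbbbb
runner-CURTOK-project-999-concurrent-0-cache-cccccccccccccccc
runner-OLDTOK1-project-11-concurrent-0-cache-dddddddddddddddd
runner-OLDTOK2-project-75-concurrent-0-cache-eeeeeeeeeeeeeeee
some-unrelated-volume
"""


def classify(names, current_token, active_projects):
    """Map each volume name to keep / stale-token / stale-project / unrecognised."""
    result = {}
    for name in names:
        m = VOLUME_RE.match(name)
        if m is None:
            result[name] = "unrecognised"    # not a runner cache volume; leave alone
        elif m["token"] != current_token:
            result[name] = "stale-token"     # left over from an expired runner token
        elif int(m["project"]) not in active_projects:
            result[name] = "stale-project"   # project no longer runs on this runner
        else:
            result[name] = "keep"
    return result


def removal_commands(result):
    """Return `docker volume rm` lines for stale volumes, for manual confirmation."""
    return [f"docker volume rm {name}" for name, state in sorted(result.items())
            if state in ("stale-token", "stale-project")]


def list_volumes():
    """Live volume list; needs access to the host Docker socket."""
    out = subprocess.run(
        ["docker", "volume", "ls", "--filter", "name=runner-", "--format", "{{.Name}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.split()


if __name__ == "__main__":
    # Usage: python classify_cache_volumes.py <current-token-part> <project-id>...
    # Without arguments the constructed sample is classified instead of the live list.
    if len(sys.argv) > 2:
        names, token = list_volumes(), sys.argv[1]
        projects = {int(p) for p in sys.argv[2:]}
    else:
        names, token, projects = SAMPLE_VOLUMES.split(), "CURTOK", {11, 58}
    result = classify(names, token, projects)
    for name, state in sorted(result.items()):
        print(f"{state:14} {name}")
    print("\n".join(removal_commands(result)))
```

The active project set is the list of IDs that still target this runner; after a re-registration the token component changes, so every pre-existing cache volume becomes stale-token, which matches the note above that re-registering invalidates the cached volume names.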
Ops:
- Logs: `docker logs --tail 50 gitlab-runner`
- Restart: `docker restart gitlab-runner` (config picked up automatically)
- Edit config: `sudoedit /opt/gitlab-runner/config/config.toml`, then `docker restart gitlab-runner` — the runner's long-polling resumes
- Re-register: git.blackreset.com → Admin → Runners, then `docker exec -it gitlab-runner gitlab-runner register`
- List cache volumes: `docker volume ls --filter name=runner-`

Risks / open items:
- privileged = true + /var/run/docker.sock bind-mount: any CI job can root the host. Acceptable for a single-tenant homelab CI but should be explicitly noted (P-09 on VM-SL-41).
- :latest for gitlab/gitlab-runner — should be pinned to a major.minor for reproducibility.
- MaxUploadedArchiveSize = 0 — unbounded archive uploads to GitLab. A misbehaving job could fill /var/lib/docker quickly.
- Missing log-rotation policy in /etc/docker/daemon.json on the host — verbose CI stdout would refill the disk on a long pipeline (P-02 on VM-SL-41, lesson learned from VM-SL-40).
- runner-*-cache-* Docker volumes from old tokens / stale project IDs (≈ 837 MB) accumulating because cache cleanup is not wired up in CI (P-03 on VM-SL-41).

Runners registered on git.blackreset.com:
- Runner ID 6 on vm-sl-41 → re-tagged: home, stage, docker, vm-sl-41, legacy.
- New HM runner (planned): vm-hm-app-prod-01 — token in .secrets/credentials.env::GITLAB_RUNNER__VM_HM_APP_PROD_01.

RZ runners (see services/gitlab-runners-rz):
- vm-rz-app-prod-01 (tags: rz, prod, docker, vm-rz-app-prod-01, heavy)
- vm-rz-app-stage-01 (tags: rz, stage, docker, vm-rz-app-stage-01, builder)