• Prerequisites
• Installing GitLab Runner
  • APT pinning
• Upgrade GitLab Runner
• GPG signatures for package installation
  • Repository metadata signing
  • Packages signing
    • RPM-based distributions
    • DEB-based distributions
    • Current GPG public key
    • Previous GPG public keys
• Manually download packages
• Disable skel

Install GitLab Runner using the official GitLab repositories

We provide packages for the following supported versions of Linux distributions with packagecloud. New runner deb or rpm packages for new OS distribution releases are added automatically when supported by packagecloud. Depending on your setup, other deb or rpm based distributions may also be supported. This refers to distributions that are derivative of a supported GitLab Runner distribution and that have compatible package repositories. For example, Deepin is a Debian derivative, so the runner Debian package should install and run on Deepin. You may also be able to install GitLab Runner as a binary on other Linux distributions.

Prerequisites

If you want to use the Docker executor, make sure to install Docker before using GitLab Runner. Read how to install Docker for your distribution.

Installing GitLab Runner

To install GitLab Runner:

1. Add the official GitLab repository:

   For Debian/Ubuntu/Mint:

   curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
   

   For RHEL/CentOS/Fedora:

   curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
   

   Debian users should use APT pinning.

2. Install the latest version of GitLab Runner, or skip to the next step to install a specific version:

   Starting with GitLab Runner 14.0 the skel directory usage is disabled by default to prevent No such file or directory job failures

   For Debian/Ubuntu/Mint:

   sudo apt-get install gitlab-runner
   

   For RHEL/CentOS/Fedora:

   sudo yum install gitlab-runner
   

   A FIPS 140-2 compliant version of GitLab Runner is available for RHEL distributions. You can install this version by using gitlab-runner-fips as the package name, instead of gitlab-runner.

3. To install a specific version of GitLab Runner:

   For DEB based systems:

   apt-cache madison gitlab-runner
   sudo apt-get install gitlab-runner=16.5.0
   

   For RPM based systems:

   yum list gitlab-runner --showduplicates | sort -r
   sudo yum install gitlab-runner-16.5.0-1
   

4. Register a runner.

After completing the step above, a runner should be started and be ready to be used by your projects!

Make sure that you read the FAQ section which describes some of the most common problems with GitLab Runner.

APT pinning

A native package called gitlab-ci-multi-runner is available in Debian Stretch. By default, when installing gitlab-runner, that package from the official repositories will have a higher priority.

If you want to use our package, you should manually set the source of the package. The best way is to add the pinning configuration file.

If you do this, the next update of the GitLab Runner package - whether it will be done manually or automatically - will be done using the same source:

cat <<EOF | sudo tee /etc/apt/preferences.d/pin-gitlab-runner.pref
Explanation: Prefer GitLab provided packages over the Debian native ones
Package: gitlab-runner
Pin: origin packages.gitlab.com
Pin-Priority: 1001
EOF

Upgrade GitLab Runner

To install the latest version of GitLab Runner:

For Debian/Ubuntu/Mint:

sudo apt-get update
sudo apt-get install gitlab-runner

For RHEL/CentOS/Fedora:

sudo yum update
sudo yum install gitlab-runner

GPG signatures for package installation

To increase user’s confidence about installed software, the GitLab Runner project provides two types of GPG signatures for the package installation method: repository metadata signing and package signing.

Repository metadata signing

To verify that the package information downloaded from the remote repository can be trusted, the package manager uses repository metadata signing.

The signature is verified when you use a command like apt-get update, so the information about available packages is updated before any package is downloaded and installed. Verification failure should also cause the package manager to reject the metadata. This means that you cannot download and install any package from the repository until the problem that caused the signature mismatch is found and resolved.

GPG public keys used for package metadata signature verification are installed automatically on first installation done with the instructions above. For key updates in the future, existing users need to manually download and install the new keys.

We use one key for all our projects hosted under https://packages.gitlab.com. You can find the details about the currently used key and technical description of how to update the key when needed in the Linux package documentation. This documentation page lists also all keys used in the past.

Packages signing

Repository metadata signing proves that the downloaded version information originates at https://packages.gitlab.com. It does not prove the integrity of the packages themselves. Whatever was uploaded to https://packages.gitlab.com - authorized or not - will be properly verified until the metadata transfer from repository to the user was not affected.

This is where packages signing comes in.

With package signing, each package is signed when it’s built. So until you can trust the build environment and the secrecy of the used GPG key, the valid signature on the package will prove that its origin is authenticated and its integrity was not violated.

Packages signing verification is enabled by default only in some of the DEB/RPM based distributions, so users wanting to have this kind of verification may need to adjust the configuration.

GPG keys used for packages signature verification can be different for each of the repositories hosted at https://packages.gitlab.com. The GitLab Runner project uses its own key pair for this type of the signature.

RPM-based distributions

The RPM format contains a full implementation of GPG signing functionality, and thus is fully integrated with the package management systems based upon that format.

You can find the technical description of how to configure package signature verification for RPM-based distributions in the Linux package documentation. The GitLab Runner differences are:

• The public key package that should be installed is named gpg-pubkey-35dfa027-60ba0235.

• The repository file for RPM based distributions will be named /etc/yum.repos.d/runner_gitlab-runner.repo (for the stable release) or /etc/yum.repos.d/runner_unstable.repo (for the unstable releases).

• The package signing public key can be imported from https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg.

DEB-based distributions

The DEB format does not officially contain a default and included method for signing packages. The GitLab Runner project uses dpkg-sig tool for signing and verifying signatures on packages. This method supports only manual verification of packages.

1. Install dpkg-sig

    apt-get update && apt-get install dpkg-sig
   

2. Download and import the package signing public key

    curl -JLO "https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg"
    gpg --import runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg
   

3. Verify downloaded package with dpkg-sig

    dpkg-sig --verify gitlab-runner_amd64.deb
    Processing gitlab-runner_amd64.deb...
    GOODSIG _gpgbuilder 931DA69CFA3AFEBBC97DAA8C6C57C29C6BA75A4E 1623755049
   

   Verification of package with invalid signature or signed with an invalid key (for example a revoked one) will generate an output similar to:

    dpkg-sig --verify gitlab-runner_amd64.deb
    Processing gitlab-runner_amd64.deb...
    BADSIG _gpgbuilder
   

   If the key is not present in the user’s keyring, the output will be similar to:

    dpkg-sig --verify gitlab-runner_amd64.v13.1.0.deb
    Processing gitlab-runner_amd64.v13.1.0.deb...
    UNKNOWNSIG _gpgbuilder 880721D4
   

Current GPG public key

The current public GPG key used for packages signing can be downloaded from https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg.

Previous GPG public keys

Keys used in the past can be found in the table below.

For keys that were revoked it’s highly recommended to remove them from package signing verification configuration.

Signatures made by these keys should not be trusted anymore.

Manually download packages

You can manually download and install the packages if necessary.

Disable skel

Sometimes the default skeleton (skel) directory causes issues for GitLab Runner, and it fails to run a job.

In GitLab Runner 12.10 we’ve added support for a special variable - GITLAB_RUNNER_DISABLE_SKEL - that when set to true is preventing usage of skel when creating the $HOME directory of the newly created user.

Starting with GitLab Runner 14.0 GITLAB_RUNNER_DISABLE_SKEL is being set to true by default.

If for any reason it’s needed that skel directory will be used to populate the newly created $HOME directory, the GITLAB_RUNNER_DISABLE_SKEL variable should be set explicitly to false before package installation. For example:

For Debian/Ubuntu/Mint:

export GITLAB_RUNNER_DISABLE_SKEL=false; sudo -E apt-get install gitlab-runner

For RHEL/CentOS/Fedora:

export GITLAB_RUNNER_DISABLE_SKEL=false; sudo -E yum install gitlab-runner