Question

I'm setting up a GitLab server in my company and now I'm adding GitLab CI to it.

Before start this task I'd like to understand if there are any disadvantages running my runners on the same server used by GitLab and GitLab CI.

I've read that there are security concerns but we use it only internally so I don't think this could be a problem.

Am I missing something?


Solution

Imagine the following situations:

  • An internal developer wants to harm the company (because he considers himself underpaid, because his boss sleeps with his wife; the reason doesn't matter). He commits a unit test which, when run, instead of testing the application, searches for the GitLab repository and erases it. At the next commit, surprise, all source code of the project is lost (but you do backups and you tested them, right?)

  • Or the same developer notices that backups of the repository are configured on the same machine. He changes this configuration through a unit test, so that the backup contains now a different repository, and waits for a month—the time the backups are kept. Now that all the backups are corrupted, he can commit his unit test which wipes out the source code from the server.

  • Or an intern wants to sell the source code to the competition. You've carefully configured the access, limiting it to only what he needs for his work. At the same time, he has unlimited access to the repository itself through the unit tests, and is able to do a complete dump.

Unless unit tests are run in a context of limited permissions and can't access anything beyond the directories and files they need for the tests, mixing the CI server with the server which keeps your repository is indeed dangerous.

Another issue is that a version control server is expected to be fast. A CI server installed on the same machine may slow the commits.
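As an added illustration of the "limited permissions" point made in this answer (this is not part of the original answer), here is a GitLab Runner config.toml contrasting the risky setup with an isolated one; the hostname, token and image names are placeholders:

```toml
# Risky: a shell executor registered on the GitLab host itself.
# Every job runs as the local gitlab-runner user, with whatever that
# user can read or write on the same box that holds the repositories
# and backups.
[[runners]]
  name = "shell-on-gitlab-host"
  url = "https://gitlab.example.internal/"   # placeholder
  token = "<runner-token>"                   # placeholder
  executor = "shell"

# Safer: a docker executor registered from a separate CI host.
# Each job gets a throwaway container that sees only its checkout
# and an explicit cache volume, with no extra capabilities.
[[runners]]
  name = "docker-isolated"
  url = "https://gitlab.example.internal/"   # placeholder
  token = "<runner-token>"                   # placeholder
  executor = "docker"
  [runners.docker]
    image = "alpine:3"              # default job image
    privileged = false              # never hand the job the host's devices
    cap_drop = ["ALL"]              # drop all Linux capabilities
    volumes = ["/cache"]            # no host paths bind-mounted into jobs
    disable_cache = false
    pull_policy = "always"
    # only images you control may be requested by .gitlab-ci.yml
    allowed_images = ["alpine:*", "registry.example.internal/ci/*"]
```

The isolated runner still has to live on a machine other than the GitLab server for the separation to hold; the config only limits what a job can do on the runner host.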

OTHER TIPS

Given that there is no central "all knowing" server for git, this is not as bad as it would be with some other source code control systems.

Provided there is an automatic sync of the git server off-site to another git server (that is tested), I would not be concerned about this setup in a small company.

Ideally I would like to see the developers push their changes to the offsite git server, then the CI server pull the changes from the offsite server – that way the offsite server is tested whenever a check-in is done.

If the developers then always did their pull from the onsite server to save time, that is not an issue.

Licensed under: CC-BY-SA with attribution