Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / GitLab Group Kickoffs - Verify:Runner / 17 Nov 2020
GitLab / GitLab Group Kickoffs - Verify:Runner / 17 Nov 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab 13.7 Kickoff - Verify:Runner

Description

Kickoff video for GitLab Runner 13.7

https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27188
https://about.gitlab.com/direction/verify/runner/

A

Hey everyone darren eastman growth manager for gitlab runner, hey so today, I'm just going to cover what's on deck, for gitlab runner for 13.7, so my screen, I'm currently sharing the 397 runner team iteration plan, which this is a mechanism for us to kind of show you what's kind of our key focus areas as we get into the food net. Seven development um iteration milestone.

A

um As always. This is sort of a quick sort of recap of quick aside. If you're interested in the broader vision, the broader long-term strategy for gitlab runner, I suggest you take a look at our category direction, page for the runner, which is at above.github.com forward slash direction, power, slash, verify forward, slash runner, and here you can see we were talking about some of the visionary items, some of the long-term picture items um that we have in mind for evolving, get lab runner and things related and get that on the product.

A

um But for today we're focused on what's on deck, specifically for 13.7. So the first thing I want to kind of focus on are the items that we are working on. So a few key items that we're working on for the runner core, which is the core, get lab runner binary.

A

The thing that executes your ci jobs and the first item you want to get over the hump in 397 and ship is the gitlab runner for red hat open shift, the mvc, which is what we're going to call mvc or beta version, and this is like one of the iterations, the first steps in iteration and it's related to our goal of shipping, a ga version of a certified gitlab runner for red hat openshift um as early as january of 2021..

A

um What we're working on right now with food note 7? Is this mvc, so just kind of just a quick step back and sort of say grounding where we're at so. Over the past year we've been working alongside the red hat engineering team um on an operator that will deploy gitlab run on openshift and we'll work, also, of course in kubernetes.

A

So the first version of of the operator was done roughly in the june time frame, um however, was very restrictive um due to any id restrictions, and we can get into some of the details on that on a later video or you can you can ping me directly in the issue if you have any questions about what that means, but what we're working on in 397 is we're working on finalizing, adding deductible files with the required permissions to run with our new id on openshift.

A

With this work complete, we can officially announce a beta version of the github run on autoship on openshift and one that's fully supported by gitlab. I think again, it's kind of one of the iterations on our way to offering a fully supported first-class um experience of get lab runner on openshift in ga by the january 2021 time frame now specific to 397 and the work that we have on deck.

A

We do have a few engineering challenges um that will potentially implement or introduce some delivery risk to us getting this over the over the fence and 13.7, and this is due to some core os dependencies in our ci workflows. So hopefully we can work through this and get the um the beta version of the runner for right at open shift out and the net seven the next issue. I want to call your attention to that.

A

We're working on for runner core in philippines, seven is to remove usage of umass zero, zero um issued or to remove usage of new masters or to be specific to be secure like default issue, and let me see if I can explain a bit what that means and what this is all about. So at a high level today, in our code base, there is a command umass, zero, zero, zero. I believe it will see what the command is called and that command runs before the cloning process.

A

Inside of the github on a helper image right, um this command was introduced to basically solve a permission problem for container images that do not have the root user. Yes, and we do recognize that having not using a root user for your container images is a security best practice.

A

However, this command as implemented today changes the permissions on the chrome directories, so directories that are referenced in our gitlab runner. Environment variables, sci underscore project underscore dir or ci underscore bills underscore dirt. Those directories are able to be read, written or executed by any user because of the implementation of the current humanities: zero zero command um if the containing image there. So the proposal on day for 15.7 is to implement logic that before running the user script we'll check to see if the container image will run as a rule or not.

A

If the container image does not known as root, then we'll retrieve the uid or good of the user and change the owner of the corresponding directory. So now, on the surface, I'm just saying backup really fast for those folks that are interested in the actual details of that proposal. We're implementing it's it's covered here and there's a nice little workflow that the engineers added to this issue that describes the logic that we're in that we'll be implementing in 397..

A

So on the surface, this doesn't seem like a complex um or very interesting new feature, but actually in actuality.

A

This is a um somewhat of a complex change and so there's a significant amount of testing that we have to do to ensure that we're not introducing any regressions um to this core functionality of doruna when we introduce this just change to the to the codebase, and so you can see here in the issue under the implementation section, there are some additional details that are called down here that are meant to help us mitigate the risk of introducing a regression again, um one that would be detrimental to the core functionality of run if we could actually amend the regression here.

A

So this is the do you removing the usage of umass zero, zero, zero zero, so that we have it in a much more secure fashion. So that's the second issue. I want to pull your attention to for thirteen seven.

A

The third thing we are looking at uh in 397 um that I want to call your attention to for, for ronald call. Is this issue around creating a pull policy that can fall back on local cash, um just gonna, just kind of step back and give a bit more context about this particular issue?

A

So since docker announced restrictions on the use of docker hub for image polls, I think it's fair to say that there's been considerable discussion in the global development community. Regarding the impact of that change, I mean certainly for ci cd.

A

As we all know, the use of container images stored in docker hub or any container registry is typically an integral part of these workflows right and so, as you can imagine here, in gitlab, we've had quite a few discussions and internal conversations regarding not only the impact of that daca hub change, but also, as we get relates to resiliency in general, for this critical component of ci, which is obviously you know, using a container image, that's stored in the container registry as part of your ci workflows.

A

So one of the features we're working on or investigating for 397 um is. This is related to resiliency and mitigating the risk of connection failures to any kind of continuity that you're using in your ci workflows.

A

So today, if you look at both kubernetes, which, on the screen, I'm just going to pop over here to the kubernetes definition as well as our gitlab runner docs, you will see that the default policies that are currently implemented in both code bases, don't necessarily have a mechanism that allows you to fall back to the local cache due to a network connection time period due to an inability to connect to the target registry.

A

And so this is what this feature proposal is really about again in introducing a new pro policy that says hey if, during the connection to the target container registry, that connection fails and failed, then fall back to a local, locally cached copy of the container image. If that one is available, so at a high level, I just wanted to say that there continues to be internally here.

A

We get live a lot of in-depth technical discussions um with all of the teams that are involved on this as to as it relates to the effectiveness of this feature, as well as the potential security implications of introducing such a feature, um so that you know so we'll continue. Looking at this.

A

As we get into seven and and if you're interested in this feature and the progress as we go through the thinner, seven iteration cycle, I do suggest that you follow along here um with this features two six, five, five, five, eight or add any comments to it. um So it's a key capability that um we have heard from a few customers that they think will be super helpful in helping them with mitigating the risk of those connection failures.

A

We do want to call out that there are some potential challenges and some potential potential risks to delivering 3.7.

A

So again, if you're interested in this feature, please follow along add comments here, but it's certainly one of the key features that we're hoping to work through and the ship and run a call for filternet 7., so switching gears for a moment in terms of runner cloud, we don't have anything on deck, that's shipping and running cloud that will be consumable right away by our user community and just a step back today for our mac os build cloud we are currently in closed beta.

A

We have a significant number of customers already participating in the closed beta of the macpos build out, and we certainly understand- and I've heard from a number of customers that their needs for um mobile development has accelerated in the past year. A lot more firms are developing only to accelerate development of features and functionalities for their mobile applications. So we understand that folks that are really needing us to to add this capability to our gitlab.com, offering so I said right now we're in closed beta.

A

We have a number of folks testing out the current solution in our closed beta um as part of the closed beta and what we're working on and uh to enable us to move to the open beta, which right now is roughly targeted at the um to do to be ready by filming that one zero is this work on the auto scaler and um again with the auto scale.

A

It will enable us to go to open beta, because we have the ability to create the mac, os, build environments on demand, and certainly something that's critical for us to be able to support the number of users and customers on dot com.

A

Right so with 397, we'll be working on getting making the iterative um steps required to get the auto scaler done so that we can transition to the mac, os, open, beta and finally, in terms of the other bucket um in terms of the three pillars um as it relates to the running product development strategy. Under the enterprise management bucket, we don't have anything planned to ship and fit in that seven.

A

Our cable for fitness, seven is making progress on the ui design um around an automated recent reset of instant, wide mono registration tokens and just to step back and get a step back. A bit running. Enterprise management is really our bucket. That captures things related to to managing runner's enterprise scale, as well as features and capabilities in the gitlab ui, as it relates to the running ui as it relates to the user experience in the ui and also management capabilities in the ui.

A

So it's really that bucket around all things runner to the ui or managing of runners on at scale, whether you're managing those runners in a public cloud or on-premise in environments like vmware, openshift, kubernetes on time and so on.

A

And when we talk about runners at scale, recyclable environments or cost environments where customers may have tens to hundreds of development teams, hundreds and thousands of projects and, of course, the direct visited very large-scale run running environments to support that sort of like very intense cicd built infrastructure.

A

And so we recognize that a core component is simplifying, not only the user experience in the ui, but also ensuring that we can manage the experience and enterprise scale so again for 307. Nothing planned um to ship that around the enterprise management theme. But we want to make progress on some ui designs again. Iterative improvements and those designs will, as it's part, of our long-term strategy in terms of simplifying the enterprise management, experience for gitlab runner and plus making it easy for you for folks to manage, runs at scale.

A

So, roughly speaking, it's kind of to recap: fitness 7, runacore, we're working on the red hat, openshift, nvc or beta, and that's critical for us and looking forward to getting that out the door and food not seven, so that we can just transition, hopefully um to a ga product as early as january of next year, um we're working on a key security feature for the poor owner product, which is the the umass zero zero zero feature that I talked about earlier and then the other thing that is key for us as well and critical.

A

Is this. This new poll policy that I talked about talked about earlier again related to entry, introducing some resiliency to the way um docker images are pulled and, of course those images are critical to you to your ci workflows.

A

So that's the focus series for runner. The key focus here for the gitlab one or two things, not seven. If you have any questions about things in our broader um strategic strategic direction, forget lamb, runner or things that are currently in around our backlog, on our kanban board and simply curious in terms of where those things stand and how quickly you might get to them and so on feel free to print me as always directly on the issue or drop me an email, the eastman gets live.com anyway.

A

um This is going to be our last um kickoff before the the us thanksgiving holidays, I'll be back again in december for another kickoff. So for those folks in the us and happy thanksgiving and look forward to seeing you soon.

A

Cheers.