search

cirruslabs / gitlab-tart-executor

GitLab Runner executor to run jobs in Tart VMs
MIT License
60 stars 5 forks source link

Correct usage for TART_EXECUTOR_INSECURE_PULL #72

Closed gitperr closed 7 months ago

gitperr commented 7 months ago

Hello there,

We are trying to use a tart executor in our GitLab CI pipelines, with OCI registry configured for Tart VM images. The OCI registry in question is not using HTTPS yet, so we wanted to try using TART_EXECUTOR_INSECURE_PULL=true to see if it would pull the image. Because otherwise it would error out like that: tart command returned non-zero exit code: "Error: Could not connect to the server."

We tried: 1- Putting the said env variable into gitlab runner's config.toml like that:

[[runners]]
  name = "runner-name-here"
  limit = 1
  url = "git-url"
  environment = ["TART_EXECUTOR_INSECURE_PULL=true"]
  id = 100
  token = "some-token"
  token_obtained_at = datetime
  token_expires_at = datetime
  executor = "custom"
... continues

2- Putting it into the plist file gitlab runner creates:

        <key>EnvironmentVariables</key>
        <dict>
            <key>TART_EXECUTOR_INSECURE_PULL</key>
            <string>true</string>
        </dict>

3- Feed it through GitLab CI pipeline definition directly, in .gitlab-ci.yml job variables:

  variables:
    TART_EXECUTOR_INSECURE_PULL: "true"

So far none of the options seemed to have work, what other things are there to try? I would appreciate some tips on how to continue troubleshooting.

PS: When I manually test the mac the executor is running on with tart pull --insecure, it works just fine. When --insecure option is removed, the same error is shown.

fkorotkov commented 7 months ago

Could you please share your .gitlab-ci.yml for option 3? variables is way to go to set insecure pull.

gitperr commented 7 months ago

Omitted sensitive stuff

include:
  - project: "project-name"
    ref: branch-name
    file: "upstream/.gitlab-ci.yml"
    inputs:
      some stuff

workflows:
  some workflows here...

variables:
  "top level variables here"

job_name:
  image: image
  stage: some-stage
  needs: [preps]
  tags:
    - tart
  script:
    - "irrelevant stuff that does not interact with variables set below"
  rules:
    - if: $BUILD_IOS == "true"
  artifacts:
    paths:
      - "some-artifact"
  variables:
    TART_EXECUTOR_HOST_DIR: "false"
    TART_EXECUTOR_INSECURE_PULL: "true"
  environment:
    name: $env-name
  interruptible: true

This is the job in question, and there are no overrides that interact with the variables set here. I could add another variable here and echo it with no problem.

edigaryev commented 7 months ago

Could you please check that the tart pull --insecure actually works on its own on that GitLab Runner machine?

fkorotkov commented 7 months ago

And could you please also check gitlab-tart-executor --version on the host that it's 1.10.0+.

gitperr commented 7 months ago

tart pull --insecure works yep.

I think @fkorotkov is on point though, I may have an older version that doesn't have the support for it.

% gitlab-tart-executor --version
executor version 1.8.0-787e918
gitperr commented 7 months ago

Thanks a lot for the quick help!

I'll add HTTPS support as well now anyway, and others who experience the same issue should update to 1.10.0+ and test again.