In an effort to automate the configuration of OpenBSD, this post will describe the basic setup of GitLab Runner to leverage GitLab CI/CD.
Tested on OpenBSD 7.1
1: GitLab Repository
Create a new blank project with Visibility Level=Private. A private repository is recommended since it will contain scripts to configure the target system, which is likely not something we want public.
Create this file in the root of the above repository. The following is an example file for use as a proof of concept.
3: Runner Registration Token
Open your project from Prerequisite Step #1 (above). Then go to:
Settings > CI/CD > Runners
Make note of the registration token, as it will be needed later.
Fresh Install of OpenBSD 7.1
While logged in as root, run the following commands:
1: Download Setup Script
ftp -4 -o glrunner-setup.sh https://gitlab.com/-/snippets/2337354/raw/main/glrunner-setup.sh
2: Set Script as Executable
chmod +x ./glrunner-setup.sh
3: Include Registration Token
The registration token, from Prerequisite Step #3, can be included as a script parameter or by updating the GLTOKEN variable in the script.
4: Launch Script
The script will install prerequisite packages and create a glrunner daemon. Once finished, it will run tail -f /var/log/glrunner.
5: Run Pipeline
At this point, the glrunner daemon should be polling your repository for any jobs to run. To run the pipeline, open the project on gitlab.com, then go to:
CI/CD > Pipelines
Run pipeline (top right corner)
Run pipeline (bottom left)
Now click on clean-job to view the output.
Now you have a basic proof-of-concept for how to use GitLab for storing configurations and having it launch scripts on a target host. This could be extended to include configuration files where the pipeline will overwrite existing files and restart the service.
One of the best explanations of this process I’ve heard is that it’s a form of remote code execution. With that understanding, it is critical to secure your GitLab account. Require two-factor authentication for all logins and require merge requests for any changes. Further, don’t allow merge requests to be auto-approved. Consider using a different account for approving merge requests.
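As an added example, not the file from the original post, here is a pipeline file that defines the clean-job referred to above and also applies the review controls just described at the pipeline level: the job only runs from a protected branch, so a change has to go through the merge-request path before it executes on the host. The file name .gitlab-ci.yml is GitLab's default; the job's commands, the stage name and the rules block are assumptions of this example, not the post's own configuration.

```yaml
# Added example .gitlab-ci.yml (not the post's original file). Assumes the
# runner installed by glrunner-setup.sh is registered to this project and
# can pick up untagged jobs. Stage and commands are illustrative.
stages:
  - configure

clean-job:
  stage: configure
  rules:
    # Run only when the commit is on a protected branch. This makes the
    # "require merge requests" control effective: a push to an
    # unprotected branch never reaches the target host.
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      when: always
    - when: never
  script:
    # Proof-of-concept commands; they show what identity the runner
    # executes as, which is worth knowing before adding real changes.
    - uname -a
    - id
    - echo "pipeline $CI_PIPELINE_ID from $CI_COMMIT_REF_NAME on $(hostname)"
    - ls -la /etc/
```

With the default branch protected (Settings > Repository > Protected branches) and merge requests required, only reviewed changes can reach clean-job; pushes to a feature branch still create a pipeline, but the job is skipped by the `when: never` fallback. If the setup script registers the runner with a tag, add a matching `tags:` list to the job.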