
OpenBSD GitLab Runner Setup

phbits
May 31, 2022

In an effort to automate the configuration of OpenBSD, this post will describe the basic setup of GitLab Runner to leverage GitLab CI/CD.

Tested on OpenBSD 7.1

Prerequisites

1: GitLab Repository

Create a new blank project with Visibility Level=Private. A private repository is recommended since it will contain scripts to configure the target system, which is likely not something we want public.

2: .gitlab-ci.yml

Create this file in the root of the above repository. The following is an example file for use as a proof of concept.

https://gitlab.com/-/snippets/2337398/raw/main/.gitlab-ci.yml

3: Runner Registration Token

Open your project from Prerequisite Step #1 (above). Then go to:

Settings > CI/CD > Runners

Make note of the registration token as it will be needed later.

Fresh Install of OpenBSD 7.1

While logged in as root, run the following commands:

1: Download Setup Script

ftp -4 -o glrunner-setup.sh https://gitlab.com/-/snippets/2337354/raw/main/glrunner-setup.sh

2: Set Script as Executable

chmod +x ./glrunner-setup.sh

3: Include Registration Token

The registration token, from prerequisite step 3, can be included as a script parameter or by updating the GLTOKEN variable in the script.

4: Launch Script

The script will install prerequisite packages and create a glrunner daemon. Once finished, it will run tail -f /var/log/glrunner.

./glrunner-setup.sh

5: Run Pipeline

At this point, the glrunner daemon should be polling your repository for any jobs to run. To run the pipeline, open the project on gitlab.com, then go to:

CI/CD > Pipelines

Click Run pipeline (top right corner)

Click Run pipeline (bottom left)

Now click on deploy-job and/or clean-job to view the output.
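Steps 1 to 4 above fetch a script from a snippet URL whose content can change and run it as root, so it is worth pinning the SHA-256 of the copy you actually read and refusing to run anything else. The following is an added example, not part of the original post or its setup script; file_sha256, verify_script and EXPECTED_SHA256 are hypothetical names, and the expected hash is a value you record yourself after review.

```sh
#!/bin/sh
# Added example: pin the SHA-256 of the setup script copy you reviewed.
# file_sha256 and verify_script are hypothetical helper names.

# Print the SHA-256 of a file as lowercase hex.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # OpenBSD base system
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1    # GNU coreutils (other hosts)
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Return 0 only if FILE hashes to EXPECTED; 1 on mismatch; 2 on bad input.
verify_script() {
    vs_file=$1
    vs_expected=$2
    [ -f "$vs_file" ] || { echo "not a regular file: $vs_file" >&2; return 2; }
    case $vs_expected in
        ''|*[!0-9a-f]*) echo "expected hash must be lowercase hex" >&2; return 2 ;;
    esac
    [ "${#vs_expected}" -eq 64 ] || { echo "expected hash must be 64 characters" >&2; return 2; }
    vs_actual=$(file_sha256 "$vs_file") || return 2
    if [ "$vs_actual" != "$vs_expected" ]; then
        echo "MISMATCH for $vs_file" >&2
        echo "  expected: $vs_expected" >&2
        echo "  actual:   $vs_actual" >&2
        return 1
    fi
    echo "OK: $vs_file matches the pinned hash"
}

# Intended use on the target host (EXPECTED_SHA256 is a placeholder for the
# value you recorded with file_sha256 after reading the script):
#   ftp -4 -o glrunner-setup.sh https://gitlab.com/-/snippets/2337354/raw/main/glrunner-setup.sh
#   verify_script glrunner-setup.sh "$EXPECTED_SHA256" && ./glrunner-setup.sh
```

A mismatch means the snippet changed since you reviewed it; read the new version before updating the pinned value.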

Closing

Now you have a basic proof-of-concept for how to use GitLab for storing configurations and having it launch scripts on a target host. This could be extended to include configuration files where the pipeline will overwrite existing files and restart the service.

One of the best explanations of this process I’ve heard is that it’s a form of remote code execution. With that understanding, it is critical to secure your GitLab account. Require two-factor for all logins and force merge requests for any changes. Further, don’t allow merge requests to be auto-approved. Consider using a different account for approving merge requests.

References

https://worrbase.com/blog/gitlab-openbsd/
