top | item 11529566

(no title)

explosion | 10 years ago

In the shared runner settings, I see this:

"GitLab Runners do not offer secure isolation between projects that they do builds for. You are TRUSTING all GitLab users who can push code to project A, B or C to run shell scripts on the machine hosting runner X."

Seems like a very strong reason to use one's own paid DigitalOcean instances for runners instead of using the free shared runners, at least for commercial projects. I was wondering if anyone from GitLab could expand further on this?

discuss

sytse|10 years ago

This warning is outdated for the shared runners on GitLab.com since we do not reuse runners there at all. All runners are destroyed after a since build. Please see https://gitlab.com/gitlab-org/gitlab-ce/issues/14732 for more background and our effort to update this message.

explosion|10 years ago

That's great to hear. Thanks.

mordocai|10 years ago

We'd need an answer from gitlab, but that statement was there with the old infrastructure for shared runners.

It is possible that this issue is fixed with the new ones?

sytse|10 years ago

You're correct, we fixed this issue, the new warning will be: "Shared runners execute code of different projects on the same Runner unless you configure GitLab Runner Autoscale with MaxBuilds 1 (which it is on GitLab.com)."