Update gitlab-runner with Ubuntu automatic update

As always, this is a small topic that does not turn up even when you google it. This article is my personal opinion and has nothing to do with any organization to which I belong.

0. Introduction

The GitLab server was updated automatically every day, and the Ubuntu OS was also updated automatically, but GitLab Runner was not, so I set out to handle that as well. Since I update the GitLab Runner servers from time to time, I could have done it manually, but there are many units and there have been no problems since the 13 series, so I decided to use automatic updates. (However, two of the units are not updated automatically.)

1. Prerequisites

unattended-upgrade is already configured for the OS.

No. 173: PolicyKit settings for updating without waiting for administrator operation / unattended-upgrade: Ubuntu Weekly Recipe | gihyo.jp, Technical Review Company https://gihyo.jp/admin/serial/01/ubuntu-recipe/0173

2. Find Origin and Suite for GitLab Runner

As the article below explains, you need the package's Origin and Suite: Upgrading External Packages with unattended-upgrade - Linux Audit https://linux-audit.com/upgrading-external-packages-with-unattended-upgrade/

2-1. Find package details

Find the files for GitLab Runner in the following directory: /var/lib/apt/lists/

# ls -la /var/lib/apt/lists/  | grep gitlab
-rw-r--r-- 1 root root 23433 October 20 21:52 packages.gitlab.com_runner_gitlab-runner_ubuntu_dists_bionic_InRelease
-rw-r--r-- 1 root root 60718 October 20 21:52 packages.gitlab.com_runner_gitlab-runner_ubuntu_dists_bionic_main_binary-amd64_Packages
-rw-r--r-- 1 root root 60574 October 20 21:52 packages.gitlab.com_runner_gitlab-runner_ubuntu_dists_bionic_main_binary-i386_Packages

View the file whose name ends in InRelease

less /var/lib/apt/lists/packages.gitlab.com_runner_gitlab-runner_ubuntu_dists_bionic_InRelease
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: packages.gitlab.com/runner/gitlab-runner
Label: gitlab-runner
Date: Tue, 20 Oct 2020 12:52:32 +0000
Suite: bionic
Codename: bionic
----The following is omitted----

The Origin is packages.gitlab.com/runner/gitlab-runner and the Suite is bionic.

3. Modify the 50unattended-upgrades file

In the /etc/apt/apt.conf.d/50unattended-upgrades file, add the following line inside the Unattended-Upgrade::Allowed-Origins { block:

        "packages.gitlab.com/runner/gitlab-runner:${distro_codename}";

The result should look like this:

[image: image.png]
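Steps 2 and 3 as a script, as an added example that is not part of the original article: it reads Origin and Suite from an InRelease file, builds the matching Allowed-Origins entry, and checks whether a 50unattended-upgrades file already allows it (unattended-upgrade matches on origin and archive/suite, as the `o=...,a=bionic` line in the test output shows). The function names are hypothetical, and the sample config written by `write_samples` is constructed for illustration; the InRelease header is the one shown in section 2-1.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of apt or unattended-upgrades.

# Print the value of one header field (e.g. Origin, Suite) from an InRelease file.
release_field() {  # $1 = field name, $2 = file
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }' "$2"
}

# Build the Allowed-Origins entry ("Origin:Suite";) for an InRelease file.
allowed_origin_entry() {  # $1 = InRelease file
    origin=$(release_field Origin "$1")
    suite=$(release_field Suite "$1")
    # Refuse to emit a half-empty entry; it would never match a package.
    [ -n "$origin" ] && [ -n "$suite" ] || return 1
    printf '"%s:%s";\n' "$origin" "$suite"
}

# Succeed if the config allows this origin on a host with the given codename.
# Lines starting with // are comments; ${distro_codename} is expanded to $3.
origin_is_allowed() {  # $1 = InRelease, $2 = config file, $3 = host codename
    origin=$(release_field Origin "$1")
    suite=$(release_field Suite "$1")
    [ -n "$origin" ] && [ -n "$suite" ] || return 1
    grep -v '^[[:space:]]*//' "$2" |
        sed "s/[$]{distro_codename}/$3/g" |
        grep -F -q "\"$origin:$suite\""
}

# Sample inputs: the InRelease header from section 2-1 and a constructed config.
write_samples() {  # $1 = directory
    cat > "$1/InRelease" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: packages.gitlab.com/runner/gitlab-runner
Label: gitlab-runner
Date: Tue, 20 Oct 2020 12:52:32 +0000
Suite: bionic
Codename: bionic
EOF
    cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "packages.gitlab.com/runner/gitlab-runner:bionic";
        "packages.gitlab.com/runner/gitlab-runner:${distro_codename}";
};
EOF
}
```

On a real host, pass the InRelease path from section 2-1, /etc/apt/apt.conf.d/50unattended-upgrades, and the output of `lsb_release -cs` to `origin_is_allowed`.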

4. Test


$ sudo unattended-upgrade --dry-run -v -d
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESMApps,a=bionic-apps-security, o=UbuntuESM,a=bionic-infra-security, o=Ubuntu,a=bionic-updates, o=packages.gitlab.com/runner/gitlab-runner,a=bionic
----Omitted for Kernel----
Checking: gitlab-runner ([<Origin component:'main' archive:'bionic' origin:'packages.gitlab.com/runner/gitlab-runner' label:'gitlab-runner' site:'packages.gitlab.com' isTrusted:True>])
pkgs that look like they should be upgraded: gitlab-runner
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 59789620 DestFile:'/var/cache/apt/archives/gitlab-runner_13.5.0_amd64.deb' DescURI:'https://packages.gitlab.com/runner/gitlab-runner/ubuntu/pool/bionic/main/g/gitlab-runner/gitlab-runner_13.5.0_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt(/var/cache/apt/archives/gitlab-runner_13.5.0_amd64.deb)
found pkg: gitlab-runner
No conffiles in deb /var/cache/apt/archives/gitlab-runner_13.5.0_amd64.deb (There is no member named 'conffiles')
blacklist: []
whitelist: []
Option --dry-run given, *not* performing real actions
Packages that will be upgraded: gitlab-runner
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
applying set ['gitlab-runner']
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/gitlab-runner_13.5.0_amd64.deb
/usr/bin/dpkg --status-fd 11 --configure --pending
left to upgrade set()
All upgrades installed
InstCount=0 DelCount=0 BrokenCount=0

It looks good, so run it again without --dry-run. (Only the part that differs from the dry run is shown.)

Packages that will be upgraded: gitlab-runner
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
applying set ['gitlab-runner']
(Reading database ... 105088 files and directories currently installed.)
Preparing to unpack .../gitlab-runner_13.5.0_amd64.deb ...
Unpacking gitlab-runner (13.5.0) over (13.4.1) ...
Setting up gitlab-runner (13.5.0) ...
GitLab Runner: detected user gitlab-runner
WARNING: gitlab-runner belongs to group docker which is insecure, because allows to have root access to host
Runtime platform                                    arch=amd64 os=linux pid=24526 revision=ece86343 version=13.5.0
gitlab-runner: Service is not running.
Runtime platform                                    arch=amd64 os=linux pid=24537 revision=ece86343 version=13.5.0
gitlab-ci-multi-runner: Service is not running.
Runtime platform                                    arch=amd64 os=linux pid=24572 revision=ece86343 version=13.5.0
Runtime platform                                    arch=amd64 os=linux pid=24652 revision=ece86343 version=13.5.0
Clearing docker cache...
left to upgrade set()
All upgrades installed
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2020-10-26 11:41:04

5. Summary

With this, you no longer have to keep an eye on it all the time. Note: if all Runners are updated automatically, we would not notice anything, and that is the reason for the exception mentioned in the introduction.

6. Reference

Upgrading External Packages with unattended-upgrade - Linux Audit https://linux-audit.com/upgrading-external-packages-with-unattended-upgrade/

Unattended-upgrade automatically updates third-party repositories | https://tech.matchy.net/archives/1281

No. 173: PolicyKit settings for updating without waiting for administrator operation / unattended-upgrade: Ubuntu Weekly Recipe | gihyo.jp, Technical Review Company https://gihyo.jp/admin/serial/01/ubuntu-recipe/0173?page=2
