五.遇到的问题
1. cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
报错信息:ERROR: Registering runner... failed runner=xxxxxxx status=couldn't execute POST against https://x.x.x.x/api/v4/runners: Post https://x.x.x.x/api/v4/runners: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
原因:gitlab使用自签名证书时,注册时需要使用对应的ca根证书验证。
解决方案:注册时,使用"--tls-ca-file"参数,指定自签名的ca根证书。
2. certificate signed by unknown authority
报错信息:Post https://x.x.x.x/api/v4/runners: x509: certificate signed by unknown authority
原因:注册runner时,如果设置了"--tag-list",则"--run-untagged"默认为"false",同时间.gitlab-ci.yml中的job未指定tag触发此报错。
解决方案:注册时,"--run-untagged"参数设置为"true";或者在已注册的runner中修改勾选" Indicates whether this runner can pick jobs without tags";或者.gitlab-ci.yml中的job指定tag。
3. Peer's Certificate issuer is not recognized.
报错信息:fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.x.com/root/cmop.git/': Peer's Certificate issuer is not recognized.
原因:gitlab-runner拉取代码时,使用https协议访问gitlab,需要验证。
解决方案:
# 参考:https://www.jianshu.com/p/fa71d97dcde0 # 因runner运行时的执行者是gitlab-runner账户,需要在gitlab-runner账号下设置访问https类网站时,免验证 [root@gitlab-runner ~]# su - gitlab-runner [gitlab-runner@gitlab-runner ~]$ git config --global http."sslVerify" false # 查看 [gitlab-runner@gitlab-runner ~]$ cat /home/gitlab-runner/.gitconfig [http] sslVerify = false
4. dial unix /var/run/docker.sock: connect: permission denied
报错信息:Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/info: dial unix /var/run/docker.sock: connect: permission denied
原因:gitlab-runner账号权限不足,不能访问/var/run/docker.sock。
解决方案:
# 将gitlab-runner用户加入docker组 [root@gitlab-runner ~]# usermod -aG docker gitlab-runner # 查看 [root@gitlab-runner ~]# groups gitlab-runner
5. Couldn't resolve host 'gitlab.x.com'
报错信息:fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.cmop.chinamcloud.com/root/cmop.git/': Couldn't resolve host 'gitlab.x.com'
原因:executor = "docker"时,执行环境是1个容器,由于验证用的gitlab域名不能被dns解析,导致无法连接。
解决方案:
- 在注册时使用"--docker-volumes /etc/hosts:/etc/hosts",将运行gitlab-runner服务主机的hosts文件映射到执行容器内;
-
注册时还可使用参数"--clone-url https://x.x.x.x",ip地址覆盖域名,执行容器使用ip地址直接访问gitlab。参考:https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-clone_url-works
PS:使用ip覆盖域名时,可能会带来其他问题,如果使用的是自签名的证书,需要明确ip地址是否也被自签名的ca机构认证。
6. SSL certificate problem: unable to get local issuer certificate
报错信息:fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@100.64.135.200/root/cmop.git/': SSL certificate problem: unable to get local issuer certificate
原因:注册时,为使执行容器可访问不能被dns解析的gitlab域名,使用了参数"--clone-url https://x.x.x.x"覆盖了原域名,但ca机构(自签名的ca证书)只对域名做了认证,导致使用ip访问时不能认证。
解决方案:注册时,将运行gitlab-runner服务主机的hosts映射到执行容器内,使其可通过被ca机构认证的域名访问gitlab,而非ip地址。参考:https://gitlab.com/gitlab-org/gitlab-runner/issues/3477