1--- 2stage: Verify 3group: Runner 4info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments 5--- 6 7# Install GitLab Runner using the official GitLab repositories 8 9We provide packages for the currently supported versions of Debian, Ubuntu, Mint, RHEL, Fedora, and CentOS. You may be able to [install GitLab Runner as a binary](linux-manually.md#using-binary-file) on other Linux distributions. 10 11| Distribution | Version | End of Life date | 12|--------------|----------------------------|-----------------------| 13| Debian | stretch | [June 2022](https://wiki.debian.org/LTS) | 14| Debian | buster | [June 2024](https://wiki.debian.org/LTS) | 15| Ubuntu | xenial | [April 2021](https://wiki.ubuntu.com/Releases) | 16| Ubuntu | bionic | [April 2023](https://wiki.ubuntu.com/Releases) | 17| Ubuntu | focal | [April 2025](https://wiki.ubuntu.com/Releases) | 18| Mint | sarah, serena, sonya, sylvia| [April 2021](https://www.linuxmint.com/download_all.php) | 19| Mint | tara, tessa, tina, tricia | [April 2023](https://www.linuxmint.com/download_all.php) | 20| Mint | ulyana, ulyssa | [April 2025](https://www.linuxmint.com/download_all.php) | 21| RHEL/CentOS | 7 | [June 2024](https://wiki.centos.org/About/Product) | 22| CentOS | 8 | [December 2021](https://wiki.centos.org/About/Product) | 23| RHEL | 8 | [May 2029](https://access.redhat.com/product-life-cycles?product=Red%20Hat%20Enterprise%20Linux) | 24| Fedora | 32 | approx. May 2021 | 25| Fedora | 33 | approx. Nov 2021 | 26 27## Prerequisites 28 29If you want to use the [Docker executor](../executors/docker.md), make sure to install Docker before 30using GitLab Runner. [Read how to install Docker for your distribution](https://docs.docker.com/engine/installation/). 31 32## Installing GitLab Runner 33 34NOTE: 35If you are using or upgrading from a version prior to GitLab Runner 10, read how 36to [upgrade to the new version](#upgrading-to-gitlab-runner-10). If you want 37to install a version prior to GitLab Runner 10, [visit the old docs](old.md). 38 39To install GitLab Runner: 40 411. Add the official GitLab repository: 42 43 ```shell 44 # For Debian/Ubuntu/Mint 45 curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash 46 47 # For RHEL/CentOS/Fedora 48 curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash 49 ``` 50 51 NOTE: 52 Debian users should use [APT pinning](#apt-pinning). 53 541. Install the latest version of GitLab Runner, or skip to the next step to 55 install a specific version: 56 57 NOTE: 58 [Starting with GitLab Runner 14.0](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4845) 59 the `skel` directory usage is [disabled](#disable-skel) by default to prevent 60 [`No such file or directory` job failures](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/1379) 61 62 ```shell 63 # For Debian/Ubuntu/Mint 64 sudo apt-get install gitlab-runner 65 66 # For RHEL/CentOS/Fedora 67 sudo yum install gitlab-runner 68 ``` 69 701. To install a specific version of GitLab Runner: 71 72 ```shell 73 # for DEB based systems 74 apt-cache madison gitlab-runner 75 sudo apt-get install gitlab-runner=10.0.0 76 77 # for RPM based systems 78 yum list gitlab-runner --showduplicates | sort -r 79 sudo yum install gitlab-runner-10.0.0-1 80 ``` 81 821. [Register a runner](../register/index.md) 83 84After completing the step above, a runner should be started and be 85ready to be used by your projects! 86 87Make sure that you read the [FAQ](../faq/index.md) section which describes 88some of the most common problems with GitLab Runner. 89 90### APT pinning 91 92A native package called `gitlab-ci-multi-runner` is available in 93Debian Stretch. By default, when installing `gitlab-runner`, that package 94from the official repositories will have a higher priority. 95 96If you want to use our package, you should manually set the source of 97the package. The best way is to add the pinning configuration file. 98 99If you do this, the next update of the GitLab Runner package - whether it will 100be done manually or automatically - will be done using the same source: 101 102```shell 103cat <<EOF | sudo tee /etc/apt/preferences.d/pin-gitlab-runner.pref 104Explanation: Prefer GitLab provided packages over the Debian native ones 105Package: gitlab-runner 106Pin: origin packages.gitlab.com 107Pin-Priority: 1001 108EOF 109``` 110 111## Updating GitLab Runner 112 113Simply execute to install latest version: 114 115```shell 116# For Debian/Ubuntu/Mint 117sudo apt-get update 118sudo apt-get install gitlab-runner 119 120# For RHEL/CentOS/Fedora 121sudo yum update 122sudo yum install gitlab-runner 123``` 124 125## GPG signatures for package installation 126 127To increase user's confidence about installed software, the GitLab Runner project provides 128two types of GPG signatures for the package installation method: repository metadata 129signing and package signing. 130 131### Repository metadata signing 132 133To verify that the package information downloaded from the remote repository can be trusted, 134the package manager uses repository metadata signing. 135 136The signature is verified when you use a command like `apt-get update`, so the 137information about available packages is updated **before any package is downloaded and 138installed**. Verification failure should also cause the package manager to reject the 139metadata. This means that you cannot download and install any package from the repository 140until the problem that caused the signature mismatch is found and resolved. 141 142GPG public keys used for package metadata signature verification are installed automatically 143on first installation done with the instructions above. For key updates in the future, 144existing users need to manually download and install the new keys. 145 146We use one key for all our projects hosted under <https://packages.gitlab.com>. You can find 147the details about the currently used key and technical description of how to update the key when 148needed [in Omnibus GitLab documentation](https://docs.gitlab.com/omnibus/update/package_signatures#package-repository-metadata-signing-keys). 149This documentation page lists also 150[all keys used in the past](https://docs.gitlab.com/omnibus/update/package_signatures#previous-keys). 151 152### Packages signing 153 154Repository metadata signing proves that the downloaded version information originates 155at <https://packages.gitlab.com>. It does not prove the integrity of the packages themselves. 156Whatever was uploaded to <https://packages.gitlab.com> - authorized or not - will be properly 157verified until the metadata transfer from repository to the user was not affected. 158 159This is where packages signing comes in. 160 161With package signing, each package is signed when it's built. So until you can trust 162the build environment and the secrecy of the used GPG key, the valid signature on the package 163will prove that its origin is authenticated and its integrity was not violated. 164 165Packages signing verification is enabled by default only in some of the DEB/RPM based distributions, 166so users wanting to have this kind of verification may need to adjust the configuration. 167 168GPG keys used for packages signature verification can be different for each of the repositories 169hosted at <https://packages.gitlab.com>. The GitLab Runner project uses its own key pair for this 170type of the signature. 171 172#### RPM-based distributions 173 174The RPM format contains a full implementation of GPG signing functionality, and thus is fully 175integrated with the package management systems based upon that format. 176 177You can find the technical description of how to configure package signature 178verification for RPM-based distributions in [the Omnibus GitLab documentation](https://docs.gitlab.com/omnibus/update/package_signatures#rpm-based-distributions). 179The GitLab Runner differences are: 180 181- The public key package that should be installed is named `gpg-pubkey-35dfa027-60ba0235`. 182 183- The repository file for RPM based distributions will be named `/etc/yum.repos.d/runner_gitlab-runner.repo` 184 (for the stable release) or `/etc/yum.repos.d/runner_unstable.repo` (for the unstable releases). 185 186- The [package signing public key](#current-gpg-public-key) can be imported from 187 <https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg>. 188 189#### DEB-based distributions 190 191The DEB format does not officially contain a default and included method for signing packages. 192The GitLab Runner project uses `dpkg-sig` tool for signing and verifying signatures on packages. This 193method supports only manual verification of packages. 194 1951. Install `dpkg-sig` 196 197 ```shell 198 apt-get update && apt-get install dpkg-sig 199 ``` 200 2011. Download and import the [package signing public key](#current-gpg-public-key) 202 203 ```shell 204 curl -JLO "https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg" 205 gpg --import runner-gitlab-runner-4C80FB51394521E9.pub.gpg 206 ``` 207 2081. Verify downloaded package with `dpkg-sig` 209 210 ```shell 211 dpkg-sig --verify gitlab-runner_amd64.deb 212 Processing gitlab-runner_amd64.deb... 213 GOODSIG _gpgbuilder 09E57083F34CCA94D541BC58A674BF8135DFA027 1623755049 214 ``` 215 216 Verification of package with invalid signature or signed with an invalid key (for example 217 a revoked one) will generate an output similar to: 218 219 ```shell 220 dpkg-sig --verify gitlab-runner_amd64.deb 221 Processing gitlab-runner_amd64.deb... 222 BADSIG _gpgbuilder 223 ``` 224 225 If the key is not present in the user's keyring, the output will be similar to: 226 227 ```shell 228 dpkg-sig --verify gitlab-runner_amd64.v13.1.0.deb 229 Processing gitlab-runner_amd64.v13.1.0.deb... 230 UNKNOWNSIG _gpgbuilder 880721D4 231 ``` 232 233#### Current GPG public key 234 235The current public GPG key used for packages signing can be downloaded from 236<https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg>. 237 238| Key Attribute | Value | 239|---------------|------------------------------------------------------| 240| Name | `GitLab, Inc.` | 241| EMail | `support@gitlab.com` | 242| Fingerprint | `09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027` | 243| Expiry | `2023-06-04` | 244 245NOTE: 246The same key is used by the GitLab Runner project to sign `release.sha256` files for the S3 releases 247available in the <https://gitlab-runner-downloads.s3.amazonaws.com/> bucket. 248 249#### Previous GPG public keys 250 251Keys used in the past can be found in the table below. 252 253For keys that were revoked it's highly recommended to remove them from package signing 254verification configuration. 255 256Signatures made by these keys should not be trusted anymore. 257 258| Sl. No. | Key Fingerprint | Status | Expiry Date | Download (revoked keys only) | 259|---------|------------------------------------------------------|-----------|--------------|--------------------------------------------------| 260| 1 | `3018 3AC2 C4E2 3A40 9EFB E705 9CE4 5ABC 8807 21D4` | `revoked` | `2021-06-08` | [revoked key](gpg-keys/9CE45ABC880721D4.pub.gpg) | 261 262## Manually download packages 263 264You can [manually download and install the 265packages](linux-manually.md#using-debrpm-package) if necessary. 266 267## Disable `skel` 268 269> - [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/1379) in GitLab Runner 12.10. 270> - [Set to `true` by default](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4845) in GitLab Runner 14.0. 271 272Sometimes the default [skeleton (`skel`) directory](https://www.thegeekdiary.com/understanding-the-etc-skel-directory-in-linux/) 273causes [issues for GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4449), 274and it fails to run a job. 275 276In GitLab Runner 12.10 we've added support for a special 277variable - `GITLAB_RUNNER_DISABLE_SKEL` - that when set to `true` is preventing usage of `skel` 278when creating the `$HOME` directory of the newly created user. 279 280Starting with GitLab Runner 14.0 `GITLAB_RUNNER_DISABLE_SKEL` is being set to `true` by default. 281 282If for any reason it's needed that `skel` directory will be used to populate the newly 283created `$HOME` directory, the `GITLAB_RUNNER_DISABLE_SKEL` variable should be set explicitly 284to `false` before package installation. For example: 285 286```shell 287# For Debian/Ubuntu/Mint 288export GITLAB_RUNNER_DISABLE_SKEL=false; sudo -E apt-get install gitlab-runner 289 290# For RHEL/CentOS/Fedora 291export GITLAB_RUNNER_DISABLE_SKEL=false; sudo -E yum install gitlab-runner 292``` 293 294Please note, that shell configuration added to the `$HOME` directory with the usage of `skel` may 295interfere with the job execution and introduce unexpected problems like the ones mentioned above. 296 297## Upgrading to GitLab Runner 10 298 299To upgrade GitLab Runner from a version prior to 10.0: 300 3011. Remove the old repository: 302 303 ```shell 304 # For Debian/Ubuntu/Mint 305 sudo rm /etc/apt/sources.list.d/runner_gitlab-ci-multi-runner.list 306 307 # For RHEL/CentOS/Fedora 308 sudo rm /etc/yum.repos.d/runner_gitlab-ci-multi-runner.repo 309 ``` 310 3111. Follow the same steps when [installing GitLab Runner](#installing-gitlab-runner), 312 **without registering it** and using the new repository. 313 3141. For RHEL/CentOS/Fedora, run: 315 316 ```shell 317 sudo /usr/share/gitlab-runner/post-install 318 ``` 319 320 WARNING: 321 If you don't run the above command, you will be left 322 with no service file. Follow [issue #2786](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2786) 323 for more information. 324