Saving system ID state file: access denied
Timeline
- The generate global system ID MR merged in 15.7. This MR introduced the issue with Runner 15.7 where the service would not start with the "saving system ID state file" error. (2022-12-01)
- The fix, allow runner to start when the config directory is not writeable, merged in 15.9.
- We plan to reintroduce the behavior from %15.7 in %17.0, meaning that gitlab-runner will not start if a .runner_system_id file is missing. The file is generated any time that gitlab-runner is executed, including when running the register command.
Summary
After upgrading from 15.1.0 to 15.7.1 on Windows, the GitLab Runner service fails to start. This is because it is trying to write to its own directory, which is not writable for security reasons.
Steps to reproduce
Upgrade GitLab Runner service in a directory the service account cannot write to, as per documentation recommendations. Upgrade version must be any that came after !3758 (merged).
Try to start the service.
Actual behavior
Error in event log (not entirely verbatim because clipboard access not possible):
FATAL: Service run failed
loading system ID file: saving system ID state file: writing runner system ID: Open C:\GitLab-Runner\.runner_system_id: Zugriff verweigert
„Zugriff verweigert“ translates to “access denied”.
Expected behavior
GitLab Runner service should not attempt to write to its config folder.
Relevant logs and/or screenshots
See above
Environment description
OS: Windows 10 Professional x64
GitLab: self-hosted open source
Executor: Shell
config.toml contents
(Again, manually typed)
concurrent = 1
check_interval = 0
[session_server]
session_timeout = 1800
[[runners]]
name = "vm-win10"
url = "https://gitlab.example.com/"
token = "the-token"
executor = "shell"
builds_dir = "C:/GitLab-Work/Builds"
cache_dir = "C:/GitLab-Work/Cache"
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
Used GitLab Runner version
Version 15.7.1 Revision 6d480948 amd64
Possible fixes
- Writing .runner_system_id could be done out-of-band (during register or preferably using a separate verb)
  - This would have to be documented as a required upgrade step
- .runner_system_id could be placed elsewhere
- Documentation could be updated, mentioning Runner service must write to its config folder on Windows
- Documentation could be updated, mentioning Runner service cannot use limited account on Windows
  - Not preferable
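
As an added illustration (not GitLab Runner's own code), this Go sketch contrasts the two start-up behaviours in the timeline: failing when the state file cannot be written, as in 15.7, and the 15.9 fix, modelled here as continuing with an unsaved ID. The function name, the strict flag and the ID format are assumptions; only the file name .runner_system_id comes from the issue.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Only the file name comes from the issue; every other name here is hypothetical.
const stateFileName = ".runner_system_id"

// LoadSystemID reads the ID from configDir and generates one if the file is absent.
// strict=true: a failed write is fatal (the behaviour reported for 15.7).
// strict=false: keep the unsaved ID and report persisted=false (assumed 15.9 model).
func LoadSystemID(configDir string, strict bool) (id string, persisted bool, err error) {
	path := filepath.Join(configDir, stateFileName)
	data, err := os.ReadFile(path)
	if err == nil {
		if id = strings.TrimSpace(string(data)); id != "" {
			return id, true, nil
		}
	} else if !errors.Is(err, os.ErrNotExist) {
		return "", false, fmt.Errorf("loading system ID file: %w", err)
	}
	buf := make([]byte, 6)
	if _, err = rand.Read(buf); err != nil {
		return "", false, err
	}
	id = "example_" + hex.EncodeToString(buf) // constructed format, not the Runner's
	// The write is the only step that needs a writable config directory.
	if werr := os.WriteFile(path, []byte(id+"\n"), 0o600); werr != nil {
		if strict {
			return "", false, fmt.Errorf("saving system ID state file: %w", werr)
		}
		return id, false, nil // caller should warn: the ID will differ on next start
	}
	return id, true, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "runner-config") // constructed stand-in for the config directory
	defer os.RemoveAll(dir)
	id, persisted, err := LoadSystemID(dir, false)
	fmt.Println(id, persisted, err)
}
```

Because an existing file is only read, generating it once with an account that can write to the directory lets a read-only service account start in either mode.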