Enable interactive web terminal for GitLab.com
Problem to solve
We have support for docker executor for web terminals and we should enable it on GitLab.com since it's a core feature.
This will add the ability to use interactive web terminals on .com, giving many users the ability to take advantage of this feature. We have to be careful before enabling this feature, however, since it can have an impact on production performance and security characteristics. This issue represents the due diligence from an engineering side to do this investigation and, once complete (assuming no hurdles), enable the feature on .com.
Currently, shared runners are using the Docker executor, which is partially supported; there are talks to use Kubernetes since we have better support for it. From a security perspective both. There are also plans to migrate to Kubernetes for our runner managers, but that will not affect the proposal below or vice versa.
- Interactive web terminal documentation
- Web terminal for WebIDE
- Architecture overview
- Technical Documentation
This issue picks up after the gitlab-ce~3011727 work (steps 1-5) in https://gitlab.com/gitlab-org/gitlab-ce/issues/52611 has been completed. Please see that issue for those steps.
6. Start using private-runners-manager-5.gitlab.com for CI jobs
Given that all previous steps have been successful, especially steps 4 & 5, we can start using the runner manager for running some tests. We can do this in two ways:
- Set specific jobs with the correct tags (gitlab-org) inside of the
- Configure the group runner to pick up untagged jobs
It might also be ideal to do both: the runner manager will pick up more jobs, and we still have predictability about which jobs offer the interactive web terminal for debugging a running job.
- SRE/~Verify GitLab.com admin to configure runner to pick up untagged jobs
- ~Verify to add the correct tags to .gitlab-ci.yml if we want specific jobs to run them
7. Roll out other runner managers
Roll this out to the other runners, following the order below. Each step requires us to update the respective role inside of https://ops.gitlab.net/gitlab-cookbooks/chef-repo and takes a period of 3-5 days to monitor the situation.
- Update all the private runner managers by updating the
- Update gitlab shared runner managers by updating
- Update the final shared runner managers by updating
- ~Verify to add the necessary configuration
private-runners-manager-5.gitlab.com served its purpose and can be removed since there is no benefit of having another manager.
- ~Verify to update chef configuration and remove the box.
What does success look like, and how can we measure that?
- GitLab.com users can use the web terminal on their jobs and for the Web IDE.
- Easy to maintain for SREs.
- Doesn't affect any uptime for CI.
- Performance of each runner manager is not affected by a large amount.