Building a Hardened, Containerized CI/CD Pipeline - 2

Phase 2: Registering the Runner and Configuring Target Architecture Tags

Posted by yuanhang on June 02, 2026

With the runner infrastructure running, the runner must authenticate securely with our GitLab instance and be configured to pick up only jobs that match our cross-compilation workloads.

Registration Execution

Generate a modern Runner Authentication Token from your GitLab Web UI under Admin Area > CI/CD > Runners. Once acquired, execute the interactive registration wrapper inside the active runner container:

docker exec -it gitlab-runner gitlab-runner register

 

Configuration Prompt Parameters

During the interactive wizard, enter the values exactly as shown below:

  • GitLab Instance URL: https://gitlab-tae.zofre.de

  • Registration Token: [Your_Generated_Secure_Admin_Token]

  • Executor: docker

  • Default Docker Image: alpine:latest (Serves as a lightweight fallback environment)

Verification of config.toml

The registration command writes to /srv/gitlab-runner/config/config.toml. Open it and verify that the Docker socket mount, which the child job containers depend on, is present under volumes:

concurrent = 5
check_interval = 0
shutdown_timeout = 0
[session_server]
  session_timeout = 1800
[[runners]]
  name = "renesas-synergy"
  url = "https://gitlab-tae.zofre.de"
  id = 3
  token = "glrt-qmf9LWyUgteaK8nYgLvV6286MQp0OjEKdToxCw.01.1212nt19p"
  token_obtained_at = 2026-02-25T12:04:04Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "docker"
  request_concurrency = 5
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = true
    ca_file = "/etc/gitlab-runner/certs/gitlab-tae.zofre.de.crt"
    # Fallback image if no image is specified in .gitlab-ci.yml
    image = "alpine:latest"
    privileged = false
    pull_policy = ["if-not-present"]
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    # Resolve the GitLab server domain directly to the host Ubuntu server's IP.
    # This enables the worker container to reach the GitLab server over the local network,
    # without routing through the public internet.
    extra_hosts = ["gitlab-tae.zofre.de:host-gateway"]
    # Very important: cache and Docker socket mount
    volumes = ["/srv/gitlab-runner/cache:/cache","/var/run/docker.sock:/var/run/docker.sock"]
    shm_size = 0
    network_mtu = 0

Security & Operations Warning

Ensure you explicitly add the routing tags in the GitLab Web UI or via the prompt. For this architecture, we tag the runner with renesas-project. This prevents the runner from processing unrelated generic web app pipelines and dedicates its computing resources entirely to firmware compilation.