Zum Inhalt

_

_

GitLab CI/CD Cheatsheet

• Installation

GitLab Runner Installation

Platform Command
Ubuntu/Debian INLINE_CODE_12
CentOS/RHEL INLINE_CODE_13
macOS INLINE_CODE_14
Windows INLINE_CODE_15
Docker INLINE_CODE_16
Kubernetes (Helm) INLINE_CODE_17
_
### Verifikation
Command Description
INLINE_CODE_18 Check installed GitLab Runner version
INLINE_CODE_19 Verify runner can connect to GitLab
_
--

oder Grundlegende Befehle

Runner Management

Command Description
INLINE_CODE_20 Register a new runner interactively
INLINE_CODE_21 List all registered runners
INLINE_CODE_22 Start the runner service
INLINE_CODE_23 Stop the runner service
INLINE_CODE_24 Restart the runner service
INLINE_CODE_25 Check current runner status
INLINE_CODE_26 Unregister a specific runner
INLINE_CODE_27 Unregister all runners
INLINE_CODE_28 Run runner in foreground for debugging
INLINE_CODE_29 Execute a single job locally for testing
_
### Pipeline Operationen (GitLab CLI)
Command Description
INLINE_CODE_30 Validate INLINE_CODE_31 syntax locally
INLINE_CODE_32 View CI/CD configuration for current project
INLINE_CODE_33 View real-time logs for a specific job
INLINE_CODE_34 List all pipelines for current project
INLINE_CODE_35 Retry a failed pipeline
INLINE_CODE_36 Cancel a running pipeline

API-basierte Pipeline Trigger

Command Description
INLINE_CODE_37 Trigger pipeline via API
INLINE_CODE_38 Trigger pipeline with variables
INLINE_CODE_39 Get pipeline status via API
_
--

/ Fortgeschrittene Nutzung

Advanced Runner Registrierung

Command Description
INLINE_CODE_40 Register runner with inline parameters
INLINE_CODE_41 Register Docker-in-Docker (DinD) runner
INLINE_CODE_42 Configure runner with S3 cache
INLINE_CODE_43 Register Kubernetes executor
INLINE_CODE_44 Configure runner with specific Docker network
INLINE_CODE_45 Register runner with specific tags

Advanced Pipeline Operations

Command Description
INLINE_CODE_46 Download job artifacts via API
INLINE_CODE_47 Create pipeline schedule via API
INLINE_CODE_48 Trigger multi-project pipeline
INLINE_CODE_49 Test runner executor locally

Monitoring und Debugging

Command Description
INLINE_CODE_50 View runner logs in real-time (Linux)
INLINE_CODE_51 Run runner with verbose debug logging
INLINE_CODE_52 Access runner Prometheus metrics
INLINE_CODE_53 View Docker runner logs
INLINE_CODE_54 View Kubernetes runner logs
_
### Konfigurationsmanagement
Command Description
INLINE_CODE_55 Edit runner configuration file (Linux)
INLINE_CODE_56 Remove invalid runners from config
INLINE_CODE_57 Run a single job without registration
_
--

Konfiguration

Basic .gitlab-ci.yml Struktur

# Define pipeline stages
stages:
  - build
  - test
  - deploy

# Global variables
variables:
  DOCKER_DRIVER: overlay2
  DATABASE_URL: "postgres://localhost/db"

# Global scripts executed before each job
before_script:
  - echo "Pipeline started at $(date)"
  - export PATH=$PATH:/custom/bin

# Global scripts executed after each job
after_script:
  - echo "Cleaning up..."

# Basic job definition
build_app:
  stage: build
  image: node:16-alpine
  script:
    - npm install
    - npm run build
  artifacts:
    paths:
      - dist/
    expire_in: 1 week
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - node_modules/
  only:
    - main
    - merge_requests
  tags:
    - docker

Advanced Pipeline Configuration

# Include external configurations
include:
  - project: 'my-group/ci-templates'
    ref: main
    file: '/templates/.gitlab-ci-template.yml'
  - remote: 'https://example.com/ci-template.yml'
  - local: '/templates/security-scan.yml'
  - template: Security/SAST.gitlab-ci.yml

# Workflow rules for pipeline execution
workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == "main"'
    - if: '$CI_COMMIT_TAG'
    - when: never

# Job with complex rules
deploy_production:
  stage: deploy
  script:
    - ./deploy.sh production
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: manual
    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
      when: on_success
  environment:
    name: production
    url: https://prod.example.com
    on_stop: stop_production

Parallel und Matrix Jobs

# Parallel execution
test:
  stage: test
  parallel: 5
  script:
    - bundle exec rspec

# Matrix builds
test_matrix:
  parallel:
    matrix:
      - NODE_VERSION: ['14', '16', '18']
        OS: ['linux', 'windows']
  image: node:${NODE_VERSION}
  script:
    - npm test

Artefakte und Cache Konfiguration

build:
  stage: build
  script:
    - make build
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
    paths:
      - binaries/
      - build/
    exclude:
      - binaries/**/*.tmp
    reports:
      junit: test-results.xml
      coverage_report:
        coverage_format: cobertura
        path: coverage/cobertura-coverage.xml
    expire_in: 30 days
    when: on_success
  cache:
    key:
      files:
        - package-lock.json
    paths:
      - node_modules/
    policy: pull-push

Docker and Services Configuration

build_docker:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

Dynamic Child Pipelines

generate_config:
  stage: build
  script:
    - ./generate-ci-config.sh > generated-config.yml
  artifacts:
    paths:
      - generated-config.yml

trigger_child:
  stage: deploy
  trigger:
    include:
      - artifact: generated-config.yml
        job: generate_config
    strategy: depend

Runner Konfigurationsdatei (config.toml)

concurrent = 10
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "docker-runner"
  url = "https://gitlab.com/"
  token = "TOKEN"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.cache]
    Type = "s3"
    Path = "cache"
    Shared = true
    [runners.cache.s3]
      ServerAddress = "s3.amazonaws.com"
      BucketName = "runner-cache"
      BucketLocation = "us-east-1"
  [runners.docker]
    tls_verify = false
    image = "alpine:latest"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]
    shm_size = 0

--

Häufige Anwendungsfälle

Use Case 1: Build and Test Node.js Application

stages:
  - build
  - test
  - deploy

variables:
  NODE_ENV: production

build:
  stage: build
  image: node:16-alpine
  script:
    - npm ci
    - npm run build
  artifacts:
    paths:
      - dist/
      - node_modules/
    expire_in: 1 hour
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - .npm/

test:unit:
  stage: test
  image: node:16-alpine
  dependencies:
    - build
  script:
    - npm run test:unit
  coverage: '/Lines\s*:\s*(\d+\.\d+)%/'
  artifacts:
    reports:
      junit: junit.xml
      coverage_report:
        coverage_format: cobertura
        path: coverage/cobertura-coverage.xml

test:integration:
  stage: test
  image: node:16-alpine
  services:
    - postgres:13
  variables:
    POSTGRES_DB: test_db
    POSTGRES_USER: test_user
    POSTGRES_PASSWORD: test_password
  script:
    - npm run test:integration

Use Case 2: Docker Build and Push to Registry

stages:
  - build
  - scan
  - deploy

variables:
  DOCKER_DRIVER: overlay2
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

build_image:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $IMAGE_TAG .
    - docker tag $IMAGE_TAG $CI_REGISTRY_IMAGE:latest
    - docker push $IMAGE_TAG
    - docker push $CI_REGISTRY_IMAGE:latest
  only:
    - main
    - tags

scan_image:
  stage: scan
  image: aquasec/trivy:latest
  script:
    - trivy image --severity HIGH,CRITICAL $IMAGE_TAG
  allow_failure: true

deploy_k8s:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl config use-context $KUBE_CONTEXT
    - kubectl set image deployment/myapp myapp=$IMAGE_TAG
    - kubectl rollout status deployment/myapp
  environment:
    name: production
    url: https://myapp.example.com
  only:
    - main

Use Case 3: Multi-Environment Einsatz mit manueller Genehmigung

stages:
  - build
  - deploy_staging
  - deploy_production

build:
  stage: build
  script:
    - ./build.sh
  artifacts:
    paths:
      - build/

deploy_staging:
  stage: deploy_staging
  script:
    - ./deploy.sh staging
  environment:
    name: staging
    url: https://staging.example.com
    on_stop: stop_staging
  only:
    - main

stop_staging:
  stage: deploy_staging
  script:
    - ./cleanup.sh staging
  environment:
    name: staging
    action: stop
  when: manual

deploy_production:
  stage: deploy_production
  script:
    - ./deploy.sh production
  environment:
    name: production
    url: https://www.example.com
  when: manual
  only:
    - main
  needs:
    - deploy_staging

Use Case 4: Terraform Infrastructure Deployment

stages:
  - validate
  - plan
  - apply

variables:
  TF_ROOT: ${CI_PROJECT_DIR}/terraform
  TF_STATE_NAME: default

.terraform:
  image: hashicorp/terraform:latest
  before_script:
    - cd ${TF_ROOT}
    - terraform init -backend-config="address=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}"

validate:
  extends: .terraform
  stage: validate
  script:
    - terraform validate
    - terraform fmt -check

plan:
  extends: .terraform
  stage: plan
  script:
    - terraform plan -out=plan.tfplan
  artifacts:
    paths:
      - ${TF_ROOT}/plan.tfplan
    expire_in: 1 day

apply:
  extends: .terraform
  stage: apply
  script:
    - terraform apply -auto-approve plan.tfplan
  dependencies:
    - plan
  when: manual
  only:
    - main
  environment:
    name: production

Use Case 5: Monorepo mit Selective Job Execution

workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == "main"'

variables:
  FRONTEND_PATH: "apps/frontend"
  BACKEND_PATH: "apps/backend"

.changes_frontend: &changes_frontend
  changes:
    - "${FRONTEND_PATH}/**/*"
    - "package.json"
    - ".gitlab-ci.yml"

.changes_backend: &changes_backend
  changes:
    - "${BACKEND_PATH}/**/*"
    - "requirements.txt"
    - ".gitlab-ci.yml"

build_frontend:
  stage: build
  image: node:16
  script:
    - cd $FRONTEND_PATH
    - npm ci
    - npm run build
  rules:
    - <<: *changes_frontend

build_backend:
  stage: build
  image: python:3.9
  script:
    - cd $BACKEND_PATH
    - pip install -r requirements.txt
    - python -m pytest
  rules:
    - <<: *changes_backend

deploy_all:
  stage: deploy
  script:
    - ./deploy-all.sh
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      changes:
        - "${FRONTEND_PATH}/**/*"
        - "${BACKEND_PATH}/**/*"

--

oder Best Practices

  • **Use cache für Abhängigkeiten und artifacts für Bauausgänge*: Cache beschleunigt nachfolgende Pipeline-Läufe durch die Speicherung von Abhängigkeiten wie __INLINE_CODE_60_, während Artefakte Bauausgänge zwischen den Stufen passieren. Bauen Sie nie Artefakte.

  • **Implementieren Sie die richtigen Workflow-Regeln, um unnötige Pipeline-Läufe zu vermeiden*: Verwenden Sie workflow:rules, um zu kontrollieren, wann Rohrleitungen ausgeführt werden, Abfall auf Entwürfen von MRs verhindern oder nur Dokumentationsänderungen vornehmen. Dies spart Ressourcen und senkt Kosten.

  • **Tag Läufer und Jobs entsprechend*: Verwenden Sie bestimmte Tags (docker, kubernetes, gpu), um Aufträge an entsprechende Läufer zu leiten. Dadurch wird sichergestellt, dass Arbeitsplätze auf Infrastruktur mit erforderlichen Fähigkeiten laufen und Ressourceninhalte verhindern.

**Use needs Schlüsselwort für DAG-Pipelines*: Anstelle von sequentiellen Stufen, verwenden Sie needs:, um gerichtete azyklische Graphen (DAGs) zu erstellen, die Jobs ausführen, sobald Abhängigkeiten abgeschlossen sind und die gesamte Pipelinezeit erheblich reduzieren.

  • ** Speichern sensible Daten in CI/CD-Variablen, nie im Code**: Verwenden Sie geschützte und maskierte Variablen für Geheimnisse wie API-Tasten, Passwörter und Token. Schutz nur für geschützte Zweige/Tags.

  • Implementieren Sie das Sicherheitsscannen früh in der Pipeline: Fügen Sie SAST, Abhängigkeitsabtastung und Containerabtastung in frühen Stadien ein. Verwenden Sie allow_failure: true zunächst, um die Entwicklung zu verhindern, während Teams Ergebnisse ansprechen.

  • **Use only:changes oder rules:changes_ für monorepos*: Trigger Jobs nur, wenn relevante Dateien ändern, verhindern unnötige Builds und Tests. Dies ist für große Monorepos mit mehreren Anwendungen kritisch.

  • ** Setzen Sie geeignete Artefakte Ablaufzeiten*: Default Artefakte zu kurzen Ablauf (1-7 Tage) um Speicherkosten zu sparen. Verwenden Sie expire_in: never nur, um Artefakte freizugeben, die eine dauerhafte Retention benötigen.

  • Leverage enthält und Vorlagen für DRY-Konfiguration: Erstellen Sie wiederverwendbare Vorlagen in separaten Repositories und schließen Sie diese mit __INLINE_CODE_71_ oder __INLINE_CODE_72_ ein. Dies gewährleistet Konsistenz über Projekte.

  • Monitor-Läuferkapazität und Skalierung entsprechend Track Runner Wartezeiten und Job Wartezeiten. Konfigurieren concurrent in __INLINE_CODE_74_ basierend auf verfügbaren Ressourcen, und skalieren Sie Läufer horizontal während der Spitzenzeiten.

--

Fehlerbehebung

Issue Solution
Runner not picking up jobs Verify runner is active: INLINE_CODE_75. Check runner tags match job tags. Ensure runner isn't paused in GitLab UI. Check INLINE_CODE_76 setting in INLINE_CODE_77.
"This job is stuck" error No runner available with matching tags. Either add tags to job, register runner with those tags, or enable INLINE_CODE_78 in runner config.
Docker-in-Docker (DinD) permission errors Add INLINE_CODE_79 to runner config or use Docker socket binding: INLINE_CODE_80. Ensure runner has proper permissions.
Cache not working between jobs Verify cache key is consistent: use INLINE_CODE_81 or file-based keys. Check cache storage configuration (S3, GCS, etc.). Ensure INLINE_CODE_82 is set correctly (INLINE_CODE_83 for read/write).
Pipeline fails with "yaml invalid" Validate syntax with INLINE_CODE_84 or GitLab's CI Lint tool (CI/CD > Pipelines > CI Lint). Check indentation (use spaces, not tabs). Verify all required fields are present.
Artifacts not available in downstream jobs Use INLINE_CODE_85 or INLINE_CODE_86 to explicitly declare artifact dependencies. Check artifact paths are correct. Verify artifacts haven't expired (INLINE_CODE_87).
Jobs timing out Increase timeout in job definition: INLINE_CODE_88. Check for hanging processes. Review runner's INLINE_CODE_89 setting if system resources are exhausted.
"Cannot connect to Docker daemon" error Ensure Docker service is running on runner host. For Docker executor, add INLINE_CODE_90. For DinD, use INLINE_CODE_91 service.
Kubernetes runner pods failing to start Check namespace exists and runner has permissions. Verify resource requests/limits. Review pod logs: INLINE_CODE_92. Check image pull secrets for private registries.
Variables not being passed to jobs Check variable scope (project, group, instance). Ensure variables aren't masked when trying to print them. For protected variables, job must run on protected branch/tag. Use INLINE_CODE_93 prefix: INLINE_CODE_94.
Runner registration token invalid Token may have expired or been revoked. Get new token from GitLab UI: Settings > CI/CD > Runners. For project runners, use project-specific token. For group/instance runners, use appropriate token.
High runner CPU/memory usage Reduce INLINE_CODE_95 value in INLINE_CODE_96. Implement job resource limits. Use INLINE_CODE_97 to reduce redundant downloads. Consider distributing load across multiple runners.
SSL certificate verification failures Add INLINE_CODE_98 to runner config (not recommended for production). Install proper CA certificates. Use INLINE_CODE_99 variable to specify CA bundle.
_
--

Wichtige CI/CD Variablen

Variable Description
INLINE_CODE_100 Full commit SHA that triggered the pipeline
INLINE_CODE_101 First 8 characters of commit SHA
INLINE_CODE_102 Branch or tag name
INLINE_CODE_103 Lowercase branch/tag name, suitable for URLs
INLINE_CODE_104 Unique project ID in GitLab
INLINE_CODE_105 Project name
INLINE_CODE_106 Project namespace with project name
INLINE_CODE_107 Unique pipeline ID
INLINE_CODE_108 Unique job ID
INLINE_CODE_109 Token for authenticating with GitLab API
INLINE_CODE_110 GitLab Container Registry address
INLINE_CODE_111 Full image path for project's container registry
INLINE_CODE_112 Username for container registry authentication
INLINE_CODE_113 Password for container registry authentication
_ CI_ENVIRONMENT_NAME