- 25 Jun 2024
- 7 Minutes to read
- Print
- PDF
Runners
- Updated on 25 Jun 2024
- 7 Minutes to read
- Print
- PDF
Runners are nothing but Traceable CLI installed on your server as a service. You can download and install a runner either through the Traceable Platform or as a service using the install.sh
script available on Traceable's download site or by using Helm chart. Traceable also allows you to set up custom certificates for runners according to your requirements. For more information, see Set up custom certificates for runners.
The following table compares Traceable CLI and runner on various parameters along with their use case and recommendations:
Parameters | Traceable CLI | Traceable Runner |
---|---|---|
Integration | It is designed to integrate with CI systems when the job needs to be triggered and run on a CI runner. It is a quick way to run scans from local or remote hosts. | It is designed to integrate with job schedulers and CI/CD systems when CI pipeline needs to trigger the scan and delegate actual running to the Traceable runner. |
Execution | It executes synchronously, running tests immediately as they are invoked. | It executes asynchronously, consuming the job queue. |
Configuration | It is usually a part of the script setup. | It requires a runner pool, which is usually done using Helm charts or similar deployment tools. |
Use Case | It is ideal for pre-commit hooks, pre-deploy checks, and other stages in the development pipeline where immediate feedback is required. | It is ideal for scheduling regular security scans, batch jobs, or handling multiple requests asynchronously. |
Recommendation | It is recommended for use in small to medium projects requiring immediate results on simple security tests. | It is recommended for use in either of the following scenarios:
|
Before you begin
Make a note of the following before proceeding with setting up Runner:
A runner needs at least 2 CPUs and 4 GB of memory. This number may increase with an increase in the number of tests. Contact Traceable support for exact sizing by sending an email to support@traceable.ai.
Ensure that the machine where you are installing the Runner can communicate with the APIs and Traceable Platform.
DAST does not need an app to be instrumented, but an environment still needs to be created for DAST scan to create a default service and list APIs under it.
Runners are not scoped by the environment. They are available for all environments.
Ensure you are assigned the Security admin or Account Owner role to start a runner. For more information about different roles, see Teams and roles - RBAC.
Option 1 — Download runner from UI
Navigate to Testing → Settings → Runners to start the runner configuration. Provide a name for the runner and the token. The binary CLI command and docker option are displayed. You can use either of the options to configure the runner on your server.
Copy the binary CLI command or the docker command to configure the runner.
By default, the binary command runs in the background. The Docker command given in the UI runs in the foreground in an interactive way. If you wish to run the Docker command in the background, use the following command. Replace the runner's name with the name of your runner:
docker run --rm -d -v ~/.traceable_docker:/app/userdata traceableai/traceable-cli:latest runner start --traceable-server api.traceable.ai --runner-name newrunner --token ****
Following is an explanation of the Docker command:
docker run
is the command to run a Docker container.--rm
removes the container automatically after it exits.-d
runs the container in detached mode.-v ~/.traceable_docker:/app/userdata
mounts the local directory~/.traceable_docker
to the/app/userdata
directory inside the container. This allows the container to access and modify files in the local directory.traceableai/traceable-cli:latest
specifies the image to use for the container.runner start
runs thestart
command of the Traceable Runner program within the container.--traceable-server api.traceable.ai
specifies the URL of the Traceable Server to connect to.--runner-name newrunner
sets the name of the runner to “newrunner”.--token ****
sets the authorization token required to connect to the Traceable Server.
Option 2 — Download and install Runner as a service
You can configure the runner as a systemd
service. Download the installation script from Traceable's download site to configure Runner as a service. Navigate to cli → release → latest → install.sh to download the installation script.
Note
The
install.sh
script is supported on a Linux machine.
Run the script's help
( install.sh --help
) command to know the various options.
You can run more than one runner on the same machine for both option 1 and option 2. For more information on how to run more than one runner on a single machine, contact Traceable support at support@traceable.ai.
Option 3 — Install runner using Helm chart
Complete the following steps to install runner using Helm chart:
Enter the following command to add the repo:
helm repo add traceableai https://helm.traceable.ai
Enter the following command to update the repo:
helm repo update
Create values.yml file
Create a values.yml
file based on the sample provided below. Make sure to add the correct values for traceableToken
and traceableServer
in the file.
replicaCount: 1
resources:
limits:
cpu: 2.0
memory: 4Gi
requests:
cpu: 2.0
memory: 4Gi
astRunnerArgs:
name: traceable-runner-helm # Name of the runner
traceableServer: api.traceable.ai # Traceable Server
traceableToken: "" # Replace this with actual token value
maxRetries: 1 # Number of Request Retries
idleTimeout: 10 # Idle Timeout before aborting a scan
requestDelay: 0 # Request delay delay between requests
threads: 20 # Number of threads to run on
logfile: stdout # Log file name
loglevel: INFO # Set log level
Enter the following command:
helm install <deployment_name> traceableai/traceable-runner -f values.yaml
Set up custom certificates for runners
You can set up custom certificates for runners according to your requirements. These certificates are useful when you need private certificate authority (CA) files or to verify the client’s identity.
Note
All custom certificate files should be in PEM format.
Following are the custom SSL/TLS configurations for the Traceable runner:
Custom internal certificate authority (CA)
The Traceable runner CLI allows you to configure a custom root CA file if your organization uses a private CA file to sign server certificates. Adding the custom CA file ensures secure communication between the runner and both the Traceable platform and your organization’s servers. This security is achieved using the certificates signed by the private CA file.
To set up a custom CA file, you must set the TRACEABLE_ROOT_CA_FILE
environment variable with the path to the CA public certificate file in the instance where the Traceable runner is installed.
Mutual TLS configuration
The Traceable runner CLI allows you to use environment variables to set the path to the custom certificate files. This is useful for verifying the client’s identity when calling your organization’s servers. You can set the following environment variables:
TRACEABLE_CLI_CERT_FILE
— Set the path to the client’s certificate file for authenticating the client to the server.TRACEABLE_CLI_KEY_FILE
— Set the path to the certificate’s private key.
Uninstall a Runner
You can uninstall a runner from your terminal; however, the steps to do this depend on the option you choose while installing it:
Runner installed using install.sh
Option 1 - As a systemd
service
Complete the following steps:
Enter the following command to stop the service if it is currently running:
systemctl stop traceable-runner.service
Enter the following command to check the status of the service:
systemctl status traceable-runner.service
The above command and recent log entries show whether the service is active, inactive, or has failed.
Enter the following command to disable the service:
systemctl disable traceable-runner.service
The above command prevents the service from starting automatically at boot time.
Enter the following command to remove the service unit file from your custom location:
rm /etc/systemd/system/traceable-runner.service
The above command removes the file from the
/etc/systemd/system
directory. This directory usually contains thesystemd
service files created or customized by the system administrator.Enter the following command to remove the service unit file from the standard location:
rm /user/lib/systemd/system/traceable-runner.service
The above command removes the file from the
/user/lib/systemd/system/
directory. This directory usually containssystemd
service files provided by installation packages.Enter the following command to reload the
systemd
manager configuration:systemctl daemon-reload
The above command reloads the manager configuration. You must run this command to ensure that
systemd
is aware of the above steps.
Option 2 - Not as a service
Complete the following steps:
Enter the following command to stop the runner:
traceable runner stop <runner_name>
Ensure that the Traceable runner process is currently not running:
ps -ef | grep traceable
Enter the following command to remove the Traceable CLI installation:
delete $HOME/.local/traceable directory
Runner installed using a Helm chart
Enter the following command to uninstall the runner:
helm uninstall <deployment_name>