Runners
  • 14 Nov 2024
  • 8 Minutes to read
  • Dark
    Light
  • PDF

Runners

  • Dark
    Light
  • PDF

Article summary

Runners are nothing but Traceable CLI installed on your server as a service. You can download and install a runner using either of the following methods:

  • Through the Traceable platform

  • As a service using the install.sh script available on Traceable's download site

  • Using Helm chart

  • On AWS ECS using CloudFormation or Terraform

Traceable also allows you to set up custom certificates for runners according to your requirements. For more information, see Set up custom certificates for runners.

The following table compares Traceable CLI and runner on various parameters along with their use case and recommendations:

Parameters

Traceable CLI

Traceable Runner

Integration

It is designed to integrate with CI systems when the job needs to be triggered and run on a CI runner. It is a quick way to run scans from local or remote hosts.

It is designed to integrate with job schedulers and CI/CD systems when CI pipeline needs to trigger the scan and delegate actual running to the Traceable runner.

Execution

It executes synchronously, running tests immediately as they are invoked.

It executes asynchronously, consuming the job queue.

Configuration

It is usually a part of the script setup.

It requires a runner pool, which is usually done using Helm charts or similar deployment tools.

Use Case

It is ideal for pre-commit hooks, pre-deploy checks, and other stages in the development pipeline where immediate feedback is required.

It is ideal for scheduling regular security scans, batch jobs, or handling multiple requests asynchronously.

Recommendation

It is recommended for use in small to medium projects requiring immediate results on simple security tests.

It is recommended for use in either of the following scenarios:

  • When working with large projects requiring complex security testing, most attack coverage and tests run for longer durations.

  • When you want to run periodic exhaustive tests as daily/weekly scheduled jobs.


Before you begin

Make a note of the following before proceeding with setting up Runner:

  • A runner needs at least 2 CPUs and 4 GB of memory. This number may increase with an increase in the number of tests. Contact Traceable support for exact sizing by sending an email to support@traceable.ai.

  • Ensure that the machine where you are installing the Runner can communicate with the APIs and Traceable Platform.

  • DAST does not need an app to be instrumented, but an environment still needs to be created for DAST scan to create a default service and list APIs under it.

  • Runners are not scoped by the environment. They are available for all environments.

  • Ensure you are assigned the Security admin or Account Owner role to start a runner. For more information about different roles, see Teams and roles - RBAC.


Option 1 — Download runner from UI

Navigate to Testing → Settings → Runners to start the runner configuration. Provide a name for the runner and the token. The binary CLI command and docker option are displayed. You can use either of the options to configure the runner on your server.

Configure new runner

By default, the binary command runs in the background. The Docker command given in the UI interactively runs in the foreground. If you wish to run the Docker command in the background, use the following command. Replace the runner's name with the name of your runner:

docker run --rm -d -v ~/.traceable_docker:/app/userdata traceableai/traceable-cli:latest runner start --traceable-server api.traceable.ai --runner-name newrunner --token **** 

Following is an explanation of the Docker command:

  • docker run is the command to run a Docker container.

  • --rm removes the container automatically after it exits.

  • -d runs the container in detached mode.

  • -v ~/.traceable_docker:/app/userdata mounts the local directory ~/.traceable_docker to the /app/userdata directory inside the container. This allows the container to access and modify files in the local directory.

  • traceableai/traceable-cli:latest specifies the image to use for the container.

  • runner start runs the start command of the Traceable Runner program within the container.

  • --traceable-server api.traceable.ai specifies the URL of the Traceable Server to connect to.

  • --runner-name newrunner sets the name of the runner to “newrunner”.

  • --token **** sets the authorization token required to connect to the Traceable Server.


Option 2 — Download and install Runner as a service

You can configure the runner as a systemd service. Download the installation script from Traceable's download site to configure Runner as a service. Navigate to cli → release → latest → install.sh to download the installation script.

Note

The install.sh script is supported on a Linux machine.

Run the script's help ( install.sh --help) command to know the various options.

You can run more than one runner on the same machine for both option 1 and option 2. For more information on how to run more than one runner on a single machine, contact Traceable support at support@traceable.ai.


Option 3 — Install runner using Helm chart

Complete the following steps to install runner using Helm chart:

  1. Enter the following command to add the repo:

    helm repo add traceableai https://helm.traceable.ai
  2. Enter the following command to update the repo:

    helm repo update

Create values.yml file

Create a values.yml file based on the sample provided below. Make sure to add the correct values for traceableToken and traceableServer in the file.

replicaCount: 1

resources:
  limits:
    cpu: 2.0
    memory: 4Gi
  requests:
    cpu: 2.0
    memory: 4Gi

astRunnerArgs:
  name: traceable-runner-helm   # Name of the runner
  traceableServer: api.traceable.ai   # Traceable Server
  traceableToken: ""   # Replace this with actual token value
  maxRetries: 1   # Number of Request Retries
  idleTimeout: 10   # Idle Timeout before aborting a scan
  requestDelay: 0   # Request delay delay between requests
  threads: 20   # Number of threads to run on
  logfile: stdout   # Log file name
  loglevel: INFO   # Set log level

Enter the following command:

helm install <deployment_name>  traceableai/traceable-runner -f values.yaml

Option 4 — Installation on AWS ECS using CloudFormation

You can configure runners on AWS ECS (Elastic Container Service) using CloudFormation. Download the template file by contacting Traceable support and install the runner in your AWS console. For the steps to do this, see Installation using CloudFormation.


Option 5 — Installation on AWS ECS using Terraform

You can configure runners on AWS ECS (Elastic Container Service) using Terraform. Download the Terraform file by contacting Traceable support and install the runner in your shell. For the steps to do this, see Installation using Terraform.


Set up custom certificates for runners

You can set up custom certificates for runners according to your requirements. These certificates are useful when you need private certificate authority (CA) files or to verify the client’s identity.

Note

All custom certificate files should be in PEM format.

Following are the custom SSL/TLS configurations for the Traceable runner:

Custom internal certificate authority (CA)

The Traceable runner CLI allows you to configure a custom root CA file if your organization uses a private CA file to sign server certificates. Adding the custom CA file ensures secure communication between the runner and both the Traceable platform and your organization’s servers. This security is achieved using the certificates signed by the private CA file.

To set up a custom CA file, you must set the TRACEABLE_ROOT_CA_FILE environment variable with the path to the CA public certificate file in the instance where the Traceable runner is installed.

Mutual TLS configuration

The Traceable runner CLI allows you to use environment variables to set the path to the custom certificate files. This is useful for verifying the client’s identity when calling your organization’s servers. You can set the following environment variables:

  • TRACEABLE_CLI_CERT_FILE — Set the path to the client’s certificate file for authenticating the client to the server.

  • TRACEABLE_CLI_KEY_FILE — Set the path to the certificate’s private key.


Runner View

Traceable shows all configured runners on the Runners page. This includes runners configured across environments. The page also shows the following columns:

Runner View

  • Runner — The name you used while configuring the runner. For example, SampleRunner in the above screenshot.

  • Runner ID — A unique identifier for the runner instance.

  • Host — The host (server or URL) that the runner is targeting.

  • Traceable CLI Version — The CLI version associated with the runner.

  • Status — The current status of the runner. For example, Idle or Busy.

  • Last Heartbeat — The time at which the runner was last active. For example, 2024-11-12 01:32:34 PM.

You can also hover over a column and the corresponding row value and click the Copy () icon to copy the value for use in the Traceable CLI.


Uninstall a Runner

You can uninstall a runner from your terminal; however, the steps to do this depend on the option you choose while installing it:

Runner installed using install.sh

Option 1 - As a systemd service

Complete the following steps:

  1. Enter the following command to stop the service if it is currently running:

    systemctl stop traceable-runner.service
  2. Enter the following command to check the status of the service:

    systemctl status traceable-runner.service

    The above command and recent log entries show whether the service is active, inactive, or has failed.

  3. Enter the following command to disable the service:

    systemctl disable traceable-runner.service

    The above command prevents the service from starting automatically at boot time.

  4. Enter the following command to remove the service unit file from your custom location:

    rm /etc/systemd/system/traceable-runner.service

    The above command removes the file from the /etc/systemd/system directory. This directory usually contains the systemd service files created or customized by the system administrator.

  5. Enter the following command to remove the service unit file from the standard location:

    rm /user/lib/systemd/system/traceable-runner.service

    The above command removes the file from the /user/lib/systemd/system/ directory. This directory usually contains systemd service files provided by installation packages.

  6. Enter the following command to reload the systemd manager configuration:

    systemctl daemon-reload

    The above command reloads the manager configuration. You must run this command to ensure that systemd is aware of the above steps.

Option 2 - Not as a service

Complete the following steps:

  1. Enter the following command to stop the runner:

    traceable runner stop <runner_name>
  2. Ensure that the Traceable runner process is currently not running:

    ps -ef | grep traceable
  3. Enter the following command to remove the Traceable CLI installation:

    delete $HOME/.local/traceable directory

Runner installed using a Helm chart

Enter the following command to uninstall the runner:

helm uninstall <deployment_name>

Runner installed on AWS ECS

Complete the following steps:

  1. Open your web browser and log in to the AWS management console.

  2. In the console, navigate to the Amazon Elastic Container service.

  3. Click the cluster where you installed the runner.

  4. Delete the runner service.


Was this article helpful?