FAQs

Security

• What is the patching schedule like for the runners?

  An automated nightly build of all base images is created including all of the latest security updates for the Operating System.

  Github Runners are updated within 24h of a release to give us time to test the new version.

• What is being logged/captured on the runners?

  We send up the log of `runinit`, a program which is started on boot to initiate the connection between CarbonRuner and Github/Gitlab etc... The output of this program is sent up via Syslog (TLS), otherwise we do not log anything.

  `runinit` will log your Github organization/username, repo name, CPU frequency settings and network byte counters (Rx+Tx).

• Are there any prepackaged tools on the runners and how often are they updated?

  Yes. If you've chosen the standard CarbonRunner `ubuntu-latest` images then we stick to the same packages that are installed by Github.

• What controls do we have around which regions things run in? e.g. can we only allowlist European ones?

  Yes. Github Runners are usually installed at the Organization level which means that any runners we spin up for you can take the workflow in any available CarbonRunner region.

  In your Dashboard you can restrict which regions and providers are used. This is best for the general case as the developer does not have to adjust the runs-on tag beyond the initial change.