How to Setup a Secure Docker Drone Runner with Drone CI

BeeYoop BeeDeepBoom Weeop DEEpaEEya

BeeYoop BeeDeepBoom Weeop DEEpaEEya

In general, this article describes how to setup SSL with a Drone Runner. This is part II of a part I series. If you would like to learn how-to setup the Drone Server, please visit: Setup Drone CI Server.

This part II creates a pipeline runner with a Docker machine; what that means is, like GitHub Actions, but with Drone super powers. The configuration file is stored as .drone.yml in the root of your site directory and drone server uses that application yml file to do a series of commands or actions within the virtual docker machine.

This is empowering because you can automate a fresh build every time. Also, you create a drone trigger for when you push to a branch master as an example. Here is the configuration of all the possible things you can do. Docker Pipelines Overview

Note 1: If you see a [name-goes-here], I am linking to the references I shared below. Note 2: If you want to use Docker Engine without sudo, follow this url: Linux Docker Post-Install


  • Basic Linux CLI knowledge
  • A hardened remote SSH server see Linux VPS hardening
  • A running Gitea server: Git with a cup of tea
  • Docker Engine
  • a basic understanding of how to use Docker Engine
  • basic Nginx, Gitea and Certbot/Let’s Encrypt experience
  • openssl
  • a running drone ci server see part I

Let’s Begin!

Pull docker image from Dockerhub

docker pull drone/drone-runner-docker:1

Make public access to repo in drone GUI

For testing, I made sure the repo was publicly available.


Launch a Secure Docker Drone Runner

For the DRONE_RPC_SECRET use the same ssl secret we created in Part I. See Configuration for a complete list of configuration options.

Please see the reference to understand what this docker config is doing. That is important for you to do yourself.

docker run --detach \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --env=DRONE_RPC_PROTO=https \ \
  --env=DRONE_RPC_SECRET=bea26a2221fd8090ea38720fc445eca6 \
  --env=DRONE_RUNNER_NAME=st-runner \
  --env=DRONE_UI_USERNAME=youruserhere \
  --env=DRONE_UI_PASSWORD=yourpasshere \
  --env=DRONE_DEBUG=true \
  --env=DRONE_TRACE=true \
  --publish=3000:3000 \
  --restart=always \
  --name=st-drone-runner \

A Pipeline Config Example

An example of a custom pipeline I have created. I ain’t going to explain this to you in detail; I expect you to determine your own pipeline and this is only for a reference point. Essentially, what you will be doing is launching your own virtual machine for your specific use case scenario.

In this example, on, I have created a secret pass that needs to be passed to the virtual machine so I can package the build aka _site only, then auto push to www_data branch on my git server. Furthermore, I rsync this data through an ssh tunnel to a Gitea Pages server that serves the WWW or edge data.

Note: 3: The example configuration is a .drone.yml file stored in the root of your site project.

kind: pipeline
type: docker
name: build
  path: /drone/src
  os: linux
  arch: amd64
  - master
- name: build-website
  image: ruby:latest
      from_secret: ssh_user
      from_secret: ssh_host
      from_secret: no_hostkey
  privileged: false
    - name: jekyll
      path: /srv/jekyll
    # general vm information for debugging
    - whoami
    - pwd
    - gem environment


docker logs st-drone-runner
INFO[0000] starting the server
INFO[0000] successfully pinged the remote server

Stop & Start Container

sudo docker container stop st-drone-ssl
sudo docker container start st-drone-ssl

Financial Support & Donations

I mainly debug code, drive, yak shave and deep dive into research for Linux base operating systems.

I am a Free Software Associate (FSF), privacy advocate and Cosmopolitan that enjoys philosophie, meta-physics, hacking and debugging computer hardware/software.