Error Medic

GitLab CI Timeout: Fix Job Timeouts, Permission Denied & Pipelines Not Working

Resolve GitLab CI timeout errors and permission denied failures: increase job timeout in .gitlab-ci.yml, fix runner Docker permissions, and debug stuck pipeline

Last updated:
Last verified:
2,369 words
Key Takeaways
  • GitLab CI jobs time out after 1 hour by default — increase per-job with 'timeout: 3h' in .gitlab-ci.yml or raise the project ceiling under Settings > CI/CD > General pipelines
  • Permission denied on scripts means the executable bit is missing from git — fix permanently with 'git update-index --chmod=+x script.sh'; Docker socket permission denied requires adding gitlab-runner to the docker group
  • Pipelines stuck in 'pending' almost always mean no runner is online, runner tags don't match the job, or the runner's max timeout is lower than the job needs — effective timeout is min(project_timeout, runner_max_timeout)
  • Enable CI_DEBUG_TRACE: 'true' as a CI/CD variable to get verbose step-by-step runner output for any silent failure or hang
Fix Approaches Compared
MethodWhen to UseTime to ImplementRisk
Add 'timeout: 3h' to job in .gitlab-ci.ymlSingle job consistently exceeds the 1h limit< 5 minLow
Raise project timeout in Settings > CI/CDAll jobs need a higher ceiling< 2 minLow
usermod -aG docker gitlab-runnerRunner reports 'permission denied' on /var/run/docker.sock5–10 minMedium — grants Docker daemon access
git update-index --chmod=+xScript exits with '/bin/bash: ./script.sh: Permission denied'< 5 minLow
Re-register runner as correct userRunner installed as root or wrong system user15–30 minLow
Mount Docker socket in config.toml volumesDocker builds inside jobs fail with socket errors10 minMedium — shared socket
CI_DEBUG_TRACE: 'true' variablePipeline hangs silently with no visible error< 5 minLow — exposes env vars in logs

Understanding GitLab CI Timeout, Permission Denied, and Pipeline Failures

GitLab CI/CD pipelines fail in predictable, fixable ways. This guide covers the three most common failure modes — job timeout, permission denied, and pipeline not triggering at all — with exact error messages, root cause analysis, and step-by-step remediation.

Part 1: GitLab CI Timeout

Exact error messages

When a job exceeds its configured timeout you will see one of the following in the job log:

ERROR: Job failed: execution took longer than 1h0m0s seconds

Job's activity exceeded the timeout
Running on runner-abc1234 via build-host-01
...
ERROR: Job failed (system failure): aborted: timeout
Root causes

Default 1-hour project timeout not adjusted. GitLab applies a 60-minute job timeout by default to every project. Large Rust or C++ compilations, slow integration test suites, multi-stage Docker builds with many layers, and database migration jobs frequently exceed this without any indication until they hit the wall.

Runner-level max timeout is lower than the job needs. Each registered runner has its own "Maximum job timeout" setting. The effective timeout for any job is min(project_timeout, runner_max_timeout). Raising the project setting to 3 hours does nothing if the runner is capped at 1 hour.

The job is hanging, not actually slow. Many apparent timeouts are really deadlocks: a test suite waiting on a network service that never responded, an interactive apt prompt blocking the script, or a parallel test runner that orphaned child processes.

Step 1: Determine whether the job is slow or hanging

Add coarse-grained timestamps to your script to pinpoint where time is spent:

build:
  script:
    - date && echo "[START] dependency install"
    - npm ci --prefer-offline
    - date && echo "[END] dependency install"
    - date && echo "[START] build"
    - npm run build
    - date && echo "[END] build"

If the log stops mid-step with no further output until the timeout fires, the job is hanging. Enable CI_DEBUG_TRACE for verbose executor-level output:

variables:
  CI_DEBUG_TRACE: "true"
Step 2: Increase the job-level timeout

Add timeout: directly under the job key in .gitlab-ci.yml. Accepted formats: 3h, 3h 30m, 210 minutes.

build-heavy:
  stage: build
  timeout: 3h
  script:
    - make all

This value cannot exceed the project-level ceiling or the runner's max timeout.

Step 3: Raise the project timeout ceiling

Go to Settings > CI/CD > General pipelines > Timeout and set a value that covers your worst-case job. For GitLab.com free tier, shared runners are hard-capped at 60 minutes. Paid tiers allow up to 3 hours on shared runners.

Step 4: Adjust the runner's max timeout

In Settings > CI/CD > Runners, expand the specific runner and update "Maximum job timeout". If you manage the runner yourself, you can also set this at registration time:

sudo gitlab-runner register \
  --url https://gitlab.com \
  --registration-token YOUR_TOKEN \
  --executor docker \
  --docker-image alpine:latest \
  --maximum-timeout 10800
Step 5: Fix hanging jobs

For package managers that prompt interactively, force non-interactive mode:

before_script:
  - export DEBIAN_FRONTEND=noninteractive
  - apt-get update -y && apt-get install -y curl git
  - npm ci --prefer-offline

For test suites, add explicit timeouts and a force-exit flag:

variables:
  JEST_TIMEOUT: "30000"
script:
  - npx jest --testTimeout=30000 --forceExit --bail

Part 2: GitLab CI Permission Denied

Exact error messages
/bin/bash: ./deploy.sh: Permission denied

dial unix /var/run/docker.sock: connect: permission denied

mkdir: cannot create directory '/cache': Permission denied

fatal: could not read Username for 'https://gitlab.com': No such device or address
Root causes

Script missing executable bit in git. Git tracks file permissions. If deploy.sh was added with git add without first running chmod +x, the file mode stored in git is 0644 (not executable). The runner checks out exactly what git has.

gitlab-runner user not in the docker group. On shell executor setups, the runner process runs as the gitlab-runner system user. By default this user is not in the docker group, so any command that opens /var/run/docker.sock fails immediately.

Artifact files owned by root. If a previous stage ran a Docker container that wrote files as uid 0, the next stage — running as gitlab-runner (typically uid 999 or similar) — cannot overwrite those files.

Missing deploy credentials for git push. CI jobs clone the repository read-only by default. Any script that calls git push without configuring credentials will fail with a permission error that looks like a network error.

Fix 1: Make scripts executable in git

This is the permanent fix — change the file mode stored in the git index:

git update-index --chmod=+x deploy.sh
git commit -m "fix: make deploy.sh executable"
git push

Verify the mode was stored correctly:

git ls-files -s deploy.sh
# Should show mode 100755, not 100644
Fix 2: Add gitlab-runner to the docker group

On the runner host:

sudo usermod -aG docker gitlab-runner
sudo systemctl restart gitlab-runner
# Verify membership
id gitlab-runner
# Expected output includes: groups=...,docker,...
# Spot-check access
sudo -u gitlab-runner docker ps
Fix 3: Mount the Docker socket in config.toml

Edit /etc/gitlab-runner/config.toml on the runner host:

[[runners]]
  name = "my-runner"
  executor = "docker"
  [runners.docker]
    image = "alpine:latest"
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]

Restart after changes: sudo systemctl restart gitlab-runner

Fix 4: Correct artifact ownership for multi-stage pipelines

When a build stage uses Docker to produce artifacts, fix ownership before the artifacts block:

build:
  script:
    - docker run --rm -v "$PWD:/app" -w /app node:20 npm ci
    - docker run --rm -v "$PWD:/app" -w /app node:20 npm run build
    # Ensure next stage can read these files
    - sudo chown -R "$(id -u):$(id -g)" dist/ node_modules/
  artifacts:
    paths:
      - dist/
Fix 5: Git push from CI using a deploy token

Create a deploy token in Settings > Repository > Deploy tokens with write_repository scope, then store it as a masked CI/CD variable:

before_script:
  - git remote set-url origin
      "https://deploy-token:${CI_DEPLOY_PASSWORD}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
  - git config user.email "ci@example.com"
  - git config user.name "GitLab CI"

Part 3: GitLab CI Not Working — Pipeline Stuck or Not Triggering

Symptom: Pipeline stays in 'Pending' indefinitely

This is almost always a runner availability problem. Check in order:

  1. Settings > CI/CD > Runners — is there at least one runner with a green online dot?
  2. If no online runners, SSH to the runner host and check the service:
    sudo systemctl status gitlab-runner
sudo gitlab-runner verify
  3. Check for tag mismatch — if your job specifies tags:, the runner must have matching tags AND "Run untagged jobs" must be disabled or the tags must match exactly (case-sensitive).
Symptom: Jobs never appear despite push

Validate your .gitlab-ci.yml against the GitLab lint API:

curl --silent \
  --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  --header "Content-Type: application/json" \
  --data "{\"content\": $(cat .gitlab-ci.yml | python3 -c 'import sys,json; print(json.dumps(sys.stdin.read()))')}" \
  "https://gitlab.com/api/v4/ci/lint" | python3 -m json.tool

Also check for rules: or only: blocks that never evaluate to true for your branch. A common mistake:

# Wrong — pushes to 'master' never match
deploy:
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'

# Correct — uses the project's configured default branch
deploy:
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

Frequently Asked Questions

bash
#!/usr/bin/env bash
# gitlab-ci-diagnose.sh — run on the GitLab Runner host
# Diagnoses timeout, permission denied, and pipeline-not-working issues

set -euo pipefail

HEADER() { echo ""; echo "=== $* ==="; }

HEADER "GitLab Runner Service Status"
sudo systemctl status gitlab-runner --no-pager -l

HEADER "Registered Runners"
sudo gitlab-runner list 2>&1

HEADER "Runner Connectivity (verify against GitLab)"
sudo gitlab-runner verify 2>&1

HEADER "Runner User Identity"
id gitlab-runner

HEADER "Docker Group Membership"
getent group docker || echo "docker group does not exist"

HEADER "Docker Socket Permissions"
ls -la /var/run/docker.sock

HEADER "Can gitlab-runner Access Docker?"
if sudo -u gitlab-runner docker info > /dev/null 2>&1; then
  echo "OK: gitlab-runner can reach Docker daemon"
else
  echo "FAIL: permission denied on Docker socket"
  echo "FIX:  sudo usermod -aG docker gitlab-runner && sudo systemctl restart gitlab-runner"
fi

HEADER "Runner Configuration"
sudo cat /etc/gitlab-runner/config.toml

HEADER "Effective Timeout Settings (from config.toml)"
sudo grep -E 'maximum_timeout|timeout' /etc/gitlab-runner/config.toml || echo "No explicit timeout set (runner default applies)"

HEADER "Disk Space (full disk causes silent failures)"
df -h

HEADER "Recent Runner Logs (last 60 lines)"
sudo journalctl -u gitlab-runner -n 60 --no-pager

HEADER "Git Executable Bits in .gitlab-ci.yml scripts (local repo)"
if [ -f .gitlab-ci.yml ]; then
  # Extract script paths that start with ./ and check their git mode
  grep -oP '\./.+\.sh' .gitlab-ci.yml | sort -u | while read -r script; do
    mode=$(git ls-files -s "$script" 2>/dev/null | awk '{print $1}')
    if [ "$mode" = "100644" ]; then
      echo "WARN: $script is NOT executable in git (mode 100644)"
      echo "FIX:  git update-index --chmod=+x $script"
    elif [ "$mode" = "100755" ]; then
      echo "OK:   $script is executable (mode 100755)"
    else
      echo "INFO: $script not tracked by git or not found"
    fi
  done
else
  echo "No .gitlab-ci.yml found in current directory"
fi

HEADER "YAML Validation"
if command -v python3 &>/dev/null && python3 -c 'import yaml' 2>/dev/null; then
  python3 - <<'PYEOF'
import yaml, sys
try:
    with open('.gitlab-ci.yml') as f:
        doc = yaml.safe_load(f)
    jobs = [k for k,v in doc.items() if isinstance(v, dict) and 'script' in v]
    print(f'OK: .gitlab-ci.yml is valid YAML with {len(jobs)} job(s): {", ".join(jobs)}')
except FileNotFoundError:
    print('SKIP: .gitlab-ci.yml not found in current directory')
except yaml.YAMLError as e:
    print(f'FAIL: YAML parse error: {e}')
    sys.exit(1)
PYEOF
else
  echo "Skipping — install python3-yaml: sudo apt-get install -y python3-yaml"
fi

echo ""
echo "Diagnostic complete."
E

Error Medic Editorial

The Error Medic Editorial team is composed of senior DevOps and SRE engineers with hands-on experience managing GitLab CI/CD at scale across cloud-native, on-premises, and hybrid environments. Our guides are written from production incident retrospectives and peer-reviewed for technical accuracy before publication.

Sources

Related Articles in Gitlab Ci

Resolving 'GitLab CI Timeout' and 'Permission Denied' Errors: A Complete Troubleshooting Guide
Fix GitLab CI pipeline timeouts and permission denied errors. Learn how to debug runner execution times, fix runner token issues, and optimize your CI/CD jobs.
Troubleshooting GitLab CI: Fixing Timeout, Permission Denied, and Stuck Pipeline Errors
Comprehensive guide to resolving GitLab CI job timeouts, 'permission denied' deployment errors, and stuck pipelines. Learn advanced runner debugging techniques.

Explore More DevOps Config Guides

Ansible Failed: Fix Connection Refused, Permission Denied & Timeout Errors
Fix Ansible failures including connection refused, permission denied, and timeout errors. Step-by-step diagnosis with real commands and verified solutions.
ArgoCD 'connection refused' Error: Complete Troubleshooting Guide (2024)
Fix ArgoCD 'connection refused', CrashLoopBackOff, ImagePullBackOff, and timeout errors with step-by-step diagnostic commands and proven solutions.
ArgoCD Connection Refused: Fix CrashLoopBackOff, ImagePullBackOff, Permission Denied & Timeout Errors
Fix ArgoCD connection refused errors: diagnose CrashLoopBackOff, ImagePullBackOff, permission denied, and timeout with step-by-step kubectl commands and config