Container runner installation (Kubernetes)

3 months ago6 min read
Last updated • Read time
Cloud
This document is applicable to CircleCI Cloud
Server v4.3+
This document is applicable to CircleCI Server v4.3+

This page describes how to install CircleCI’s container runner.

Prerequisites

To install container runners and run jobs, you will need to have root access, and have the following set up and installed:

  • Kubernetes 1.25+

  • Helm 3.x

  • A Kubernetes namespace without any other workloads

  • The checkout step configures Git to checkout over SSH - ensure that your cluster is configured to allow outbound connections over port 22 if you wish to use it

  • The CircleCI CLI if you wish to install runners from the command line

Self-hosted runner terms agreement

Before you can install self-hosted runners through the web app, you will need to agree to the CircleCI Runner Terms. To be able to gain access to the Self-Hosted Runners section of the CircleCI web app or your CircleCI server app, an admin in your organization needs to navigate to Organization Settings  Self-Hosted Runners, and agree to the terms.

Runner terms and conditions

Once the terms have been accepted, Self-Hosted Runners will appear permanently in the side navigation.

Your role within your org is determined differently depending on how you integrate with your code, as follows:

  • If your code is integrated with CircleCI via the GitHub OAuth App or Bitbucket Cloud, CircleCI mirrors VCS permissions for organizations. If you are an admin on your organization’s VCS, you are an admin on CircleCI. If you are unsure, check the admin permissions on your VCS.

  • If your code is integrated with CircleCI via the GitHub App, GitLab, or Bitbucket Data Center, you can check roles by navigating to Organization Settings  People. Full details on roles and permissions are available in the Roles and permissions overview.

1. Create namespace and resource class

In order to install self-hosted runners, you will need to create a namespace and resource class token. To create resource classes and tokens, you need to be an organization admin in the VCS provider. You can read about namespaces and resource classes on the Concepts page.

You can view your installed runners on the inventory page, by clicking Self-Hosted Runners on the left navigation.

  1. On the CircleCI web app, navigate to Self-Hosted Runners and select Create Resource Class.

    Runner set up
  2. Next, you will create a custom resource class to use when configuring jobs to use your self-hosted runners. If this is your organization’s first time using self-hosted runners. You will need to create or enter a namespace. If your organization already creates orbs, do not create a new namespace, but instead enter the namespace your organization uses for orbs here too. Enter aname for your self-hosted runner resource class.

    Runner set up
  3. Copy and save the resource class token. Self-hosted runners use this token to claim work for the associated resource class.

    Runner set up
  4. Select the Container tab and continue on to the container runner installation steps below.

2. Container runner installation

  1. Add the container runner Helm repository by running the following command:

    helm repo add container-agent https://packagecloud.io/circleci/container-agent/helm
  2. Next, run the following:

    helm repo update
  3. Next, run the following command to create the circleci Kubernetes namespace:

    kubectl create namespace circleci
  4. Create a file called values.yaml containing the following, substituting your namespace and resource class and token:

    agent:
      resourceClasses:
        <your-namespace>/<your-resource-class-name>:
          token: <your-resource_class_token>
  5. Finally, run the following command:

    helm install container-agent container-agent/container-agent -n circleci -f values.yaml

3. Enable rerun job with SSH (optional) - Open preview

To enable this optional feature, follow the instructions below after reading through the considerations. Rerunning jobs with SSH allows you to troubleshoot problems through inspecting log files, running processes, and directory paths.

The rerun job with SSH feature makes use of the Gateway API to facilitate SSH access from outside your cluster. To enable this feature, Gateway API resources must first be provisioned on your cluster, and the CircleCI container agent configuration must be updated.

a. Install Envoy Gateway to your cluster

  1. First, install the Gateway API CRDs and Envoy Gateway, as defined in the Envoy Gateway Helm installation document. To do this, replace <version> with the most recent stable release compatible with your cluster, then run the following command:

    helm install eg oci://docker.io/envoyproxy/gateway-helm --version <version> -n envoy-gateway-system --create-namespace
  2. Finally, wait for Envoy Gateway to become available:

    kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available

b. Enable the Rerun job with SSH feature

  1. Once all Gateway API prerequisites are installed and available, add the agent.ssh.enabled = true parameter to the container runner configuration:

    agent:
      ssh:
        enabled: true

    For a full list of SSH configuration options, refer to the Helm chart values.

  2. Redeploy the updated manifest:

    helm upgrade --wait --timeout=5m <release-name> container-agent/container-agent -n <namespace> -f values.yaml
  3. Wait for the SSH Gateway to be programmed:

    kubectl wait gateway --timeout=5m --all --for=condition=Programmed -n <namespace>

    Container runner is now ready for rerunning jobs with SSH.

Container runner configuration example

Once you have installed configuration runner, select Continue in the CircleCI web app and you will be presented with an example configuration snippet showing a job configured to use your new self-hosted runner resource class.

Runner set up

Once you have installed the container runner within your cluster, create and trigger a CircleCI job that uses the Docker executor to validate the installation. The fields you must set for a specific job to run using your container runners are:

  • image:

  • resource_class: <namespace>/<resource-class>

Simple example of how you could set up a job (cimg/base:2021.11 is a commonly used CircleCI Docker image):

version: 2.1

jobs:
  build:
    docker:
      - image: cimg/base:2021.11
    resource_class: <namespace>/<resource-class>
    steps:
      - checkout
      - run: echo "Hi I'm on Runners!"

workflows:
  build-workflow:
    jobs:
      - build

Troubleshooting

Refer to the Troubleshoot Container Runner section of the Troubleshoot Self-hosted Runner guide if you encounter issues installing or running container runner.