Container runner installation (Kubernetes)
On This Page
- Prerequisites
- Self-hosted runner terms agreement
- 1. Create namespace and resource class
- 2. Container runner installation
- 3. Enable rerun job with SSH (optional) - Open preview
- a. Install Envoy Gateway to your cluster
- b. Enable the Rerun job with SSH feature
- Container runner configuration example
- Troubleshooting
- Additional resources
This page describes how to install CircleCI’s container runner.
Prerequisites
To install container runners and run jobs, you will need to have root access, and have the following set up and installed:
-
Kubernetes 1.25+
-
Helm 3.x
-
A Kubernetes namespace without any other workloads
-
The checkout step configures Git to checkout over SSH - ensure that your cluster is configured to allow outbound connections over
port 22
if you wish to use it -
The CircleCI CLI if you wish to install runners from the command line
Self-hosted runner terms agreement
Before you can install self-hosted runners through the web app, you will need to agree to the CircleCI Runner Terms. To be able to gain access to the Self-Hosted Runners section of the CircleCI web app or your CircleCI server app, an admin in your organization needs to navigate to , and agree to the terms.
Once the terms have been accepted, Self-Hosted Runners will appear permanently in the side navigation.
Your role within your org is determined differently depending on how you integrate with your code, as follows:
-
If your code is integrated with CircleCI via the GitHub OAuth App or Bitbucket Cloud, CircleCI mirrors VCS permissions for organizations. If you are an admin on your organization’s VCS, you are an admin on CircleCI. If you are unsure, check the admin permissions on your VCS.
-
If your code is integrated with CircleCI via the GitHub App, GitLab, or Bitbucket Data Center, you can check roles by navigating to Roles and permissions overview.
. Full details on roles and permissions are available in the
To find out which GitHub integration you are using, head to the CircleCI web app, select your org, select Organization Home from the sidebar, and inspect the URL in your browser:
For more information about the differences, see the GitHub docs comparison page. |
1. Create namespace and resource class
In order to install self-hosted runners, you will need to create a namespace and resource class token. To create resource classes and tokens, you need to be an organization admin in the VCS provider. You can read about namespaces and resource classes on the Concepts page.
You can view your installed runners on the inventory page, by clicking Self-Hosted Runners on the left navigation.
-
On the CircleCI web app, navigate to Self-Hosted Runners and select Create Resource Class.
-
Next, you will create a custom resource class to use when configuring jobs to use your self-hosted runners. If this is your organization’s first time using self-hosted runners. You will need to create or enter a namespace. If your organization already creates orbs, do not create a new namespace, but instead enter the namespace your organization uses for orbs here too. Enter aname for your self-hosted runner resource class.
Each organization can only create a single namespace. While not required, we suggest using a lowercase representation of your CircleCI account name. CircleCI will populate your org name as the suggested namespace by default in the UI. -
Copy and save the resource class token. Self-hosted runners use this token to claim work for the associated resource class.
The token cannot be retrieved again, be sure to store it safely. -
Select the Container tab and continue on to the container runner installation steps below.
2. Container runner installation
-
Add the container runner Helm repository by running the following command:
helm repo add container-agent https://packagecloud.io/circleci/container-agent/helm
-
Next, run the following:
helm repo update
-
Next, run the following command to create the
circleci
Kubernetes namespace:kubectl create namespace circleci
-
Create a file called
values.yaml
containing the following, substituting your namespace and resource class and token:agent: resourceClasses: <your-namespace>/<your-resource-class-name>: token: <your-resource_class_token>
-
Finally, run the following command:
helm install container-agent container-agent/container-agent -n circleci -f values.yaml
3. Enable rerun job with SSH (optional) - Open preview
The ability to rerun a job with SSH for CircleCI container runner is in open preview. |
To enable this optional feature, follow the instructions below after reading through the considerations. Rerunning jobs with SSH allows you to troubleshoot problems through inspecting log files, running processes, and directory paths.
Retry with SSH considerations
|
The rerun job with SSH feature makes use of the Gateway API to facilitate SSH access from outside your cluster. To enable this feature, Gateway API resources must first be provisioned on your cluster, and the CircleCI container agent configuration must be updated.
Supported Gateway API implementations: CircleCI has tested, and currently supports Envoy Gateway as an implementation for the Gateway API. Other Gateway API implementations that support TCPRoute resources are likely to be compatible, but not all of these implementations have been tested, and therefore compatibility is not guaranteed. Our recommendation is to use Envoy Gateway as your implementation. Envoy Gateway is currently in beta and is under development. |
a. Install Envoy Gateway to your cluster
-
First, install the Gateway API CRDs and Envoy Gateway, as defined in the Envoy Gateway Helm installation document. To do this, replace
<version>
with the most recent stable release compatible with your cluster, then run the following command:helm install eg oci://docker.io/envoyproxy/gateway-helm --version <version> -n envoy-gateway-system --create-namespace
-
Finally, wait for Envoy Gateway to become available:
kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
b. Enable the Rerun job with SSH feature
-
Once all Gateway API prerequisites are installed and available, add the
agent.ssh.enabled = true
parameter to the container runner configuration:agent: ssh: enabled: true
For a full list of SSH configuration options, refer to the Helm chart values.
-
Redeploy the updated manifest:
helm upgrade --wait --timeout=5m <release-name> container-agent/container-agent -n <namespace> -f values.yaml
-
Wait for the SSH Gateway to be programmed:
kubectl wait gateway --timeout=5m --all --for=condition=Programmed -n <namespace>
Container runner is now ready for rerunning jobs with SSH.
Container runner configuration example
Once you have installed configuration runner, select Continue in the CircleCI web app and you will be presented with an example configuration snippet showing a job configured to use your new self-hosted runner resource class.
Once you have installed the container runner within your cluster, create and trigger a CircleCI job that uses the Docker executor to validate the installation. The fields you must set for a specific job to run using your container runners are:
-
image:
-
resource_class: <namespace>/<resource-class>
Simple example of how you could set up a job (cimg/base:2021.11
is a commonly used CircleCI Docker image):
version: 2.1
jobs:
build:
docker:
- image: cimg/base:2021.11
resource_class: <namespace>/<resource-class>
steps:
- checkout
- run: echo "Hi I'm on Runners!"
workflows:
build-workflow:
jobs:
- build
Do not use an existing job that uses setup_remote_docker (see Building container images for more information). |
Troubleshooting
Refer to the Troubleshoot Container Runner section of the Troubleshoot Self-hosted Runner guide if you encounter issues installing or running container runner.