CircleCI Logo
Navigation Menu Icon

Container runner installation (Kubernetes)

Language Icon 1 month ago · 13 min read
Cloud Server v4.3+
Contribute Go to Code

This page describes how to install CircleCI’s container runner.

Prerequisites

To install container runners and run jobs, you will need to have root access, and have the following set up and installed:

  • Kubernetes 1.25+

  • Helm 3.x

  • A Kubernetes namespace without any other workloads

  • The checkout step configures Git to checkout over SSH - ensure that your cluster is configured to allow outbound connections over port 22 if you wish to use it

  • The CircleCI CLI if you wish to install runners from the command line

Self-hosted runner terms agreement

  • Web app installation

  • CLI installation

Before you can install self-hosted runners through the web app, you will need to agree to the CircleCI Runner Terms. To be able to gain access to the Self-Hosted Runners section of the CircleCI web app or your CircleCI server app, an admin in your organization needs to navigate to Organization Settings  Self-Hosted Runners, and agree to the terms.

Runner terms and conditions

Once the terms have been accepted, Self-Hosted Runners will appear permanently in the side navigation.

Your role within your org is determined differently depending on how you integrate with your code, as follows:

  • If your code is integrated with CircleCI via the GitHub OAuth App or Bitbucket Cloud, CircleCI mirrors VCS permissions for organizations. If you are an admin on your organization’s VCS, you are an admin on CircleCI. If you are unsure, check the admin permissions on your VCS.

  • If your code is integrated with CircleCI via the GitHub App, GitLab, or Bitbucket Data Center, you can check roles by navigating to Organization Settings  People. Full details on roles and permissions are available in the Roles and permissions overview.

To find out which GitHub integration you are using, head to the CircleCI web app, select your org, select Organization Home from the sidebar, and inspect the URL in your browser:

For more information about the differences, see the GitHub docs comparison page.

If you are installing and using self-hosted runners through the CLI, you are agreeing to the CircleCI Runner Terms.

1. Create namespace and resource class

  • Web app installation

  • CLI installation

In order to install self-hosted runners, you will need to create a namespace and resource class token. To create resource classes and tokens, you need to be an organization admin in the VCS provider. You can read about namespaces and resource classes on the Concepts page.

You can view your installed runners on the inventory page, by clicking Self-Hosted Runners on the left navigation.

  1. On the CircleCI web app, navigate to Self-Hosted Runners and select Create Resource Class.

    Runner set up

  2. Next, you will create a custom resource class to use when configuring jobs to use your self-hosted runners. If this is your organization’s first time using self-hosted runners. You will need to create or enter a namespace. If your organization already creates orbs, do not create a new namespace, but instead enter the namespace your organization uses for orbs here too. Enter aname for your self-hosted runner resource class.

    Each organization can only create a single namespace. While not required, we suggest using a lowercase representation of your CircleCI account name. CircleCI will populate your org name as the suggested namespace by default in the UI.
    Runner set up

  3. Copy and save the resource class token. Self-hosted runners use this token to claim work for the associated resource class.

    The token cannot be retrieved again, be sure to store it safely.
    Runner set up

  4. Select the Container tab and continue on to the container runner installation steps below.

In order to install self-hosted runners, you will need to create a namespace and authentication token by performing the steps listed below.

To create resource classes and tokens you need to be an organization administrator in the VCS provider.

You can view your installed runners on the inventory page in the web app or your CircleCI server app, by clicking Self-Hosted Runners on the left navigation.

  1. Create a namespace for your organization’s self-hosted runners. Each organization can only create a single namespace. We suggest using a lowercase representation of your CircleCI organization’s account name. If you already use orbs, this namespace should be the same namespace orbs use.

    Use the following command to create a namespace:

    circleci namespace create <name> --org-id <your-organization-id>
    If your organization already has a namespace, you will receive an error if you run the above command to create a different namespace. The error message returns the name of the existing namespace. In this case, move on to step 2 below, using your existing namespace.

  2. Create a resource class for your self-hosted runner’s namespace using the following command:

    circleci runner resource-class create <namespace>/<resource-class> <description> --generate-token

    Make sure to replace <namespace> and <resource-class> with your org namespace and desired resource class name, respectively. You may optionally add a description.

    Example: circleci runner resource-class create my-namespace/my-resource-class my-description --generate-token.

    The resource class token is returned after the runner resource class is successfully created.

    The token cannot be retrieved again, so be sure to store it safely.

2. Container runner installation

  1. Add the container runner Helm repository by running the following command:

    helm repo add container-agent https://packagecloud.io/circleci/container-agent/helm

  2. Next, run the following:

    helm repo update

  3. Next, run the following command to create the circleci Kubernetes namespace:

    kubectl create namespace circleci

  4. Create a file called values.yaml containing the following, substituting your namespace and resource class and token:

    agent:
  resourceClasses:
    <your-namespace>/<your-resource-class-name>:
      token: <your-resource_class_token>

  5. Finally, run the following command:

    helm install container-agent container-agent/container-agent -n circleci -f values.yaml

3. Enable rerun job with SSH (optional) - Open preview

The ability to rerun a job with SSH for CircleCI container runner is in open preview.

To enable this optional feature, follow the instructions below after reading through the considerations. Rerunning jobs with SSH allows you to troubleshoot problems through inspecting log files, running processes, and directory paths.

Retry with SSH considerations

  • Task-agent runs an embedded SSH server and agent on a dedicated port when the “Rerun job with SSH” option is activated. This feature will not affect any other SSH servers or agents on the cluster that container runner is installed on.

  • The SSH server is configured for public key authentication. Anyone with permission to initiate a job can rerun it with SSH. However, only the user who initiated the rerun will have their SSH public keys added to the server for the duration of the SSH session.

  • Rerunning a job with SSH will hold the job open for two hours if a connection is made to the SSH server, or 10 minutes if no connection is made, unless canceled. While in this state, the job is counted against an organization’s concurrency limit, and the task-agent will be unavailable to handle other jobs. Therefore, it is recommended to cancel an SSH rerun job explicitly (through the web UI or CLI) when you have finished debugging.

  • When establishing a SSH connection, you may experience a warning relating to a host change, due to the reuse of a previously used port to connect to a different pod. RSA host fingerprints can be cross-referenced with the output in the console for verification.

The rerun job with SSH feature makes use of the Gateway API to facilitate SSH access from outside your cluster. To enable this feature, Gateway API resources must first be provisioned on your cluster, and the CircleCI container agent configuration must be updated.

Supported Gateway API implementations: CircleCI has tested, and currently supports Envoy Gateway as an implementation for the Gateway API. Other Gateway API implementations that support TCPRoute resources are likely to be compatible, but not all of these implementations have been tested, and therefore compatibility is not guaranteed. Our recommendation is to use Envoy Gateway as your implementation. Envoy Gateway is currently in beta and is under development.

a. Install Envoy Gateway to your cluster

  1. First, install the Gateway API CRDs and Envoy Gateway, as defined in the Envoy Gateway Helm installation document. To do this, replace <version> with the most recent stable release compatible with your cluster, then run the following command:

    helm install eg oci://docker.io/envoyproxy/gateway-helm --version <version> -n envoy-gateway-system --create-namespace

  2. Finally, wait for Envoy Gateway to become available:

    kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available

b. Enable the Rerun job with SSH feature

  1. Once all Gateway API prerequisites are installed and available, add the agent.ssh.enabled = true parameter to the container runner configuration:

    agent:
  ssh:
    enabled: true

    For a full list of SSH configuration options, refer to the Helm chart values.

  2. Redeploy the updated manifest:

    helm upgrade --wait --timeout=5m <release-name> container-agent/container-agent -n <namespace> -f values.yaml

  3. Wait for the SSH Gateway to be programmed:

    kubectl wait gateway --timeout=5m --all --for=condition=Programmed -n <namespace>

    Container runner is now ready for rerunning jobs with SSH.

Container runner configuration example

Once you have installed configuration runner, select Continue in the CircleCI web app and you will be presented with an example configuration snippet showing a job configured to use your new self-hosted runner resource class.

Runner set up

Once you have installed the container runner within your cluster, create and trigger a CircleCI job that uses the Docker executor to validate the installation. The fields you must set for a specific job to run using your container runners are:

  • image:

  • resource_class: <namespace>/<resource-class>

Simple example of how you could set up a job (cimg/base:2021.11 is a commonly used CircleCI Docker image):

version: 2.1

jobs:
  build:
    docker:
      - image: cimg/base:2021.11
    resource_class: <namespace>/<resource-class>
    steps:
      - checkout
      - run: echo "Hi I'm on Runners!"

workflows:
  build-workflow:
    jobs:
      - build
Do not use an existing job that uses setup_remote_docker (see Building container images for more information).

Troubleshooting

Refer to the Troubleshoot Container Runner section of the Troubleshoot Self-hosted Runner guide if you encounter issues installing or running container runner.

Additional resources