Pipelines runners frequently asked questions

Where does Pipelines store the generated caches and artifacts?

Steps from the same pipeline can be scheduled on multiple runners that run on different hosts. So in order to share caches and artifacts between steps we upload them to the Atlassian infrastructure.

What IP address do I need to whitelist to get Runner to work?

Refer to the list of the IP addresses that you need to whitelist to get your runner connected with Pipelines from behind your firewall.

It's also advisable to whitelist the IPs listed here if there's an issue with your runner build.

How do I set up a proxy for Docker images?

With a self-hosted runner you can use a custom docker-in-docker service.

    services:
      docker:
        image: docker:dind
        environment:
          HTTP_PROXY: "http://username:password@proxy2.domain.com"
          HTTPS_PROXY: "http://username:password@proxy2.domain.com"

See the Docker documentation for details.

How can I access files on the host from the build script?

Unfortunately, it's not possible to access local files with the Docker runtime because, by default, runners limit access to the host. In addition, if you depend on files on particular machines, there's no guarantee those files are on all the machines your runners are on.

As a workaround, we suggest accessing the files on the host with an SFTP client from the runner's build by running the following command:

    sftp {user}@{host}:{remoteFileName} {localFileName}

How do I use an insecure Docker registry?

With a self-hosted runner you can use a custom docker-in-docker service.
Example of a Dockerfile:

    # my-custom-dind-image
    FROM docker:dind
    ENTRYPOINT [ "sh", "-c", "dockerd-entrypoint.sh $DOCKER_OPTS" ]

Example of a pipeline configuration:

    definitions:
      services:
        docker:
          image: my-custom-dind-image
          variables:
            DOCKER_OPTS: "--insecure-registry=my.docker.registry"

    pipelines:
      default:
        - step:
            runs-on: self.hosted
            services:
              - docker
            script:
              - docker build -t my.docker.registry/$IMAGE_NAME .
              - docker push my.docker.registry/$IMAGE_NAME

How do I set up Pipelines Runner with Kubernetes?

Example of Kubernetes spec for a self-hosted runner:

    apiVersion: v1
    kind: List
    items:
      - apiVersion: v1
        kind: Secret
        metadata:
          name: runner-oauth-credentials
          # labels:
          #   accountUuid: # Add your account uuid without curly braces to optionally allow finding the secret for an account
          #   repositoryUuid: # Add your repository uuid without curly braces to optionally allow finding the secret for a repository
          #   runnerUuid: # Add your runner uuid without curly braces to optionally allow finding the secret for a particular runner
        data:
          oauthClientId: # add your base64 encoded oauth client id here
          oauthClientSecret: # add your base64 encoded oauth client secret here
      - apiVersion: batch/v1
        kind: Job
        metadata:
          name: runner
        spec:
          template:
            # metadata:
            #   labels:
            #     accountUuid: # Add your account uuid without curly braces to optionally allow finding the pods for an account
            #     repositoryUuid: # Add your repository uuid without curly braces to optionally allow finding the pods for a repository
            #     runnerUuid: # Add your runner uuid without curly braces to optionally allow finding the pods for a particular runner
            spec:
              containers:
                - name: runner
                  image: docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner
                  env:
                    - name: ACCOUNT_UUID
                      value: # Add your account uuid here
                    - name: REPOSITORY_UUID
                      value: # Add your repository uuid here
                    - name: RUNNER_UUID
                      value: # Add your runner uuid here
                    - name: OAUTH_CLIENT_ID
                      valueFrom:
                        secretKeyRef:
                          name: runner-oauth-credentials
                          key: oauthClientId
                    - name: OAUTH_CLIENT_SECRET
                      valueFrom:
                        secretKeyRef:
                          name: runner-oauth-credentials
                          key: oauthClientSecret
                    - name: WORKING_DIRECTORY
                      value: "/tmp"
                  volumeMounts:
                    - name: tmp
                      mountPath: /tmp
                    - name: docker-containers
                      mountPath: /var/lib/docker/containers
                      readOnly: true # the runner only needs to read these files, never write to them
                    - name: var-run
                      mountPath: /var/run
                - name: docker-in-docker
                  image: docker:20.10.5-dind
                  securityContext:
                    privileged: true # required to allow docker in docker to run, and assumes the namespace you're applying this to has a pod security policy that allows privilege escalation
                  volumeMounts:
                    - name: tmp
                      mountPath: /tmp
                    - name: docker-containers
                      mountPath: /var/lib/docker/containers
                    - name: var-run
                      mountPath: /var/run
              restartPolicy: OnFailure # this allows the runner to restart locally if it was to crash
              volumes:
                - name: tmp # required to share a working directory between docker in docker and the runner
                - name: docker-containers # required to share the containers directory between docker in docker and the runner
                - name: var-run # required to share the docker socket between docker in docker and the runner
          # backoffLimit: 6 # this is the default and means it will retry up to 6 times if it crashes before it considers itself a failure, with an exponential backoff between
          # completions: 1 # this is the default; the job should ideally never complete as the runner never shuts down successfully
          # parallelism: 1 # this is the default; there should only be one instance of this particular runner
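The `data` fields of the Secret in the spec above must contain base64 of the exact credential bytes; a value produced with `echo ... | base64` carries a trailing newline that is then injected into `OAUTH_CLIENT_ID` or `OAUTH_CLIENT_SECRET` through `secretKeyRef`. The shell helpers below are an added example, not part of the original page or Atlassian's tooling; the function names and the sample credentials are assumptions made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers): encode and validate the values that go
# into the runner-oauth-credentials Secret. Sample credentials are constructed.

# Base64-encode exactly the bytes given. printf adds no trailing newline
# (unlike echo), and tr removes the line wrapping some base64 builds insert.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Classify a Secret data value: prints ok, invalid-base64, empty or
# trailing-newline, and returns non-zero for anything but ok.
check_secret_value() {
  local raw nl
  nl='
'
  # The "x" sentinel keeps $(...) from stripping a final newline.
  raw=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) \
    || { echo invalid-base64; return 1; }
  raw=${raw%x}
  [ -n "$raw" ] || { echo empty; return 1; }
  case $raw in
    *"$nl") echo trailing-newline; return 1 ;;
  esac
  echo ok
}

# Emit only the Secret item, with both values encoded by b64.
# $1 = OAuth client id, $2 = OAuth client secret (raw, not encoded).
render_runner_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: runner-oauth-credentials
data:
  oauthClientId: $(b64 "$1")
  oauthClientSecret: $(b64 "$2")
EOF
}

# Demo with constructed placeholder credentials.
render_runner_secret "constructed-client-id" "constructed-client-secret"
```

Piping the output of `render_runner_secret` to `kubectl apply -f -` keeps the rendered Secret out of files in the repository.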
Last modified on Aug 12, 2021