Pipelines runners frequently asked questions

Where do Pipelines store the generated caches/artifact?

Steps from the same pipeline can be scheduled on multiple runners that run on different hosts. So in order to share caches and artifacts between steps we upload them to the Atlassian infrastructure.

What IP address do I need to whitelist to get Runner to work?

Refer to the list of the IP addresses that you need to whitelist to get your runner connected with Pipeline behind your firewall.

It's also advisable to whitelist the following IPs here if there's an issue with your runner build.

How do I set up a runner to work behind a proxy?

The HTTP_PROXY and HTTPS_PROXY environment variables can be used to configure a runner to work behind a proxy. See Configure a runner to use a proxy for details on how to configure the runner to use a proxy.

How I can access files on the host from the build script?

Unfortunately it's not possible to access the local files with the docker runtime as by default Runners limit access to the host, else if you depend on files on particular machines there's no guarantee those files are on all machines runners are on.

As a workaround we can suggest accessing the files on the host with an SFTP client from the Runner's build by running the following command: sftp {user}@{host}:{remoteFileName} {localFileName}

How do I use an insecure Docker registry?

With a self-hosted runner you can use a custom docker-in-docker service.
Example of a Dockerfile:

# my-custom-dind-image
FROM docker:dind
ENTRYPOINT [ "sh", "-c", "dockerd-entrypoint.sh $DOCKER_OPTS" ]

Example of a pipeline configuration:

definitions:
  services:
    docker:
      image: my-custom-dind-image
      variables:
         DOCKER_OPTS: "--insecure-registry=my.docker.registry"

pipelines:
  default:
    - step:
        runs-on: self.hosted
        services:
          - docker
        script:
          - docker build -t my.docker.registry/$IMAGE_NAME .
          - docker push my.docker.registry/$IMAGE_NAME

How do I setup Pipelines Runner with Kubernetes?

Example of Kubernetes spec for a self-hosted runner:

apiVersion: v1
kind: List
items:
  - apiVersion: v1
    kind: Secret
    metadata:
      name: runner-oauth-credentials
#      labels:
#        accountUuid: # Add your account uuid without curly braces to optionally allow finding the secret for an account
#        repositoryUuid: # Add your repository uuid without curly braces to optionally allow finding the secret for a repository
#        runnerUuid: # Add your runner uuid without curly braces to optionally allow finding the secret for a particular runner
    data:
      oauthClientId: # add your base64 encoded oauth client id here
      oauthClientSecret: # add your base64 encoded oauth client secret here
  - apiVersion: batch/v1
    kind: Job
    metadata:
      name: runner
    spec:
      template:
#        metadata:
#          labels:
#            accountUuid: # Add your account uuid without curly braces to optionally allow finding the pods for an account
#            repositoryUuid: # Add your repository uuid without curly braces to optionally allow finding the pods for a repository
#            runnerUuid: # Add your runner uuid without curly braces to optionally allow finding the pods for a particular runner
        spec:
          containers:
            - name: runner
              image: docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner
              env:
                - name: ACCOUNT_UUID
                  value: # Add your account uuid here
                - name: REPOSITORY_UUID
                  value: # Add your repository uuid here
                - name: RUNNER_UUID
                  value: # Add your runner uuid here
                - name: OAUTH_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: runner-oauth-credentials
                      key: oauthClientId
                - name: OAUTH_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: runner-oauth-credentials
                      key: oauthClientSecret
                - name: WORKING_DIRECTORY
                  value: "/tmp"
              volumeMounts:
                - name: tmp
                  mountPath: /tmp
                - name: docker-containers
                  mountPath: /var/lib/docker/containers
                  readOnly: true # the runner only needs to read these files never write to them
                - name: var-run
                  mountPath: /var/run
            - name: docker-in-docker
              image: docker:20.10.5-dind
              securityContext:
                privileged: true # required to allow docker in docker to run and assumes the namespace your applying this to has a pod security policy that allows privilege escalation
              volumeMounts:
                - name: tmp
                  mountPath: /tmp
                - name: docker-containers
                  mountPath: /var/lib/docker/containers
                - name: var-run
                  mountPath: /var/run
          restartPolicy: OnFailure # this allows the runner to restart locally if it was to crash
          volumes:
            - name: tmp # required to share a working directory between docker in docker and the runner
            - name: docker-containers # required to share the containers directory between docker in docker and the runner
            - name: var-run # required to share the docker socket between docker in docker and the runner
        # backoffLimit: 6 # this is the default and means it will retry upto 6 times if it crashes before it considers itself a failure with an exponential backoff between
        # completions: 1 # this is the default the job should ideally never complete as the runner never shuts down successfully
        # parallelism: 1 # this is the default their should only be one instance of this particular runner

Was this helpful?

It wasn't accurate

It wasn't clear

It wasn't relevant

Bitbucket Support