Deploying Sourcegraph executors on linux machines

Installation

Note: See offline installation guide for instructions on how to install executors in an air-gapped environment.

The following steps will guide you through the process of installing executors on a linux machine.

Dependencies

In order to run executors on your machine, a few things need to be set up correctly before proceeding.

  • Executors only support linux-based machine with amd64 processors
  • Docker has to be installed on the machine (curl -fsSL https://get.docker.com | sh)
  • Git has to be installed at a version >= v2.26
  • The ability to run commands as root on the host machine and configure networking routes

If Firecracker isolation will be used: (recommended)

  • The host has to support KVM (for AWS that means a metal instance, on GCP that means enabling nested virtualization)
  • The following additional dependencies need to be installed:
    • dmsetup
    • losetup
    • mkfs.ext4
    • iptables
    • strings (part of binutils)
    • systemd (optional)

Step 0: Confirm that virtualization is enabled (if using Firecracker)

KVM (virtualization) support is required for our sandboxing model with Firecracker. The following command checks whether virtualization is enabled on the machine (it should print something):

$ lscpu | grep Virtualization

Virtualization:                  VT-x
Virtualization type:             full

On Ubuntu-based distributions, you can also use the tool kvm-ok available in the cpu-checker package to reliably validate KVM support on your host:

# Install cpu-checker
$ apt-get update && apt-get install -y cpu-checker

# Check for KVM support
$ kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used

Step 1: Download the latest executor binary

Below are the download links for the latest release of executors:

Note: Executors need to match the version of Sourcegraph they're running against. Latest will usually only work for you when you run the latest version of Sourcegraph.

Download and setup the executor binary:

# Plug in the version of your Sourcegraph instance, like v4.1.0.
# Before Sourcegraph 3.43.0, tagged releases of executors are not available and you should default to using "latest" instead.
# Using latest is NOT recommended, because it might be incompatible with your Sourcegraph version.
curl -sfLo executor https://storage.googleapis.com/sourcegraph-artifacts/executor/${SOURCEGRAPH_VERSION}/linux-amd64/executor
chmod +x executor
# Assuming /usr/local/bin is in $PATH.
mv executor /usr/local/bin

Step 2: Setup environment variables

The executor is configured through environment variables. Those need to be passed to it when you run it (including for install, validate and test-vm), so add these to your shell profile, or an environment file. Only EXECUTOR_FRONTEND_URL, EXECUTOR_FRONTEND_PASSWORD and EXECUTOR_QUEUE_NAME or EXECUTOR_QUEUE_NAMES are required.

Env var Description Example value
EXECUTOR_FRONTEND_URL The external URL of the Sourcegraph instance. required http://sourcegraph.example.com
EXECUTOR_FRONTEND_PASSWORD The shared secret configured in the Sourcegraph instance site config under executors.accessToken. required our-shared-secret
EXECUTOR_QUEUE_NAME The name of a single queue to pull jobs from. Possible values: batches and codeintel. required: either this or EXECUTOR_QUEUE_NAMES batches
EXECUTOR_QUEUE_NAMES The names of multiple queues to pull jobs from, comma-separated. Possible values: batches and codeintel. required: either this or EXECUTOR_QUEUE_NAME batches,codeintel
EXECUTOR_USE_FIRECRACKER Whether to isolate jobs in virtual machines. Requires ignite and firecracker. Linux hosts only. Kubernetes is not supported. (default value: "true" when OS is Linux and not on Kubernetes) true
EXECUTOR_MAXIMUM_NUM_JOBS Number of virtual machines or containers that can be running at once. (default value: "1") 1
EXECUTOR_MAXIMUM_RUNTIME_PER_JOB The maximum wall time that can be spent on a single job. (default value: "30m") 30m
EXECUTOR_JOB_MEMORY How much memory to allocate to each virtual machine or container. A value of zero sets no resource bound (in Docker, but not VMs). (default value: "12G") 12G
EXECUTOR_JOB_NUM_CPUS How many CPUs to allocate to each virtual machine or container. A value of zero sets no resource bound (in Docker, but not VMs). (default value: "4") 4
EXECUTOR_DOCKER_REGISTRY_MIRROR_URL The address of a docker registry mirror to use in firecracker VMs. http://10.0.0.2:5000
EXECUTOR_FIRECRACKER_DISK_SPACE How much disk space to allocate to each virtual machine. (default value: "20G") 20G
EXECUTOR_FIRECRACKER_BANDWIDTH_EGRESS How much bandwidth to allow for egress packets to the VM in bytes/s. (default value: "524288000") 524288000
EXECUTOR_FIRECRACKER_BANDWIDTH_INGRESS How much bandwidth to allow for ingress packets to the VM in bytes/s. (default value: "524288000") 524288000
EXECUTOR_KEEP_WORKSPACES Whether to skip deletion of workspaces after a job completes (or fails). Note that when Firecracker is enabled that the workspace is initially copied into the VM, so modifications will not be observed. (default value: "false") true
EXECUTOR_MAX_ACTIVE_TIME The maximum time that can be spent by the worker dequeueing records to be handled. (default value: "0") 100m
EXECUTOR_NUM_TOTAL_JOBS The maximum number of jobs that will be dequeued by the worker. (default value: "0") 100
EXECUTOR_DOCKER_HOST_MOUNT_PATH The target workspace as it resides on the Docker host (used to enable Docker-in-Docker). /workspaces
EXECUTOR_QUEUE_POLL_INTERVAL Interval between dequeue requests. (default value: "1s") 1s
EXECUTOR_CLEANUP_TASK_INTERVAL The frequency with which to run periodic cleanup tasks. (default value: "1m") 1m
EXECUTOR_VM_PREFIX A name prefix for virtual machines controlled by this instance. (default value: "executor") executor
EXECUTOR_VM_STARTUP_SCRIPT_PATH A path to a file on the host that is loaded into a fresh virtual machine and executed on startup. /vm-startup.sh
NODE_EXPORTER_URL The URL of the node_exporter instance, without the /metrics path. http://127.0.0.1:9000
EXECUTOR_FIRECRACKER_IMAGE The base image to use for virtual machines. sourcegraph/executor-vm:insiders
EXECUTOR_FIRECRACKER_KERNEL_IMAGE The base image containing the kernel binary to use for virtual machines. sourcegraph/ignite-kernel:5.10.135-amd64
EXECUTOR_FIRECRACKER_SANDBOX_IMAGE The OCI image for the ignite VM sandbox. sourcegraph/ignite:v0.10.5
DOCKER_REGISTRY_NODE_EXPORTER_URL The URL of the Docker Registry instance's node_exporter, without the /metrics path. http://localhost:9000
SRC_LOG_LEVEL upper log level to restrict log output to (dbug, info, warn, error, crit) (default value: "warn") warn
# Example:
export EXECUTOR_QUEUE_NAME=batches
export EXECUTOR_FRONTEND_URL=http://sourcegraph.yourcompany.com
export EXECUTOR_FRONTEND_PASSWORD=SUPER_SECRET_SHARED_TOKEN

Step 3: Configure your machine

To be able to run workloads in isolation, a few dependencies need to be installed and configured. The executor CLI can do all of that automatically.

To run all of the required setup steps, just run the following commands as root:

executor install all
# OR run the following, to see how to install/configure components separately.
executor install --help

Step 4: Validate your machine is ready to receive workloads

All set up! Before letting the executor start receiving workloads from your Sourcegraph instance, you might want to verify your setup. Run the following command:

executor validate

If any issues are found, correct them before proceeding.

If you use our sandboxing model with Firecracker (recommended), you can also verify that the executor is able to spin up the isolation VMs properly. For that, use the following command:

# Optionally provide a repo to clone into the VMs workspace, to verify that cloning works properly as well.
executor test-vm [--repo=github.com/sourcegraph/sourcegraph --revision=main]

This should succeed and print a command to use to attach to the guest VM. If it is able to spin up properly, that is usually good indication that everything is set up properly. If you need to debug some issue further, this can be helpful as you can exec into the guest VM from here.

Step 5: Make executor a systemd service (optional, systemd-based distributions only)

To make sure that the executor runs post-boot of the machine, you might want to wrap it in a systemd service. This is an example of how that could look like:

cat <<EOF >/etc/systemd/system/executor.service
[Unit]
Description=Sourcegraph executor
After=docker.service
BindsTo=docker.service

[Service]
ExecStart=/usr/local/bin/executor
Restart=on-failure
EnvironmentFile=/etc/systemd/system/executor.env
Environment=HOME="%h"
Environment=SRC_LOG_LEVEL=dbug

[Install]
WantedBy=multi-user.target
EOF

# Create environment file (this can also be sourced in your shell)
cat <<EOF >/etc/systemd/system/executor.env
EXECUTOR_FRONTEND_URL="https://sourcegraph.yourcompany.com"
EXECUTOR_FRONTEND_PASSWORD="SUPER_SECRET_SHARED_TOKEN"
EXECUTOR_QUEUE_NAME="batches"
EOF

systemctl enable executor

Step 6: Start receiving workloads

If you use the systemd service, simply run systemctl start executor, otherwise run executor run. Your executor should start listening for jobs now! All done!

Upgrading executors

Upgrading executors is relatively uninvolved. Simply follow the instructions below. Also, check the changelog for any Executors related breaking changes or new features that you might want to configure.

Step 1: First, grab the executor binary for the new target Sourcegraph version.

curl -sfLo executor https://storage.googleapis.com/sourcegraph-artifacts/executor/${SOURCEGRAPH_VERSION}/linux-amd64/executor
chmod +x executor
# Assuming /usr/local/bin is in $PATH.
mv executor /usr/local/bin

Step 2: Make sure all ambient dependencies and configurations are up-to-date:

Ensure env vars has been configured.

executor install all
# OR run the following, to see how to install/configure components separately.
executor install --help

Step 3: Validate your machine is ready to receive workloads

All set up! Before letting the executor start receiving workloads from your Sourcegraph instance, you might want to verify your setup. Run the following command:

executor validate

Step 4: Restart your running executor / spin up a new machine

Depending on how you set up executors, you might want to restart the systemd service, or restart/replace the machine running them, so the new binary is running. If you use the systemd service, simply run systemctl start executor, otherwise run executor run. Your executor should start listening for jobs now and be visible under the Executors > Instances section of the Site Configuration.