Deploying Executors Binary Offline

When running in an air-gap environment, the executor binary can be deployed with this guide.

Initial Dependencies

Executors require initial dependencies to be installed on the host machine. The minimum dependencies (when not using Firecracker Isolation) are:

Docker
Git

Install Binary

Download the executor binary version that matches your deployed Sourcegraph Version (e.g. v4.1.0) from a machine with internet access

SHELL
curl -sfLo executor https://storage.googleapis.com/sourcegraph-artifacts/executor/${SOURCEGRAPH_VERSION}/linux-amd64/executor

Copy the executor binary to the offline host machine
Set the binary as executable: chmod +x executor
Move the binary to a location in your $PATH (e.g. /usr/local/bin)

executor requires the ability to connect to a Docker Registry to pull Docker Images. The offline host machine needs to be able to connect to an internal Docker Registry (e.g. JFrog Artifactory) to be able to pull the images.

Environment Variables

See deploy executors binary for a list of environment variables that are configurable.

Batch Changes

Batch Changes requires either src-cli to be installed on the host machine or for Native Execution to be enabled.

src-cli

Executors requires the src-cli to be installed on the host machine, if not using Native Execution for Batch Changes. To install src-cli:

Download the src-cli binary version that matches your deployed Sourcegraph Version (e.g. v4.1.0) from a machine with internet access.
Copy the src binary to the offline host machine

Extract the binary from the archive

SHELL
$ tar -zxcf src-cli_${VERSION}_linux_amd64.tar.gz

Set the binary as executable by running chmod +x src
Move the binary to a location in your $PATH (e.g. /usr/local/bin)

Confirm src is installed by running src

SHELL
$ src version
Current version: 4.1.0

Native Execution

See Native Execution for details on how to enable Native Execution. Ensure the image sourcegraph/batcheshelper is available in the internal Docker Registry.

Auto Indexing

Auto Indexing requires images to be available in the internal Docker Registry. The images for languages can be found in the Code Navigation page.

Once the images are available in the internal Docker Registry, the executor can be configured to use the images by updating codeIntelAutoIndexing.indexerMap in the Site configuration. For example,

JSON
"codeIntelAutoIndexing.indexerMap": {
  "go": "my.company/scip-go:custom",
}

Firecracker Setup

See Firecracker details to determine if firecracker fits your use case. If you are using Firecracker, you will need to install additional dependencies.

If you are not using Firecracker, ensure the environment variable EXECUTOR_USE_FIRECRACKER is set to false.

Initial Dependencies

Executors running Firecracker Isolation require initial dependencies to be installed on the host machine.

dmsetup
losetup
mkfs.ext4
strings
- If not already installed (part of binutils)

Install CNI

In order for ignite to function properly, CNI Plugins must be installed. To install CNI Plugins:

Download the CNI Plugins and CNI Isolation archives on a machine with internet access
Copy the archives to the offline host machine
Create the /opt/cni/bin directory
```
SHELL
$ mkdir -p /opt/cni/bin
```

Extract the archives to the /opt/cni/bin directory

SHELL
$ tar -zxcf cni-plugins-linux-amd64-v0.9.1.tgz -C /opt/cni/bin
$ tar -zxcf cni-isolation-amd64.tgz -C /opt/cni/bin

Install Ignite

Executors use ignite to spawn Firecracker VMs to run code in isolation. To install ignite:

Download ignite on a machine with internet access
Copy ignite-amd64 to the offline host machine
Set the binary as executable by running chmod +x ignite-amd64
Move the binary to a location in your $PATH (e.g. /usr/local/bin)

Confirm ignite is installed by running ignite

SHELL
$ ignite version
Ignite version: version.Info{Major:"0", Minor:"8", GitVersion:"v0.10.0", GitCommit:"...", GitTreeState:"clean", BuildDate:"...", GoVersion:"...", Compiler:"gc", Platform:"linux/amd64"}
Firecracker version: v0.22.4
Runtime: containerd

Install IPTables

IPTables prevent Firecracker from talking on Private IPv4 Address ( see Firecracker details). To install IPTables, the executor binary has a command to install IPTables rules:

SHELL
$ executor install iptables-rules

Install Images

ignite requires three Docker Images to be made available on the offline host machine. To install the images, the offline host machine needs to be able to connect to an internal Docker Registry (e.g. JFrog Artifactory) to be able to pull the images.

Executor VM Image

To install the executor-vm image (ensure the version of the image matches your deployment version), import the image using ignite.

SHELL
$ ignite image import --runtime docker <docker repository image for sourcegraph/executor-vm:your-version>

If you are using a custom image instead of the Sourcegraph image, you will need to set the environment variable EXECUTOR_FIRECRACKER_IMAGE to match the image name.

Sandbox Image

To install the Firecracker sandbox image, import the image using docker.

SHELL
$ docker pull <docker repository image for sourcegraph/ignite:v0.10.5>

Note: Check the version against the version of executors being installed.

If you are using a custom image instead of the Sourcegraph image, you will need to set the environment variable EXECUTOR_FIRECRACKER_SANDBOX_IMAGE to match the image name.

Kernel Image

To install the Firecracker Kernel image, import the image (sourcegraph/ignite-kernel:5.10.135-amd64) using ignite.

SHELL
$ ignite kernel import --runtime docker <docker repository image for sourcegraph/ignite-kernel:5.10.135-amd64>

Note: Check the version against the version of executors being installed.

If you are using a custom image instead of the Sourcegraph image, you will need to set the environment variable EXECUTOR_FIRECRACKER_KERNEL_IMAGE to match the image name.

Validation

Once the executor binary is installed and dependencies are met, you can validate the installation by running:

SHELL
$ executor validate