Deploying Executors Binary Offline
When running in an air-gap environment, the executor binary can be deployed with this guide.
Initial Dependencies
Executors require initial dependencies to be installed on the host machine. The minimum dependencies (when not using Firecracker Isolation) are:
Install Binary
- Download the executor binary version that matches your deployed Sourcegraph Version (e.g. v4.1.0) from a machine with internet accessSHELLcurl -sfLo executor https://storage.googleapis.com/sourcegraph-artifacts/executor/${SOURCEGRAPH_VERSION}/linux-amd64/executor
- Copy the executorbinary to the offline host machine
- Set the binary as executable: chmod +x executor
- Move the binary to a location in your $PATH(e.g./usr/local/bin)
Configure Docker
executor requires the ability to connect to a Docker Registry to pull Docker Images. The offline host machine needs to
be able to connect to an internal Docker Registry (e.g. JFrog Artifactory) to be able to
pull the images.
Environment Variables
See deploy executors binary for a list of environment variables that are configurable.
Batch Changes
Batch Changes requires either src-cli to be installed on the host machine or
for Native Execution to be enabled.
src-cli
Executors requires the src-cli to be installed on the host machine, if not
using Native Execution for Batch Changes. To install src-cli:
- Download the src-clibinary version that matches your deployed Sourcegraph Version (e.g.v4.1.0) from a machine with internet access.
- Copy the srcbinary to the offline host machine
- Extract the binary from the archive
SHELL$ tar -zxcf src-cli_${VERSION}_linux_amd64.tar.gz
- Set the binary as executable by running chmod +x src
- Move the binary to a location in your $PATH(e.g./usr/local/bin)
- Confirm srcis installed by runningsrcSHELL$ src version Current version: 4.1.0
Native Execution
See Native Execution for details on how to enable Native Execution. Ensure the
image sourcegraph/batcheshelper is available in the internal Docker Registry.
Auto Indexing
Auto Indexing requires images to be available in the internal Docker Registry. The images for languages can be found in the Code Navigation page.
Once the images are available in the internal Docker Registry, the executor can be configured to use the images by
updating codeIntelAutoIndexing.indexerMap in the Site configuration. For example,
JSON"codeIntelAutoIndexing.indexerMap": { "go": "my.company/scip-go:custom", }
Firecracker Setup
See Firecracker details to determine if firecracker fits your use case. If you are using Firecracker, you will need to install additional dependencies.
If you are not using Firecracker, ensure the environment variable EXECUTOR_USE_FIRECRACKER is set to false.
Initial Dependencies
Executors running Firecracker Isolation require initial dependencies to be installed on the host machine.
- dmsetup
- losetup
- mkfs.ext4
- strings- If not already installed (part of binutils)
 
- If not already installed (part of 
Install CNI
In order for ignite to function properly, CNI Plugins must be installed. To install CNI Plugins:
- Download the CNI Plugins and CNI Isolation archives on a machine with internet access
- Copy the archives to the offline host machine
- Create the /opt/cni/bindirectorySHELL$ mkdir -p /opt/cni/bin
- Extract the archives to the /opt/cni/bindirectorySHELL$ tar -zxcf cni-plugins-linux-amd64-v0.9.1.tgz -C /opt/cni/bin $ tar -zxcf cni-isolation-amd64.tgz -C /opt/cni/bin
Install Ignite
Executors use ignite to spawn Firecracker VMs to run code in isolation. To install ignite:
- Download igniteon a machine with internet access
- Copy ignite-amd64to the offline host machine
- Set the binary as executable by running chmod +x ignite-amd64
- Move the binary to a location in your $PATH(e.g./usr/local/bin)
- Confirm igniteis installed by runningigniteSHELL$ ignite version Ignite version: version.Info{Major:"0", Minor:"8", GitVersion:"v0.10.0", GitCommit:"...", GitTreeState:"clean", BuildDate:"...", GoVersion:"...", Compiler:"gc", Platform:"linux/amd64"} Firecracker version: v0.22.4 Runtime: containerd
Install IPTables
IPTables prevent Firecracker from talking on Private IPv4 Address (
see Firecracker details). To install IPTables, the executor binary has a command to
install IPTables rules:
SHELL$ executor install iptables-rules
Install Images
ignite requires three Docker Images to be made available on the offline host machine. To install the images, the
offline host machine needs to be able to connect to an internal Docker Registry (e.g. JFrog Artifactory) to be able to
pull the images.
Executor VM Image
To install the executor-vm image (ensure the version of the image matches your deployment version), import the image using ignite.
SHELL$ ignite image import --runtime docker <docker repository image for sourcegraph/executor-vm:your-version>
If you are using a custom image instead of the Sourcegraph image, you will need to set the environment variable
EXECUTOR_FIRECRACKER_IMAGE to match the image name.
Sandbox Image
To install the Firecracker sandbox image, import the image using docker.
SHELL$ docker pull <docker repository image for sourcegraph/ignite:v0.10.5>
Note: Check the version against the version of executors being installed.
If you are using a custom image instead of the Sourcegraph image, you will need to set the environment variable
EXECUTOR_FIRECRACKER_SANDBOX_IMAGE to match the image name.
Kernel Image
To install the Firecracker Kernel image, import the image (sourcegraph/ignite-kernel:5.10.135-amd64) using ignite.
SHELL$ ignite kernel import --runtime docker <docker repository image for sourcegraph/ignite-kernel:5.10.135-amd64>
Note: Check the version against the version of executors being installed.
If you are using a custom image instead of the Sourcegraph image, you will need to set the environment variable
EXECUTOR_FIRECRACKER_KERNEL_IMAGE to match the image name.
Validation
Once the executor binary is installed and dependencies are met, you can validate the installation by running:
SHELL$ executor validate