Deploying Sourcegraph executors
Executors provide a sandbox that can run resource-intensive or untrusted tasks on behalf of the Sourcegraph instance, such as:
Executors by default use KVM-based micro VMs powered by Firecracker in accordance with our sandboxing model to isolate jobs from each other and the host. This requires executors to be run on machines capable of running Linux KVM extensions. On the most popular cloud providers, this either means running executors on bare-metal machines (AWS) or machines capable of nested virtualization (GCP).
Optionally, executors can be run without using KVM-based isolation, which is less secure but might be easier to run on common machines.
Executors must be run separately from your Sourcegraph instance.
Since they must still be able to reach the Sourcegraph instance in order to dequeue and perform work, requests between the Sourcegraph instance and the executors are authenticated via a shared secret.
Before starting any executors, generate an arbitrary secret string (with at least 20 characters) and set it as the
executors.accessToken key in your Sourcegraph instance’s site-config.
Once the shared secret is set in Sourcegraph, you can start setting up executors that can use that access token to talk to the Sourcegraph instance.
Supported installation types
Simply launch executors on AWS or GCP using Sourcegraph-maintained modules and machine images.
Supports auto scaling.
Install executor on your machine
Run executors on any linux amd64 machine.
Confirm executors are working
If executor instances boot correctly and can authenticate with the Sourcegraph frontend, they will show up in the Executors page under Site Admin > Maintenance.