Support for Secure Container Builds with Bitbucket Self-Hosted Runners

iamnst October 6, 2024

I have been exploring ways to run self-hosted Bitbucket runners without requiring privileged mode (privileged: true). Specifically, I attempted to use the docker:23.0-dind-rootless image in combination with the Bitbucket runner image (docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner) as an alternative to the docker:23.0.0-dind image. Unfortunately, this led to various errors. Additionally, I tested integrating the Kaniko image alongside the Bitbucket runner image, but encountered Java-related errors during the process.

Given this, I have the following questions:

  1. Is there a recommended approach to securely build container images in Bitbucket using self-hosted runners, without needing privileged mode enabled?
  2. Does Bitbucket officially support tools such as Kaniko or Podman to allow for daemonless builds, thus eliminating the requirement for Docker daemon root privileges?

I noticed that GitLab provides clear documentation on how to use Kaniko for secure, daemonless builds (e.g., GitLab Documentation on Kaniko), but I was unable to find similar resources within the Bitbucket community. Having detailed guidance on this topic would be extremely helpful for Bitbucket users as well.

I would greatly appreciate your guidance or any best practices for addressing this use case.

Thank you for your time and assistance.

1 answer

0 votes
iamnst October 6, 2024

This is the Kubernetes YAML for my self-hosted Bitbucket runners:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: stage-bitbucket-runner
  name: stage-bitbucket-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stage-bitbucket-runner
  template:
    metadata:
      labels:
        app: stage-bitbucket-runner
    spec:
      serviceAccountName: bitbucket-runner-sa
      containers:
        # The runner itself: unprivileged, but it reaches the Docker daemon through
        # the /var/run volume it shares with the dind sidecar below.
        - name: stage-bitbucket-runner
          image: docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: 4000m
              memory: 4000Mi
              ephemeral-storage: "8Gi"
            requests:
              cpu: 50m
              memory: 100Mi
              ephemeral-storage: "4Gi"
          envFrom:
            - secretRef:
                name: stage-bitbucket-runner-repo-secret
          env:
            - name: OAUTH_CLIENT_ID
              value:                # left empty in the post
            - name: OAUTH_CLIENT_SECRET
              value:                # left empty in the post
            - name: WORKING_DIRECTORY
              value: "/tmp"
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: docker-containers
              mountPath: /var/lib/docker/containers
              readOnly: true
            - name: var-run         # Docker socket path, shared with the sidecar
              mountPath: /var/run

        # The Docker daemon the pipeline steps build against. privileged: true is
        # the setting the question is trying to get rid of.
        - name: docker-in-docker
          image: docker:23.0-dind
          resources:
            limits:
              cpu: 4000m
              memory: 4000Mi
              ephemeral-storage: 4Gi
            requests:
              cpu: 50m
              memory: 100Mi
              ephemeral-storage: 2Gi
          securityContext:
            privileged: true
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: docker-containers
              mountPath: /var/lib/docker/containers
            - name: var-run
              mountPath: /var/run

      # Kubernetes defaults a volume with no source to emptyDir; written out here
      # so the intent is explicit.
      volumes:
        - name: tmp
          emptyDir: {}
        - name: docker-containers
          emptyDir: {}
        - name: var-run
          emptyDir: {}
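As an added example (not part of the post above and not Atlassian or Kubernetes code), the Python below audits the privilege footprint of a pod spec like the one in this answer. It takes the JSON form of a Pod or workload, the shape `kubectl get deploy NAME -o json` returns, and reports privileged containers, volumes mounted at the Docker socket path by more than one container (whoever can reach the socket controls the privileged daemon, so the "unprivileged" runner is only nominally so), hostPath volumes, and the hardening fields that are absent. The embedded `SAMPLE_DEPLOYMENT` is a constructed, trimmed JSON rendering of the posted Deployment, `HARDENED_POD` is a constructed counter-example, and the function names are my own.

```python
"""Audit the privilege footprint of a Kubernetes pod spec used as a CI runner.
Hypothetical helper written for this page (not Atlassian or Kubernetes code). It
reads the JSON form of a Pod or workload, as `kubectl get deploy NAME -o json`
returns it, so it needs only the standard library."""
import json

# Constructed sample: a trimmed JSON rendering of the Deployment posted above,
# not a live cluster dump. Sourceless volumes are written as the emptyDir
# Kubernetes defaults them to.
SAMPLE_DEPLOYMENT = json.loads("""{
 "kind": "Deployment", "metadata": {"name": "stage-bitbucket-runner"},
 "spec": {"template": {"spec": {
  "serviceAccountName": "bitbucket-runner-sa",
  "containers": [
   {"name": "stage-bitbucket-runner",
    "image": "docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner",
    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"},
                     {"name": "docker-containers", "mountPath": "/var/lib/docker/containers", "readOnly": true},
                     {"name": "var-run", "mountPath": "/var/run"}]},
   {"name": "docker-in-docker", "image": "docker:23.0-dind",
    "securityContext": {"privileged": true},
    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"},
                     {"name": "docker-containers", "mountPath": "/var/lib/docker/containers"},
                     {"name": "var-run", "mountPath": "/var/run"}]}],
  "volumes": [{"name": "tmp", "emptyDir": {}}, {"name": "docker-containers", "emptyDir": {}},
              {"name": "var-run", "emptyDir": {}}]}}}}""")

# Constructed counter-example: one unprivileged build container carrying the
# settings the audit looks for; audit() returns nothing for it.
HARDENED_POD = {"kind": "Pod", "spec": {"automountServiceAccountToken": False,
    "containers": [{"name": "build", "image": "example.invalid/daemonless-builder",
        "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                            "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "workspace", "mountPath": "/workspace"}]}],
    "volumes": [{"name": "workspace", "emptyDir": {}}]}}

# Mount paths at which the Docker daemon's control socket normally lives.
DOCKER_SOCKET_PATHS = {"/var/run", "/run", "/var/run/docker.sock", "/run/docker.sock"}


def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that wraps a pod template."""
    spec = obj.get("spec", {})
    return spec["template"]["spec"] if "template" in spec else spec


def privileged_containers(obj):
    """Names of containers that request privileged mode."""
    return [c["name"] for c in pod_spec(obj).get("containers", [])
            if c.get("securityContext", {}).get("privileged")]


def audit(obj):
    """Return (severity, subject, finding) tuples for one pod spec."""
    spec = pod_spec(obj)
    findings = []
    socket_volumes = {}  # volume name -> containers mounting it at a socket path
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("HIGH", name, "privileged: true grants every capability, "
                             "host devices and no seccomp/AppArmor confinement"))
        elif sc.get("allowPrivilegeEscalation", True):
            findings.append(("MEDIUM", name, "allowPrivilegeEscalation is not set to false"))
        if not sc.get("runAsNonRoot"):
            findings.append(("MEDIUM", name, "runAsNonRoot is not set; the process runs "
                             "as the image's user, root by default"))
        dropped = {cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append(("LOW", name, "capabilities.drop does not include ALL"))
        for m in c.get("volumeMounts", []):
            if m["mountPath"].rstrip("/") in DOCKER_SOCKET_PATHS:
                socket_volumes.setdefault(m["name"], []).append(name)
    # A socket path shared across containers hands the daemon to all of them.
    for vol, names in socket_volumes.items():
        if len(names) > 1:
            findings.append(("HIGH", ",".join(names), f"volume {vol!r} is shared at a Docker "
                             "socket path; whoever holds the socket controls the daemon, so the "
                             "runner is effectively as privileged as dind"))
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(("HIGH", v["name"],
                             f"hostPath {v['hostPath'].get('path')} exposes the node filesystem"))
    if spec.get("automountServiceAccountToken", True):
        findings.append(("LOW", "pod", "service account token is auto-mounted into every container"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, subject, text in audit(SAMPLE_DEPLOYMENT):
        print(f"{sev:6} {subject}: {text}")
    print(summarize(audit(SAMPLE_DEPLOYMENT)))
```

Run against the posted manifest it reports two HIGH findings: the privileged sidecar, and the /var/run volume shared between the runner and the sidecar, which is the reason dropping `privileged: true` from the sidecar alone would not be enough. The point for the question is that a daemonless builder (whatever tool ends up supported) removes both the privileged container and the shared socket; the `HARDENED_POD` shape is what the audit expects such a pod to look like.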
