Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,367,394
Community Members
 
Community Events
168
Community Groups

Undocumented pipeline runner IPs

Hi,

We use the list of IP addresses that bitbucket publishes of "Valid IP addresses for Bitbucket Pipelines build environments" in our firewall.  A few days ago we started to see pipelines fail because they were being denied connections.

 

After some investigation, we found that some runners seem to get IP addresses that are not in the list.

 

For example, yesterday we saw a runner get the IP 10.39.157.242/32, which is not in the list.

 

Anyone else seeing this?  Anyone at Atlassian care to update the list of IP addresses?

 

2 answers

0 votes

Hi Rob,

Please see the documentation below for runners:

What IP address do I need to whitelist to get Runner to work?

Refer to the list of the IP addresses that you need to whitelist to get your runner connected with Pipeline behind your firewall.

It's also advisable to whitelist the following IPs here if there's an issue with your runner build.

Kind regards,
Theodora

Hi Theodora,

Thanks for you answer, but unfortunately this doesn't quite address my question.  My question is about the IP addresses that the bitbucket-provided runners use.  In my question I've linked to the list that bitbucket publishes, but the problem is that this list only cover the IPv4 addresses, and does not include the IPv6 addresses.  Where can I find the IPv6 address list?

 

Thanks,

 

Rob

Hi Rob,

The list of "Valid IP addresses for Bitbucket Pipelines build environments" is for Pipelines builds that run in our own infrastructure, in case you need to make requests from these Pipelines builds to one of your servers that is behind a firewall.

For runners, you need to whitelist the IPs mentioned on this page https://ip-ranges.atlassian.com/, which also includes IPv6 addresses.

Kind regards,
Theodora

Hi Theodora,

Yes, I'm talking about pipelines that run in your infrastructureNot pipelines that run in mine.

The "Valid IP addresses for Bitbucket Pipelines build environments" page lists IPv4 addresses, but not IPv6 addresses.  However those environments have IPv6 connectivity, so we need to know what those IPv6 address ranges are so we can allow them to connect to the services they need.

Thanks,

Rob

Hi Rob,

Thank you for the clarification. You mentioned 'runner' several times in your question, which made me think that you are using Bitbucket Runners where Pipelines builds run in the customer's infrastructure.

I'm afraid that Bitbucket Pipelines that run in our own infrastructure do not support IPv6 at the moment. We have a feature request to support IPv6:

It has been closed due to inactivity, but I would suggest you still add your vote and leave a comment there, as our product managers continue to monitor even closed requests.

Kind regards,
Theodora

Hi Theodora,

Ok, but the pipelines that run in your infrastructure appear to have developed IPv6 connectivity recently, which is why I've raised this as an issue...

Hi Rob,

I will reach out to the development team regarding this, I would like to ask if you could please provide me the following info:

  • Where do you see that Pipelines have developed IPv6 connectivity?
  • Can you please include the following command in the script in your bitbucket-pipelines.yml file where you make requests to your server, and let me know what is the output? (this will show what IP the build is using)
curl http://checkip.amazonaws.com

Kind regards,
Theodora

Hi Rob,

I checked with our development team and we haven't made any changes to provide IPv6 connectivity to Pipelines build environments. We would need to know the timeframe you experienced this issue as well as check the logs for these failed Pipelines builds in order to further investigate.

I went ahead and created a support ticket for you using the email of your community account, you should have received an email with a link to the support ticket. This ticket is visible only to you and Atlassian staff.

I would like to ask if you could please leave a comment on that ticket and let us know:
- the timeframe you experienced these issues
- the URL of one of the failed builds you've had
- any info about where you see IPv6 connectivity in those builds

If you have any questions, please feel free to let me know.

Kind regards,
Theodora

Ok, I've realised that the IP 10.39.157.242 is in the 10.0.0.0/24 network, which is obviously a local network address space.  So clearly there's some kind of routing or NAT going on internally within bitbucket for outgoing connections.

Now investigating whether the connection is trying to go out on IPv6 instead of IPv4.  The page I linked to above doesn't list any outgoing IPv6 address spaces though, which is a shame...

Ok -- yes, by confining our outgoing connection to IPv4, it all worked fine.   So this question is now what are the outgoing IPv6 addresses for bitbucket pipeline runners?

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Site Admin
TAGS

Atlassian Community Events