3.9kGet a Demo
About
Architecture
Installation
Install script
System packages
Kubernetes
OpenShift
Docker
Windows
Standalone binaries
Offline deployments
External database
Uninstall
Quickstart
Docker
Google Cloud Platform
AWS
Azure
Templates
Resource Persistence
Provider Authentication
Change Management
Resource Metadata
Agent Metadata
Docker in Docker
Parameters
Open in Coder
Workspaces
IDEs
Web IDEs
JetBrains Gateway
Emacs
Remote Desktops
Networking
Port Forwarding
Dotfiles
Secrets
Administration
Authentication
Users
Groups
RBAC
Configuration
Git Providers
Upgrading
Automation
Scaling Coder
External Provisioners
Audit Logs
Quotas
High Availability
Prometheus
Service Banners
Telemetry
Support Links
Enterprise
Contributing
Code of Conduct
Feature stages
Documentation
Security
Frontend
API
General
Agents
Applications
Audit
Authentication
Authorization
Builds
Debug
Enterprise
Files
Insights
Members
Organizations
Parameters
Schemas
Templates
Users
Workspaces
Command Line
coder
config-ssh
create
delete
dotfiles
features
features list
groups
groups create
groups delete
groups edit
groups list
licenses
licenses add
licenses delete
licenses list
list
login
logout
ping
port-forward
provisionerd
provisionerd start
publickey
rename
reset-password
restart
scaletest
scaletest cleanup
scaletest create-workspaces
schedule
schedule override-stop
schedule show
schedule start
schedule stop
server
server create-admin-user
server postgres-builtin-serve
server postgres-builtin-url
show
speedtest
ssh
start
state
state pull
state push
stop
templates
templates create
templates delete
templates edit
templates init
templates list
templates plan
templates pull
templates push
templates versions
templates versions list
tokens
tokens create
tokens list
tokens remove
update
users
users activate
users create
users list
users show
users suspend
version
Home
/
Administration
/
External Provisioners

External Provisioners
Enterprise

External provisioners

By default, the Coder server runs built-in provisioner daemons, which execute terraform during workspace and template builds. However, there are sometimes benefits to running external provisioner daemons:

  • Secure build environments: Run build jobs in isolated containers, preventing malicious templates from gaining shell access to the Coder host.

  • Isolate APIs: Deploy provisioners in isolated environments (on-prem, AWS, Azure) instead of exposing APIs (Docker, Kubernetes, VMware) to the Coder server. See Provider Authentication for more details.

  • Isolate secrets: Keep Coder unaware of cloud secrets, manage/rotate secrets on provisoner servers.

  • Reduce server load: External provisioners reduce load and build queue times from the Coder server. See Scaling Coder for more details.

External provisioners are in an alpha state and the behavior is subject to change. Use GitHub issues to leave feedback.

Running external provisioners

Each provisioner can run a single concurrent workspace build. For example, running 30 provisioner containers will allow 30 users to start workspaces at the same time.

Requirements

  • The Coder CLI must installed on and authenticated as a user with the Owner or Template Admin role.
  • Your environment must be authenticated against the cloud environments templates need to provision against.

Types of provisioners

  • Generic provisioners can pick up any build job from templates without provisioner tags.

    coder provisionerd start

  • Tagged provisioners can be used to pick up build jobs from templates (and corresponding workspaces) with matching tags.

    coder provisionerd start \
  --tag environment=on_prem \
  --tag data_center=chicago

# In another terminal, create/push
# a template that requires this provisioner
coder templates create on-prem \
  --provisioner-tag environment=on_prem

# Or, match the provisioner exactly
coder templates create on-prem-chicago \
  --provisioner-tag environment=on_prem \
  --provisioner-tag data_center=chicago

    At this time, tagged provisioners can also pick jobs from untagged templates. This behavior is subject to change.

  • User provisioners can only pick up jobs from user-tagged templates. Unlike the other provisioner types, any Coder can run user provisioners, but they have no impact unless there is at least one template with the scope=user provisioner tag.

    coder provisionerd start \
  --tag scope=user

# In another terminal, create/push
# a template that requires user provisioners
coder templates create on-prem \
  --provisioner-tag scope=user

Example: Running an external provisioner on a VM

curl -L https://coder.com/install.sh | sh
export CODER_URL=https://coder.example.com
export CODER_SESSION_TOKEN=your_token
coder provisionerd start

Example: Running an external provisioner via Docker

docker run --rm -it \
  -e CODER_URL=https://coder.example.com/ \
  -e CODER_SESSION_TOKEN=your_token \
  --entrypoint /opt/coder \
  ghcr.io/coder/coder:latest \
  provisionerd start

Disable built-in provisioners

As mentioned above, the Coder server will run built-in provisioners by default. This can be disabled with a server-wide flag or environment variable.

coder server --provisioner-daemons=0
See an opportunity to improve our docs? Make an edit.
On this page