Enable the agent runner and durable store
This page covers enabling the agent runner sidecar and durable workspace store on an existing self-hosted Agenta deployment that predates the runner and store features.
Prerequisites
- Agenta version that includes the runner sidecar (big-agents branch or later).
- An existing Docker Compose or Helm deployment.
Docker Compose
- Pull the new image set:

      docker compose pull

- Start the updated stack:

      ./hosting/docker-compose/run.sh --oss --gh

- Confirm the runner started:

      curl http://localhost:8765/health

  A 200 response confirms the runner is up. If you get a connection error, check docker compose logs runner.

- The AGENTA_RUNNER_URL=http://runner:8765 value is included in the updated Compose files by default. If you maintain a custom env file, add it there.

- (Optional) Enable durable agent workspaces. Set the store credentials in your env file:

      AGENTA_STORE_ACCESS_KEY=<access-key>
      AGENTA_STORE_SECRET_KEY=<secret-key>
      # Leave AGENTA_STORE_ENDPOINT_URL empty to use AWS S3,
      # or set it to a SeaweedFS / MinIO / R2 endpoint.

  The dev compose stack bundles SeaweedFS and starts it automatically when AGENTA_STORE_ACCESS_KEY and AGENTA_STORE_SECRET_KEY are set. The gh self-host compose does not bundle SeaweedFS; point AGENTA_STORE_ENDPOINT_URL at an external S3-compatible store or leave it empty for real AWS S3. For the full reference, see Store configuration.
Helm
- Upgrade the chart to the version that includes the runner:

      helm upgrade agenta agenta/agenta -f <your-values-file>

  agentRunner.enabled=true is the default. The chart creates a runner Deployment and Service automatically.

- Confirm the runner pod is ready:

      kubectl get pods -l app=runner

- (Optional) Enable the bundled durable store:

      store:
        enabled: true
        accessKey: <access-key>
        secretKey: <secret-key>
        seaweedfs:
          enabled: true
        # SeaweedFS serves S3 STS through its OIDC IAM engine, so a bundled store also needs:
        signingKey: <base64 of 32 random bytes>  # head -c 32 /dev/urandom | base64
        jwtPrivateKey: |  # one stable RSA key shared by all API replicas
          -----BEGIN PRIVATE KEY-----
          ...
          -----END PRIVATE KEY-----

  jwtPrivateKey is required when the API runs more than one replica — every replica must sign with the same key or SeaweedFS's cached JWKS desyncs and STS fails intermittently. Generate it with openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048.

  To point at a remote S3-compatible store instead (AWS S3, MinIO), leave signingKey unset — its absence selects the GetFederationToken path, so no jwtPrivateKey is needed. Set stsEndpointUrl only for AWS, which splits STS onto its own host:

      store:
        enabled: true
        seaweedfs:
          enabled: false
        endpointUrl: https://s3.<region>.amazonaws.com
        stsEndpointUrl: https://sts.<region>.amazonaws.com
        accessKey: <access-key>
        secretKey: <secret-key>

  For the full reference, see Store configuration.
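The secrets for the bundled store, as an added example that is not part of the Agenta docs or code base: a shell script that generates signingKey and jwtPrivateKey with the commands this page gives, checks their shape before they go into a values file, and prints a public-key fingerprint for comparing the key each API replica is configured with. The function names and the store-secrets output directory are assumptions.

```shell
#!/bin/sh
# Added example, not Agenta project code. Function names and paths are hypothetical.
set -eu

# signingKey: base64 of 32 random bytes, same recipe as the values comment.
gen_signing_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# True only if $1 is base64 that decodes to exactly 32 bytes.
check_signing_key() (
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
  [ "$n" -eq 32 ]
)

# True only if file $1 parses as an unencrypted RSA private key of >= 2048 bits.
check_jwt_key() (
  openssl rsa -in "$1" -passin pass: -check -noout >/dev/null 2>&1 || exit 1
  bits=$(openssl pkey -in "$1" -noout -text 2>/dev/null |
         sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge 2048 ]
)

# SHA-256 of the DER public key. Identical output for every replica's key
# means they all sign with the same key; a mismatch is the drift that
# produces the intermittent STS failures described above.
key_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

if [ "${1:-}" = "generate" ]; then
  umask 077                       # files readable by the current user only
  out=${2:-./store-secrets}       # hypothetical output directory
  mkdir -p "$out"
  gen_signing_key > "$out/signing-key.b64"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$out/jwt-private-key.pem" 2>/dev/null
  check_signing_key "$(cat "$out/signing-key.b64")"
  check_jwt_key "$out/jwt-private-key.pem"
  echo "jwtPrivateKey public fingerprint: $(key_fingerprint "$out/jwt-private-key.pem")"
fi
```

Called with generate as its first argument, the script writes both files with owner-only permissions and stops on the first failed check; with no argument it only defines the functions.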
What changes
Agent runs now use durable working directories that survive sandbox teardown. Files written during one run are available in the next. Agent runs that ran on ephemeral sandboxes before this upgrade are not affected.