Install machine runner 3 on macOS
This page describes how to install CircleCI’s machine runner 3 on macOS.
Prerequisites
To install machine runners and run jobs, you will need to have root access, and have the following utilities and tools installed on your system:
-
curl (installed by default on macOS)
-
sha256sum (if not pre-installed):
-
brew install coreutils
-
-
The CircleCI CLI if you wish to install runners from the command line
Self-hosted runner terms agreement
-
Web app installation
-
CLI installation
Before you can install self-hosted runners through the web app, you will need to agree to the CircleCI Runner Terms. To be able to gain access to the Self-Hosted Runners section of the CircleCI web app or your CircleCI server app, an admin in your organization needs to navigate to , and agree to the terms.

Once the terms have been accepted, Self-Hosted Runners will appear permanently in the side navigation.
Your role within your org is determined differently depending on how you integrate with your code, as follows:
-
If your code is integrated with CircleCI via the GitHub OAuth App or Bitbucket Cloud, CircleCI mirrors VCS permissions for organizations. If you are an admin on your organization’s VCS, you are an admin on CircleCI. If you are unsure, check the admin permissions on your VCS.
-
If your code is integrated with CircleCI via the GitHub App, GitLab, or Bitbucket Data Center, you can check roles by navigating to Roles and permissions overview.
. Full details on roles and permissions are available in the
If you are installing and using self-hosted runners through the CLI, you are agreeing to the CircleCI Runner Terms.
1. Create namespace and resource class
-
Web app installation
-
CLI installation
In order to install self-hosted runners, you will need to create a namespace and resource class token. To create resource classes and tokens, you need to be an organization admin in the VCS provider. You can read about namespaces and resource classes on the Concepts page.
You can view your installed runners on the inventory page, by clicking Self-Hosted Runners on the left navigation.
-
On the CircleCI web app, navigate to Self-Hosted Runners and select Create Resource Class.
-
Next, you will create a custom resource class to use when configuring jobs to use your self-hosted runners. If this is your organization’s first time using self-hosted runners. You will need to create or enter a namespace. If your organization already creates orbs, do not create a new namespace, but instead enter the namespace your organization uses for orbs here too. Enter aname for your self-hosted runner resource class.
Each organization can only create a single namespace. While not required, we suggest using a lowercase representation of your CircleCI account name. CircleCI will populate your org name as the suggested namespace by default in the UI. -
Copy and save the resource class token. Self-hosted runners use this token to claim work for the associated resource class.
The token cannot be retrieved again, be sure to store it safely. -
Select the Machine tab and progress on to the platform-specific instructions in the next section of this installation guide.
If you are installing self-hosted runners for server, the CircleCI CLI needs to be configured using your server API key. Run circleci setup to configure the CLI and access the option to supply a new API token if required.
|
In order to install self-hosted runners, you will need to create a namespace and authentication token by performing the steps listed below.
To create resource classes and tokens you need to be an organization administrator in the VCS provider. |
You can view your installed runners on the inventory page in the web app or your CircleCI server app, by clicking Self-Hosted Runners on the left navigation.
-
Create a namespace for your organization’s self-hosted runners. Each organization can only create a single namespace. We suggest using a lowercase representation of your CircleCI organization’s account name. If you already use orbs, this namespace should be the same namespace orbs use.
Use the following command to create a namespace:
circleci namespace create <name> --org-id <your-organization-id>
If your organization already has a namespace, you will receive an error if you run the above command to create a different namespace. The error message returns the name of the existing namespace. In this case, move on to step 2 below, using your existing namespace. -
Create a resource class for your self-hosted runner’s namespace using the following command:
circleci runner resource-class create <namespace>/<resource-class> <description> --generate-token
Make sure to replace
<namespace>
and<resource-class>
with your org namespace and desired resource class name, respectively. You may optionally add a description.Example:
circleci runner resource-class create my-namespace/my-resource-class my-description --generate-token
.The resource class token is returned after the runner resource class is successfully created.
The token cannot be retrieved again, so be sure to store it safely.
2. Install CircleCI runner on macOS
You can install runner on macOS with Homebrew.
-
On the target macOS machine with Homebrew installed, run the following command to add the CircleCI repository:
brew tap circleci-public/circleci
-
Run the following command to install the
circleci-runner
package:You may see a notification indicating a background item for Circle Internet Services Inc. has been added. brew install circleci-runner
-
Open the runner
config.yaml
file with the text editor of your choice, and modify therunner.name
andapi.auth_token
values.nano $HOME/Library/Preferences/com.circleci.runner/config.yaml
runner: name: "my-macos-runner" working_directory: "/Users/$USER/Library/com.circleci.runner/workdir" cleanup_working_directory: true api: auth_token: "your-auth-token"
Replace
api.auth_token
with the token generated in the steps above, and choose a name for your runner. -
If you are using CircleCI server you will need to provide the URL for your install. You can do this by either setting the
CIRCLECI_RUNNER_API_URL
environment variable:export CIRCLECI_RUNNER_API_URL="your server domain"
Or by adding the URL to
$HOME/Library/Preferences/com.circleci.runner/config.yaml
using text editor of your choice.api: auth_token: "your-auth-token" # On server, set url to the hostname of your server installation. url: https://your.domain.here
3. Review and accept the Apple signature notarization
The binary must be approved to run on your macOS system because the self-hosted runner is not compiled from source during installation. This can be done via the macOS UI by accepting the pop-up asking if you wish to run the binary from the internet, or programmatically.
-
Verify the signature and notarization with this command:
spctl -a -vvv -t install "$(brew --prefix)/bin/circleci-runner"
It should return an output that looks like this:
/opt/homebrew/bin/circleci-runner: accepted source=Notarized Developer ID origin=Developer ID Application: Circle Internet Services Inc.
-
When ready, run the command to accept the notarization. You will need to enter the macOS system password.
sudo xattr -r -d com.apple.quarantine "$(brew --prefix)/bin/circleci-runner"
4. Start macOS machine runner 3
To start the macOS machine runner 3 for the first time, you will need to bootstrap the service. Depending on whether you are using a GUI or non-GUI session (for example, when remotely tunneling into the machine), the commands to bootstrap the service will differ:
-
GUI domain
-
User domain
-
For running the agent in a GUI session, you can bootstrap the provided
.plist
file and enable the service by running the following commands:launchctl bootstrap gui/$(id -u) $HOME/Library/LaunchAgents/com.circleci.runner.plist launchctl enable gui/$(id -u)/com.circleci.runner launchctl kickstart -k gui/$(id -u)/com.circleci.runner
-
Finally, you can check the service is running by invoking the following command:
launchctl print gui/$(id -u)/com.circleci.runner
-
When using a non-GUI (or headless) session, the provided
.plist
file should be moved to/Library/LaunchAgents
. This location is for per-user agents configured by the administrator, which allows the service to load after a reboot. Run the following command to do this:sudo mv $HOME/Library/LaunchAgents/com.circleci.runner.plist /Library/LaunchAgents/
-
Now you can bootstrap the
.plist
file and enable the service by running the following commands:launchctl bootstrap user/$(id -u) /Library/LaunchAgents/com.circleci.runner.plist launchctl enable user/$(id -u)/com.circleci.runner launchctl kickstart -k user/$(id -u)/com.circleci.runner
-
Finally, you can check the service is running by invoking the following command:
launchctl print user/$(id -u)/com.circleci.runner
Machine runner configuration example
Once you have installed configuration runner, select Continue in the CircleCI web app and you will be presented with an example configuration snippet showing a job configured to use your new self-hosted runner resource class.

The fields you must set for a specific job to run using your machine runners are:
-
machine: true
-
resource_class: <namespace>/<resource-class>
Simple example of how you could set up a job:
version: 2.1
workflows:
build-workflow:
jobs:
- runner
jobs:
runner:
machine: true
resource_class: <namespace>/<resource-class>
steps:
- run: echo "Hi I'm on Runners!"
The job will then execute using your self-hosted runner when you push the .circleci/config.yml
to your VCS provider.
Stop macOS machine runner 3
To stop the machine runner service, run the following command to disable the machine runner service, depending on the service target used in the previous step:
-
GUI domain
-
User domain
launchctl disable gui/$(id -u)/com.circleci.runner
launchctl disable user/$(id -u)/com.circleci.runner
Uninstall machine runner 3 on macOS
To uninstall machine runner 3 from your macOS device, follow these steps.
-
Stop the machine runner service by using the following command to disable it, depending on the service target used during installation:
-
GUI domain
-
User domain
Targeting the GUI domain:
launchctl bootout gui/$(id -u)/com.circleci.runner
Targeting the user domain:
launchctl bootout user/$(id -u)/com.circleci.runner
-
-
Uninstall machine runner:
-
Keep logs and configuration
-
Purge logs and configuration
To uninstall without purging logs and configuration files, run the following command.
brew uninstall --cask circleci-public/homebrew-circleci/circleci-runner
This command will purge all logs and configuration files. To uninstall and purge all logs and configuration files, run the following command.
brew uninstall --cask --zap circleci-public/homebrew-circleci/circleci-runner
-