karlmdavis / ansible-role-jenkins2
This Ansible role can be used to install and manage Jenkins 2.
Home Page: https://galaxy.ansible.com/karlmdavis/jenkins2/
License: Other
Even though the role uses state: latest when installing the Jenkins YUM package, the package isn't updated.
After some research, it appears that what's happening is that the YUM cache isn't being updated first, so YUM doesn't know that there are newer packages to grab. Oops.
While I'm fixing this, it's probably worth adding an option to disable the auto-update, too, since I now provide that option for plugins.
I need this for some work stuff, so time to make it happen.
Fortunately, I'll be able to base it on the excellent start provided by @deviscalio in PR #7.
ansible 2.4.0.0
python version = 2.7.10 (default, Jul 15 2017, 17:16:57) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)]
Vagrant 2.0.1
mac 10.13.1
ubuntu 16.04
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-8u151-b12-0ubuntu0.16.04.2-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)
Provisioning with vagrant ansible causes the following failure:
TASK [karlmdavis.jenkins2 : include_tasks] *************************************
included: /Users/cbrownroberts/Dev/UML-Assets/scripts/libweb-initial-setup/LibWeb/provision/ansible/roles/karlmdavis.jenkins2/tasks/packages_Debian.yml for libweb
TASK [karlmdavis.jenkins2 : Update APT Cache] **********************************
ok: [libweb]
TASK [karlmdavis.jenkins2 : Install OS Dependencies] ***************************
ok: [libweb] => (item=[u'apt-transport-https'])
TASK [karlmdavis.jenkins2 : Determine APT Key and Repo to Use (Step 1)] ********
ok: [libweb]
TASK [karlmdavis.jenkins2 : Determine APT Key and Repo to Use (Step 2)] ********
ok: [libweb]
TASK [karlmdavis.jenkins2 : Add Jenkins APT Key] *******************************
changed: [libweb]
TASK [karlmdavis.jenkins2 : Remove Unused Jenkins APT Repositories] ************
ok: [libweb] => (item=deb http://pkg.jenkins-ci.org/debian binary/)
skipping: [libweb] => (item=deb https://pkg.jenkins.io/debian binary/)
ok: [libweb] => (item=deb https://pkg.jenkins.io/debian-stable binary/)
TASK [karlmdavis.jenkins2 : Add Jenkins APT Repository] ************************
fatal: [libweb]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File "/tmp/ansible_LlFLZj/ansible_module_apt_repository.py", line 556, in \r\n main()\r\n File "/tmp/ansible_LlFLZj/ansible_module_apt_repository.py", line 544, in main\r\n cache.update()\r\n File "/usr/lib/python2.7/dist-packages/apt/cache.py", line 456, in update\r\n raise FetchFailedException()\r\napt.cache.FetchFailedException\r\n", "msg": "MODULE FAILURE", "rc": 0}
to retry, use: --limit @/Users/cbrownroberts/Dev/UML-Assets/scripts/libweb-initial-setup/LibWeb/provision/ansible/playbook.retry
PLAY RECAP *********************************************************************
libweb : ok=13 changed=2 unreachable=0 failed=1
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
The idempotency test case is causing this role's Travis CI build to fail: https://travis-ci.org/karlmdavis/ansible-jenkins2/builds/124652991
This is due to the install/upgrade of Jenkins plugins always reporting itself as changed. Need to fix that.
(Note that the role is actually idempotent; this is just a reporting problem.)
Hello - Thanks for creating and open sourcing this role. Is there any interest in supporting RHEL/CentOS 7? I can take a stab at working on it.
The role fails with Ansible 2.1.0.0 because the handler Restart Service 'Jenkins' fails with the message ERROR! Unexpected Exception: 'TaskInclude' object has no attribute 'has_triggered'
Trace information:
.....
TASK [karlmdavis.jenkins2 : Configure JVM Arguments] ***************************
changed: [52.51.225.109]
RUNNING HANDLER [karlmdavis.jenkins2 : Restart Service 'jenkins'] **************
ERROR! Unexpected Exception: 'TaskInclude' object has no attribute 'has_triggered'
to see the full traceback, use -vvv
Ansible is installed as follows, and has the following version:
$ sudo apt-add-repository ppa:ansible/ansible -y
$ sudo apt-get update
$ sudo apt-get install ansible
$ ansible --version
ansible 2.1.0.0
config file = /etc/ansible/ansible.cfg
configured module search path = Default w/o overrides
After manual restart, when I run your playbook again, it gives me the following error:
TASK [karlmdavis.jenkins2 : Verify CLI] ****************************************
task path: /etc/ansible/roles/karlmdavis.jenkins2/tasks/cli_config.yml:94
fatal: [52.51.225.109]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}
Which seems to be related to ansible 2.1 security changes: https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
When setting allow_world_readable_tmpfiles = True in /etc/ansible/ansible.cfg, the playbook continues until the handler is triggered again and fails with ERROR! Unexpected Exception: 'TaskInclude' object has no attribute 'has_triggered'
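An alternative to enabling allow_world_readable_tmpfiles for the permissions error reported above, given as an added example that is not part of the original issue or the role's own code. It assumes a Debian/Ubuntu managed host whose temporary directory is on a filesystem mounted with POSIX ACL support; the play layout and task name are illustrative.

```yaml
# Added example (assumptions: Debian/Ubuntu target, ACL-capable tmp filesystem).
# When setfacl is available on the managed host, Ansible shares its temporary
# module files with the unprivileged become user through POSIX ACLs instead of
# making them world-readable, so allow_world_readable_tmpfiles can stay at its
# default (False) in ansible.cfg.
- hosts: all
  pre_tasks:
    # Becoming root does not hit the temporary-file permission problem, so this
    # task can run before the role's tasks that become an unprivileged user.
    - name: Install ACL tools on the managed host
      apt:
        name: acl
        state: present
        update_cache: true
      become: true
  roles:
    - karlmdavis.jenkins2
```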
After a clean install, this role leaves Jenkins configured in such a way that there are warnings about several not-recommended security settings:
Tracking the following dependency issue: ansible/ansible#32334.
Hi, can you please make a new release? There is a bug fix since the last release: #60
Recent Ansible releases provide a credible jenkins_script module that -- on the whole -- looks like a more robust solution than this role's current usage of the Jenkins CLI. It'd also lead to somewhat more readable code, which is nice.
If Jenkins is running in a restricted/whitelisted-sites-only proxy server environment, and also points at a custom YUM repo, there may also be a need to not use the proxy server for those YUM connections.
This is kind of an obscure edge case, but one that I'm running into right now. So.
For one: they're broken on RHEL FIPS 140-2 systems, due to ansible/ansible#34304. But even without that problem, I'm not 100% convinced updating them every time the play is run is a great idea.
Now that Jenkins 2 is out (yay!), update this role to install the final release, and to use the APT repo to stay up-to-date,
Not entirely sure this is possible -- seems like it'd screw up the package manager's attempts to update things.
jenkins_plugin supports a timeout, which is sometimes necessary if the plugin install is slow.
failed: [QAE-BND-001] (item=workflow-aggregator) => {"changed": false, "details": "Connection failure: timed out", "item": "workflow-aggregator", "msg": "Cannot install plugin."}
Changed plugins.yml to be:
- name: Install Plugins
  jenkins_plugin:
    name: "{{ item }}"
    state: present
    jenkins_home: "{{ jenkins_home }}"
    url: "{{ jenkins_url_local }}"
    params:
      url_username: "{{ jenkins_dynamic_admin_username | default(omit) }}"
      url_password: "{{ jenkins_dynamic_admin_password | default(omit) }}"
    validate_certs: "{{ false if ansible_distribution_release == 'trusty' else true }}"
    timeout: 120
  with_items:
    - "{{ jenkins_plugins_recommended }}"
    - "{{ jenkins_plugins_extra }}"
  become: true
  notify:
    - "Restart Service 'jenkins'"
- name: Update Plugins
  jenkins_plugin:
    name: "{{ item }}"
    state: latest
    jenkins_home: "{{ jenkins_home }}"
    url: "{{ jenkins_url_local }}"
    params:
      url_username: "{{ jenkins_dynamic_admin_username | default(omit) }}"
      url_password: "{{ jenkins_dynamic_admin_password | default(omit) }}"
    validate_certs: "{{ false if ansible_distribution_release == 'trusty' else true }}"
    timeout: 120
  with_items:
    - "{{ jenkins_plugins_recommended }}"
    - "{{ jenkins_plugins_extra }}"
  become: true
  notify:
    - "Restart Service 'jenkins'"
The role's jenkins_plugin implementation doesn't work correctly while using Ansible 2.5
failed: [10.0.0.201] (item=cloudbees-folder) => {"changed": false, "item": "cloudbees-folder", "msg": "The params option to jenkins_plugin was removed in Ansible 2.5 since it circumvents Ansible's option handling"}
Fixed the problem locally by modifying the Install Plugins and Update Plugins tasks. Removed the params implementation like so:
- name: Install Plugins
  jenkins_plugin:
    name: "{{ item }}"
    state: present
    jenkins_home: "{{ jenkins_home }}"
    url: "{{ jenkins_url_local }}"
    url_username: "{{ jenkins_dynamic_admin_username | default(omit) }}"
    url_password: "{{ jenkins_dynamic_admin_password | default(omit) }}"
    validate_certs: "{{ false if ansible_distribution_release == 'trusty' else true }}"
    timeout: "{{ jenkins_plugins_timeout }}"
  with_items:
    - "{{ jenkins_plugins_recommended }}"
    - "{{ jenkins_plugins_extra }}"
  become: true
  notify:
    - "Restart Service 'jenkins'"
Haven't made a merge request, since now I'm pretty sure this change will break Ansible 2.4 usage.
Thoughts, suggestions? Perhaps you @karlmdavis are willing to drop 2.4 support?
Before I can accept PR #7 (or other similar changes), I need a way to verify that it actually works.
It'd also be good to verify that this role works with various versions of Ansible.
The Example Playbook in the README doesn't work out of the box.
Using for instance:
- hosts: all
  vars:
    jenkins_port: 8080
  roles:
    - karlmdavis.jenkins2
In Vagrant, gives:
TASK [karlmdavis.jenkins2 : Update APT Cache] **********************************
fatal: [jenkins]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to lock apt for exclusive operation"}
to retry, use: --limit @/Users/caleb/dev/ansible-galaxies/jenkins.retry
This is simple enough to fix by adding become: yes here or there.
See here for a description of the problem, and also my current theory on its cause: https://groups.google.com/forum/#!searchin/jenkinsci-users/%22hudson.security.SecurityRealm$24None%22%7Csort:relevance/jenkinsci-users/QkR66pDmESU/ytutu8D6BQAJ.
If operating in an environment with a restrictive proxy server, we need the ability to specify exactly which of the YUM/APT mirrors will be used when installing Jenkins.
Also need to specify no_proxy on anything grabbing HTTP content from localhost.
Ansible's task/role/variable inclusion facilities were rather drastically overhauled in v2.4. The changes are definitely all for the better, but lead to a bunch of deprecation warnings for any project that was previously using role or task includes, like this one.
Unfortunately, I don't see a backwards-compatible way for us to resolve those warnings in 2.4 while still supporting 2.0. We'll have to pick a point in time to drop support for 2.0... maybe six months from now? That'd be March or April of next year.
Would be nice if it was easy to configure Jenkins' session timeout.
(Not strictly needed as a feature, since the Java args can be customized, but it's a convenient one to have called out.)
I found I had to manually disable security to get the cli to work, and a small amount of research couldn't turn up why the cli would work over http without security being disabled - neither the -i or -auth options seem to be passed to the calls to jenkins-cli.
It gave an error of 'ERROR: anonymous is missing the Overall/Read permission'
So I manually switched security off, ran the role again, and it worked.
PS Thanks for the role!
The geerlingguy.java role does not work with Ubuntu 14.04 and oracle-java8 anymore. Maybe it is a good time to just ignore Ubuntu 14.04 and run tests with Ubuntu 18.04. Also, Ubuntu 14.04 has End of Standard Support (see: https://wiki.ubuntu.com/Releases).
fatal: [docker_container]: FAILED! => {"changed": false, "msg": "No package matching 'oracle-java8-installer' is available"}
Failure occurs in PR #62
Just came across this: https://wiki.jenkins.io/display/JENKINS/JenkinsBehindProxy. Turns out that setting the proxy settings there is necessary for the GitHub plugins to work; they don't honor -Dhttp.proxyHost and friends.
I think this role should have first-class support for that: it should provide config settings for the proxy and apply them everywhere that it makes sense.
Looks like the Jenkins CLI has changed its auth mechanism -- and now doesn't work with this role.
The jenkins_url_external property was not being handled properly.
Tracking this upstream problem: ansible/ansible#34304