karlmdavis / ansible-role-jenkins2 Goto Github PK

Even though the role uses state: latest when installing the Jenkins YUM package, the package isn't updated.

After some research, it appears that what's happening is that the YUM cache isn't being updated first, so YUM doesn't know that there are newer packages to grab. Oops.

While I'm fixing this, it's probably worth adding an option to disable the auto-update, too, since I now provide that option for plugins.

I need this for some work stuff, so time to make it happen.

Fortunately, I'll be able to base it on the excellent start provided by @deviscalio in PR #7.

ansible 2.4.0.0
python version = 2.7.10 (default, Jul 15 2017, 17:16:57) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)]
Vagrant 2.0.1
mac 10.13.1
ubuntu 16.04
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-8u151-b12-0ubuntu0.16.04.2-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

**provisioning with vagrant ansible causes the following failure:

TASK [karlmdavis.jenkins2 : include_tasks] *************************************
included: /Users/cbrownroberts/Dev/UML-Assets/scripts/libweb-initial-setup/LibWeb/provision/ansible/roles/karlmdavis.jenkins2/tasks/packages_Debian.yml for libweb

TASK [karlmdavis.jenkins2 : Update APT Cache] **********************************
ok: [libweb]

TASK [karlmdavis.jenkins2 : Install OS Dependencies] ***************************
ok: [libweb] => (item=[u'apt-transport-https'])

TASK [karlmdavis.jenkins2 : Determine APT Key and Repo to Use (Step 1)] ********
ok: [libweb]

TASK [karlmdavis.jenkins2 : Determine APT Key and Repo to Use (Step 2)] ********
ok: [libweb]

TASK [karlmdavis.jenkins2 : Add Jenkins APT Key] *******************************
changed: [libweb]

TASK [karlmdavis.jenkins2 : Remove Unused Jenkins APT Repositories] ************
ok: [libweb] => (item=deb http://pkg.jenkins-ci.org/debian binary/)
skipping: [libweb] => (item=deb https://pkg.jenkins.io/debian binary/)
ok: [libweb] => (item=deb https://pkg.jenkins.io/debian-stable binary/)

TASK [karlmdavis.jenkins2 : Add Jenkins APT Repository] ************************
fatal: [libweb]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File "/tmp/ansible_LlFLZj/ansible_module_apt_repository.py", line 556, in \r\n main()\r\n File "/tmp/ansible_LlFLZj/ansible_module_apt_repository.py", line 544, in main\r\n cache.update()\r\n File "/usr/lib/python2.7/dist-packages/apt/cache.py", line 456, in update\r\n raise FetchFailedException()\r\napt.cache.FetchFailedException\r\n", "msg": "MODULE FAILURE", "rc": 0}
to retry, use: --limit @/Users/cbrownroberts/Dev/UML-Assets/scripts/libweb-initial-setup/LibWeb/provision/ansible/playbook.retry

PLAY RECAP *********************************************************************
libweb : ok=13 changed=2 unreachable=0 failed=1

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

The idempotency test case is causing this role's Travis CI build to fail: https://travis-ci.org/karlmdavis/ansible-jenkins2/builds/124652991

This is due to the install/upgrade of Jenkins plugins always reporting itself as changed. Need to fix that.

(Note that the role is actually idempotent; this is just a reporting problem.)

Hello - Thanks for creating and open sourcing this role. Is there any interest in supporting RHEL/CentOS 7? I can take a stab at working on it.

The role fails with Ansible 2.1.0.0 because the handler Restart Service 'Jenkins' fails with the message ERROR! Unexpected Exception: 'TaskInclude' object has no attribute 'has_triggered'

Trace information:

.....
TASK [karlmdavis.jenkins2 : Configure JVM Arguments] ***************************
changed: [52.51.225.109]

RUNNING HANDLER [karlmdavis.jenkins2 : Restart Service 'jenkins'] **************
ERROR! Unexpected Exception: 'TaskInclude' object has no attribute 'has_triggered'
to see the full traceback, use -vvv

Ansible is installed as follows, and has the following version:

$ sudo apt-add-repository ppa:ansible/ansible -y
$ sudo apt-get update
$ sudo apt-get install ansible
$ ansible --version
ansible 2.1.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

After manual restart, when I run your playbook again, it gives me the following error:

TASK [karlmdavis.jenkins2 : Verify CLI] ****************************************
task path: /etc/ansible/roles/karlmdavis.jenkins2/tasks/cli_config.yml:94
fatal: [52.51.225.109]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

Which seems to be related to ansible 2.1 security changes: https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user

When setting allow_world_readable_tmpfiles = True in /etc/ansible/ansible.cfg, the playbook continues until the handler is triggered again and fails with ERROR! Unexpected Exception: 'TaskInclude' object has no attribute 'has_triggered

After a clean install, this role leaves Jenkins configured in such a way that there are warnings about several not-recommended security settings:

• CLI remoting is enabled
• deprecated agent protocols are enabled
• agent-master access control is disabled
• CSRF is disabled

Tracking the following dependency issue: ansible/ansible#32334.

Hi, Can you please make a new release ? There is a bug fix since the last release: #60

Recent Ansible releases provide a credible jenkins_script module that -- on the whole -- looks like a more robust solution than this role's current usage of the Jenkins CLI. It'd also lead to somewhat more readable code, which is nice.

If Jenkins is running in a restricted/whitelisted-sites-only proxy server environment, and also points at a custom YUM repo, there may also be a need to not use the proxy server for those YUM connections.

This is kind of an obscure edge case, but one that I'm running into right now. So.

For one: they're broken on RHEL FIPS 140-2 systems, due to ansible/ansible#34304. But even without that problem, I'm not 100% convinced updating them everytime the play is run is a great idea.

For example: https://travis-ci.org/karlmdavis/ansible-role-jenkins2/jobs/369831155

Now that Jenkins 2 is out (yay!), update this role to install the final release, and to use the APT repo to stay up-to-date,

Not entirely sure this is possible -- seems like it'd screw up the package manager's attempts to update things.

jenkins_plugin supports a timeout, which is sometimes necessary if the plugin install is slow.

failed: [QAE-BND-001] (item=workflow-aggregator) => {"changed": false, "details": "Connection failure: timed out", "item": "workflow-aggregator", "msg": "Cannot install plugin."}
Changed plugins.yml to be:

- name: Install Plugins
  jenkins_plugin:
    name: "{{ item }}"
    state: present
    jenkins_home: "{{ jenkins_home }}"
    url: "{{ jenkins_url_local }}"
    params:
      url_username: "{{ jenkins_dynamic_admin_username | default(omit) }}"
    url_password: "{{ jenkins_dynamic_admin_password | default(omit) }}"
    validate_certs: "{{ false if ansible_distribution_release == 'trusty' else true }}"
    timeout: 120
  with_items:
    - "{{ jenkins_plugins_recommended }}"
    - "{{ jenkins_plugins_extra }}"
  become: true
  notify:
    - "Restart Service 'jenkins'"

- name: Update Plugins
  jenkins_plugin:
    name: "{{ item }}"
    state: latest
    jenkins_home: "{{ jenkins_home }}"
    url: "{{ jenkins_url_local }}"
    params:
      url_username: "{{ jenkins_dynamic_admin_username | default(omit) }}"
    url_password: "{{ jenkins_dynamic_admin_password | default(omit) }}"
    validate_certs: "{{ false if ansible_distribution_release == 'trusty' else true }}"
    timeout: 120
  with_items:
    - "{{ jenkins_plugins_recommended }}"
    - "{{ jenkins_plugins_extra }}"
  become: true
  notify:
    - "Restart Service 'jenkins'"

The roles jenkins_plugin implementation doesn't work correctly while using Ansible 2.5

failed: [10.0.0.201] (item=cloudbees-folder) => {"changed": false, "item": "cloudbees-folder", "msg": "The params option to jenkins_plugin was removed in Ansible 2.5 since it circumvents Ansible's option handling"}

Fixed the problem locally by modifying the Install Plugins and Update Plugins tasks. Removed the params implementation like so:

- name: Install Plugins
  jenkins_plugin:
    name: "{{ item }}"
    state: present
    jenkins_home: "{{ jenkins_home }}"
    url: "{{ jenkins_url_local }}"
    url_username: "{{ jenkins_dynamic_admin_username | default(omit) }}"
    url_password: "{{ jenkins_dynamic_admin_password | default(omit) }}"
    validate_certs: "{{ false if ansible_distribution_release == 'trusty' else true }}"
    timeout: "{{ jenkins_plugins_timeout }}"
  with_items:
    - "{{ jenkins_plugins_recommended }}"
    - "{{ jenkins_plugins_extra }}"
  become: true
  notify:
    - "Restart Service 'jenkins'"

Haven't made a merge request, since now I'm pretty sure this change will break Ansible 2.4 usage.

Thoughts, suggestions? Perhaps you @karlmdavis are willing to drop 2.4 support?

Before I can accept PR #7 (or other similar changes), I need a way to verify that it actually works.

It'd also be good to verify that this role works with various versions of Ansible.

The Example Playbook in the README doesn't work out of the box.

Using for instance:

- hosts: all
  vars:
    jenkins_port: 8080

  roles:
     - karlmdavis.jenkins2

In Vagrant, gives:

TASK [karlmdavis.jenkins2 : Update APT Cache] **********************************
fatal: [jenkins]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to lock apt for exclusive operation"}
        to retry, use: --limit @/Users/caleb/dev/ansible-galaxies/jenkins.retry

This is simple enough to fix by adding become: yes here or there.

See here for a description of the problem, and also my current theory on its cause: https://groups.google.com/forum/#!searchin/jenkinsci-users/%22hudson.security.SecurityRealm$24None%22%7Csort:relevance/jenkinsci-users/QkR66pDmESU/ytutu8D6BQAJ.

See here: https://travis-ci.org/karlmdavis/ansible-role-jenkins2/builds/287508597

If operating in an environment with a restrictive proxy server, we need the ability to specify exactly which of the YUM/APT mirrors will be used when installing Jenkins.

Also need to specify no_proxy on anything grabbing HTTP content from localhost.

Ansible's task/role/variable inclusion facilities were rather drastically overhauled in v2.4. The changes are definitely all for the better, but lead to a bunch of deprecation warnings for any project that was previously using role or task includes, like this one.

Unfortunately, I don't see a backwards-compatible way for us to resolve those warnings in 2.4 while still supporting 2.0. We'll have to pick a point in time to drop support for 2.0... maybe six months from now? That'd be March or April of next year.

Would be nice if it was easy to configure Jenkins' session timeout.

(Not strictly needed as a feature, since the Java args can be customized, but it's a convenient one to have called out.)

I found I had to manually disable security to get the cli to work, and a small amount of research couldn't turn up why the cli would work over http without securtiy being disabled - neither the -i or -auth options seem to be passed to the calls to jenkins-cli.

It gave an error of 'ERROR: anonymous is missing the Overall/Read permission'

So I manually switched security off, ran the role again, and it worked.

PS Thanks for the role!

The geerlingguy.java role does not work with Ubuntu 14.04 and oracle-java8 anymore. Maybe it is a good time to just ignore Ubuntu 14.04 and run tests with Ubuntu 18.04. Also, Ubuntu 14.04 has End of Standard Support (see: https://wiki.ubuntu.com/Releases).

fatal: [docker_container]: FAILED! => {"changed": false, "msg": "No package matching 'oracle-java8-installer' is available"}

Failure occurs in PR #62

Just came across this: https://wiki.jenkins.io/display/JENKINS/JenkinsBehindProxy. Turns out that setting the proxy settings there is necessary for the GitHub plugins to work; they don't honor -Dhttp.proxyHost and friends.

I think this role should have first-class support for that: it should provide config settings for the proxy and apply them everywhere that it makes sense.

Looks like the Jenkins CLI has changed its auth mechanism -- and now doesn't work with this role.

The jenkins_url_external property was not being handled properly.

Tracking this upstream problem: ansible/ansible#34304