redhatqe / cinch
Jenkins configuration tool using Ansible
Home Page: http://redhatqe-cinch.rtfd.io
License: GNU General Public License v3.0
Audit the command line options passed to the Jenkins service to be sure all needed values are being properly set.
Ensure iptables has the following rules:
Drop/deny everything else.
Improve installing Jenkins plugins to directly call the API instead of passing calls through the Jenkins CLI jar file.
If the host is configured for LDAP/Kerberos, add the same set of authentication to Jenkins.
Also, provide a method to configure the host for LDAP/Kerberos authentication.
There are now beaker-client RPMs built into Fedora and EPEL7 repositories. Therefore, remove the beaker-project.org repository files from those groups and use the native packages, instead.
In some cases, we want to pin a plugin to a specific version. The process is explained here: https://wiki.jenkins-ci.org/display/JENKINS/Pinned+Plugins (Note: this is only applicable to Jenkins 1.X)
Given a list of plugin names
When a jenkins instance is deployed
Then each plugin name will have a file created in JENKINS_HOME/plugins/{plugin_name}.jpi.pinned
Example:
pinned_plugins=credentials,junit
will create:
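The task below is an added example, not code from cinch, of how the Given/When/Then above could be implemented inside the jenkins_master role. It assumes the variables jenkins_home, jenkins_user and jenkins_group exist and that pinned_plugins is passed as the comma-separated string shown; with pinned_plugins=credentials,junit it creates credentials.jpi.pinned and junit.jpi.pinned under JENKINS_HOME/plugins.

```yaml
# Added example, not cinch's own code. The variable names jenkins_home,
# jenkins_user, jenkins_group and pinned_plugins are assumptions.
# Jenkins 1.x reads an existing <plugin>.jpi.pinned marker as "keep the
# installed version; do not let the copy bundled in jenkins.war overwrite
# it on upgrade", so an empty file is all that is needed.
- name: create .jpi.pinned markers for every entry in pinned_plugins
  copy:
    content: ""
    dest: "{{ jenkins_home }}/plugins/{{ item | trim }}.jpi.pinned"
    force: false          # create only when absent, so repeated runs report no change
    owner: "{{ jenkins_user }}"
    group: "{{ jenkins_group }}"
    mode: "0644"
  # default('') keeps the loop valid when pinned_plugins is not set at all
  with_items: "{{ (pinned_plugins | default('')).split(',') }}"
  when: item | trim | length > 0    # tolerate a trailing comma or a blank entry
```

Because the marker only freezes the bundled plugin, a pin does not stop the "install plugins" task from pulling a newer version from the update center; keep the pinned names out of the list that task installs if the version really must not move.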
Support a Jenkins Slave configuration that does nothing more than execute the latest Cinch-built Docker container directly on a host.
Regardless of the number of times it is run, the plugin installation process always reports at least some of the plugins have been changed. Track down the reasons for this and mitigate, if possible (might require a PR to upstream Ansible to update the module - if this is the case, the patched version can live in our library/ folder until we upgrade to a version of Ansible that includes the fix).
Ensure that Jenkins Master configuration matches version 1.3.0 of this Puppet module: https://forge.puppet.com/rtyler/jenkins/1.3.0/readme
Ensure that all Jenkins masters have pip installed
TASK [jenkins_master : set iptables to reject all other connections] ***********
changed: [10.8.182.47] => {"chain": "INPUT", "changed": true, "failed": false, "flush": false, "ip_version": "ipv4", "rule": "-p all -m comment --comment 999 Reject all other communication -j REJECT --reject-with icmp-admin-prohibited", "state": "present", "table": "filter"}
RUNNING HANDLER [nginx : reload systemd] ***************************************
fatal: [10.8.182.47]: FAILED! => {"changed": false, "failed": true, "msg": "missing required arguments: name"}
This package has some benefits for interacting with cloud-init, such as specifying user data files for an OpenStack instance.
If the Ansible variable jslave_name is set to something like 'cinch-slave', when the Jenkins slave is created it will have a UID of sorts appended to the end of the name, like 'cinch-slave-123fdsa'. We need to find out where this is coming from, and possibly make its existence user-configurable.
Factor out the Beaker client work into its own role.
Ensure that SSH is installed and running on Jenkins masters.
Ensure EPEL is configured in all RHEL and CentOS hosts.
Configure Jenkins Master to listen on port 50000 for slaves, instead of relying on the default ports.
Building remotely on cinch-slave-c37471bc (cinch-slave swarm) in workspace /home/jenkins/workspace/jslave-cinch-test-2-runtest
java.io.IOException: Failed to mkdirs: /home/jenkins/workspace/jslave-cinch-test-2-runtest
at hudson.FilePath.mkdirs(FilePath.java:1169)
at hudson.model.AbstractProject.checkout(AbstractProject.java:1276)
at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:604)
at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:529)
at hudson.model.Run.execute(Run.java:1728)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:404)
Archiving artifacts
ERROR: Build step failed with exception
/home/jenkins/workspace/jslave-cinch-test-2-runtest does not exist.
My playbook.yml:
Test machine: CentOS 7
jenkins_rpm ~ jenkins-2.32
First error:
TASK [jenkins_master : download jenkins CLI] ***********************************
fatal: [default]: FAILED! => {"changed": false, "failed": true, "msg": "Destination /var/lib/jenkins not writable"}
Workaround with permissions 777
Errors about configuring users:
TASK [jenkins_master : configure CLI users appropriately] **********************
fatal: [default]: FAILED! => {"changed": false, "failed": true, "msg": "Roles not found - have you configured an admin using the Role-based Authorization Strategy?"}
Workaround with jenkins_security_enabled: false
Errors about plugins:
TASK [jenkins_master : install plugins] ****************************************
FAILED - RETRYING: TASK: jenkins_master : install plugins (3 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (2 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (1 retries left).
failed: [default] (item=build-name-setter) => {"attempts": 3, "details": "HTTP Error 403: Forbidden", "failed": true, "item": "build-name-setter", "msg": "Cannot get CSRF"}
FAILED - RETRYING: TASK: jenkins_master : install plugins (3 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (2 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (1 retries left).
failed: [default] (item=envinject) => {"attempts": 3, "details": "HTTP Error 403: Forbidden", "failed": true, "item": "envinject", "msg": "Cannot get CSRF"}
FAILED - RETRYING: TASK: jenkins_master : install plugins (3 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (2 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (1 retries left).
failed: [default] (item=greenballs) => {"attempts": 3, "details": "HTTP Error 403: Forbidden", "failed": true, "item": "greenballs", "msg": "Cannot get CSRF"}
FAILED - RETRYING: TASK: jenkins_master : install plugins (3 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (2 retries left).
FAILED - RETRYING: TASK: jenkins_master : install plugins (1 retries left).
failed: [default] (item=rebuild) => {"attempts": 3, "details": "HTTP Error 403: Forbidden", "failed": true, "item": "rebuild", "msg": "Cannot get CSRF"}
Create a method of running JJB on a configured git repository of jobs against configured Jenkins masters.
Update provisioning to work when a slave is running in Fedora.
Also, update Docker builds to support a Fedora-based image.
linchpin init as of right now in the master branch creates a subdirectory named inventories, yet cinchpin expects the directory to be named inventory.
There are a few places where jenkins-cli.jar is used in our work. These should be eliminated in favor of directly calling methods on the host's API, where applicable, or directly modifying configuration and other files where that is the preferred method.
When installing a Jenkins Master, some plugins are supposed to be installed, but they are not. Figure out why.
e.g. "Scriptler"
Now that linchpin supports postup and predestroy hooks as of the 1.0.0 release, we should try to use them. Here is an example of what hooks would look like in the linchpin PinFile:
cinch:
  topology: cinch.yml
  layout: cinch.yml
  hooks:
    postup:
      - name: cinchup
        type: shell
        context: false
        actions:
          - echo Running postup
          - ansible-playbook -i inventories/cinch.inventory /path/to/cinch/cinch/site.yml
    predestroy:
      - name: cinchdestroy
        type: shell
        context: false
        actions:
          - echo Running predestroy
          - ansible-playbook -i inventories/cinch.inventory /path/to/cinch/cinch/teardown.yml
Jenkins masters should have the following packages installed:
In RHEL and CentOS, this might require the RHOS repository to be activated.
Ensure that Jenkins Service User is properly created and has SSH keys generated.
Ensure Swarm User is properly created on Master with swarm password.
Currently, in order for a user to add a custom plugin to their installation, they either have to edit the local code of their default.txt file or they have to fully duplicate the default.txt file contents into a host_var/group_var override of the jenkins_plugins variable and then add the extra plugins they want.
We should make default.txt truly the default list, and then provide a (default empty) list of extra plugins that can be installed, so the user does not have to duplicate or completely override the default.txt values.
Create results and views in Jenkins Masters
Ensure that NTP is installed and operating on Jenkins masters
I've witnessed a case where the systemd swarm service started via Ansible, but later failed due to an authentication issue with the Jenkins master. In these cases we should watch the swarm service for some period of time to make sure it started successfully.
Create a method to raise the configured ulimits for a Jenkins master
Replace Apache SSL termination with Nginx for SSL termination.
After we upgrade to a version of linchpin that depends on Ansible >= 2.2.1 (currently we are pinned to >= 2.1), then the file cinch/library/jenkins_plugin.py should be dropped. The current version masks a buggy jenkins_plugin.py in Ansible 2.2.0 and absent from Ansible 2.1. Once we upgrade to 2.2.1 or later, we can drop the masking module.
Since updating plugins requires a Jenkins restart, this task would need to be created in a way to inform the user that a restart would occur, and implement the necessary safety measures/warnings for a production Jenkins master.
Right now, the output we get from Ansible is a big JSON blob that is not split on newlines, and is hard to read. Can we consider a way to split on newlines so that the output is easier to read? One implementation goes like so:
debug: var=service_swarm_err_output.stdout.split('\n')
Certainly this is not useful for all output, but should we spend some time to find a way to apply this globally?
Lots of Ansible warnings are now coming out about our "when" lines with the release of Ansible 2.3. Mostly these warnings are straightforward to squelch by simply removing the Jinja2 templates from the line. By default, all "when" lines in a play are evaluated as a Jinja 2 expression, so adding those template lines is both unnecessary and now generates a warning.
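The two task forms below are an added example, not code from cinch, showing the kind of "when" line the Ansible 2.3 warning is about and the bare-expression replacement. The task bodies and the variables jslave_name, rhos_repo_package and enable_rhos_repo are assumptions.

```yaml
# Added example, not cinch's own code. Task contents and variable names
# (jslave_name, rhos_repo_package, enable_rhos_repo) are assumptions.

# Before: the {{ }} delimiters are redundant and, from Ansible 2.3 on, make
# the play print a warning that when statements should not include Jinja2
# templating delimiters.
- name: start the swarm service when a slave name is configured
  service:
    name: swarm
    state: started
  when: "{{ jslave_name is defined }}"

# After: "when" is already evaluated as a Jinja2 expression, so the bare
# expression is all that is needed. Quote it only if YAML would otherwise
# misparse it (for example a value starting with a colon or a brace).
- name: start the swarm service when a slave name is configured
  service:
    name: swarm
    state: started
  when: jslave_name is defined

# Comparisons, filters and boolean variables follow the same rule; a list
# of conditions is ANDed together, which avoids long single-line expressions.
- name: install the OpenStack repository package on RHEL and CentOS only
  yum:
    name: "{{ rhos_repo_package }}"
    state: present
  when:
    - ansible_os_family == "RedHat"
    - enable_rhos_repo | bool
```

Removing the delimiters changes nothing about how the condition is evaluated; the warning exists because a quoted "{{ ... }}" is first rendered to a string and then evaluated again, which is the double evaluation the bare form avoids.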
In the check_ssh role, we must run the "verify that configured SSH private key is a file and has permissions of 0600" task and the "check for SSH connectivity and authentication" task on localhost. In 1e8ad1b the role was updated to be compliant with ansible-lint, but the removal of the local_action setting caused the check_ssh role to run remotely:
TASK [check_ssh : verify that configured SSH private key is a file and has permissions of 0600] ***
fatal: [10.8.180.33]: FAILED! => {"changed": false, "failed": true, "msg": "file (/home/vagrant/openstack-slave/keystore/mykey) is absent, cannot continue", "path": "/home/vagrant/openstack-slave/mykey", "state": "absent"}
I'm not sure why the remote host is used for this task (perhaps it's related to this ansible bug report), but I do know that we will need to revert the removal of local_action for now to ensure that the check_ssh role continues to work as expected.
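The tasks below are an added example, not cinch's check_ssh code, of keeping both checks on the control host with delegate_to, which ansible-lint accepts where it flags local_action. The variable ssh_private_key, the task bodies, and the use of ansible_user/ansible_host (with fallbacks) are assumptions.

```yaml
# Added example, not cinch's own code. ssh_private_key and the fallbacks for
# ansible_user/ansible_host are assumptions. Every task carries
# delegate_to: localhost so that the control host, where the key lives, runs
# it, and become: false so that the caller's own user and agent are used.
- name: verify that configured SSH private key is a file and has permissions of 0600
  stat:
    path: "{{ ssh_private_key }}"
  register: key_stat
  delegate_to: localhost
  become: false

# stat never fails on a missing path, so the mode and type must be checked
# explicitly. "or" short-circuits, so stat.isreg is only read when the
# file exists.
- name: fail unless the key is a regular file with mode 0600
  fail:
    msg: >-
      {{ ssh_private_key }} must be a regular file with mode 0600
      (found mode {{ key_stat.stat.mode | default('absent') }})
  when: not key_stat.stat.exists or not key_stat.stat.isreg or key_stat.stat.mode != '0600'
  delegate_to: localhost
  become: false

# BatchMode stops ssh from prompting, so a bad key or an unknown user fails
# fast instead of hanging the play. accept-new (OpenSSH 7.6+) records a host
# key on first contact but still refuses a host whose key has changed.
- name: check for SSH connectivity and authentication
  command: >-
    ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new
    -o ConnectTimeout=10 -i {{ ssh_private_key }}
    {{ ansible_user | default(lookup('env', 'USER')) }}@{{ ansible_host | default(inventory_hostname) }}
    true
  changed_when: false
  delegate_to: localhost
  become: false
```

delegate_to moves only the execution of the task; inventory facts such as inventory_hostname still refer to the slave being checked, which is what lets the connectivity task run once per target while the ssh binary and key stay on the control host.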
Personally I prefer a reverse proxy to deal with the fact that some webapps should not run on privileged ports. Production Jenkins servers will have an nginx reverse proxy, and in my personal opinion we should do the same for consistency. Note that this is a "consider" ticket and if anyone disagrees with my approach we can close this out after some discussion.
Provide a method for loading private files into arbitrary places on the destination host. This will allow things such as keytab files, corporate SSL certificate keys, and the like to be loaded in without needing to be a part of the public repository.
Running the development master environment on the CentOS 7 environments fails.
Steps to reproduce:
Expected results:
Master provision completes successfully
Actual results:
Provisioning errors on step "TASK [jenkins_master : run Jenkins global config] ******************************"
Running cinch a second time completes successfully. Perhaps there is a status somewhere in the service that hasn't come up fully yet?
Provide a mechanism to configure more than one Jenkins update center at a time.
Since we'll no longer need advanced functionality from iptables after moving to Nginx and we only use it as a firewall, I'd suggest moving the rules to firewalld for easier administration (adding new ports, etc.)