From: Fatih Degirmenci
Date: Fri, 2 Oct 2020 09:37:20 +0000 (+0000)
Subject: Create packer template for Eiffel build servers
X-Git-Url: https://gerrit.nordix.org/gitweb?a=commitdiff_plain;h=80b67464d4b0b4170c616e0c85e9558c931d38a3;hp=e3116ead39508e9713a860ea59fb123c33d5854b;p=infra%2Ftools.git

Create packer template for Eiffel build servers

This change created packer template to use for instantiating build nodes from OpenStack on Nordix Jenkins. The major difference between the other/existing templates and this one is the installation and configuration of podman. This is done in order to utilize docker hub proxy setup on Nordix Harbor. The build server is created using Ubuntu 20.04 in order to use fuse-overlayfs and rootless podman. README.md and configure-image-ubuntu2004.sh have more details.

Change-Id: I0e4f0e78f6e97f16f623519a94c21017a91177ce
---
diff --git a/infra/jenkins/slave-setup/eiffel-build-server/README.md b/infra/jenkins/slave-setup/eiffel-build-server/README.md
new file mode 100644
index 0000000..f65429f
--- /dev/null
+++ b/infra/jenkins/slave-setup/eiffel-build-server/README.md
@@ -0,0 +1,20 @@
+The packer file and corresponding script in this folder are used
+for building Eiffel projects on Nordix Jenkins.
+Nordix Jenkins.
+
+The packer file is specific to City Cloud Karlskrona region since
+it contains the Karlskrona region endpoint and UUID of the network
+created there. For other regions or clouds, a similar file needs
+to be created. The actual script that is executed by packer on
+provisioned temporary instances should work on any Ubuntu2004
+regardless of cloud and region.
+
+Eiffel projects build container images and the script
+configure-image-ubuntu2004.sh installs and configures podman so
+the proxy for Docker Hub setup on Nordix Container Image Registry
+can be utilized.
+
+A final note is that the file authorized_keys.packer is used for
+injecting user keys into image during cloud-init phase for ssh
+access to the slaves for troubleshooting. If you want to have
+access to the slaves, please add your ssh public key in it.
diff --git a/infra/jenkins/slave-setup/eiffel-build-server/authorized_keys b/infra/jenkins/slave-setup/eiffel-build-server/authorized_keys
new file mode 100644
index 0000000..f835e17
--- /dev/null
+++ b/infra/jenkins/slave-setup/eiffel-build-server/authorized_keys
@@ -0,0 +1,4 @@
+# injected by packer
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZt9Ge7X3ZT/bMnYRS/zaHrM94zp+dlWH5k4LdeCpMQu9PjI3VbOqCDgemaKgKVapKRpk6etu9+Sy+P4aWnRXZsAGHEmfSwcfVaRZ2LnEUKKwbvJ8SaaSopdhkfgNV5ztkh7E+3wHIEp+fsSIC/LRXGPvcbkfNlZko96Ihz4BW0ezaeF3ikINtHb9r/cV4zNONE5NJoNkjAAE7chAiaZ+tyca4Nonb8UsCWxHofjxWNAGsC9tyuIOYIBAdXQI8kpS7VarEHK2WyOmPxNPuJqy6yQ/MYpgkg1tY5x7XsKa/O0DNl5kdH3R3ECqQ7H+AHrL5UK0l87BFan6O9xJTpb0p jenkins
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArXQug0RDmcbEWKcVnTbffD8jAgzm/lVhwG+Qdlz6iZZwEyLSU4nq6ymo2ukG7xTC8yBv5T0rjTtjQollFPc6CcM4I8aPnr8adI3ajDEseI4k/9bjr8+YrnXzLEszsoeYqCEqXz8gm1tbV1MMtxN3w7IUEdekAslFeMpJ8fEzFj8Ii5IiIGVJtz2mKdhReJEmqkW0u0UBQbg8L8n4YLj2wuW4V6hkDS/p96DJeBXb/wgB4u2bRWRFB45wlHyuVImeLxlMJTvWc6G1U7B7s/mcBLFX2Fis8brvMZDMiNPaUwWfYIJN+m2wzHhx0SkeboO6Svvcn7qe2qzgnDMOEUVQjQ== fdegir
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuEIMUpo5XvG4ZI7R7EJCikN3bDD9fbYsohyvDsOLseyfBtCauK01KELDc0H+H9j2m+icBUGBmHoQeOpVFKE0jW6Y/3qDTl5UoYV9708BMCtj9j0N7CrwrBwkLbIVIWGkf0jC5HEip9/04PE/4GSiB2ORim6I1RjOiASB52FCO+J4rc6LiQbFL+RRiimcRajwuWR4msLpr+c/S2u3mnbSnityQJc0wCR/xZWS5poOuvF4oJ5vx3Vr8RspKxyN4ooLQYXEjVjWxYb7U3PUZ7Gbiu5hiMwm+X9qyit9RmE5f27vNoqssdSdfHQ5K84txbcfRDQ19bMO2gRA+IA0xEVgZ root@esy52-afrelalto-nfs
diff --git a/infra/jenkins/slave-setup/eiffel-build-server/cloud-infra-base-city-kna-ubuntu2004.json b/infra/jenkins/slave-setup/eiffel-build-server/cloud-infra-base-city-kna-ubuntu2004.json
new file mode 100644
index 0000000..a480692
--- /dev/null
+++ b/infra/jenkins/slave-setup/eiffel-build-server/cloud-infra-base-city-kna-ubuntu2004.json
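Review bot: The third key is identified only by its comment `root@esy52-afrelalto-nfs`, which records the host that generated it but not who controls it or why it needs access; since configure-instance.sh appends every line of this file to the jenkins user's authorized_keys and that user is given passwordless sudo, each entry here is effectively a root credential on every build node. A comment line above each key naming the owner, purpose and date added (for example `# <owner> - troubleshooting access, added <YYYY-MM-DD>`) would make later review and removal straightforward. The README already invites people to add their keys here, so stating that convention next to `# injected by packer` is the natural place for it.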
@@ -0,0 +1,37 @@
+{
+ "builders": [
+ {
+ "type": "openstack",
+ "identity_endpoint": "https://identity1.citycloud.com:5000/v3/",
+ "image_name": "eiffel-build-ubuntu2004",
+ "ssh_username": "ubuntu",
+ "source_image_name": "Ubuntu 20.04 Focal Fossa 20200423",
+ "flavor": "2C-4GB-50GB",
+ "networks": [
+ "e310fab3-cfef-4107-b40e-791e9c01903d"
+ ],
+ "floating_ip_network": "ext-net"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "file",
+ "source": "authorized_keys",
+ "destination": "/home/ubuntu/authorized_keys.packer"
+ },
+ {
+ "type": "file",
+ "source": "podman_registries.conf",
+ "destination": "/home/ubuntu/podman_registries.conf.packer"
+ },
+ {
+ "type": "file",
+ "source": "podman_storage.conf",
+ "destination": "/home/ubuntu/podman_storage.conf.packer"
+ },
+ {
+ "script": "configure-image-ubuntu2004.sh",
+ "type": "shell"
+ }
+ ]
+}
diff --git a/infra/jenkins/slave-setup/eiffel-build-server/configure-image-ubuntu2004.sh b/infra/jenkins/slave-setup/eiffel-build-server/configure-image-ubuntu2004.sh
new file mode 100644
index 0000000..02affc9
--- /dev/null
+++ b/infra/jenkins/slave-setup/eiffel-build-server/configure-image-ubuntu2004.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -o nounset
+set -o pipefail
+
+# ensure apt is not running before proceeding with the rest
+echo "Info : Wait for completion of an existing apt process before proceeding..."
+while true; do
+ pkg_mgr_process=$(pgrep -f apt | cat)
+ if [[ -n $pkg_mgr_process ]]; then
+ sleep 10
+ else
+ break
+ fi
+done
+echo "Info : apt process done. Continuing..."
+
+# list of basic packages to install
+PKG_LIST=(
+ apt-utils
+ apt-transport-https
+ ca-certificates
+ gnupg-agent
+ software-properties-common
+ git
+ vim
+ curl
+ wget
+ chrony
+ openjdk-11-jre-headless
+)
+
+# we need apt to proceed without any prompt asking for user input
+export DEBIAN_FRONTEND=noninteractive
+
+echo "Info : Install packages"
+# update packages to their latest
+sudo -H -E apt update
+sudo -H -E apt upgrade -y -q=3
+
+# install packages
+sudo -H -E apt -y -q=3 install ${PKG_LIST[@]}
+
+# remove unnecessary packages
+sudo -H -E apt autoremove -y
+
+echo "Info : Enable time sync"
+# ensure time sync is setup
+sudo systemctl enable chrony --now
+sudo chronyc -a 'burst 4/4' && sudo chronyc -a makestep
+
+echo "Info : Enable nested virtualization"
+# enable nested virtualization
+sudo bash -c 'cat << EOF > /etc/modprobe.d/qemu-system-x86.conf
+options kvm-intel nested=y enable_apicv=n
+EOF'
+sudo modprobe -r kvm_intel kvm
+sudo modprobe -a kvm_intel kvm
+sudo lsmod | grep kvm_intel
+sudo cat /sys/module/kvm_intel/parameters/nested
+
+echo "Info : Create and configure jenkins user"
+# create and configure jenkins user
+sudo useradd -G sudo -d /home/jenkins -m -c "jenkins user" -s /bin/bash jenkins
+sudo mkdir -p /home/jenkins/nordix/slave_root
+sudo chown -R jenkins:jenkins /home/jenkins/nordix
+sudo chmod -R 755 /home/jenkins/nordix/slave_root
+
+# modify sudoers - disable env_reset, !requiretty and passwordless sudo
+sudo sed -i "s/^Defaults.*env_reset/#&\nDefaults:jenkins \!requiretty/" /etc/sudoers
+sudo sed -i "s/^%sudo.*ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/" /etc/sudoers
+
+# disable ssh password login, enable ssh with keys for jenkins user
+sudo bash -c "echo PasswordAuthentication no >> /etc/ssh/sshd_config"
+sudo bash -c "echo PubkeyAuthentication yes >> /etc/ssh/sshd_config"
+sudo bash -c "echo AllowUsers jenkins >> /etc/ssh/sshd_config"
+sudo systemctl restart sshd
+
+echo "Info : Install and configure podman"
+# install and configure podman
+. /etc/os-release
+echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
+curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
+sudo apt-get update
+sudo apt-get -y upgrade
+sudo apt-get -y install podman fuse-overlayfs
+
+echo "Info : Create cloud-init script"
+# get cloud-init script in place so we can place the required files in place during cloud-init phase
+sudo bash -c 'cat << EOF > /var/lib/cloud/scripts/per-instance/configure-instance.sh
+#!/bin/bash
+sudo mkdir -p /home/jenkins/.ssh
+# append ssh key injected by openstack to authorized_keys
+sudo cat /home/ubuntu/.ssh/authorized_keys >> /home/jenkins/.ssh/authorized_keys
+# append user ssh public keys uploaded by packer to authorized_keys
+sudo cat /home/ubuntu/authorized_keys.packer >> /home/jenkins/.ssh/authorized_keys
+
+# create podman configuration
+sudo mkdir -p /home/jenkins/.config/containers
+sudo mv /home/ubuntu/podman_registries.conf.packer /home/jenkins/.config/containers/registries.conf
+sudo mv /home/ubuntu/podman_storage.conf.packer /home/jenkins/.config/containers/storage.conf
+sudo chown -R jenkins:jenkins /home/jenkins/.config
+sudo chmod -R go-rwx /home/jenkins/.config
+
+# remove /home/ubuntu/authorized_keys.packer
+sudo rm -f /home/jenkins/authorized_keys.packer
+sudo chown -R jenkins:jenkins /home/jenkins/.ssh
+sudo chmod -R go-rwx /home/jenkins/.ssh
+
+# remove ubuntu user
+sudo userdel -f -r ubuntu
+EOF'
+
+sudo chmod +x /var/lib/cloud/scripts/per-instance/configure-instance.sh
diff --git a/infra/jenkins/slave-setup/eiffel-build-server/podman_registries.conf b/infra/jenkins/slave-setup/eiffel-build-server/podman_registries.conf
new file mode 100644
index 0000000..aa2bee7
--- /dev/null
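Review bot: The two `sed -i` edits of `/etc/sudoers` (under `# modify sudoers`) run without any syntax check, so a pattern that stops matching on a newer base image silently leaves sudo unchanged, while a bad substitution would break sudo on every node built from the image; a drop-in under `/etc/sudoers.d/` checked with `visudo -cf` is safer and also confines NOPASSWD to jenkins rather than the whole `%sudo` group (if the `!env_reset` effect of the first sed is really needed by jobs, `Defaults:jenkins !env_reset` in the same drop-in keeps that per-user too). In the same spirit, `curl … | sudo apt-key add -` places the kubic repository key in the global apt trust store where it can vouch for any repository; storing it in a dedicated keyring and referencing it with `[signed-by=…]` in the `.list` line limits it to that one source. The appended `PasswordAuthentication no` and `AllowUsers jenkins` lines only take effect if nothing earlier in sshd_config, including files pulled in by its `Include` directive, already sets those keywords, because sshd keeps the first value it reads — `sudo sshd -T | grep -Ei 'passwordauthentication|allowusers'` after the restart would confirm the effective values. Finally, in the cloud-init script the comment says `# remove /home/ubuntu/authorized_keys.packer` but the command is `sudo rm -f /home/jenkins/authorized_keys.packer`, a path that never exists; this is masked by the later `userdel -r ubuntu`, but the path should match the comment so the intent is clear.
```bash
# … unchanged: license header, apt wait loop, package install, chrony, nested virt, jenkins user …
# passwordless sudo for jenkins only, via a validated drop-in instead of sed on /etc/sudoers
sudo bash -c 'cat << EOF > /etc/sudoers.d/jenkins
Defaults:jenkins !requiretty
jenkins ALL=(ALL:ALL) NOPASSWD: ALL
EOF'
sudo chmod 0440 /etc/sudoers.d/jenkins
sudo visudo -cf /etc/sudoers.d/jenkins
# … unchanged: sshd_config edits …
# scope the kubic repository key to its own source instead of the global apt trust store
# (keyring path below is an example; pick one under /usr/share/keyrings)
curl -fsSL "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key" \
  | gpg --dearmor | sudo tee /usr/share/keyrings/kubic-libcontainers.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/kubic-libcontainers.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" \
  | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
# … unchanged: apt-get update/upgrade/install, cloud-init script …
```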
+++ b/infra/jenkins/slave-setup/eiffel-build-server/podman_registries.conf
@@ -0,0 +1,6 @@
+unqualified-search-registries = ["docker.io"]
+
+[[registry]]
+prefix = "docker.io"
+location = "registry.nordix.org/docker-hub-proxy"
+insecure = false
diff --git a/infra/jenkins/slave-setup/eiffel-build-server/podman_storage.conf b/infra/jenkins/slave-setup/eiffel-build-server/podman_storage.conf
new file mode 100644
index 0000000..3b799b1
--- /dev/null
+++ b/infra/jenkins/slave-setup/eiffel-build-server/podman_storage.conf
@@ -0,0 +1,6 @@
+[storage]
+ driver = "overlay"
+ runroot = "/home/$USER/.local/share/containers/run/user/$(id -u)"
+ graphroot = "/home/$USER/.local/share/containers/storage"
+ [storage.options]
+ mount_program = "/usr/bin/fuse-overlayfs"
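Review bot: `$USER` and `$(id -u)` in `runroot` and `graphroot` are literal string contents to a TOML parser — TOML has no interpolation — so whether they resolve depends entirely on containers/storage expanding them, and `$(id -u)` is shell command substitution that no environment-variable expansion will turn into a uid; on the built image, `podman info --format '{{.Store.GraphRoot}}'` run as jenkins should be checked to confirm the path does not come out as the literal `/home/$USER/...`. Since configure-instance.sh installs this file only into the jenkins user's `~/.config/containers/`, the concrete value `graphroot = "/home/jenkins/.local/share/containers/storage"` removes the doubt, and `runroot` could be dropped so rootless podman uses its own per-user default (verify on the image). As a point of style, the indented keys under `[storage]` and the indented `[storage.options]` header are valid but unidiomatic TOML; keys at column 0 with a blank line before the sub-table header read as intended.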