From e3116ead39508e9713a860ea59fb123c33d5854b Mon Sep 17 00:00:00 2001
From: "robert.tomczyk"
Date: Tue, 11 Aug 2020 13:18:11 +0100
Subject: [PATCH] ONAP jenkins build server image defintion for Nordix This image file for ONAP conatains: - Multiple Java versions: JDK8, JDK11 and JDK12 - Latest docker distribution - Default jenkins user set up Change-Id: I6a44128b213e0cc18866637949cbc9988ffd97e1
---
.../README.md | 15 ++
.../authorized_keys | 2 +
.../configure-image.sh | 139 ++++++++++++++++++
.../onap-build-ubuntu1804.json | 30 ++++
4 files changed, 186 insertions(+)
create mode 100644 infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/README.md
create mode 100644 infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/authorized_keys
create mode 100644 infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/configure-image.sh
create mode 100644 infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/onap-build-ubuntu1804.json
diff --git a/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/README.md b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/README.md
new file mode 100644
index 0000000..d9fb308
--- /dev/null
+++ b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/README.md
@@ -0,0 +1,15 @@
+## Description
+Packer files to create OpenStack base image for ONAP jenkins slave build server.
+Image is base on Ubuntu 18.04 OS with Java 8, Java 11 and Java 12 installed as ONAP projects has different Java build version requirements.
+
+## Steps To Run
+ 1. Source OpenStack RC file `source ` that points to **"Default Project 34201"** in Karlskrona region as this is where the build servers for Nordix are located. This will set up environment variables used by packer e.g. OS_USERNAME, OS_PASSWORD and OS_AUTH_URL.
+ 2. Run `packer build `
+
+
+This will create the image specified (image_name) onto the OpenStack (identity_endpoint). Modify packer parameters as required and add packages to be installed into the shell script. For more info see [Packer docs](https://www.packer.io/docs/builders/openstack)
+## Note
+### Image public key handling
+The public key for jenkins user will be injected by [OpenStack Cloud plugin](https://github.com/jenkinsci/openstack-cloud-plugin) and this key should be configured for the slave in Nordix Jenkins. There is also an option to inject they public key in the image using the file authorized_keys.packer. This file is used for injecting user keys into image during cloud-init phase for ssh access to the slaves for troubleshooting. If you want to have access to the slaves, please add your ssh public key in it.
+### Maven configuration handling
+The mvn configuration file (settings.xml) is not part of the ONAP build server image. The mvn settings.xml will be provided as part of the ONAP java verify jobs: [verify-jobs.sh](https://gerrit.nordix.org/gitweb?p=infra/cicd.git;a=blob;f=jjb/onap/verify-jobs.sh;hb=HEAD). If commitid is not provided for the settings.xml, the latest master version is used as default for backward compatibility for existing ONAP jobs.
\ No newline at end of file
diff --git a/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/authorized_keys b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/authorized_keys
new file mode 100644
index 0000000..bbb2cb9
--- /dev/null
+++ b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/authorized_keys
@@ -0,0 +1,2 @@
+# injected by packer
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyaLiCX2XAWjcUM8qL69s9IdLtbV/+wLV8UECiMVLot679tQtLJGF2inlaQA2MM77TbJ2CurA5pFfHzEQfbLiGoGrCwMOE0eQHRUVbMrjA1vXxW4jeA7owk13jfDahBKKS5S7SsiJLsfqRAUmdXKHkLwyIC5SQF4Yby/XjcmphwgtWzkDk4SMJJJNjsH3L8/hFKGACHD0k0TQwo8fLqJPO88o+T13JAr4rkioUo6dZZj5idJPDqF+IG2frBM9uMiKztUUrQq0IpT+bzzXuylRU0QsaaViRqS7s9TtrQ7VeakMvhlJ1J/Xje3VND9FruOt6boLhyRXh6kqg2pYVRuPF erobtom@hyperion
\ No newline at end of file
diff --git a/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/configure-image.sh b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/configure-image.sh
new file mode 100644
index 0000000..a59a7e2
--- /dev/null
+++ b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/configure-image.sh
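Review bot: The `ssh-rsa … erobtom@hyperion` entry bakes one person's key into every image built from this directory, and the cloud-init script written by configure-image.sh appends this file to the jenkins user's authorized_keys, an account the same script places in the `sudo` and `docker` groups with NOPASSWD sudo. Access granted this way can only be withdrawn by rebuilding the image and replacing the slaves already booted from it. Consider committing the file with only the `# injected by packer` line and letting whoever runs the build add troubleshooting keys locally, or at least restricting each entry with an authorized_keys option such as `from="<ALLOWED_SOURCE_PLACEHOLDER>"`.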
@@ -0,0 +1,139 @@
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+set -o nounset
+set -o errexit
+set -o pipefail
+#set -o xtrace
+DPKG_LOCK="/var/lib/dpkg/lock-frontend"
+
+# Wait for other apt process to finish by checking the dpkg lock file.
+try=0
+while sudo lsof ${DPKG_LOCK} >/dev/null 2>&1; do
+ echo "DPKG file locked: ${DPKG_LOCK}."
+ echo " Waiting for another pkg instalaltion process to finish ..."
+ sleep 10
+ if [[ ${try} -gt 60 ]]; then
+ echo "ERROR: Max number of re-tries reached, exiting..."
+ exit 1
+ fi
+ try=$((try + 1))
+done
+
+# list of basic packages to install
+PKG_LIST=(
+ apt-utils
+ apt-transport-https
+ ca-certificates
+ gnupg-agent
+ software-properties-common
+ git
+ vim
+ curl
+ wget
+ zip
+ unzip
+ chrony
+ curl
+ jq
+ docker-ce
+ docker-ce-cli
+ containerd.io
+ openjdk-8-jre
+ openjdk-8-jdk
+)
+# we need apt to proceed without any prompt asking for user input
+export DEBIAN_FRONTEND=noninteractive
+
+echo "Info : Install packages"
+# update packages to their latest
+sudo -H -E apt update
+sudo -H -E apt upgrade -y -q=3
+
+# install packages
+sudo apt remove -y docker docker-engine docker.io containerd runc
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+sudo apt-get update
+sudo -H -E apt -y -q=3 --no-install-recommends install "${PKG_LIST[@]}"
+
+# Enable and start docker
+docker --version
+sudo systemctl enable docker
+sudo systemctl start docker
+
+# install command-line YAML processor from Snappy
+sudo snap install yq
+
+# remove unnecessary packages
+sudo -H -E apt autoremove -y
+
+echo "Info : Install additional Java version"
+# INSTALL additional Java 11 and 12 while keep pointing alternatives to JDK8
+sudo cp -R /etc/alternatives /etc/keep-alternatives
+sudo add-apt-repository -y ppa:openjdk-r/ppa
+sudo apt-get update
+sudo -H -E apt -y -q=3 install \
+ openjdk-11-jdk \
+ openjdk-12-jdk
+sudo rm -rf /etc/alternatives
+sudo mv /etc/keep-alternatives /etc/alternatives
+java -version
+
+echo "Info : Enable time sync"
+# ensure time sync is setup
+sudo systemctl enable chrony --now
+sudo chronyc -a 'burst 4/4' && sudo chronyc -a makestep
+
+echo "Info : Create and configure jenkins user"
+# create and configure jenkins user
+sudo useradd -G sudo,docker -d /home/jenkins -m -c "jenkins user" -s /bin/bash jenkins
+sudo mkdir -p /home/jenkins/nordix/slave_root
+sudo chown -R jenkins:jenkins /home/jenkins/nordix/slave_root
+sudo chmod -R 755 /home/jenkins/nordix/slave_root
+
+# Modify sudoers - disable env_reset, !requiretty and passwordless sudo
+sudo sed -i "s/^Defaults.*env_reset/#&\nDefaults:jenkins \!requiretty/" /etc/sudoers
+sudo sed -i "s/^%sudo.*ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/" /etc/sudoers
+
+# Disable ssh password login, enable ssh with keys for jenkins user
+sudo bash -c "echo PasswordAuthentication no >> /etc/ssh/sshd_config"
+sudo bash -c "echo PubkeyAuthentication yes >> /etc/ssh/sshd_config"
+sudo bash -c "echo AllowUsers jenkins >> /etc/ssh/sshd_config"
+sudo systemctl restart sshd
+
+echo "Info : Create cloud-init script"
+# get cloud-init script in place so we can place the keys into ~jenkins/.ssh
+sudo bash -c 'cat << EOF > /var/lib/cloud/scripts/per-instance/copykeystojenkins.sh
+#!/bin/bash
+sudo mkdir -p /home/jenkins/.ssh
+# append ssh key injected by openstack to authorized_keys
+sudo cat /home/ubuntu/.ssh/authorized_keys >> /home/jenkins/.ssh/authorized_keys
+# append user ssh public keys uploaded by packer to authorized_keys
+sudo cat /home/ubuntu/authorized_keys.packer >> /home/jenkins/.ssh/authorized_keys
+# remove /home/ubuntu/authorized_keys.packer
+sudo rm -f /home/jenkins/authorized_keys.packer
+sudo chown -R jenkins:jenkins /home/jenkins/.ssh
+sudo chmod -R go-rwx /home/jenkins/.ssh
+sudo userdel -f -r ubuntu
+EOF'
+
+sudo chmod +x /var/lib/cloud/scripts/per-instance/copykeystojenkins.sh
diff --git a/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/onap-build-ubuntu1804.json b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/onap-build-ubuntu1804.json
new file mode 100644
index 0000000..53e8117
--- /dev/null
+++ b/infra/jenkins/slave-setup/nordix-onap-jenkins-build-server/onap-build-ubuntu1804.json
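Review bot: The three `echo … >> /etc/ssh/sshd_config` lines only append, and sshd keeps the first value it reads for each keyword, so if the base image's file already carries an uncommented `PasswordAuthentication yes` further up, password login stays enabled despite the new line. Remove existing directives before appending, e.g. `sudo sed -i -E '/^[[:space:]]*(PasswordAuthentication|PubkeyAuthentication)[[:space:]]/d' /etc/ssh/sshd_config`, and run `sudo sshd -t` before `systemctl restart sshd`. The two `sed -i` edits of `/etc/sudoers` just above are likewise unvalidated (`sudo visudo -c` would catch a broken file), and commenting out `Defaults env_reset` does not disable it because env_reset is on by default; the effective change is passwordless sudo for the whole `%sudo` group. In the generated cloud-init script, `sudo rm -f /home/jenkins/authorized_keys.packer` does not match the `/home/ubuntu/authorized_keys.packer` path named in its own comment and read on the line before it.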
@@ -0,0 +1,30 @@
+{
+ "builders": [
+ {
+ "type": "openstack",
+ "image_name": "onap-build-ubuntu1804",
+ "region": "Kna1",
+ "domain_name": "CCP_Domain_34201",
+ "identity_endpoint": "https://kna1.citycloud.com:5000",
+ "ssh_username": "ubuntu",
+ "security_groups": "infra-ssh-ext",
+ "source_image_name": "Ubuntu 18.04 Bionic Beaver",
+ "flavor": "2C-4GB-50GB",
+ "networks": [
+ "e310fab3-cfef-4107-b40e-791e9c01903d"
+ ],
+ "floating_ip_network": "ext-net"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "file",
+ "source": "authorized_keys",
+ "destination": "/home/ubuntu/authorized_keys.packer"
+ },
+ {
+ "script": "configure-image.sh",
+ "type": "shell"
+ }
+ ]
+}
-- 2.25.1
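Review bot: `"source_image_name": "Ubuntu 18.04 Bionic Beaver"` selects the base image by display name, so the build starts from whatever image carries that name in the project at build time, and two builds of the same commit can end up on different bases. For a build-server image it is worth pinning the base by ID, `"source_image": "<BASE_IMAGE_UUID_PLACEHOLDER>"`, and recording that ID alongside the resulting image so the provenance of each slave image can be checked later.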