From 00d939195842e1a5af4dcfd36847e621b35baa20 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 15 May 2013 16:03:05 -0700
Subject: [PATCH] Add jenkins dev slaves. Allow them to use an ssh key distinct from production. Clean up unused slave classes. Use dedicated keys on dev slaves (do this in prod in the future, but it's a breaking change). Add a dev_slave_template class for devstack-gate to use. Remove devstack-gate deps from jenkins master (they're on devstack-launch now). Clean up unneeded remove statements for glance creds. Tidy up some permissions on files where they weren't specified before.
Change-Id: I02cef1ee3951c5780084118073770521bebb9eda
Reviewed-on: https://review.openstack.org/29319
Reviewed-by: Jeremy Stanley
Reviewed-by: Clark Boylan
Approved: Clark Boylan
Tested-by: Jenkins
---
 manifests/site.pp | 103 ++++--------------
 modules/jenkins/manifests/master.pp | 67 ++++++------
 .../manifests/dev_slave_template.pp | 16 +++
 modules/openstack_project/manifests/init.pp | 2 +
 .../openstack_project/manifests/jenkins.pp | 8 ++
 .../manifests/jenkins_dev.pp | 15 ++-
 modules/openstack_project/manifests/slave.pp | 11 +-
 7 files changed, 101 insertions(+), 121 deletions(-)
 create mode 100644 modules/openstack_project/manifests/dev_slave_template.pp
diff --git a/manifests/site.pp b/manifests/site.pp
index aab57290ab..4e4bdb1e18 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -70,6 +70,7 @@ node 'review-dev.openstack.org' {
 node 'jenkins.openstack.org' {
 class { 'openstack_project::jenkins':
 jenkins_jobs_password => hiera('jenkins_jobs_password'),
+ jenkins_ssh_private_key => hiera('jenkins_ssh_private_key_contents'),
 ssl_cert_file_contents => hiera('jenkins_ssl_cert_file_contents'),
 ssl_key_file_contents => hiera('jenkins_ssl_key_file_contents'),
 ssl_chain_file_contents => hiera('jenkins_ssl_chain_file_contents'),
@@ -79,7 +80,8 @@ node 'jenkins.openstack.org' {
 node 'jenkins-dev.openstack.org' {
 class { 'openstack_project::jenkins_dev':
- sysadmins => hiera('sysadmins'),
+ jenkins_ssh_private_key => hiera('jenkins_dev_ssh_private_key_contents'),
+ sysadmins => hiera('sysadmins'),
 }
 }
@@ -256,6 +258,11 @@ node /^.*\.template\.openstack\.org$/ {
 include openstack_project::slave_template
 }
+# A bare machine, but with a jenkins user
+node /^.*dev-.*\.template\.openstack\.org$/ {
+ include openstack_project::dev_slave_template
+}
+
 # A backup machine. Don't run cron or puppet agent on it.
 node /^ci-backup-.*\.openstack\.org$/ {
 include openstack_project::backup_server
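Review bot: The node pattern `/^.*dev-.*\.template\.openstack\.org$/` added in the second site.pp hunk on this line is a subset of the existing `/^.*\.template\.openstack\.org$/` directly above it, so every dev template hostname matches both definitions. As far as I know Puppet does not guarantee which of several matching regex nodes is used, so a dev image could be built from `slave_template` rather than `dev_slave_template` and end up with the wrong key authorised (what `slave_template` installs is not visible in this diff). Make the two patterns disjoint, for example by tightening the existing one to `node /^(?!.*dev-).*\.template\.openstack\.org$/ {`, or give dev templates a distinct domain suffix.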
@@ -299,114 +306,44 @@ node 'pypi.slave.openstack.org' {
 }
 }
-node /^quantal.*\.slave\.openstack\.org$/ {
- include openstack_project::puppet_cron
- class { 'openstack_project::slave':
- certname => 'quantal.slave.openstack.org',
- sysadmins => hiera('sysadmins'),
- }
- file { '/home/jenkins/.config/glance':
- ensure => absent,
- force => true,
- recurse => true,
- }
- include jenkins::cgroups
- include ulimit
- ulimit::conf { 'limit_jenkins_procs':
- limit_domain => 'jenkins',
- limit_type => 'hard',
- limit_item => 'nproc',
- limit_value => '256'
- }
-}
-
-node /^precise.*\.slave\.openstack\.org$/ {
+node /^precise-?\d+.*\.slave\.openstack\.org$/ {
+ include openstack_project
 include openstack_project::puppet_cron
 class { 'openstack_project::slave':
 certname => 'precise.slave.openstack.org',
+ ssh_key => $openstack_project::jenkins_ssh_key,
 sysadmins => hiera('sysadmins'),
 }
- file { '/home/jenkins/.config/glance':
- ensure => absent,
- force => true,
- recurse => true,
- }
- include jenkins::cgroups
- include ulimit
- ulimit::conf { 'limit_jenkins_procs':
- limit_domain => 'jenkins',
- limit_type => 'hard',
- limit_item => 'nproc',
- limit_value => '256'
- }
 }
-node /^oneiric.*\.slave\.openstack\.org$/ {
+node /^precise-dev\d+.*\.slave\.openstack\.org$/ {
+ include openstack_project
 include openstack_project::puppet_cron
 class { 'openstack_project::slave':
- certname => 'oneiric.slave.openstack.org',
+ ssh_key => $openstack_project::jenkins_dev_ssh_key,
 sysadmins => hiera('sysadmins'),
 }
- file { '/home/jenkins/.config/glance':
- ensure => absent,
- force => true,
- recurse => true,
- }
- include jenkins::cgroups
- include ulimit
- ulimit::conf { 'limit_jenkins_procs':
- limit_domain => 'jenkins',
- limit_type => 'hard',
- limit_item => 'nproc',
- limit_value => '256'
- }
 }
-
-node /^centos6.*\.slave\.openstack\.org$/ {
+node /^centos6-?\d+\.slave\.openstack\.org$/ {
+ include openstack_project
 include openstack_project::puppet_cron
 class { 'openstack_project::slave':
 certname => 'centos6.slave.openstack.org',
+ ssh_key => $openstack_project::jenkins_ssh_key,
 sysadmins => hiera('sysadmins'),
 }
- file { '/home/jenkins/.config/glance':
- ensure => absent,
- force => true,
- recurse => true,
- }
- include jenkins::cgroups
- include ulimit
- ulimit::conf { 'limit_jenkins_procs':
- limit_domain => 'jenkins',
- limit_type => 'hard',
- limit_item => 'nproc',
- limit_value => '256'
- }
 }
-
-node /^rhel6.*\.slave\.openstack\.org$/ {
+node /^centos6-dev\d+\.slave\.openstack\.org$/ {
+ include openstack_project
 include openstack_project::puppet_cron
 class { 'openstack_project::slave':
- certname => 'rhel6.slave.openstack.org',
+ ssh_key => $openstack_project::jenkins_dev_ssh_key,
 sysadmins => hiera('sysadmins'),
 }
- file { '/home/jenkins/.config/glance':
- ensure => absent,
- force => true,
- recurse => true,
- }
- include jenkins::cgroups
- include ulimit
- ulimit::conf { 'limit_jenkins_procs':
- limit_domain => 'jenkins',
- limit_type => 'hard',
- limit_item => 'nproc',
- limit_value => '256'
- }
 }
-
 node /^.*\.jclouds\.openstack\.org$/ {
 class { 'openstack_project::bare_slave':
 certname => 'jclouds.openstack.org',
diff --git a/modules/jenkins/manifests/master.pp b/modules/jenkins/manifests/master.pp
index 145d404845..09ecd11c34 100644
--- a/modules/jenkins/manifests/master.pp
+++ b/modules/jenkins/manifests/master.pp
@@ -10,6 +10,8 @@ class jenkins::master(
 $ssl_cert_file_contents = '', # If left empty puppet will not create file.
 $ssl_key_file_contents = '', # If left empty puppet will not create file.
 $ssl_chain_file_contents = '', # If left empty puppet will not create file.
+ $jenkins_ssh_private_key = '',
+ $jenkins_ssh_public_key = '',
 ) {
 include pip
 include apt
@@ -89,42 +91,11 @@ class jenkins::master(
 ensure => present,
 }
- # devstack-gate
- if ! defined(Package['python-jenkins']) {
- package { 'python-jenkins':
- ensure => present,
- }
- }
-
 package { 'jenkins':
 ensure => present,
 require => Apt::Source['jenkins'],
 }
- package { 'apache-libcloud':
- ensure => present,
- provider => pip,
- require => Class[pip],
- }
-
- package { 'git-review':
- ensure => '1.18',
- provider => pip,
- require => Class[pip],
- }
-
- package { 'tox':
- ensure => latest, # okay to use latest for pip
- provider => pip,
- require => Class[pip],
- }
-
- package { 'statsd':
- ensure => latest, # okay to use latest for pip
- provider => pip,
- require => Class[pip],
- }
-
 exec { 'update apt cache':
 subscribe => File['/etc/apt/sources.list.d/jenkins.list'],
 refreshonly => true,
@@ -139,6 +110,32 @@ class jenkins::master(
 require => Package['jenkins'],
 }
+ file { '/var/lib/jenkins/.ssh/':
+ ensure => directory,
+ owner => 'jenkins',
+ group => 'nogroup',
+ mode => '0700',
+ require => File['/var/lib/jenkins'],
+ }
+
+ file { '/var/lib/jenkins/.ssh/id_rsa':
+ owner => 'jenkins',
+ group => 'nogroup',
+ mode => '0600',
+ content => $jenkins_ssh_private_key,
+ replace => true,
+ require => File['/var/lib/jenkins/.ssh/'],
+ }
+
+ file { '/var/lib/jenkins/.ssh/id_rsa.pub':
+ owner => 'jenkins',
+ group => 'nogroup',
+ mode => '0644',
+ content => $jenkins_ssh_public_key,
+ replace => true,
+ require => File['/var/lib/jenkins/.ssh/'],
+ }
+
 file { '/var/lib/jenkins/plugins':
 ensure => directory,
 owner => 'jenkins',
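Review bot: The `id_rsa` and `id_rsa.pub` resources added to jenkins::master in the last hunk on this line are managed unconditionally, while both new parameters default to `''`. A caller that omits them gets zero-length key files written over whatever was in `/var/lib/jenkins/.ssh/`, unlike the neighbouring ssl_*_contents parameters, which are commented as skipped when empty. Wrap each resource in a guard such as `if $jenkins_ssh_private_key != '' { ... }`, and do the same for the public key. The private key is also delivered as plain `content`, so a change to it can be echoed as a file diff into agent logs and reports; adding `show_diff => false` to the `id_rsa` resource avoids that where the Puppet version in use supports the attribute. The class body continues outside the hunk.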
@@ -156,24 +153,32 @@ class jenkins::master(
 file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.css':
 ensure => present,
+ owner => 'jenkins',
+ group => 'nogroup',
 source => 'puppet:///modules/jenkins/openstack.css',
 require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
 }
 file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.js':
 ensure => present,
+ owner => 'jenkins',
+ group => 'nogroup',
 content => template('jenkins/openstack.js.erb'),
 require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
 }
 file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack-page-bkg.jpg':
 ensure => present,
+ owner => 'jenkins',
+ group => 'nogroup',
 source => 'puppet:///modules/jenkins/openstack-page-bkg.jpg',
 require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
 }
 file { '/var/lib/jenkins/plugins/simple-theme-plugin/title.png':
 ensure => present,
+ owner => 'jenkins',
+ group => 'nogroup',
 source => "puppet:///modules/jenkins/${logo}",
 require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
 }
diff --git a/modules/openstack_project/manifests/dev_slave_template.pp b/modules/openstack_project/manifests/dev_slave_template.pp
new file mode 100644
index 0000000000..f67ad234e8
--- /dev/null
+++ b/modules/openstack_project/manifests/dev_slave_template.pp
@@ -0,0 +1,16 @@
+# == Class: openstack_project::dev_slave_template
+#
+class openstack_project::dev_slave_template (
+ $install_users = true,
+ $ssh_key = $openstack_project::jenkins_dev_ssh_key
+) inherits openstack_project {
+ class { 'openstack_project::template':
+ iptables_public_tcp_ports => [],
+ install_users => $install_users,
+ }
+ class { 'jenkins::slave':
+ ssh_key => $ssh_key,
+ sudo => true,
+ bare => true,
+ }
+}
diff --git a/modules/openstack_project/manifests/init.pp b/modules/openstack_project/manifests/init.pp
index bbeaa85648..c48873c7bf 100644
--- a/modules/openstack_project/manifests/init.pp
+++ b/modules/openstack_project/manifests/init.pp
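Review bot: The header of the new `openstack_project::dev_slave_template` class is empty, so nothing records that it authorises the dev Jenkins key on an account declared with `sudo => true` and opens no public TCP ports. I would add a comment under the `# == Class:` line along the lines of `# Image template for dev slaves: authorises $jenkins_dev_ssh_key for the jenkins user, with sudo. Not for production images.` What `sudo => true` actually grants is defined in jenkins::slave, which is not part of this diff, so confirm the wording against it.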
@@ -4,4 +4,6 @@ class openstack_project {
 $jenkins_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVzWbrww7Q2oSXawjARz0QAh9Nzk899zKAj37no5jJEyv+2T6rWt1NSWm84TBywcifzu7p+j8rtOPJKNeHMID53rnMURX7MBCqBnpFeSb44KlV9Hno6Yl6J+dZFugXl6wxbuqpWicpFqu264SUupPdOw2SNQPqzQF01KNoj3KEYmvdSbvuzInlHWkRcFHSRuFKwXQCCKglpYDvRgajWGq8hKQ89SNa6hq7T7zfOJ8LHm4KD3tyWimSGuMgrAq9El3zzthsY/wymXCkUGccJuup/1/Z/QIOrhaf+lVoROhoVc2/nsZfmzX2RkLS/FZ+4RQAry15XkpCmmLZj9ldEPov hudson@hudson\n"
+ $jenkins_dev_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbncCli/usVge5xB5t753zvYTNDO6TB32h14BdVjpcFXbXdh5MMKvf//BrTJxJNNVOClWmL1ERclJYNWi/klIHyQcuTtAETlO/0gNlO+RkTBthpjPoM8s7zcuiQ/Qi/kbb2LPLV0Id7G31BZOoZNSZNUmHF2PbSE4bB+t4kAzvoFbEHDPJkQ4KUIJy/+TLAZ+o7sxeGM6ndljzNo98h0tBCTXmLzYJ7VNEhRE+2aPf6ozOWGX7RFTvDnSV7SdN9fswmdQ1bxwQ9lUbBbrecuWpzj/PmD8thT3Y+NJyBCP/FCdc1FKL8OMZxeZFFrzainEsEhsSNd8fRIcG2IYqlnpB jenkins@jenkins-dev.openstack.org\n"
+
 }
diff --git a/modules/openstack_project/manifests/jenkins.pp b/modules/openstack_project/manifests/jenkins.pp
index b158f91e10..8d3c597b26 100644
--- a/modules/openstack_project/manifests/jenkins.pp
+++ b/modules/openstack_project/manifests/jenkins.pp
@@ -6,8 +6,11 @@ class openstack_project::jenkins (
 $ssl_cert_file_contents = '',
 $ssl_key_file_contents = '',
 $ssl_chain_file_contents = '',
+ $jenkins_ssh_private_key = '',
 $sysadmins = []
 ) {
+ include openstack_project
+
 $iptables_rule = '-m state --state NEW -m tcp -p tcp --dport 8888 -s logstash.openstack.org -j ACCEPT'
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [80, 443],
@@ -27,6 +30,8 @@ class openstack_project::jenkins (
 ssl_cert_file_contents => $ssl_cert_file_contents,
 ssl_key_file_contents => $ssl_key_file_contents,
 ssl_chain_file_contents => $ssl_chain_file_contents,
+ jenkins_ssh_private_key => $jenkins_ssh_private_key,
+ jenkins_ssh_public_key => $openstack_project::jenkins_ssh_key,
 }
 if $manage_jenkins_jobs == true {
@@ -49,6 +54,9 @@ class openstack_project::jenkins (
 file { '/etc/default/jenkins':
 ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
 source => 'puppet:///modules/openstack_project/jenkins/jenkins.default',
 }
 }
diff --git a/modules/openstack_project/manifests/jenkins_dev.pp b/modules/openstack_project/manifests/jenkins_dev.pp
index cf91c2520a..7d6750d024 100644
--- a/modules/openstack_project/manifests/jenkins_dev.pp
+++ b/modules/openstack_project/manifests/jenkins_dev.pp
@@ -1,6 +1,7 @@
 # == Class: openstack_project::jenkins_dev
 #
 class openstack_project::jenkins_dev (
+ $jenkins_ssh_private_key = '',
 $sysadmins = []
 ) {
 class { 'openstack_project::server':
@@ -13,11 +14,13 @@ class openstack_project::jenkins_dev (
 backup_server => 'ci-backup-rs-ord.openstack.org',
 }
 class { '::jenkins::master':
- vhost_name => 'jenkins-dev.openstack.org',
- serveradmin => 'webmaster@openstack.org',
- logo => 'openstack.png',
- ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
- ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
- ssl_chain_file => '',
+ vhost_name => 'jenkins-dev.openstack.org',
+ serveradmin => 'webmaster@openstack.org',
+ logo => 'openstack.png',
+ ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
+ ssl_chain_file => '',
+ jenkins_ssh_private_key => $jenkins_ssh_private_key,
+ jenkins_ssh_public_key => $openstack_project::jenkins_dev_ssh_key,
 }
 }
diff --git a/modules/openstack_project/manifests/slave.pp b/modules/openstack_project/manifests/slave.pp
index b700b3de69..538aa61faa 100644
--- a/modules/openstack_project/manifests/slave.pp
+++ b/modules/openstack_project/manifests/slave.pp
@@ -3,6 +3,7 @@
 class openstack_project::slave (
 $bare = false,
 $certname = $::fqdn,
+ $ssh_key = '',
 $sysadmins = []
 ) {
 include openstack_project
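Review bot: In the jenkins_dev.pp hunk that extends `class { '::jenkins::master': ... }`, `$openstack_project::jenkins_dev_ssh_key` is read, but nothing visible in this class declares `openstack_project`. jenkins.pp in the same commit adds `include openstack_project` before reading the equivalent production variable. If the class has not been evaluated by the time this one is, the variable would resolve to an undefined value and `id_rsa.pub` on the dev master would be written empty. Add `include openstack_project` as the first statement of the class body; part of the body lies between the two hunks and is not shown, so confirm it is not already declared there.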
@@ -15,9 +16,17 @@ class openstack_project::slave (
 }
 class { 'jenkins::slave':
 bare => $bare,
- ssh_key => $openstack_project::jenkins_ssh_key,
+ ssh_key => $ssh_key,
 }
 class { 'salt':
 salt_master => 'ci-puppetmaster.openstack.org',
 }
+ include jenkins::cgroups
+ include ulimit
+ ulimit::conf { 'limit_jenkins_procs':
+ limit_domain => 'jenkins',
+ limit_type => 'hard',
+ limit_item => 'nproc',
+ limit_value => '256'
+ }
 }
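Review bot: `openstack_project::slave` used to pass the production key itself and now forwards `$ssh_key`, which the earlier hunk in this file defaults to `''`. Any declaration of this class that the commit does not update would hand jenkins::slave an empty key; the `pypi.slave.openstack.org` node that appears as hunk context in site.pp may be one, though its body is not visible. What an empty key does to the slave's authorised keys depends on jenkins::slave, which is outside this diff. Failing early is safer than a silent empty value: `if $ssh_key == '' { fail('openstack_project::slave requires ssh_key') }` placed right after `include openstack_project`.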