(Adding SSH key advice) |
|||
(8 intermediate revisions by 6 users not shown) | |||
Line 18: | Line 18: | ||
== What is Jenkins @ Fedora-infra? == | == What is Jenkins @ Fedora-infra? == | ||
{{admon/warning||Fedora Infrastructure wanted to have a jenkins instance to help test its own software. Once we had it up and running we decided we could let other Fedora Contributors use it as well. However, this remains basically our own means of testing that we're just letting others use. So please, consider this an add-on, courtesy service that does not come with any particular SLA. Fedora Infrastructure will try and keep this service up, available, and secure but we reserve the right to suspend the service or discontinue it altogether at any time. Projects should not depend on this service for any release critical functions.}} | |||
The Fedora infrastructure now has its own dedicated private cloud system allowing to spin off/destroy easily virtual machin (VM) for any needs we could have. | The Fedora infrastructure now has its own dedicated private cloud system allowing to spin off/destroy easily virtual machin (VM) for any needs we could have. | ||
Line 26: | Line 28: | ||
Now, you must be thinking: "This is awesome, but [ how can I add my project to jenkins?] and [ how can I configure jenkins the way I want?". No worries the answer to your question is just below. | Now, you must be thinking: "This is awesome, but [ how can I add my project to jenkins?] and [ how can I configure jenkins the way I want?". No worries the answer to your question is just below. | ||
== Can I add my project to Jenkins? == | == Can I add my project to Jenkins? == | ||
Line 40: | Line 41: | ||
== How can I add my project to Jenkins? == | == How can I add my project to Jenkins? == | ||
This is actually a very simple process, create a ticket on the [https:// | This is actually a very simple process, create a ticket on the [https://pagure.io/fedora-infrastructure/ fedora-infrastructure project on pagure] with the following information: | ||
* Subject: [Jenkins] project request: <name of your project> | * Subject: [Jenkins] project request: <name of your project> | ||
* Body: | * Body: | ||
Line 50: | Line 51: | ||
The URL is actually not needed but asked so that we can have a quick look at your project and see if (at least) license wise it follows Fedora's philosophy. | The URL is actually not needed but asked so that we can have a quick look at your project and see if (at least) license wise it follows Fedora's philosophy. | ||
== How can I use Jenkins? == | == How can I use Jenkins? == | ||
Line 69: | Line 69: | ||
To do so: | To do so: | ||
* Login in [ | * Login in [http://jenkins.fedorainfracloud.org Jenkins] | ||
* Go to your project | * Go to your project | ||
* Go to configure ( http://jenkins. | * Go to configure ( http://jenkins.fedorainfracloud.org/job/<project>/configure ) | ||
* The checkbox for "Enable project-based security" should already be checked. | * The checkbox for "Enable project-based security" should already be checked. | ||
* There you have the ACL matrix where you can add a new user (using his/her FAS name) and give/remove ACL to these users | * There you have the ACL matrix where you can add a new user (using his/her FAS name) and give/remove ACL to these users | ||
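Review bot: the new Jenkins links in this hunk (login and `/job/<project>/configure`, repeated in the Line 80 hunk) use http:// for pages that users reach while logged in with their FAS account. If the host serves https, link to the https:// URLs so the session is not sent in clear text.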
Line 80: | Line 80: | ||
To configure the build of your project | To configure the build of your project | ||
* login in [ | * login in [http://jenkins.fedorainfracloud.org Jenkins] | ||
* go to your project | * go to your project | ||
* go to configure ( http://jenkins. | * go to configure ( http://jenkins.fedorainfracloud.org/job/<project>/configure ) | ||
* There you can set: | * There you can set: | ||
** where are the sources (git/subversion/bazaar/mercurial) | ** where are the sources (git/subversion/bazaar/mercurial) | ||
Line 97: | Line 97: | ||
virtualenv fedocalenv | virtualenv fedocalenv | ||
source fedocalenv/bin/activate | source fedocalenv/bin/activate | ||
## we need kitchen before we can do the list | ## we need kitchen before we can do the list | ||
pip install kitchen | pip install kitchen | ||
Line 113: | Line 113: | ||
deactivate | deactivate | ||
==== Builders ==== | |||
There are multiple builders in the Jenkins infrastructure. You may need to restrict your jobs to only one kind. The labels are documented in git here: | |||
https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/inventory/group_vars/jenkins-master#n5 | |||
==== Running jobs requiring password-protected SSH keys ==== | |||
Store your password in the Jenkins configuration script: | |||
set +x | |||
export SSHPASS=noOneLikesPWs | |||
set -x | |||
bash my_build_script | |||
The SSHPASS environment variable is consumed by sshpass. | |||
In this example, the actual build script is stored, as recommended, with your code and not in Jenkins. | |||
Determine if you need only a few SSH commands or a lot of them: | |||
===== Only a few SSH commands ===== | |||
Just provide the password for each one in your build script. | |||
sshpass -P assphrase -v -e ssh -i /path/to/your/private/key foo@bar.com command | |||
sshpass -P assphrase -v -e scp -i /path/to/your/private/key local_content foo@bar.com:/destination | |||
===== Lots of SSH commands (or git and the like) ===== | |||
In your build script, start an ssh-agent and load the key. Then run your commands: | |||
eval "$(ssh-agent -s)" | |||
sshpass -P assphrase -v -e ssh-add /path/to/your/private/key | |||
... | |||
===== A word about Host Keys ===== | |||
You may need to use ```-o stricthostkeychecking=no``` on your first SSH connection to save the hostkey. | |||
=== This is incomplete! === | === This is incomplete! === | ||
If you are missing a plugin, an information on how to set-up your project, or if you just have any question regarding our Jenkins, feel free to drop-by #fedora-admin on [ IRC] or create a ticket in the [ fedora-infrastructure trac] or send an email to the [ infrastructure mailing-list]. | If you are missing a plugin, an information on how to set-up your project, or if you just have any question regarding our Jenkins, feel free to drop-by #fedora-admin on [ IRC] or create a ticket in the [ fedora-infrastructure trac] or send an email to the [ infrastructure mailing-list]. |
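Review bot: `-o stricthostkeychecking=no` under "A word about Host Keys" turns off host key verification on the very connection that records the key, so the build has no assurance about which server it saved. Suggest publishing the host's public key and having the build script write it to a known_hosts file before connecting, or using `StrictHostKeyChecking=accept-new` so that a later key change is still rejected. Separately, the ssh-agent example never stops the agent; adding `ssh-agent -k` (for instance through `trap ... EXIT`) keeps a loaded key from staying behind on the builder.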
Latest revision as of 11:08, 2 February 2017
DRAFT!
This page is still a draft, please consider it as such.
Jenkins @ Fedora-infra
What is Jenkins?
Jenkins is a continuous integration (CI) server. It runs the unit tests of your project on a regular basis, allowing early detection of problems in your code and making sure that your changes are not too disruptive and do not break other parts of your project.
If your project has unit tests, having CI is a nice thing. Ideally the tests should be run after each commit and in a clean environment, so that if additional dependencies have not been marked as such, the project will fail to run. The problem is that no one runs the tests of their project after each change, or has a clean environment in which to do so.
Jenkins is just one of a family of CI servers, which also includes buildbot, travis-ci and more.
What is Jenkins @ Fedora-infra?
The Fedora infrastructure now has its own dedicated private cloud system, which makes it easy to spin up and destroy virtual machines (VMs) for any need we might have.
Having easy throw-away VMs allows us to quickly build a Fedora image for any desired release.
Thus we decided to offer our contributors access to a Jenkins server that lets them run the unit tests of their project on Fedora and/or RHEL.
Now, you must be thinking: "This is awesome, but how can I add my project to Jenkins, and how can I configure Jenkins the way I want?" No worries, the answers to your questions are just below.
Can I add my project to Jenkins?
The basic answer is yes, but there are of course some conditions to satisfy:
- MUST have a license that's acceptable for Fedora itself.
- MUST not include any items Fedora considers forbidden.
- MUST have a public source repo
If your project satisfies these conditions, keep reading ;-)
How can I add my project to Jenkins?
This is actually a very simple process: create a ticket on the fedora-infrastructure project on pagure with the following information:
- Subject: [Jenkins] project request: <name of your project>
- Body:
- name of the project
- One line description of the project
- Contact person for this / admin for the project
- URL to the sources of the project
- Remarks
The URL is not strictly needed, but we ask for it so that we can have a quick look at your project and see whether (at least license-wise) it follows Fedora's philosophy.
How can I use Jenkins?
Login
To log in to Jenkins, you will have to log in using FAS, via FAS-OpenId.
Jenkins is configured with a per-project access policy. This means that when the people processing the Jenkins request on the fedora-infrastructure trac create the project, they will give admin rights on that project to whoever is specified in the ticket.
To have the rights to run a project on Jenkins, you need the appropriate ACL, which only the project admin can give you (or one of the Jenkins admins in case of problems).
How to configure Jenkins?
Add co-workers
If you are an admin or have the appropriate rights, you can give your co-workers the rights to run builds, clean the workspace, or destroy the project.
To do so:
- Log in to Jenkins
- Go to your project
- Go to configure ( http://jenkins.fedorainfracloud.org/job/<project>/configure )
- The checkbox for "Enable project-based security" should already be checked.
- There you have the ACL matrix, where you can add a new user (using his/her FAS name) and give ACLs to or remove them from these users
Build my project
Jenkins aims at running your unit tests in a clean environment, meaning you have to take care of specifying the dependencies (or in some cases, ask fedora-infrastructure to add them to the builders).
To configure the build of your project:
- log in to Jenkins
- go to your project
- go to configure ( http://jenkins.fedorainfracloud.org/job/<project>/configure )
- There you can set:
  - where the sources are (git/subversion/bazaar/mercurial)
  - which branch to build (leave it as '*' to build all the branches)
  - when the project should be run (every hour, every day or just when there are changes)
  - where the project can be run (see "Restrict where this project can be run" to restrict building to, for example, Fedora builders only)
  - how the project should be run.
    - if you are using python, you will want to run the build in a virtualenv, which always gives you a clean environment
    - if you are using java, you might consider using maven to do the dependency management
Example of the shell script used to run the fedocal unit-tests:

    rm -rf fedocalenv
    virtualenv fedocalenv
    source fedocalenv/bin/activate
    ## we need kitchen before we can do the list
    pip install kitchen
    ## python-fedora fails the first time, so we try twice
    pip install -r requirements.txt || pip install -r requirements.txt
    pip install nose --upgrade  ## Needed within the venv
    hash -r  ## Reload where the nosetests app is (within the venv) - see which nosetests with and without
    pip install nosexcover
    FEDOCAL_CONFIG=../tests/fedocal_test.cfg PYTHONPATH=fedocal nosetests --with-xcoverage --cover-erase --cover-package=fedocal
    PYTHONPATH=fedocal pylint -f parseable fedocal | tee pylint.out
    pep8 fedocal/*.py fedocal/*/*.py | tee pep8.out
    deactivate

Builders
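There are multiple builders in the Jenkins infrastructure. You may need to restrict your jobs to only one kind. The labels are documented in git here:
https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/inventory/group_vars/jenkins-master#n5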
Running jobs requiring password-protected SSH keys
Store your password in the Jenkins configuration script:

    set +x
    export SSHPASS=noOneLikesPWs
    set -x
    bash my_build_script

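The SSHPASS environment variable is consumed by sshpass (its -e option, used in the commands in the following sections, tells it to read the password from there). Wrapping the export in set +x / set -x keeps the value out of the traced console output.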
In this example, the actual build script is stored, as recommended, with your code and not in Jenkins.
Determine if you need only a few SSH commands or a lot of them:
Only a few SSH commands
Just provide the password for each one in your build script.

    sshpass -P assphrase -v -e ssh -i /path/to/your/private/key foo@bar.com command
    sshpass -P assphrase -v -e scp -i /path/to/your/private/key local_content foo@bar.com:/destination

Lots of SSH commands (or git and the like)
In your build script, start an ssh-agent and load the key. Then run your commands:

    eval "$(ssh-agent -s)"
    sshpass -P assphrase -v -e ssh-add /path/to/your/private/key
    ...

A word about Host Keys
You may need to use `-o stricthostkeychecking=no` on your first SSH connection to save the hostkey.
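The agent and host-key steps above combined into helpers for a build script, as an added example that is not part of the original wiki page. It stops the agent on exit, drops the passphrase once the key is loaded, and verifies the first connection against a host key obtained out of band instead of saving whatever key is presented. The function names, the `known_hosts.pinned` file and the host and key values are assumptions.

```sh
#!/bin/sh
# Added example: helpers for a Jenkins build script (not the wiki's own code).
# Host names, key material and paths passed to these functions are placeholders.
set -eu

# WORKSPACE is set by Jenkins for each job; fall back to the current directory.
# Assumption: the path contains no whitespace (ssh_opts output is word-split).
KNOWN_HOSTS="${WORKSPACE:-.}/known_hosts.pinned"

# pin_host_key <host> <keytype> <base64-key>
# Record a host key obtained out of band (e.g. from the server's admin), so the
# first connection is verified rather than made with stricthostkeychecking=no.
pin_host_key() {
    touch "$KNOWN_HOSTS"
    chmod 600 "$KNOWN_HOSTS"
    printf '%s %s %s\n' "$1" "$2" "$3" >> "$KNOWN_HOSTS"
}

# Options that make ssh/scp trust only the pinned file and refuse
# unknown or changed host keys.
ssh_opts() {
    printf '%s %s' "-o UserKnownHostsFile=$KNOWN_HOSTS" \
                   "-o StrictHostKeyChecking=yes"
}

# load_key <private-key-path>
# Start an agent, load the key with the passphrase from SSHPASS, then remove
# the passphrase from the environment. The agent is stopped when the script ends.
load_key() {
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null' EXIT
    sshpass -P assphrase -e ssh-add "$1"
    unset SSHPASS
}

# Usage inside my_build_script (values are placeholders):
#   pin_host_key bar.com ssh-ed25519 <base64 host key from the server admin>
#   load_key /path/to/your/private/key
#   ssh $(ssh_opts) foo@bar.com command
#   GIT_SSH_COMMAND="ssh $(ssh_opts)" git fetch
```
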
This is incomplete!
If you are missing a plugin or information on how to set up your project, or if you just have a question regarding our Jenkins, feel free to drop by #fedora-admin on IRC, create a ticket in the fedora-infrastructure trac, or send an email to the infrastructure mailing-list.