From BCCD 3.0

Revision as of 21:44, 18 March 2018

Introduction

Jenkins is a continuous integration system that the BCCD project uses for automating building and testing of BCCD.

Access

Our local Jenkins server may be found at https://bigfe.cluster.earlham.edu/jenkins/. Login using your CCG username/password.

Note that bigfe is not accessible outside the CCG network (159.28.23.0/24). You may access it from outside using SSH SOCKS proxying. Use your cluster LDAP username/password to login.

1. Place this block in your ~/.ssh/config:

    Host hopper
            HostName hopper.cluster.earlham.edu
            DynamicForward 1081
   

2. ssh hopper (not hopper.cluster.earlham.edu!)
3. In your browser proxy configuration (for Firefox this is Preferences->Advanced->Network Settings) set your SOCKS v5 proxy to be localhost, port 1081.
4. You should now be able to access https://bigfe.cluster.earlham.edu/jenkins/

Builds

Builds are automated processes that Jenkins uses to create a software product.

Creating a new build

You will want to do this after you create a new SVN branch.

1. In the branch, make a bin/build_livecd.conf file that looks like this, changing the parameters as needed.

    SUITE   :   squeeze
    OUTDIR  :   /cluster/bccd-ng/testing/skylar
    WEBSVN  :   http://bccd-ng.cluster.earlham.edu/svn/bccd-ng/branches/skylar/bccd-3.3.2
    RELEASE :   3.3.2-skylar
   

2. Click "New Item"
3. Give the build a name based on the branch name. Avoid the use of spaces in the name, as it will be used in the workspace directory name and not all utilities (i.e. debootstrap) properly deal with paths with spaces.
4. Select "Build a free-style software project"
5. Select Subversion under "Source Code Management".
6. Supply the SVN repo URL for the branch you want to build (i.e. http://cluster.earlham.edu/svn/bccd-ng/branches/skylar/bccd-3.3.2)
7. Click on "Add build step" and select "Execute Shell".
8. Enter a variation of this, making sure to change the architecture as appropriate (choices are i386 or amd64):

   PERL5LIB=./trees/usr/local/lib/site_perl /usr/bin/perl bin/build_livecd.pl --arch i386
   

Cloning a build

1. Click "New Item"
2. Give the build a name based on the branch name.
3. Select "Copy existing item"
4. Enter existing item name

Scheduling a build

From the Jenkins home page (aka build dashboard), click the icon on the far right.

Troubleshooting a build

A failed build will be indicated by a red orb. A project with repeatedly-failed builds will have a thundercloud by it.

Diagnosing a failed build generally involves looking at the console output:

1. From the Jenkins login page, go to Build History
2. Click on the terminal icon associated with the failed build.

One can also see the "workspace" of the build, which contains all the files and directories used.

Install

Based on https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Apache and https://wiki.jenkins.io/display/JENKINS/Starting+and+Accessing+Jenkins

For bigfe:

1. Install from apt (seems to have latest): apt-get -y install jenkins
2. In /etc/default/jenkins:
• Set JENKINS_USER=root and JENKINS_GROUP=root. This is needed to have proper ownership as files are copied into the build directory.
• Uncomment the line with preferIPv4Stack=true and change JAVA_ARGS= to JAVA_ARGS=" ${JAVA_ARGS} ..."
• Add --prefix=${PREFIX} to JENKINS_ARGS
3. Start Jenkins: invoke-rc.d jenkins start
4. Apache2
1. Run the following commands to enable proxying:

   a2enmod proxy
   a2enmod proxy_http
   a2enmod headers
   

2. Add the following to /etc/apache2/conf-available/jenkins.conf, symlinking to conf-enabled when done

   ProxyPass         /jenkins  http://localhost:8080/jenkins nocanon
   ProxyPassReverse  /jenkins  http://localhost:8080/jenkins
   ProxyRequests     Off
   AllowEncodedSlashes NoDecode
   SSLProxyEngine    On
   
   # Local reverse proxy authorization override
   # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
   <Proxy http://localhost:8080/jenkins*>
     Order deny,allow
     Allow from all
   </Proxy>
   

3. Symlink /etc/apache2/sites-available/default-ssl.conf to /etc/apache2/sites-enabled/default-ssl.conf
4. Edit /etc/apache2/sites-available/default-ssl.conf and add (see Jenkins/Apache doc): <verbatim> RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" </verbatim>
5. Add the following to /etc/apache2/sites-available/000-default.conf to force SSL use for Jenkins:

   # Force SSL for Jenkins
   <Location /jenkins>
      RewriteEngine on
      RewriteCond %{HTTPS} off
      RewriteRule ^/?(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
   </Location>
   

6. Setup SSH SOCKS proxy through hopper.
7. Go to https://bigfe.cluster.earlham.edu/jenkins/
1. Enter generated password in /var/lib/jenkins/secrets/initialAdminPassword
2. Go to Manage Jenkins and install recommended plugins
3. Go to Configure Systems and make sure URL is set to https://bigfe.cluster.earlham.edu/jenkins (not http)
4. Go to Configure Global Security.
   1. Open Agents protocols, and disable all deprecated protocols.
   2. Set Access Control to LDAP
   • Server to cluster.earlham.edu
5. Advanced options: Root DN - dc=cluster,dc=loc
6. Enable Cross Site Request protection w/ default crumbs
5. Setup a firewall to protect the service
1. Install the iptables-persistent package if it is not already installed
2. Agree to save current rule set (both IPv4 and IPv6)
3. Add this line to /etc/iptables/rules.v4 before the COMMIT:

   # Block all Jenkins connections not from 127.0.0.1
   -A INPUT -p tcp ! -s 127.0.0.1 --dport 8080 -j REJECT
   

4. Add this line to /etc/iptables/rules.v6 before the COMMIT:

   # Block all Jenkins connections not from 127.0.0.1
   -A INPUT -p tcp ! -s ::1 --dport 8080 -j REJECT
   

5. Run systemctl restart netfilter-persistent.service
6. Run iptables -L and ip6tables -L and verify that the new rules are in place.

Backups

All of Jenkins except the workspace contents will be backed up to /cluster/bigfe-backups using the Backup Manager plugin.