diff --git a/manifests/site.pp b/manifests/site.pp index aab57290ab..4e4bdb1e18 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -70,6 +70,7 @@ node 'review-dev.openstack.org' { node 'jenkins.openstack.org' { class { 'openstack_project::jenkins': jenkins_jobs_password => hiera('jenkins_jobs_password'), + jenkins_ssh_private_key => hiera('jenkins_ssh_private_key_contents'), ssl_cert_file_contents => hiera('jenkins_ssl_cert_file_contents'), ssl_key_file_contents => hiera('jenkins_ssl_key_file_contents'), ssl_chain_file_contents => hiera('jenkins_ssl_chain_file_contents'), @@ -79,7 +80,8 @@ node 'jenkins.openstack.org' { node 'jenkins-dev.openstack.org' { class { 'openstack_project::jenkins_dev': - sysadmins => hiera('sysadmins'), + jenkins_ssh_private_key => hiera('jenkins_dev_ssh_private_key_contents'), + sysadmins => hiera('sysadmins'), } } @@ -256,6 +258,11 @@ node /^.*\.template\.openstack\.org$/ { include openstack_project::slave_template } +# A bare machine, but with a jenkins user +node /^.*dev-.*\.template\.openstack\.org$/ { + include openstack_project::dev_slave_template +} + # A backup machine. Don't run cron or puppet agent on it. node /^ci-backup-.*\.openstack\.org$/ { include openstack_project::backup_server 
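Review bot: The new `/^.*dev-.*\.template\.openstack\.org$/` node in the third site.pp hunk overlaps the existing `/^.*\.template\.openstack\.org$/` node directly above it, so every dev template hostname matches both patterns. Puppet applies only one node definition per host, and which of two overlapping regex nodes wins is not something to rely on. If the generic one is selected, the host gets `slave_template` and none of the dev key setup from `dev_slave_template`. Make the patterns disjoint, for example by changing the generic node to `/^(?!.*dev-).*\.template\.openstack\.org$/`, and note the exclusion in the comment above it.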
@@ -299,114 +306,44 @@ node 'pypi.slave.openstack.org' { } } -node /^quantal.*\.slave\.openstack\.org$/ { - include openstack_project::puppet_cron - class { 'openstack_project::slave': - certname => 'quantal.slave.openstack.org', - sysadmins => hiera('sysadmins'), - } - file { '/home/jenkins/.config/glance': - ensure => absent, - force => true, - recurse => true, - } - include jenkins::cgroups - include ulimit - ulimit::conf { 'limit_jenkins_procs': - limit_domain => 'jenkins', - limit_type => 'hard', - limit_item => 'nproc', - limit_value => '256' - } -} - -node /^precise.*\.slave\.openstack\.org$/ { +node /^precise-?\d+.*\.slave\.openstack\.org$/ { + include openstack_project include openstack_project::puppet_cron class { 'openstack_project::slave': certname => 'precise.slave.openstack.org', + ssh_key => $openstack_project::jenkins_ssh_key, sysadmins => hiera('sysadmins'), } - file { '/home/jenkins/.config/glance': - ensure => absent, - force => true, - recurse => true, - } - include jenkins::cgroups - include ulimit - ulimit::conf { 'limit_jenkins_procs': - limit_domain => 'jenkins', - limit_type => 'hard', - limit_item => 'nproc', - limit_value => '256' - } } -node /^oneiric.*\.slave\.openstack\.org$/ { +node /^precise-dev\d+.*\.slave\.openstack\.org$/ { + include openstack_project include openstack_project::puppet_cron class { 'openstack_project::slave': - certname => 'oneiric.slave.openstack.org', + ssh_key => $openstack_project::jenkins_dev_ssh_key, sysadmins => hiera('sysadmins'), } - file { '/home/jenkins/.config/glance': - ensure => absent, - force => true, - recurse => true, - } - include jenkins::cgroups - include ulimit - ulimit::conf { 'limit_jenkins_procs': - limit_domain => 'jenkins', - limit_type => 'hard', - limit_item => 'nproc', - limit_value => '256' - } } - -node /^centos6.*\.slave\.openstack\.org$/ { +node /^centos6-?\d+\.slave\.openstack\.org$/ { + include openstack_project include openstack_project::puppet_cron class { 
'openstack_project::slave': certname => 'centos6.slave.openstack.org', + ssh_key => $openstack_project::jenkins_ssh_key, sysadmins => hiera('sysadmins'), } - file { '/home/jenkins/.config/glance': - ensure => absent, - force => true, - recurse => true, - } - include jenkins::cgroups - include ulimit - ulimit::conf { 'limit_jenkins_procs': - limit_domain => 'jenkins', - limit_type => 'hard', - limit_item => 'nproc', - limit_value => '256' - } } - -node /^rhel6.*\.slave\.openstack\.org$/ { +node /^centos6-dev\d+\.slave\.openstack\.org$/ { + include openstack_project include openstack_project::puppet_cron class { 'openstack_project::slave': - certname => 'rhel6.slave.openstack.org', + ssh_key => $openstack_project::jenkins_dev_ssh_key, sysadmins => hiera('sysadmins'), } - file { '/home/jenkins/.config/glance': - ensure => absent, - force => true, - recurse => true, - } - include jenkins::cgroups - include ulimit - ulimit::conf { 'limit_jenkins_procs': - limit_domain => 'jenkins', - limit_type => 'hard', - limit_item => 'nproc', - limit_value => '256' - } } - node /^.*\.jclouds\.openstack\.org$/ { class { 'openstack_project::bare_slave': certname => 'jclouds.openstack.org', diff --git a/modules/jenkins/manifests/master.pp b/modules/jenkins/manifests/master.pp index 145d404845..09ecd11c34 100644 --- a/modules/jenkins/manifests/master.pp +++ b/modules/jenkins/manifests/master.pp @@ -10,6 +10,8 @@ class jenkins::master( $ssl_cert_file_contents = '', # If left empty puppet will not create file. $ssl_key_file_contents = '', # If left empty puppet will not create file. $ssl_chain_file_contents = '', # If left empty puppet will not create file. + $jenkins_ssh_private_key = '', + $jenkins_ssh_public_key = '', ) { include pip include apt 
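Review bot: The two `-dev` slave nodes added in the last site.pp hunk pass `ssh_key` but no `certname`, unlike the `precise` and `centos6` nodes beside them, so they take the `$::fqdn` default from `openstack_project::slave`; nothing in the hunk says whether that is intended. A comment above each dev node would settle it, e.g. `# Dev slaves trust only the jenkins-dev key and keep their own fqdn as certname.` The rewritten patterns now require digits (`precise-?\d+`, `centos6-?\d+`), so any existing slave whose name lacks them, and all quantal, oneiric and rhel6 slaves, no longer match a node in this part of the manifest. The `/home/jenkins/.config/glance` cleanup is removed and is not among the resources moved into slave.pp, so hosts that still have that directory will keep it.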
@@ -89,42 +91,11 @@ class jenkins::master( ensure => present, } - # devstack-gate - if ! defined(Package['python-jenkins']) { - package { 'python-jenkins': - ensure => present, - } - } - package { 'jenkins': ensure => present, require => Apt::Source['jenkins'], } - package { 'apache-libcloud': - ensure => present, - provider => pip, - require => Class[pip], - } - - package { 'git-review': - ensure => '1.18', - provider => pip, - require => Class[pip], - } - - package { 'tox': - ensure => latest, # okay to use latest for pip - provider => pip, - require => Class[pip], - } - - package { 'statsd': - ensure => latest, # okay to use latest for pip - provider => pip, - require => Class[pip], - } - exec { 'update apt cache': subscribe => File['/etc/apt/sources.list.d/jenkins.list'], refreshonly => true, @@ -139,6 +110,32 @@ class jenkins::master( require => Package['jenkins'], } + file { '/var/lib/jenkins/.ssh/': + ensure => directory, + owner => 'jenkins', + group => 'nogroup', + mode => '0700', + require => File['/var/lib/jenkins'], + } + + file { '/var/lib/jenkins/.ssh/id_rsa': + owner => 'jenkins', + group => 'nogroup', + mode => '0600', + content => $jenkins_ssh_private_key, + replace => true, + require => File['/var/lib/jenkins/.ssh/'], + } + + file { '/var/lib/jenkins/.ssh/id_rsa.pub': + owner => 'jenkins', + group => 'nogroup', + mode => '0644', + content => $jenkins_ssh_public_key, + replace => true, + require => File['/var/lib/jenkins/.ssh/'], + } + file { '/var/lib/jenkins/plugins': ensure => directory, owner => 'jenkins', 
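Review bot: The `/var/lib/jenkins/.ssh/id_rsa` and `id_rsa.pub` resources in the third master.pp hunk are managed unconditionally with `replace => true`, while both parameters default to `''` (first master.pp hunk), so a caller that omits them would have any existing key pair replaced by empty files. The ssl_* parameters next to them are commented "If left empty puppet will not create file"; the key files should follow the same rule, e.g. wrap them in `if $jenkins_ssh_private_key != '' { … }` and add `ensure => present`. The private key is also passed as `content`, so a content change may be printed as a diff in agent logs and reports. Setting `show_diff => false` on the `id_rsa` resource avoids that where the Puppet version in use supports the attribute.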
@@ -156,24 +153,32 @@ class jenkins::master( file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.css': ensure => present, + owner => 'jenkins', + group => 'nogroup', source => 'puppet:///modules/jenkins/openstack.css', require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], } file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.js': ensure => present, + owner => 'jenkins', + group => 'nogroup', content => template('jenkins/openstack.js.erb'), require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], } file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack-page-bkg.jpg': ensure => present, + owner => 'jenkins', + group => 'nogroup', source => 'puppet:///modules/jenkins/openstack-page-bkg.jpg', require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], } file { '/var/lib/jenkins/plugins/simple-theme-plugin/title.png': ensure => present, + owner => 'jenkins', + group => 'nogroup', source => "puppet:///modules/jenkins/${logo}", require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], } diff --git a/modules/openstack_project/manifests/dev_slave_template.pp b/modules/openstack_project/manifests/dev_slave_template.pp new file mode 100644 index 0000000000..f67ad234e8 --- /dev/null +++ b/modules/openstack_project/manifests/dev_slave_template.pp @@ -0,0 +1,16 @@ +# == Class: openstack_project::dev_slave_template +# +class openstack_project::dev_slave_template ( + $install_users = true, + $ssh_key = $openstack_project::jenkins_dev_ssh_key +) inherits openstack_project { + class { 'openstack_project::template': + iptables_public_tcp_ports => [], + install_users => $install_users, + } + class { 'jenkins::slave': + ssh_key => $ssh_key, + sudo => true, + bare => true, + } +} diff --git a/modules/openstack_project/manifests/init.pp b/modules/openstack_project/manifests/init.pp index bbeaa85648..c48873c7bf 100644 --- a/modules/openstack_project/manifests/init.pp +++ b/modules/openstack_project/manifests/init.pp 
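Review bot: The four theme files in the last master.pp hunk gain `owner` and `group` but no `mode`, so their permissions stay whatever they already are on disk. Adding `mode => '0644',` to each would match the `/etc/default/jenkins` resource in jenkins.pp, which this commit gives all three attributes.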
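Review bot: The header comment of the new `openstack_project::dev_slave_template` class is empty, yet the class combines `sudo => true` with a key that defaults to `$openstack_project::jenkins_dev_ssh_key`. What `sudo` grants is defined in `jenkins::slave`, outside this diff, but presumably whoever holds the jenkins-dev private key gets privileged access to every host built from this template. The header should state that and document both parameters: add a `# === Parameters` section describing `install_users` and `ssh_key`, plus a line such as `# Grants the jenkins account sudo; intended only for dev slaves that trust the jenkins-dev key.`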
@@ -4,4 +4,6 @@ class openstack_project { $jenkins_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVzWbrww7Q2oSXawjARz0QAh9Nzk899zKAj37no5jJEyv+2T6rWt1NSWm84TBywcifzu7p+j8rtOPJKNeHMID53rnMURX7MBCqBnpFeSb44KlV9Hno6Yl6J+dZFugXl6wxbuqpWicpFqu264SUupPdOw2SNQPqzQF01KNoj3KEYmvdSbvuzInlHWkRcFHSRuFKwXQCCKglpYDvRgajWGq8hKQ89SNa6hq7T7zfOJ8LHm4KD3tyWimSGuMgrAq9El3zzthsY/wymXCkUGccJuup/1/Z/QIOrhaf+lVoROhoVc2/nsZfmzX2RkLS/FZ+4RQAry15XkpCmmLZj9ldEPov hudson@hudson\n" + $jenkins_dev_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbncCli/usVge5xB5t753zvYTNDO6TB32h14BdVjpcFXbXdh5MMKvf//BrTJxJNNVOClWmL1ERclJYNWi/klIHyQcuTtAETlO/0gNlO+RkTBthpjPoM8s7zcuiQ/Qi/kbb2LPLV0Id7G31BZOoZNSZNUmHF2PbSE4bB+t4kAzvoFbEHDPJkQ4KUIJy/+TLAZ+o7sxeGM6ndljzNo98h0tBCTXmLzYJ7VNEhRE+2aPf6ozOWGX7RFTvDnSV7SdN9fswmdQ1bxwQ9lUbBbrecuWpzj/PmD8thT3Y+NJyBCP/FCdc1FKL8OMZxeZFFrzainEsEhsSNd8fRIcG2IYqlnpB jenkins@jenkins-dev.openstack.org\n" + } diff --git a/modules/openstack_project/manifests/jenkins.pp b/modules/openstack_project/manifests/jenkins.pp index b158f91e10..8d3c597b26 100644 --- a/modules/openstack_project/manifests/jenkins.pp +++ b/modules/openstack_project/manifests/jenkins.pp @@ -6,8 +6,11 @@ class openstack_project::jenkins ( $ssl_cert_file_contents = '', $ssl_key_file_contents = '', $ssl_chain_file_contents = '', + $jenkins_ssh_private_key = '', $sysadmins = [] ) { + include openstack_project + $iptables_rule = '-m state --state NEW -m tcp -p tcp --dport 8888 -s logstash.openstack.org -j ACCEPT' class { 'openstack_project::server': iptables_public_tcp_ports => [80, 443], @@ -27,6 +30,8 @@ class openstack_project::jenkins ( ssl_cert_file_contents => $ssl_cert_file_contents, ssl_key_file_contents => $ssl_key_file_contents, ssl_chain_file_contents => $ssl_chain_file_contents, + jenkins_ssh_private_key => $jenkins_ssh_private_key, + jenkins_ssh_public_key => $openstack_project::jenkins_ssh_key, } if $manage_jenkins_jobs == true { 
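Review bot: `$jenkins_dev_ssh_key` in the init.pp hunk is the public half of a pair whose private half comes from hiera (`jenkins_dev_ssh_private_key_contents` in site.pp), and nothing ties the two together. master.pp writes both into `/var/lib/jenkins/.ssh/`, so rotating one without the other leaves a mismatched `id_rsa`/`id_rsa.pub` and slaves that authorize a key the master no longer holds. A comment on each variable would make the coupling visible, e.g. `# Public half of hiera('jenkins_dev_ssh_private_key_contents'); rotate both together.`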
@@ -49,6 +54,9 @@ class openstack_project::jenkins ( file { '/etc/default/jenkins': ensure => present, + owner => 'root', + group => 'root', + mode => '0644', source => 'puppet:///modules/openstack_project/jenkins/jenkins.default', } } diff --git a/modules/openstack_project/manifests/jenkins_dev.pp b/modules/openstack_project/manifests/jenkins_dev.pp index cf91c2520a..7d6750d024 100644 --- a/modules/openstack_project/manifests/jenkins_dev.pp +++ b/modules/openstack_project/manifests/jenkins_dev.pp @@ -1,6 +1,7 @@ # == Class: openstack_project::jenkins_dev # class openstack_project::jenkins_dev ( + $jenkins_ssh_private_key = '', $sysadmins = [] ) { class { 'openstack_project::server': @@ -13,11 +14,13 @@ class openstack_project::jenkins_dev ( backup_server => 'ci-backup-rs-ord.openstack.org', } class { '::jenkins::master': - vhost_name => 'jenkins-dev.openstack.org', - serveradmin => 'webmaster@openstack.org', - logo => 'openstack.png', - ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem', - ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key', - ssl_chain_file => '', + vhost_name => 'jenkins-dev.openstack.org', + serveradmin => 'webmaster@openstack.org', + logo => 'openstack.png', + ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem', + ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key', + ssl_chain_file => '', + jenkins_ssh_private_key => $jenkins_ssh_private_key, + jenkins_ssh_public_key => $openstack_project::jenkins_dev_ssh_key, } } diff --git a/modules/openstack_project/manifests/slave.pp b/modules/openstack_project/manifests/slave.pp index b700b3de69..538aa61faa 100644 --- a/modules/openstack_project/manifests/slave.pp +++ b/modules/openstack_project/manifests/slave.pp @@ -3,6 +3,7 @@ class openstack_project::slave ( $bare = false, $certname = $::fqdn, + $ssh_key = '', $sysadmins = [] ) { include openstack_project 
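Review bot: `jenkins_ssh_public_key => $openstack_project::jenkins_dev_ssh_key` in the second jenkins_dev.pp hunk reads a variable from `openstack_project`, but no `include openstack_project` is visible in this class, whereas jenkins.pp gains one in the same commit. Unless `openstack_project::server` pulls that class in first (not visible here), the variable is unset and `id_rsa.pub` would be written empty. Adding `include openstack_project` as the first statement of the class body makes the dependency explicit. The part of the class body between the two hunks is outside the diff.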
@@ -15,9 +16,17 @@ class openstack_project::slave ( } class { 'jenkins::slave': bare => $bare, - ssh_key => $openstack_project::jenkins_ssh_key, + ssh_key => $ssh_key, } class { 'salt': salt_master => 'ci-puppetmaster.openstack.org', } + include jenkins::cgroups + include ulimit + ulimit::conf { 'limit_jenkins_procs': + limit_domain => 'jenkins', + limit_type => 'hard', + limit_item => 'nproc', + limit_value => '256' + } }
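Review bot: `ssh_key` now comes from a parameter that defaults to `''` (first slave.pp hunk) instead of `$openstack_project::jenkins_ssh_key`, so any caller of `openstack_project::slave` not updated in this commit hands `jenkins::slave` an empty key. How `jenkins::slave` treats an empty key is not visible here; at best the master can no longer log in to the slave, and it may also write an empty authorized-keys entry. Either fail fast with `if $ssh_key == '' { fail('openstack_project::slave requires ssh_key') }` or fall back to the previous value inside the class body.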