Add jenkins dev slaves.

Allow them to use an ssh key distinct from production.
Clean up unused slave classes.
Use dedicated keys on dev slaves (do this in prod in the future, but it's a
breaking change).
Add a dev_slave_template class for devstack-gate to use.
Remove devstack-gate deps from jenkins master (they're on devstack-launch
now).
Clean up unneeded remove statements for glance creds.
Tidy up some permissions on files where they weren't specified before.

Change-Id: I02cef1ee3951c5780084118073770521bebb9eda
Reviewed-on: https://review.openstack.org/29319
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
James E. Blair 2013-05-15 16:03:05 -07:00 committed by Jenkins
parent 52691a9db4
commit 00d9391958
7 changed files with 101 additions and 121 deletions


@ -70,6 +70,7 @@ node 'review-dev.openstack.org' {
node 'jenkins.openstack.org' { node 'jenkins.openstack.org' {
class { 'openstack_project::jenkins': class { 'openstack_project::jenkins':
jenkins_jobs_password => hiera('jenkins_jobs_password'), jenkins_jobs_password => hiera('jenkins_jobs_password'),
jenkins_ssh_private_key => hiera('jenkins_ssh_private_key_contents'),
ssl_cert_file_contents => hiera('jenkins_ssl_cert_file_contents'), ssl_cert_file_contents => hiera('jenkins_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('jenkins_ssl_key_file_contents'), ssl_key_file_contents => hiera('jenkins_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('jenkins_ssl_chain_file_contents'), ssl_chain_file_contents => hiera('jenkins_ssl_chain_file_contents'),
@ -79,6 +80,7 @@ node 'jenkins.openstack.org' {
node 'jenkins-dev.openstack.org' { node 'jenkins-dev.openstack.org' {
class { 'openstack_project::jenkins_dev': class { 'openstack_project::jenkins_dev':
jenkins_ssh_private_key => hiera('jenkins_dev_ssh_private_key_contents'),
sysadmins => hiera('sysadmins'), sysadmins => hiera('sysadmins'),
} }
} }
@ -256,6 +258,11 @@ node /^.*\.template\.openstack\.org$/ {
include openstack_project::slave_template include openstack_project::slave_template
} }
# A bare machine, but with a jenkins user
node /^.*dev-.*\.template\.openstack\.org$/ {
include openstack_project::dev_slave_template
}
# A backup machine. Don't run cron or puppet agent on it. # A backup machine. Don't run cron or puppet agent on it.
node /^ci-backup-.*\.openstack\.org$/ { node /^ci-backup-.*\.openstack\.org$/ {
include openstack_project::backup_server include openstack_project::backup_server
@ -299,114 +306,44 @@ node 'pypi.slave.openstack.org' {
} }
} }
node /^quantal.*\.slave\.openstack\.org$/ { node /^precise-?\d+.*\.slave\.openstack\.org$/ {
include openstack_project::puppet_cron include openstack_project
class { 'openstack_project::slave':
certname => 'quantal.slave.openstack.org',
sysadmins => hiera('sysadmins'),
}
file { '/home/jenkins/.config/glance':
ensure => absent,
force => true,
recurse => true,
}
include jenkins::cgroups
include ulimit
ulimit::conf { 'limit_jenkins_procs':
limit_domain => 'jenkins',
limit_type => 'hard',
limit_item => 'nproc',
limit_value => '256'
}
}
node /^precise.*\.slave\.openstack\.org$/ {
include openstack_project::puppet_cron include openstack_project::puppet_cron
class { 'openstack_project::slave': class { 'openstack_project::slave':
certname => 'precise.slave.openstack.org', certname => 'precise.slave.openstack.org',
ssh_key => $openstack_project::jenkins_ssh_key,
sysadmins => hiera('sysadmins'), sysadmins => hiera('sysadmins'),
} }
file { '/home/jenkins/.config/glance':
ensure => absent,
force => true,
recurse => true,
}
include jenkins::cgroups
include ulimit
ulimit::conf { 'limit_jenkins_procs':
limit_domain => 'jenkins',
limit_type => 'hard',
limit_item => 'nproc',
limit_value => '256'
}
} }
node /^oneiric.*\.slave\.openstack\.org$/ { node /^precise-dev\d+.*\.slave\.openstack\.org$/ {
include openstack_project
include openstack_project::puppet_cron include openstack_project::puppet_cron
class { 'openstack_project::slave': class { 'openstack_project::slave':
certname => 'oneiric.slave.openstack.org', ssh_key => $openstack_project::jenkins_dev_ssh_key,
sysadmins => hiera('sysadmins'), sysadmins => hiera('sysadmins'),
} }
file { '/home/jenkins/.config/glance':
ensure => absent,
force => true,
recurse => true,
}
include jenkins::cgroups
include ulimit
ulimit::conf { 'limit_jenkins_procs':
limit_domain => 'jenkins',
limit_type => 'hard',
limit_item => 'nproc',
limit_value => '256'
}
} }
node /^centos6-?\d+\.slave\.openstack\.org$/ {
node /^centos6.*\.slave\.openstack\.org$/ { include openstack_project
include openstack_project::puppet_cron include openstack_project::puppet_cron
class { 'openstack_project::slave': class { 'openstack_project::slave':
certname => 'centos6.slave.openstack.org', certname => 'centos6.slave.openstack.org',
ssh_key => $openstack_project::jenkins_ssh_key,
sysadmins => hiera('sysadmins'), sysadmins => hiera('sysadmins'),
} }
file { '/home/jenkins/.config/glance':
ensure => absent,
force => true,
recurse => true,
}
include jenkins::cgroups
include ulimit
ulimit::conf { 'limit_jenkins_procs':
limit_domain => 'jenkins',
limit_type => 'hard',
limit_item => 'nproc',
limit_value => '256'
}
} }
node /^centos6-dev\d+\.slave\.openstack\.org$/ {
node /^rhel6.*\.slave\.openstack\.org$/ { include openstack_project
include openstack_project::puppet_cron include openstack_project::puppet_cron
class { 'openstack_project::slave': class { 'openstack_project::slave':
certname => 'rhel6.slave.openstack.org', ssh_key => $openstack_project::jenkins_dev_ssh_key,
sysadmins => hiera('sysadmins'), sysadmins => hiera('sysadmins'),
} }
file { '/home/jenkins/.config/glance':
ensure => absent,
force => true,
recurse => true,
}
include jenkins::cgroups
include ulimit
ulimit::conf { 'limit_jenkins_procs':
limit_domain => 'jenkins',
limit_type => 'hard',
limit_item => 'nproc',
limit_value => '256'
}
} }
node /^.*\.jclouds\.openstack\.org$/ { node /^.*\.jclouds\.openstack\.org$/ {
class { 'openstack_project::bare_slave': class { 'openstack_project::bare_slave':
certname => 'jclouds.openstack.org', certname => 'jclouds.openstack.org',
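Review bot: The new node pattern `/^.*dev-.*\.template\.openstack\.org$/` is a subset of the existing `/^.*\.template\.openstack\.org$/` named in the hunk header just above it, so every dev template host matches both definitions. Puppet's documentation gives no guarantee about which of several matching regex node definitions is used, so a dev template may still receive `openstack_project::slave_template` instead of `dev_slave_template`, along with whatever key that class authorizes (not visible here). Making the older pattern exclude the dev names keeps the key separation deterministic, for example `node /^(?!.*dev-).*\.template\.openstack\.org$/ {`. The `precise` and `centos6` pairs further down are already disjoint, because `-?\d+` cannot match `-dev`.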


@ -10,6 +10,8 @@ class jenkins::master(
$ssl_cert_file_contents = '', # If left empty puppet will not create file. $ssl_cert_file_contents = '', # If left empty puppet will not create file.
$ssl_key_file_contents = '', # If left empty puppet will not create file. $ssl_key_file_contents = '', # If left empty puppet will not create file.
$ssl_chain_file_contents = '', # If left empty puppet will not create file. $ssl_chain_file_contents = '', # If left empty puppet will not create file.
$jenkins_ssh_private_key = '',
$jenkins_ssh_public_key = '',
) { ) {
include pip include pip
include apt include apt
@ -89,42 +91,11 @@ class jenkins::master(
ensure => present, ensure => present,
} }
# devstack-gate
if ! defined(Package['python-jenkins']) {
package { 'python-jenkins':
ensure => present,
}
}
package { 'jenkins': package { 'jenkins':
ensure => present, ensure => present,
require => Apt::Source['jenkins'], require => Apt::Source['jenkins'],
} }
package { 'apache-libcloud':
ensure => present,
provider => pip,
require => Class[pip],
}
package { 'git-review':
ensure => '1.18',
provider => pip,
require => Class[pip],
}
package { 'tox':
ensure => latest, # okay to use latest for pip
provider => pip,
require => Class[pip],
}
package { 'statsd':
ensure => latest, # okay to use latest for pip
provider => pip,
require => Class[pip],
}
exec { 'update apt cache': exec { 'update apt cache':
subscribe => File['/etc/apt/sources.list.d/jenkins.list'], subscribe => File['/etc/apt/sources.list.d/jenkins.list'],
refreshonly => true, refreshonly => true,
@ -139,6 +110,32 @@ class jenkins::master(
require => Package['jenkins'], require => Package['jenkins'],
} }
file { '/var/lib/jenkins/.ssh/':
ensure => directory,
owner => 'jenkins',
group => 'nogroup',
mode => '0700',
require => File['/var/lib/jenkins'],
}
file { '/var/lib/jenkins/.ssh/id_rsa':
owner => 'jenkins',
group => 'nogroup',
mode => '0600',
content => $jenkins_ssh_private_key,
replace => true,
require => File['/var/lib/jenkins/.ssh/'],
}
file { '/var/lib/jenkins/.ssh/id_rsa.pub':
owner => 'jenkins',
group => 'nogroup',
mode => '0644',
content => $jenkins_ssh_public_key,
replace => true,
require => File['/var/lib/jenkins/.ssh/'],
}
file { '/var/lib/jenkins/plugins': file { '/var/lib/jenkins/plugins':
ensure => directory, ensure => directory,
owner => 'jenkins', owner => 'jenkins',
@ -156,24 +153,32 @@ class jenkins::master(
file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.css': file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.css':
ensure => present, ensure => present,
owner => 'jenkins',
group => 'nogroup',
source => 'puppet:///modules/jenkins/openstack.css', source => 'puppet:///modules/jenkins/openstack.css',
require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
} }
file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.js': file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack.js':
ensure => present, ensure => present,
owner => 'jenkins',
group => 'nogroup',
content => template('jenkins/openstack.js.erb'), content => template('jenkins/openstack.js.erb'),
require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
} }
file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack-page-bkg.jpg': file { '/var/lib/jenkins/plugins/simple-theme-plugin/openstack-page-bkg.jpg':
ensure => present, ensure => present,
owner => 'jenkins',
group => 'nogroup',
source => 'puppet:///modules/jenkins/openstack-page-bkg.jpg', source => 'puppet:///modules/jenkins/openstack-page-bkg.jpg',
require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
} }
file { '/var/lib/jenkins/plugins/simple-theme-plugin/title.png': file { '/var/lib/jenkins/plugins/simple-theme-plugin/title.png':
ensure => present, ensure => present,
owner => 'jenkins',
group => 'nogroup',
source => "puppet:///modules/jenkins/${logo}", source => "puppet:///modules/jenkins/${logo}",
require => File['/var/lib/jenkins/plugins/simple-theme-plugin'], require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
} }
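Review bot: `File['/var/lib/jenkins/.ssh/id_rsa']` is managed unconditionally with `replace => true` while `$jenkins_ssh_private_key` defaults to `''`, so a caller that omits the parameter, or whose hiera lookup yields an empty value, gets an existing private key overwritten with an empty file. The SSL parameters just above are documented as "If left empty puppet will not create file"; the two key resources should follow the same rule by being wrapped in `if $jenkins_ssh_private_key != '' {` … `}`. The same empty default is repeated in `openstack_project::jenkins` and `openstack_project::jenkins_dev`. Because the content is a secret, it is also worth confirming that file diffs for this resource are kept out of agent logs and reports (`show_diff => false` where the Puppet version supports it). The body of `jenkins::master` continues outside these hunks.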


@ -0,0 +1,16 @@
# == Class: openstack_project::dev_slave_template
#
class openstack_project::dev_slave_template (
$install_users = true,
$ssh_key = $openstack_project::jenkins_dev_ssh_key
) inherits openstack_project {
class { 'openstack_project::template':
iptables_public_tcp_ports => [],
install_users => $install_users,
}
class { 'jenkins::slave':
ssh_key => $ssh_key,
sudo => true,
bare => true,
}
}
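Review bot: The class header is only `# == Class: openstack_project::dev_slave_template` and does not say what the class authorizes, even though it passes `sudo => true` together with the dev key to `jenkins::slave`. I would add a short header comment naming both parameters, for example `# $ssh_key: public key authorized for the jenkins user; defaults to the dev key, never the production one.` Presumably `sudo => true` gives that user root (the `jenkins::slave` class is not shown), in which case the holder of the matching private key controls every image built from this template; that belongs next to the default.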


@ -4,4 +4,6 @@ class openstack_project {
$jenkins_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVzWbrww7Q2oSXawjARz0QAh9Nzk899zKAj37no5jJEyv+2T6rWt1NSWm84TBywcifzu7p+j8rtOPJKNeHMID53rnMURX7MBCqBnpFeSb44KlV9Hno6Yl6J+dZFugXl6wxbuqpWicpFqu264SUupPdOw2SNQPqzQF01KNoj3KEYmvdSbvuzInlHWkRcFHSRuFKwXQCCKglpYDvRgajWGq8hKQ89SNa6hq7T7zfOJ8LHm4KD3tyWimSGuMgrAq9El3zzthsY/wymXCkUGccJuup/1/Z/QIOrhaf+lVoROhoVc2/nsZfmzX2RkLS/FZ+4RQAry15XkpCmmLZj9ldEPov hudson@hudson\n" $jenkins_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVzWbrww7Q2oSXawjARz0QAh9Nzk899zKAj37no5jJEyv+2T6rWt1NSWm84TBywcifzu7p+j8rtOPJKNeHMID53rnMURX7MBCqBnpFeSb44KlV9Hno6Yl6J+dZFugXl6wxbuqpWicpFqu264SUupPdOw2SNQPqzQF01KNoj3KEYmvdSbvuzInlHWkRcFHSRuFKwXQCCKglpYDvRgajWGq8hKQ89SNa6hq7T7zfOJ8LHm4KD3tyWimSGuMgrAq9El3zzthsY/wymXCkUGccJuup/1/Z/QIOrhaf+lVoROhoVc2/nsZfmzX2RkLS/FZ+4RQAry15XkpCmmLZj9ldEPov hudson@hudson\n"
$jenkins_dev_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbncCli/usVge5xB5t753zvYTNDO6TB32h14BdVjpcFXbXdh5MMKvf//BrTJxJNNVOClWmL1ERclJYNWi/klIHyQcuTtAETlO/0gNlO+RkTBthpjPoM8s7zcuiQ/Qi/kbb2LPLV0Id7G31BZOoZNSZNUmHF2PbSE4bB+t4kAzvoFbEHDPJkQ4KUIJy/+TLAZ+o7sxeGM6ndljzNo98h0tBCTXmLzYJ7VNEhRE+2aPf6ozOWGX7RFTvDnSV7SdN9fswmdQ1bxwQ9lUbBbrecuWpzj/PmD8thT3Y+NJyBCP/FCdc1FKL8OMZxeZFFrzainEsEhsSNd8fRIcG2IYqlnpB jenkins@jenkins-dev.openstack.org\n"
} }
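Review bot: Nothing next to `$jenkins_dev_ssh_key` (or the existing `$jenkins_ssh_key`) says which private key it pairs with, and after this commit the same string serves both as the authorized key on slaves and as `id_rsa.pub` on the master. A comment above each variable would make rotation safer, for example `# Public half of hiera('jenkins_dev_ssh_private_key_contents'); rotate both together.` The trailing `\n` inside the double-quoted string is part of the value and is easy to drop when a key is replaced, so the comment could mention that as well.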


@ -6,8 +6,11 @@ class openstack_project::jenkins (
$ssl_cert_file_contents = '', $ssl_cert_file_contents = '',
$ssl_key_file_contents = '', $ssl_key_file_contents = '',
$ssl_chain_file_contents = '', $ssl_chain_file_contents = '',
$jenkins_ssh_private_key = '',
$sysadmins = [] $sysadmins = []
) { ) {
include openstack_project
$iptables_rule = '-m state --state NEW -m tcp -p tcp --dport 8888 -s logstash.openstack.org -j ACCEPT' $iptables_rule = '-m state --state NEW -m tcp -p tcp --dport 8888 -s logstash.openstack.org -j ACCEPT'
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
@ -27,6 +30,8 @@ class openstack_project::jenkins (
ssl_cert_file_contents => $ssl_cert_file_contents, ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents, ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents, ssl_chain_file_contents => $ssl_chain_file_contents,
jenkins_ssh_private_key => $jenkins_ssh_private_key,
jenkins_ssh_public_key => $openstack_project::jenkins_ssh_key,
} }
if $manage_jenkins_jobs == true { if $manage_jenkins_jobs == true {
@ -49,6 +54,9 @@ class openstack_project::jenkins (
file { '/etc/default/jenkins': file { '/etc/default/jenkins':
ensure => present, ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/openstack_project/jenkins/jenkins.default', source => 'puppet:///modules/openstack_project/jenkins/jenkins.default',
} }
} }


@ -1,6 +1,7 @@
# == Class: openstack_project::jenkins_dev # == Class: openstack_project::jenkins_dev
# #
class openstack_project::jenkins_dev ( class openstack_project::jenkins_dev (
$jenkins_ssh_private_key = '',
$sysadmins = [] $sysadmins = []
) { ) {
class { 'openstack_project::server': class { 'openstack_project::server':
@ -19,5 +20,7 @@ class openstack_project::jenkins_dev (
ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem', ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key', ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
ssl_chain_file => '', ssl_chain_file => '',
jenkins_ssh_private_key => $jenkins_ssh_private_key,
jenkins_ssh_public_key => $openstack_project::jenkins_dev_ssh_key,
} }
} }
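Review bot: `jenkins_ssh_public_key => $openstack_project::jenkins_dev_ssh_key` reads a variable from class `openstack_project`, but the first hunk shows the body going straight from `) {` to `class { 'openstack_project::server':` with no `include openstack_project`, unlike `openstack_project::jenkins`, which gains that include in this same commit. If nothing earlier in the catalog has evaluated `openstack_project` (possibly `openstack_project::server` does; it is not visible here), the variable resolves to undef and `id_rsa.pub` is written empty. Adding `include openstack_project` as the first statement of the class body removes the dependency on evaluation order.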


@ -3,6 +3,7 @@
class openstack_project::slave ( class openstack_project::slave (
$bare = false, $bare = false,
$certname = $::fqdn, $certname = $::fqdn,
$ssh_key = '',
$sysadmins = [] $sysadmins = []
) { ) {
include openstack_project include openstack_project
@ -15,9 +16,17 @@ class openstack_project::slave (
} }
class { 'jenkins::slave': class { 'jenkins::slave':
bare => $bare, bare => $bare,
ssh_key => $openstack_project::jenkins_ssh_key, ssh_key => $ssh_key,
} }
class { 'salt': class { 'salt':
salt_master => 'ci-puppetmaster.openstack.org', salt_master => 'ci-puppetmaster.openstack.org',
} }
include jenkins::cgroups
include ulimit
ulimit::conf { 'limit_jenkins_procs':
limit_domain => 'jenkins',
limit_type => 'hard',
limit_item => 'nproc',
limit_value => '256'
}
} }
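Review bot: With `$ssh_key = ''` as the default, any node that declares `openstack_project::slave` without the new parameter now hands an empty key to `jenkins::slave`, where it previously always received `$openstack_project::jenkins_ssh_key`. The site manifest in this commit updates the `precise` and `centos6` nodes, but other declarations (for example `pypi.slave.openstack.org`, visible only as a hunk header) cannot be checked from here. Failing loudly is safer than silently installing an empty authorized key: `if $ssh_key == '' { fail('openstack_project::slave: ssh_key must be set') }`. The class body between the two hunks is not shown.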