Skip to content

Commit

Permalink
jenkins/cloud: Stop binding /srv, use workspace
Browse files Browse the repository at this point in the history
Just use $WORKSPACE for the images - it'll be naturally namespaced
by our job and lifecycled with it.

Note I tried *really* really hard to also drop `--privileged` but
the problem is the usage of bwrap drags us into unprivileged
nested containers.

One downside is we'll be rsyncing in the images on each job
invocation, but I'll work on a fix for that later.
  • Loading branch information
cgwalters committed Aug 7, 2018
1 parent a2176b2 commit e6f7942
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 6 deletions.
23 changes: 17 additions & 6 deletions Jenkinsfile.cloud
Original file line number Diff line number Diff line change
@@ -1,14 +1,21 @@
def TIMER = "H H/3 * * *"
def NODE = "rhcos-jenkins"
def DOCKER_IMG = "quay.io/cgwalters/coreos-assembler"
def DOCKER_ARGS = "-v /srv:/srv --privileged --device /dev/kvm"
// Disable seccomp so we can use bwrap internally,
// and also use spc_t to work around SELinux. See
// https://github.com/projectatomic/rpm-ostree/pull/1332
// and add KVM for virt-install. Otherwise no privileges
// or host mounts.
// def DOCKER_ARGS = "--security-opt label=type:spc_t --security-opt seccomp=unconfined --device /dev/kvm"
// TODO: Actually just stay privileged, this almost works but
// I am hitting an EPERM with bwrap --proc proc, and if I --bind /proc /proc
// then all the PIDs are wrong.
def DOCKER_ARGS = "--privileged --device /dev/kvm"

// Are there really other regions? We're sending explorers to find out
def AWS_REGION = "us-east-1"

// this var conveniently refers to a location on the server as well as the
// local dir we sync to/from
def images = "/srv/rhcos/output/images"
def remote_images = "/srv/rhcos/output/images"

def ref = "openshift/3.10/x86_64/os";

Expand All @@ -23,6 +30,8 @@ node(NODE) {

docker.image(DOCKER_IMG).pull()
docker.image(DOCKER_IMG).inside(DOCKER_ARGS) {
def images = "${WORKSPACE}/images";

stage("Clone qcow2-to-vagrant") {
// I tried to use git() but not sure where that went, it isn't the workspace
sh('git clone https://github.com/cgwalters/qcow2-to-vagrant')
Expand All @@ -34,7 +43,7 @@ node(NODE) {
sshUserPrivateKey(credentialsId: params.ARTIFACT_SSH_CREDS_ID, keyFileVariable: 'KEY_FILE'),
]) {
sh "mkdir -p ${images}"
utils.rsync_dir_in(ARTIFACT_SERVER, KEY_FILE, images)
utils.rsync_dir_in_dest(ARTIFACT_SERVER, KEY_FILE, remote_images, images)
}

// Also initialize an ostree repo for change detection
Expand Down Expand Up @@ -87,6 +96,8 @@ node(NODE) {
stage("Running coreos-virt-install") { sh """
chmod a+rw /dev/kvm
setfacl -m u:builder:rwX ${WORKSPACE}
# TODO use --unshare-user; this breaks setgroups() though, see
# https://lwn.net/Articles/626665/
bwrap --bind / / --dev-bind /dev /dev --proc /proc --unshare-pid runuser -u builder -- coreos-virt-install --dest ${image} --create-disk \
--console-log-file ${WORKSPACE}/rhcos-qcow2-install.txt \
--wait=25 --kickstart cloud.ks --location "${INSTALLER_TREE_URL}"
Expand Down Expand Up @@ -227,7 +238,7 @@ node(NODE) {
string(credentialsId: params.ARTIFACT_SERVER, variable: 'ARTIFACT_SERVER'),
sshUserPrivateKey(credentialsId: params.ARTIFACT_SSH_CREDS_ID, keyFileVariable: 'KEY_FILE'),
]) {
utils.rsync_dir_out(ARTIFACT_SERVER, KEY_FILE, images)
utils.rsync_dir_out_dest(ARTIFACT_SERVER, KEY_FILE, images, remote_images)
}
} }
par_stages["s3-upload"] = { -> stage("S3 upload") {
Expand Down
8 changes: 8 additions & 0 deletions pipeline-utils.groovy
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,14 @@ def rsync_dir_out(server, key, dir) {
rsync_dir(key, dir, "${server}:${dir}")
}

def rsync_dir_in_dest(server, key, srcdir, destdir) {
rsync_dir(key, "${server}:${srcdir}", destdir)
}

def rsync_dir_out_dest(server, key, srcdir, destdir) {
rsync_dir(key, srcdir, "${server}:${destdir}")
}

def rsync_dir(key, from_dir, to_dir) {
sh """
rsync -Hrlpt --stats --delete --delete-after \
Expand Down

0 comments on commit e6f7942

Please sign in to comment.