The CentOS Project has some resources available for each SIG to run some CI jobs/tests for their projects. We'll document soon how to get onboarded (on request) on the CentOS CI infra platform.
We offer the following resources :
metal
but in limited quantity) ephemeral nodes on which you can run some tests (including destructive ones), that will be automatically be discarded after tests are finished - aka Duffy
We provide access to an Openshift cluster, hosted (actually) next to the Duffy ephemeral nodes infra. Once Infra ticket/request is validated you'll be granted access (through ACO/FAS account) to a namespace on that cluster.
The openshift cluster is linked/tied to accounts.centos.org so it will be using SSO to let you login (no need for additional credentials)
One can use the web console to interact with deployed pods, see openshift logs, and also eventually interact with terminal on running pods.
But it's also possible to download the oc
cli tool and so interact with openshift from cli. Don't forget that for that to work, you need first to login through web console and then you'll have a copy login command
under your user name (top left corner) , that will basically take you to oauth token display.
You can just copy that command in your own terminal (be sure to have up2date oc binary !) and start interacting with openshift
We provide a Jenkins template that can be provisioned for you automatically. It's using the jenkins image from openshift catalog but we modified it with some extra parameters : Deployed jenkins will be able to launch ephemeral pods as jenkins executor (nothing should run on the jenkins pod itself)
For that you need to configure your job to use the cico-workspace
label, as that will be automatically trigger a pod deployment in openshift from a template (cico-workspace)
That environment pod is using a centos 8-stream based container, that will automatically connect to jenkins as "agent" and also contains the following tools :
That pod will mount the ssh private key used for your project under /duffy-ssh-key/ssh-privatekey (see ssh_config) and also have the CICO_API_KEY
env variable set up to request duffy v2 nodes
From that point, it's up to you to :
Note
As a test job, to "play" with the concept, you can just configure a simple "Freestyle project" that would just run "/bin/bash" (so that jenkins job continue to run in background) , and from Openshift console, you can take the pod terminal to explore it and try things.
Duffy is the middle layer running ci.centos.org that manages the provisioning, maintenance and teardown / rebuild of the Nodes (physical hardware and VMs) that are used to run the tests in the CI Cluster.
We provide both bare-metal and VMs and support the following architectures :
The EC2 instances are also provisioned with a second EBS volume (unconfigured) that you can then init the way you want (requested initially by Ceph for their own testing)
To be able to request ephemeral nodes to run your tests, you'll need both your project
name and api key
that will be generated for you once your project will have be allowed on that Infra.
Note
It's worth knowing that there are quotas in place to ensure that you can't request infinite number of nodes in parallel and each session
has a maximum lifetime of 6h. After that your nodes are automatically reclaimed by Duffy and are freshly reinstalled and put back in the Ready pool.
Use pip
(or pip3.8
on el8) to install duffy client. (already installed in cico-workspace
pod template in openshift so not needed there)
pip install --user duffy[client]
Duffy client needs the tenant's name and the tenant's API key to be able to request sessions from duffy server. If the tenant doesn't exist yet, it should be created in duffy server. Having the tenant's name and the tenant's API key, create the file .config/duffy
with the following content.
client: url: https://duffy.ci.centos.org/api/v1 auth: name: <tenant name> key: <API key>
One can also call duffy client
without any existing config file (if you want to):
duffy client --url https://duffy.ci.centos.org/api/v1 --auth-name <tenant_name> --auth-key $CICO_API_KEY <command>
Danger
never leak your API key so if you use this command from within jenkins, by default jenkins is using set -x
so outputing/echoing commands. So don't forget to use set +x
before the duffy call (or else).
Before creating a session, the name of the pool is required. Check the pool available executing the command.
duffy client list-pools
Note
The name of the pool is structured like this:
<AAA>-<BBB>-<CCC>-<DDD>-<EEE>-<FFF>
Having the name of the pool, request how many sessions needed. Duffy has a limit of sessions per tenant, this information is available in the duffy server.
Worth knowing that one can also see current pool usage and machines in ready
state, etc, by querying specific pool. Example:
duffy client show-pool virt-ec2-t2-centos-9s-x86_64 { "action": "get", "pool": { "name": "virt-ec2-t2-centos-9s-x86_64", "fill_level": 5, "levels": { "provisioning": 0, "ready": 5, "contextualizing": 0, "deployed": 0, "deprovisioning": 0 } } }
To then request some nodes from a pool one can use the following duffy call :
duffy client request-session pool=<name of the pool>,quantity=<number of machines to get>
By default this command outputs a json, but it's possible to change the format to yaml or flat using --format
. Under "node" key it's possible to find the node's hostname provisioned. Log in to it as root
user, using ssh
.
{ <...output ommited...> "nodes": [ { "hostname": "<hostname>", "ipaddr": "<ip address>", <...output ommited...> }
At the end of the test, you should "return" your ephemeral nodes to Duffy API service. This will trigger either a reinstall of the physical node (through kickstart) or just discarding/terminating it (if that's a cloud instance)
To retire a session, the session id is required. Check the id executing.
duffy client list-sessions
When needed to retire the session execute the command.
duffy client retire-session <session id>
There is a artifacts storage box that you can use to store ephemeral artifacts (logs, build, etc). It's publicly available as https://artifacts.ci.centos.org.
How can you push to that storage box ?
Each tenant will have a dedicated directory (owned by them) under /srv/artifacts.
You can use your project name as user and your project ssh keypair to push through ssh (rsync, scp) to ssh://tenant_name
@artifacts.ci.centos.org:/srv/artifacts/tenant_name
Worth knowing that while you can push through ssh, there is no allowed shell for you on that storage box, so use scp or rsync directly from the jenkins pod that has your private key to push to that storage box
Warning
We'll implement some rotation to clean-up used space on that machine on regular basis, so don't expect pushed files to remain available forever !
In case you want to migrate your old jenkins configuration to new CI instance follow this guide.
Copy login command
oc project <project_name>
(you should already be on correct project, but it's better to check)oc rsync <pod_name>:/var/lib/jenkins/jobs <target_directory>
(you can find the jenkins pod name with oc get pods|grep jenkins
)Note
Usually you want to only migrate jobs, but if you need any other configuration file, just
do oc rsh <pod_name>
and look inside /var/lib/jenkins
for all configuration files.
Just be aware that some of the files could contain IP or hostname that will no longer work
in new CI instance.
Copy login command
oc project <project_name>
(you should already be on correct project, but it's better to check)oc rsync jobs <pod_name>:/var/lib/jenkins
https://jenkins-<project_name>.apps.ocp.cloud.ci.centos.org
)Manage Jenkins
page click on Reload Configuration from Disk
Now you should have your old configuration available in new Jenkins instance.
Warning
This migration doesn't migrate any credentials from the old Jenkins instance. Those needs to be
migrated manually, because those are not stored in /var/lib/jenkins
.