system-config/doc/source/jenkins.rst
Robert Collins 32f42c745f Document Jenkins slave management.
This is correct-but-incomplete as I understand it: nodepool is not yet covered.

Change-Id: Ib45cdb94f876e51bd7c01aecad70f470923d9b52
2013-09-23 17:27:22 -04:00

Jenkins

Jenkins is a Continuous Integration system that runs tests and automates some parts of project operations. It is controlled for the most part by zuul, which determines which jobs are run and when.

At a Glance

Hosts
Puppet
  • modules/jenkins
  • modules/openstack_project/manifests/jenkins.pp
  • modules/openstack_project/manifests/jenkins_dev.pp
Configuration
  • modules/openstack_project/files/jenkins_job_builder/config/
Projects
Bugs
Resources
  • zuul
  • jjb

Overview

A large number and variety of jobs are defined in Jenkins. The configuration of all of those jobs is stored in git in the openstack-infra/config repository. They are defined in YAML files that are read by jjb which configures the actual jobs in Jenkins.

Anyone may submit a change to the openstack-infra/config repository that defines a new job or alters an existing job by editing the appropriate YAML files. See jjb for more information.

Because of the large number of builds that Jenkins executes, the OpenStack project favors the following approach in configuring Jenkins jobs:

  • Minimal use of plugins: the more post-processing work that Jenkins needs to perform on a job, the more likely we are to run into compatibility problems among plugins, and contention for shared resources on the Jenkins master. A number of popular plugins will cause all builds of a job to be serialized even if the jobs otherwise run in parallel.
  • Minimal build history: Jenkins stores build history in individual XML files on disk, and accessing a large build history can cause the Jenkins master to be unresponsive for a significant time while loading them. It also increases memory usage. Instead, we generally keep no more than a day's worth of builds.
  • Move artifacts off of Jenkins: Jenkins is not efficient at serving static information such as build artifacts (e.g., tarballs) or logs. Instead, we copy them to a static webserver which is far more efficient.

Authorization

Jenkins is set up to use OpenID in a Single Sign On mode with Launchpad. This means that all of the user and group information is managed via Launchpad users and teams. In the Jenkins Security Matrix, a Launchpad team name can be specified and any members of that team will be granted those permissions. However, because of the way the information is processed, a user must log in again after a change to either their team membership on Launchpad or that team's authorization in Jenkins before the new privileges take effect.

Devstack Gate

OpenStack integration testing is performed by the devstack gate test framework. This framework runs the devstack exercises and Tempest smoketests against a devstack install on single use cloud servers. The devstack gate source can be found on git.openstack.org and the Readme describes the process of using devstack gate to run your own devstack based tests.

The devstack-gate project is used to maintain a pool of Jenkins slaves that are used to run these tests. Devstack-gate jobs create and delete Jenkins slaves as needed in order to maintain the pool.

Sysadmin

Jenkins is largely hidden, and has no sensitive data exposed publicly, so we use self-signed certs for Jenkins masters.

After bringing up a jenkins node (16G memory instance if you use the stock jenkins.default) with puppet, log in and configure Jenkins by hand:

  1. Configure the site so it knows its correct URL (Jenkins URL in global config). This is needed to complete an SSO sign-in.
  2. Configure the OpenID plugin for your SSO site (e.g. Launchpad)
  3. Do not set CSRF protection - that breaks Jenkins job builder.
  4. Login.
  5. Set up matrix security: add the 'authenticated' pseudo user and grant Admin access to your own user.
  6. Set up one account per http://ci.openstack.org/jenkins-job-builder/installation.html#configuration-file and grab the API token for it.
  7. Configure the number of executors you want on the Jenkins Master (e.g. 1)
  8. Configure a maven environment (if you have Maven projects to test).
  9. Enable the gearman plugin globally. Your gearman server is zuul.$project. If Test Connection fails, do a puppet run (puppet agent --test) on the zuul machine, as gearman wouldn't have started with no workers configured.
  10. Configure the timestamper plugin. E.g. to '<b>'yyyy-MM-dd HH:mm:ss'</b> '
  11. Enable the zmq plugin globally if it is visible. No settings were visible when writing this doc.
  12. You will configure global scp and ftp credentials for static and docs sites respectively later, but as we haven't set up those sites yet, that's not possible :).

Puppet takes care of the rest.
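
An added example (not part of the openstack-infra documentation or code): a Python check that reads a master's config.xml and reports where it departs from steps 3, 5 and 7 above. The config.xml element names and the `permission:sid` entry format are assumed from the Jenkins matrix-authorization layout; the sample document and the `example-admin` identity are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a master's config.xml (not from a real host).
SAMPLE_CONFIG = """<hudson>
  <numExecutors>1</numExecutors>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:https://launchpad.net/~example-admin</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer"/>
</hudson>"""

ADMINISTER = "hudson.model.Hudson.Administer"
PSEUDO_SIDS = {"anonymous", "authenticated"}

def parse_matrix(root):
    """Return {sid: {permission ids}} from the matrix authorization strategy."""
    grants = {}
    for node in root.findall("authorizationStrategy/permission"):
        # Permission ids contain no ':', but an OpenID sid is a URL and does,
        # so split on the first colon only.
        perm, _, sid = (node.text or "").strip().partition(":")
        if perm and sid:
            grants.setdefault(sid, set()).add(perm)
    return grants

def audit(config_xml):
    """Check a config.xml against steps 3, 5 and 7 of the procedure above."""
    root = ET.fromstring(config_xml)
    grants = parse_matrix(root)
    admins = sorted(sid for sid, perms in grants.items() if ADMINISTER in perms)
    findings = []
    if root.findtext("useSecurity", "false").strip() != "true":
        findings.append("security is disabled, so the matrix is not enforced")
    if "authenticated" not in grants:
        findings.append("step 5: 'authenticated' pseudo user has no matrix entry")
    for sid in admins:
        if sid in PSEUDO_SIDS:
            findings.append(f"step 5: {sid} holds Administer, not a named user or team")
    if not set(admins) - PSEUDO_SIDS:
        findings.append("step 5: no named user or team holds Administer")
    if root.find("crumbIssuer") is not None:
        findings.append("step 3: CSRF crumb issuer is set (breaks Jenkins job builder per this page)")
    executors = int(root.findtext("numExecutors", "0"))
    return {"admins": admins, "executors": executors, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run against the constructed sample, the check reports one finding, for the crumb issuer that step 3 says to leave unset.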

Quirks

Note that Jenkins talks to its slaves via ssh; the modules/openstack_project/manifests/init.pp file contains the ssh public key that puppet installs on the slaves.

Slaves

Statically provisioned slaves have labels (e.g. centos6) assigned by hand, and are added to a chosen Jenkins master by hand. Adding a slave is then:

  1. Launch a slave
  2. Add it to Jenkins. Add your Jenkins master key for the credentials (make it global, one-time operation). Set the Jenkins home to /home/jenkins
  3. Set appropriate labels on it
  4. Profit!