8 changes: 5 additions & 3 deletions ceph-dev-pipeline/build/Jenkinsfile
Expand Up @@ -360,7 +360,8 @@ pipeline {
}
stage("builder container") {
environment {
CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci')
// Use quay-int.front cred if cve-pipeline, otherewise default to quay.ceph.io cred
CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}")
DOCKER_HUB_CREDS = credentials('dgalloway-docker-hub')
}
when {
Expand Down Expand Up @@ -591,7 +592,7 @@ pipeline {
export OS_VERSION="${os.version}"
export OS_VERSION_NAME="${os.version_name}"
export OS_PKG_TYPE="${os.pkg_type}"
if [ "$THROWAWAY" != "true" ]; then ./scripts/chacra_upload.sh; fi
if [ "$THROWAWAY" != "true" ] && [ "$CHACRA_UPLOAD" == "true" ]; then ./scripts/chacra_upload.sh; fi
"""

sh """#!/bin/bash
Expand All @@ -605,6 +606,7 @@ pipeline {
export FLAVOR="${env.FLAVOR}"

./scripts/pulp_upload.sh
./scripts/notify_shaman_pulp_repo.sh ready ceph ${os.name} ${os.version_name} $ARCH https://pulp.front.sepia.ceph.com/pulp/content/repos/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/

can we find a way to just use spec_project_url ?

else
echo "Skipping pulp upload because PULP_UPLOAD=$PULP_UPLOAD"
fi
Expand All @@ -631,7 +633,7 @@ pipeline {
expression { env.CI_CONTAINER == 'true' && container_distros.contains(env.DIST) }
}
environment {
CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci')
CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}")
}
steps {
script {
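Review bot: The chacra upload gate `if [ "$THROWAWAY" != "true" ] && [ "$CHACRA_UPLOAD" == "true" ]; then ./scripts/chacra_upload.sh; fi` in the second hunk relies only on a user-settable parameter, yet cve-pipeline.yml in this PR still exposes CHACRA_UPLOAD with the description "DO NOT CHECK", so a single mis-click would push private CVE packages to the public chacra instance. Since this commit already branches on `env.JOB_NAME == 'cve-pipeline'` for CONTAINER_REPO_CREDS in the first and last hunks, the upload step could refuse under the same condition, e.g. `if [ "$JOB_NAME" = "cve-pipeline" ] && [ "$CHACRA_UPLOAD" = "true" ]; then echo "refusing chacra upload from cve-pipeline" >&2; exit 1; fi` placed before the existing line. That credential ternary is now duplicated verbatim in two stage-level environment blocks; one pipeline-level variable would keep them from drifting. The new comment also misspells "otherwise" as "otherewise". All four hunks sit inside stage bodies that begin and end outside the hunks.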
7 changes: 6 additions & 1 deletion ceph-dev-pipeline/config/definitions/ceph-dev-pipeline.yml
Expand Up @@ -56,14 +56,19 @@

- bool:
name: THROWAWAY
description: "Whether to push any binaries to Chacra"
description: "Whether to push any binaries to Chacra or Pulp. Overrides CHACRA_UPLOAD and PULP_UPLOAD if either are true."
default: false

- bool:
name: FORCE
description: "Whether to push new binaries to Chacra if some are already present"
default: false

- bool:
name: CHACRA_UPLOAD
description: "Whether to upload packages to Chacra"
default: true

- bool:
name: PULP_UPLOAD
description: "Whether to upload packages to Pulp"
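Review bot: The new THROWAWAY description `"Whether to push any binaries to Chacra or Pulp. Overrides CHACRA_UPLOAD and PULP_UPLOAD if either are true."` reads as if the two upload flags override THROWAWAY, while the Jenkinsfile in this PR tests `"$THROWAWAY" != "true"` first, so it is THROWAWAY that wins. Something like `description: "When true, nothing is pushed to Chacra or Pulp, even if CHACRA_UPLOAD or PULP_UPLOAD is set"` states the precedence unambiguously; the identical string in cve-pipeline.yml should change with it. The parameter list this hunk belongs to starts and ends outside the hunk.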
133 changes: 133 additions & 0 deletions cve-pipeline/config/definitions/cve-pipeline.yml
@@ -0,0 +1,133 @@
- job:
name: cve-pipeline
properties:
- authorization:
inheritance-strategy: none
GROUP:ceph*security:
- job-read
- job-discover
- job-build
- job-cancel
- job-configure
- job-workspace
- run-replay
- run-update
- run-delete
- scm-tag
description: |
This Jenkins pipeline is only used to develop CVE fixes. Its differences are:
- The job itself is not public-facing. It does not inherit the RBAC under https://jenkins.ceph.com/manage/configureSecurity/
- ceph-dev-pipeline pushes to the internal/private pulp instance instead of a public chacra instance
project-type: pipeline
quiet-period: 1
concurrent: true
pipeline-scm:
scm:
- git:
url: https://github.com/ceph/ceph-build
branches:
- ${{CEPH_BUILD_BRANCH}}
shallow-clone: true
submodule:
disable: true
wipe-workspace: true
script-path: ceph-dev-pipeline/build/Jenkinsfile
lightweight-checkout: true
do-not-fetch-tags: true

parameters:
- string:
name: BRANCH
description: "The branch from ceph-private.git to build"
default: main

- choice:
name: SHA1
description: "Intentionally blank. ceph-dev-pipeline requires this"
choices:
- ''

- choice:
name: CEPH_REPO
choices:
- git@github.com:ceph/ceph-private.git

- string:
name: DISTROS
description: "A list of distros to build for. Available options are: centos9, noble, jammy, bookworm, trixie"
default: "noble centos9 bookworm trixie"

- string:
name: ARCHS
description: "A list of architectures to build for. Available options are: x86_64, and arm64"
default: "x86_64 arm64"

- bool:
name: CI_COMPILE
description: "Whether to compile and build packages"
default: true

- bool:
name: THROWAWAY
description: "Whether to push any binaries to Chacra or Pulp. Overrides CHACRA_UPLOAD and PULP_UPLOAD if either are true."
default: false

- bool:
name: CHACRA_UPLOAD
description: "DO NOT CHECK"
default: false

- bool:
name: PULP_UPLOAD
description: "If you want packages, this must be true. We do not push to chacra for CVE builds."
default: true

- choice:
name: FLAVORS
choices:
- default

- bool:
name: CI_CONTAINER
description: "Whether to build and push container images"
default: true

- string:
name: CONTAINER_REPO_HOSTNAME
description: "FQDN of container repo server (e.g. 'quay.io')"
default: "quay-int.front.sepia.ceph.com"

- string:
name: CONTAINER_REPO_ORGANIZATION
description: "Name of container repo organization (e.g. 'ceph-ci')"
default: "ceph-ci"

- bool:
name: DWZ
description: "Use dwz to make debuginfo packages smaller"
default: false

- bool:
name: SCCACHE
description: "Use sccache to speed up compilation"
default: true

- string:
name: SETUP_BUILD_ID
description: "Reuse the source distribution from this cve-source-dist build instead of creating a new one"
default: ""

- choice:
name: SETUP_JOB
choices:
- cve-source-dist

- string:
name: CEPH_BUILD_BRANCH
description: "Use the Jenkinsfile from this ceph-build branch"
default: main

wrappers:
- build-name:
name: "#${{BUILD_NUMBER}} ${{BRANCH}}, ${{VERSION}}"
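Review bot: The CHACRA_UPLOAD parameter's description `"DO NOT CHECK"` gives the operator no reason, and the only thing keeping a CVE build off the public chacra instance is that this box stays unticked; `description: "Must stay false: CVE builds are never pushed to the public chacra instance (pulp only)"` at least says why. The authorization block grants the GitHub team job-configure and run-replay alongside job-build, which lets any team member edit or replay the pipeline script that runs with this job's bound credentials (quay-int-login in the Jenkinsfile); if that is intended it deserves a comment next to the grant, otherwise those two entries could be dropped so the team is limited to running builds. The THROWAWAY description repeats the ambiguous "Overrides ... if either are true" wording from ceph-dev-pipeline.yml and should be reworded together with it.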

78 changes: 78 additions & 0 deletions cve-source-dist/config/definitions/cve-source-dist.yml
@@ -0,0 +1,78 @@
- job:
name: cve-source-dist
description: This job is only called from https://jenkins.ceph.com/job/cve-pipeline. The entire job and its artifacts are only visible to the ceph/security Github Team.
project-type: pipeline
concurrent: true
pipeline-scm:
scm:
- git:
url: https://github.com/ceph/ceph-build
branches:
- ${{CEPH_BUILD_BRANCH}}
shallow-clone: true
submodule:
disable: true
wipe-workspace: true
script-path: ceph-source-dist/build/Jenkinsfile
lightweight-checkout: true
do-not-fetch-tags: true
properties:
- build-discarder:
days-to-keep: -1
num-to-keep: 100
artifact-days-to-keep: -1
artifact-num-to-keep: 50
- copyartifact:
projects: cve-pipeline
- authorization:
inheritance-strategy: none
GROUP:ceph*security:
- job-read
- job-discover
- job-build
- job-cancel
- job-configure
- job-workspace
- run-replay
- run-update
- run-delete
- scm-tag

parameters:
- choice:
name: CEPH_REPO
choices:
- git@github.com:ceph/ceph-private.git

- string:
name: BRANCH
description: "The Ceph branch to build"

- string:
name: SHA1
description: "The specific commit to build"

- string:
name: CEPH_BUILD_BRANCH
description: "Use the Jenkinsfile from this ceph-build branch"
default: main

scm:
- git:
url: ${{CEPH_REPO}}
# Use the SSH key attached to the ceph-jenkins GitHub account.
credentials-id: "jenkins-build"
branches:
- $BRANCH
timeout: 20
skip-tag: true
wipe-workspace: true

wrappers:
- inject-passwords:
global: true
mask-password-params: true
- credentials-binding:
- text:
credential-id: shaman-api-key
variable: SHAMAN_API_KEY
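Review bot: BRANCH and SHA1 are string parameters with no `default:`, and the scm block checks out `- $BRANCH`, so an empty BRANCH only surfaces as a git error at checkout rather than at parameter validation; `description: "The Ceph branch to build (required)"` or a sensible default makes the contract visible. `inject-passwords` with `global: true` exposes every global Jenkins password to this job's environment while `credentials-binding` already scopes the one key it needs; if ceph-source-dist/build/Jenkinsfile (outside this diff) does not use the global ones, dropping `global: true` reduces what a build of this job can read. SHA1 is described as the commit to build but nothing in this definition ties the checkout to it; presumably the Jenkinsfile does, which is worth stating in its description.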
65 changes: 65 additions & 0 deletions scripts/notify_shaman_pulp_repo.sh
@@ -0,0 +1,65 @@
#!/bin/bash
# vim: ts=4 sw=4 expandtab

submit_repo_status() {

# A helper script to post (create) the status of a repo in shaman.
# 'state' is the repo status (e.g. 'ready').
# 'project' is used to post to the right url in shaman.
# shaman keys repos by 'chacra_url' and builds Arch rows from the 'archs'
# list, so the arch must be sent as a JSON array (not 'distro_arch').
http_method=$1
state=$2
project=$3
distro=$4
distro_version=$5
arch=$6
url=$7

# RPM builds also ship source RPMs (the SRPMS/ subdir), so advertise a
# "source" arch to shaman alongside the binary arch, mirroring chacra.
# Binary debs have no corresponding source repo. OS_PKG_TYPE is exported
# by the calling Jenkins step.
archs="\"$arch\""
if [ "$OS_PKG_TYPE" = "rpm" ]; then
archs="${archs},\"source\""
fi

# package_manager_version is computed by pulp_upload.sh (a separate
# process) and handed off via this file in the shared workspace.
PACKAGE_MANAGER_VERSION=""
if [ -r "$WORKSPACE/pulp_repo_info" ]; then
source "$WORKSPACE/pulp_repo_info"
fi

is it an error not to have a PACKAGE_MANAGER_VERSION? How does this synchronize?

It gets written here: https://github.com/ceph/ceph-build/pull/2614/changes/BASE..045d140e7cc55c72739aef8c6fbf3af18d7ac860#diff-e43616de828404d15446d65b52a9351b6042eefe915702c04074e6b674e46d71R424-R425.

pulp_upload.sh runs immediately before notify_shaman_pulp_repo.sh in the same step:

./scripts/pulp_upload.sh
./scripts/notify_shaman_pulp_repo.sh ready ceph ${os.name} ${os.version_name} $ARCH https://pulp.front.sepia.ceph.com/pulp/content/repos/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/

OK. So maybe mention in a comment "PACKAGE_MANAGER_VERSION is set in this file I'm about to source" and have an error condition in case it doesn't arrive for whatever reason, just to harden it a bit. Two scripts changing independently are easier to break in future


cat > $WORKSPACE/repo_status.json << EOF
{
"url":"$url",
"chacra_url":"$url",
"status":"$state",
"distro":"$distro",
"distro_version":"$distro_version",
"archs":[$archs],
"ref":"$BRANCH",
"sha1":"$SHA1",
"flavor":"$FLAVOR",
"extra":{
"version":"$CEPH_VERSION",
"package_manager_version":"$PACKAGE_MANAGER_VERSION",
"build_url":"$BUILD_URL",
"root_build_cause":"$ROOT_BUILD_CAUSE",
"node_name":"$NODE_NAME",
"job_name":"$JOB_NAME"
}
}
EOF

SHAMAN_URL="https://shaman.ceph.com/api/repos/$project/"
# post the repo information as JSON to shaman
curl -X $http_method -H "Content-Type:application/json" --data "@$WORKSPACE/repo_status.json" -u $SHAMAN_API_USER:$SHAMAN_API_KEY ${SHAMAN_URL}
}

# If the script is executed (as opposed to sourced), run the function now
if [ "$(basename -- "${0#-}")" = "$(basename -- "${BASH_SOURCE}")" ]; then
submit_repo_status "POST" "$@"
fi
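Review bot: The final `curl -X $http_method ... -u $SHAMAN_API_USER:$SHAMAN_API_KEY ${SHAMAN_URL}` call has no `-f`/`--fail` and the script never sets `set -e`, so a 4xx/5xx from shaman leaves the exit status at 0 and the Jenkins step reports success although the repo status was never recorded. Passing the key with `-u` also places it on the command line, where other processes on the build node can read it; curl's `-K -` takes a config file on stdin so the credential can be handed over without that exposure. Every expansion on that line and in `cat > $WORKSPACE/repo_status.json` is unquoted and should be double-quoted. The heredoc interpolates `$BRANCH`, `$CEPH_VERSION` and the rest into JSON with no escaping, so a value containing a double quote yields an invalid body; if `jq` is available on the build nodes, `jq -n --arg` is the robust way to build it, otherwise the quoting below is the minimum.
```shell
    SHAMAN_URL="https://shaman.ceph.com/api/repos/$project/"
    # post the repo information as JSON to shaman; -f turns HTTP errors into a
    # non-zero exit so the Jenkins step fails, and -K - keeps the API key off
    # the command line by passing it as a curl config on stdin
    curl -f -sS -X "$http_method" -H "Content-Type:application/json" \
        --data "@$WORKSPACE/repo_status.json" -K - "$SHAMAN_URL" <<EOF
user = "$SHAMAN_API_USER:$SHAMAN_API_KEY"
EOF
```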