25 changes: 20 additions & 5 deletions ceph-dev-pipeline/build/Jenkinsfile
@@ -360,7 +360,8 @@ pipeline {
}
stage("builder container") {
environment {
CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci')
// Use quay-int.front cred if cve-pipeline, otherewise default to quay.ceph.io cred
CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}")
DOCKER_HUB_CREDS = credentials('dgalloway-docker-hub')
}
when {
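Review bot: keying the registry credential on `env.JOB_NAME == 'cve-pipeline'` (the new `CONTAINER_REPO_CREDS` line) couples this shared Jenkinsfile to one job name; a renamed or copied job would keep `CONTAINER_REPO_HOSTNAME=quay-int.front.sepia.ceph.com` (the default the cve-pipeline definition in this PR sets) but silently fall back to the `quay-ceph-io-ceph-ci` credential, and the push would only fail later with an opaque auth error. Consider deriving the credential id from `CONTAINER_REPO_HOSTNAME`, or failing fast in this stage when hostname and credential disagree. Minor: `otherewise` in the new comment.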
@@ -566,12 +567,25 @@ pipeline {
"""
// Push packages to chacra.ceph.com under the 'test' ref if ceph-release-pipeline's TEST=true
env.SHA1 = env.TEST?.toBoolean() ? 'test' : env.SHA1
def spec_text = get_ceph_release_spec_text("${chacra_url}r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/")
// The ceph-release RPM ships /etc/yum.repos.d/ceph.repo, so its
// baseurls must match where packages were actually published:
// pulp when PULP_UPLOAD=true, otherwise chacra.
def spec_project_url
def repo_base_url
if ( env.PULP_UPLOAD == "true" ) {
def pulp_repo_base = "https://pulp.front.sepia.ceph.com/pulp/content/repos/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}"
spec_project_url = "${pulp_repo_base}/"
repo_base_url = pulp_repo_base
} else {
spec_project_url = "${chacra_url}r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/"
repo_base_url = "${chacra_url}/r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}"

Member
there might be a typo here. I see the trailing / and assume it's desired, but the ${chacra_url}r/ceph vs ${chacra_url}/r/ceph feels less intentional. I'd rather see something like:

def string_a = "foo/bar"
def string_b = "${string_a}/"

}
def spec_text = get_ceph_release_spec_text(spec_project_url)
writeFile(
file: "dist/ceph/rpmbuild/SPECS/ceph-release.spec",
text: spec_text,
)
def repo_text = get_ceph_release_repo_text("${chacra_url}/r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}")
def repo_text = get_ceph_release_repo_text(repo_base_url)
writeFile(
file: "dist/ceph/rpmbuild/SOURCES/ceph.repo",
text: repo_text,
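Review bot: in the `else` (chacra) branch, `spec_project_url` and `repo_base_url` are two hand-typed copies of the same path that differ only in `${chacra_url}r/ceph` versus `${chacra_url}/r/ceph`, so one of them is almost certainly wrong; build one from the other the way the pulp branch already does, e.g. `repo_base_url = "${chacra_url}/r/ceph/…"` followed by `spec_project_url = "${repo_base_url}/"`. Also, `env.TEST?.toBoolean()` two lines earlier and `env.PULP_UPLOAD == "true"` here are two different idioms for reading a boolean parameter; pick one so the two gates cannot drift (e.g. `env.PULP_UPLOAD?.toBoolean()`).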
@@ -591,7 +605,7 @@ pipeline {
export OS_VERSION="${os.version}"
export OS_VERSION_NAME="${os.version_name}"
export OS_PKG_TYPE="${os.pkg_type}"
if [ "$THROWAWAY" != "true" ]; then ./scripts/chacra_upload.sh; fi
if [ "$THROWAWAY" != "true" ] && [ "$CHACRA_UPLOAD" == "true" ]; then ./scripts/chacra_upload.sh; fi
"""

sh """#!/bin/bash
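Review bot: the new `&& [ "$CHACRA_UPLOAD" == "true" ]` gate skips the chacra upload silently, including for any other job that reuses this Jenkinsfile without defining `CHACRA_UPLOAD` (an unset variable compares as `"" == "true"`). That is the safe direction, but mirror the pulp branch below and log why it was skipped, e.g. `else echo "Skipping chacra upload because CHACRA_UPLOAD=$CHACRA_UPLOAD"; fi`, so a build that produced no public packages is diagnosable from the console. `==` inside `[ ]` is a bashism; `=` works in both bash and sh.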
@@ -605,6 +619,7 @@ pipeline {
export FLAVOR="${env.FLAVOR}"

./scripts/pulp_upload.sh
./scripts/notify_shaman_pulp_repo.sh ready ceph ${os.name} ${os.version_name} $ARCH https://pulp.front.sepia.ceph.com/pulp/content/repos/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/

Member
can we find a way to just use spec_project_url?

else
echo "Skipping pulp upload because PULP_UPLOAD=$PULP_UPLOAD"
fi
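Review bot: `./scripts/notify_shaman_pulp_repo.sh ready …` runs whether or not `./scripts/pulp_upload.sh` on the line above succeeded. Because this `sh` block supplies its own `#!/bin/bash` shebang, Jenkins does not add `-e` for you, so unless a line outside this hunk sets `set -e`, a failed upload is still advertised to shaman as `ready`. Chain the two (`./scripts/pulp_upload.sh && ./scripts/notify_shaman_pulp_repo.sh …`) or add `set -euo pipefail` at the top of the block. The pulp URL is also typed out a second time here, duplicating the `pulp_repo_base` string built in the Groovy hunk above; exporting it once (e.g. `export PULP_REPO_URL="${pulp_repo_base}/"`) and passing `$PULP_REPO_URL` keeps the spec file, ceph.repo and the shaman record pointing at the same place.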
@@ -631,7 +646,7 @@ pipeline {
expression { env.CI_CONTAINER == 'true' && container_distros.contains(env.DIST) }
}
environment {
CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci')
CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}")
}
steps {
script {
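Review bot: this is the second copy of the `env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'` ternary (the first is in the `builder container` stage hunk above). Hoist it once, either into a pipeline-level `environment { CONTAINER_REPO_CREDS_ID = … }` or a Groovy variable, and reference it from both stages, so a future change to the registry selection cannot update one stage and not the other.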
7 changes: 6 additions & 1 deletion ceph-dev-pipeline/config/definitions/ceph-dev-pipeline.yml
@@ -56,14 +56,19 @@

- bool:
name: THROWAWAY
description: "Whether to push any binaries to Chacra"
description: "Whether to push any binaries to Chacra or Pulp. Overrides CHACRA_UPLOAD and PULP_UPLOAD if either are true."
default: false

- bool:
name: FORCE
description: "Whether to push new binaries to Chacra if some are already present"
default: false

- bool:
name: CHACRA_UPLOAD
description: "Whether to upload packages to Chacra"
default: true

- bool:
name: PULP_UPLOAD
description: "Whether to upload packages to Pulp"
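Review bot: the new THROWAWAY description, "Overrides CHACRA_UPLOAD and PULP_UPLOAD if either are true", reads as if it depends on those two flags being true, whereas the Jenkinsfile change in this PR checks THROWAWAY first and then the per-target flag. Say what it does: "When true, nothing is pushed to Chacra or Pulp regardless of CHACRA_UPLOAD and PULP_UPLOAD." The FORCE description two entries down still mentions Chacra only; update it in the same pass if it also applies to Pulp.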
133 changes: 133 additions & 0 deletions cve-pipeline/config/definitions/cve-pipeline.yml
@@ -0,0 +1,133 @@
- job:
name: cve-pipeline
properties:
- authorization:
inheritance-strategy: none
GROUP:ceph*security:
- job-read
- job-discover
- job-build
- job-cancel
- job-configure
- job-workspace
- run-replay
- run-update
- run-delete
- scm-tag
description: |
This Jenkins pipeline is only used to develop CVE fixes. Its differences are:
- The job itself is not public-facing. It does not inherit the RBAC under https://jenkins.ceph.com/manage/configureSecurity/
- ceph-dev-pipeline pushes to the internal/private pulp instance instead of a public chacra instance
project-type: pipeline
quiet-period: 1
concurrent: true
pipeline-scm:
scm:
- git:
url: https://github.com/ceph/ceph-build
branches:
- ${{CEPH_BUILD_BRANCH}}
shallow-clone: true
submodule:
disable: true
wipe-workspace: true
script-path: ceph-dev-pipeline/build/Jenkinsfile
lightweight-checkout: true
do-not-fetch-tags: true

parameters:
- string:
name: BRANCH
description: "The branch from ceph-private.git to build"
default: main

- choice:
name: SHA1
description: "Intentionally blank. ceph-dev-pipeline requires this"
choices:
- ''

- choice:
name: CEPH_REPO
choices:
- git@github.com:ceph/ceph-private.git

- string:
name: DISTROS
description: "A list of distros to build for. Available options are: centos9, noble, jammy, bookworm, trixie"
default: "noble centos9 bookworm trixie"

- string:
name: ARCHS
description: "A list of architectures to build for. Available options are: x86_64, and arm64"
default: "x86_64 arm64"

- bool:
name: CI_COMPILE
description: "Whether to compile and build packages"
default: true

- bool:
name: THROWAWAY
description: "Whether to push any binaries to Chacra or Pulp. Overrides CHACRA_UPLOAD and PULP_UPLOAD if either are true."
default: false

- bool:
name: CHACRA_UPLOAD
description: "DO NOT CHECK"
default: false

- bool:
name: PULP_UPLOAD
description: "If you want packages, this must be true. We do not push to chacra for CVE builds."
default: true

- choice:
name: FLAVORS
choices:
- default

- bool:
name: CI_CONTAINER
description: "Whether to build and push container images"
default: true

- string:
name: CONTAINER_REPO_HOSTNAME
description: "FQDN of container repo server (e.g. 'quay.io')"
default: "quay-int.front.sepia.ceph.com"

- string:
name: CONTAINER_REPO_ORGANIZATION
description: "Name of container repo organization (e.g. 'ceph-ci')"
default: "ceph-ci"

- bool:
name: DWZ
description: "Use dwz to make debuginfo packages smaller"
default: false

- bool:
name: SCCACHE
description: "Use sccache to speed up compilation"
default: true

- string:
name: SETUP_BUILD_ID
description: "Reuse the source distribution from this cve-source-dist build instead of creating a new one"
default: ""

- choice:
name: SETUP_JOB
choices:
- cve-source-dist

- string:
name: CEPH_BUILD_BRANCH
description: "Use the Jenkinsfile from this ceph-build branch"
default: main

wrappers:
- build-name:
name: "#${{BUILD_NUMBER}} ${{BRANCH}}, ${{VERSION}}"
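Review bot: `CHACRA_UPLOAD` with `description: "DO NOT CHECK"` relies on a human reading a tooltip to keep embargoed packages off the public chacra instance, which is the one thing this job exists to prevent. Either do not expose the parameter here at all (the Jenkinsfile gate then sees it unset and skips chacra), or make it a single-option `choice` like `CEPH_REPO` and `FLAVORS` already are in this file, and have the Jenkinsfile refuse `CHACRA_UPLOAD=true` when `JOB_NAME` is `cve-pipeline` so the control does not depend on the UI.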

78 changes: 78 additions & 0 deletions cve-source-dist/config/definitions/cve-source-dist.yml
@@ -0,0 +1,78 @@
- job:
name: cve-source-dist
description: This job is only called from https://jenkins.ceph.com/job/cve-pipeline. The entire job and its artifacts are only visible to the ceph/security Github Team.
project-type: pipeline
concurrent: true
pipeline-scm:
scm:
- git:
url: https://github.com/ceph/ceph-build
branches:
- ${{CEPH_BUILD_BRANCH}}
shallow-clone: true
submodule:
disable: true
wipe-workspace: true
script-path: ceph-source-dist/build/Jenkinsfile
lightweight-checkout: true
do-not-fetch-tags: true
properties:
- build-discarder:
days-to-keep: -1
num-to-keep: 100
artifact-days-to-keep: -1
artifact-num-to-keep: 50
- copyartifact:
projects: cve-pipeline
- authorization:
inheritance-strategy: none
GROUP:ceph*security:
- job-read
- job-discover
- job-build
- job-cancel
- job-configure
- job-workspace
- run-replay
- run-update
- run-delete
- scm-tag

parameters:
- choice:
name: CEPH_REPO
choices:
- git@github.com:ceph/ceph-private.git

- string:
name: BRANCH
description: "The Ceph branch to build"

- string:
name: SHA1
description: "The specific commit to build"

- string:
name: CEPH_BUILD_BRANCH
description: "Use the Jenkinsfile from this ceph-build branch"
default: main

scm:
- git:
url: ${{CEPH_REPO}}
# Use the SSH key attached to the ceph-jenkins GitHub account.
credentials-id: "jenkins-build"
branches:
- $BRANCH
timeout: 20
skip-tag: true
wipe-workspace: true

wrappers:
- inject-passwords:
global: true
mask-password-params: true
- credentials-binding:
- text:
credential-id: shaman-api-key
variable: SHAMAN_API_KEY
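Review bot: `inject-passwords: global: true` injects every globally configured Jenkins password into this job's environment, while the only secret the job is shown to need is bound explicitly as `SHAMAN_API_KEY` via `credentials-binding`. For a job whose artifacts are embargoed CVE source dists, scope it down to the explicit binding and drop the global injection. Two smaller things: `artifact-num-to-keep: 50` with `artifact-days-to-keep: -1` keeps unreleased CVE tarballs indefinitely by age, so consider an age limit; and the trailing top-level `scm:` stanza looks like a freestyle leftover, since a `project-type: pipeline` job takes its checkout from `pipeline-scm` and the Jenkinsfile clones `CEPH_REPO` itself. Confirm JJB actually applies it, otherwise remove it.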
65 changes: 65 additions & 0 deletions scripts/notify_shaman_pulp_repo.sh
@@ -0,0 +1,65 @@
#!/bin/bash
# vim: ts=4 sw=4 expandtab

submit_repo_status() {

# A helper script to post (create) the status of a repo in shaman.
# 'state' is the repo status (e.g. 'ready').
# 'project' is used to post to the right url in shaman.
# shaman keys repos by 'chacra_url' and builds Arch rows from the 'archs'
# list, so the arch must be sent as a JSON array (not 'distro_arch').
http_method=$1
state=$2
project=$3
distro=$4
distro_version=$5
arch=$6
url=$7

# RPM builds also ship source RPMs (the SRPMS/ subdir), so advertise a
# "source" arch to shaman alongside the binary arch, mirroring chacra.
# Binary debs have no corresponding source repo. OS_PKG_TYPE is exported
# by the calling Jenkins step.
archs="\"$arch\""
if [ "$OS_PKG_TYPE" = "rpm" ]; then
archs="${archs},\"source\""
fi

# package_manager_version is computed by pulp_upload.sh (a separate
# process) and handed off via this file in the shared workspace.
PACKAGE_MANAGER_VERSION=""
if [ -r "$WORKSPACE/pulp_repo_info" ]; then
source "$WORKSPACE/pulp_repo_info"
fi

Member
is it an error not to have a PACKAGE_MANAGER_VERSION? How does this synchronize?

Contributor Author
It gets written here: https://github.com/ceph/ceph-build/pull/2614/changes/BASE..045d140e7cc55c72739aef8c6fbf3af18d7ac860#diff-e43616de828404d15446d65b52a9351b6042eefe915702c04074e6b674e46d71R424-R425.

pulp_upload.sh runs immediately before notify_shaman_pulp_repo.sh in the same step:

./scripts/pulp_upload.sh
./scripts/notify_shaman_pulp_repo.sh ready ceph ${os.name} ${os.version_name} $ARCH https://pulp.front.sepia.ceph.com/pulp/content/repos/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/

Member
OK. So maybe mention in a comment "PACKAGE_MANAGER_VERSION is set in this file I'm about to source" and have an error condition in case it doesn't arrive for whatever reason, just to harden it a bit. Two scripts changing independently are easier to break in future.


cat > $WORKSPACE/repo_status.json << EOF
{
"url":"$url",
"chacra_url":"$url",
"status":"$state",
"distro":"$distro",
"distro_version":"$distro_version",
"archs":[$archs],
"ref":"$BRANCH",
"sha1":"$SHA1",
"flavor":"$FLAVOR",
"extra":{
"version":"$CEPH_VERSION",
"package_manager_version":"$PACKAGE_MANAGER_VERSION",
"build_url":"$BUILD_URL",
"root_build_cause":"$ROOT_BUILD_CAUSE",
"node_name":"$NODE_NAME",
"job_name":"$JOB_NAME"
}
}
EOF

SHAMAN_URL="https://shaman.ceph.com/api/repos/$project/"
# post the repo information as JSON to shaman
curl -X $http_method -H "Content-Type:application/json" --data "@$WORKSPACE/repo_status.json" -u $SHAMAN_API_USER:$SHAMAN_API_KEY ${SHAMAN_URL}
}

# If the script is executed (as opposed to sourced), run the function now
if [ "$(basename -- "${0#-}")" = "$(basename -- "${BASH_SOURCE}")" ]; then
submit_repo_status "POST" "$@"
fi
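Review bot: the `curl -X $http_method … -u $SHAMAN_API_USER:$SHAMAN_API_KEY ${SHAMAN_URL}` call has no `--fail`, so a 4xx/5xx from shaman (bad key, malformed JSON) exits 0 and the build reports the repo as published; add `--fail-with-body` (or `-f -sS`) so the step fails. The same line puts the API key on the command line, where it is visible in `ps` output and in the console if the caller ever enables `set -x`; pass it via `-u "$SHAMAN_API_USER:"` plus a `.netrc`/`--config` file, or at minimum quote it. As already discussed above, `PACKAGE_MANAGER_VERSION` stays empty when `$WORKSPACE/pulp_repo_info` is missing; fail with a message there (`echo "pulp_repo_info missing; was pulp_upload.sh run?" >&2; exit 1`) rather than posting an empty version. Also quote `"$WORKSPACE/repo_status.json"` in the `cat >` redirection and `"$http_method"`, and `$arch` is interpolated into JSON unescaped, so validate it (e.g. `[[ $arch =~ ^[A-Za-z0-9_]+$ ]]`) before building `archs`.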