CVE pipeline #2614
9ee1bb8
329da2b
66ce43e
f9bf330
045d140
49b2430
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -360,7 +360,8 @@ pipeline { | |
| } | ||
| stage("builder container") { | ||
| environment { | ||
| CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci') | ||
| // Use quay-int.front cred if cve-pipeline, otherewise default to quay.ceph.io cred | ||
| CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}") | ||
| DOCKER_HUB_CREDS = credentials('dgalloway-docker-hub') | ||
| } | ||
| when { | ||
|
|
@@ -566,12 +567,25 @@ pipeline { | |
| """ | ||
| // Push packages to chacra.ceph.com under the 'test' ref if ceph-release-pipeline's TEST=true | ||
| env.SHA1 = env.TEST?.toBoolean() ? 'test' : env.SHA1 | ||
| def spec_text = get_ceph_release_spec_text("${chacra_url}r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/") | ||
| // The ceph-release RPM ships /etc/yum.repos.d/ceph.repo, so its | ||
| // baseurls must match where packages were actually published: | ||
| // pulp when PULP_UPLOAD=true, otherwise chacra. | ||
| def spec_project_url | ||
| def repo_base_url | ||
| if ( env.PULP_UPLOAD == "true" ) { | ||
| def pulp_repo_base = "https://pulp.front.sepia.ceph.com/pulp/content/repos/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}" | ||
| spec_project_url = "${pulp_repo_base}/" | ||
| repo_base_url = pulp_repo_base | ||
| } else { | ||
| spec_project_url = "${chacra_url}r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/" | ||
| repo_base_url = "${chacra_url}/r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}" | ||
| } | ||
| def spec_text = get_ceph_release_spec_text(spec_project_url) | ||
| writeFile( | ||
| file: "dist/ceph/rpmbuild/SPECS/ceph-release.spec", | ||
| text: spec_text, | ||
| ) | ||
| def repo_text = get_ceph_release_repo_text("${chacra_url}/r/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}") | ||
| def repo_text = get_ceph_release_repo_text(repo_base_url) | ||
| writeFile( | ||
| file: "dist/ceph/rpmbuild/SOURCES/ceph.repo", | ||
| text: repo_text, | ||
|
|
@@ -591,7 +605,7 @@ pipeline { | |
| export OS_VERSION="${os.version}" | ||
| export OS_VERSION_NAME="${os.version_name}" | ||
| export OS_PKG_TYPE="${os.pkg_type}" | ||
| if [ "$THROWAWAY" != "true" ]; then ./scripts/chacra_upload.sh; fi | ||
| if [ "$THROWAWAY" != "true" ] && [ "$CHACRA_UPLOAD" == "true" ]; then ./scripts/chacra_upload.sh; fi | ||
| """ | ||
|
|
||
| sh """#!/bin/bash | ||
|
|
@@ -605,6 +619,7 @@ pipeline { | |
| export FLAVOR="${env.FLAVOR}" | ||
|
|
||
| ./scripts/pulp_upload.sh | ||
| ./scripts/notify_shaman_pulp_repo.sh ready ceph ${os.name} ${os.version_name} $ARCH https://pulp.front.sepia.ceph.com/pulp/content/repos/ceph/${env.BRANCH}/${env.SHA1}/${os.name}/${os.version_name}/flavors/${env.FLAVOR}/ | ||
|
can we find a way to just use |
||
| else | ||
| echo "Skipping pulp upload because PULP_UPLOAD=$PULP_UPLOAD" | ||
| fi | ||
|
|
@@ -631,7 +646,7 @@ pipeline { | |
| expression { env.CI_CONTAINER == 'true' && container_distros.contains(env.DIST) } | ||
| } | ||
| environment { | ||
| CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci') | ||
| CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}") | ||
| } | ||
| steps { | ||
| script { | ||
|
|
||
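Review bot: The `CONTAINER_REPO_CREDS` line in the first hunk (and again in the last hunk) selects the internal-registry secret by an exact `env.JOB_NAME == 'cve-pipeline'` string match, while the registry the image is pushed to comes from the separate `CONTAINER_REPO_HOSTNAME` job parameter, and nothing checks that the two agree. A renamed or copied job silently falls back to the public `quay-ceph-io-ceph-ci` credential, a hostname override in a cve-pipeline run pairs the private credential with a different host, and the rule is now duplicated in two `environment` blocks that can drift apart. Consider computing the choice once at pipeline scope (e.g. `def container_creds_id = ...`, or deriving it from `CONTAINER_REPO_HOSTNAME`) and referencing it from both stages, with a comment such as `// CVE builds push to the internal quay; this credential id must match CONTAINER_REPO_HOSTNAME`. The enclosing `pipeline {}` block starts and ends outside these hunks.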
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| - job: | ||
| name: cve-pipeline | ||
| properties: | ||
| - authorization: | ||
| inheritance-strategy: none | ||
| GROUP:ceph*security: | ||
| - job-read | ||
| - job-discover | ||
| - job-build | ||
| - job-cancel | ||
| - job-configure | ||
| - job-workspace | ||
| - run-replay | ||
| - run-update | ||
| - run-delete | ||
| - scm-tag | ||
| description: | | ||
| This Jenkins pipeline is only used to develop CVE fixes. Its differences are: | ||
| - The job itself is not public-facing. It does not inherit the RBAC under https://jenkins.ceph.com/manage/configureSecurity/ | ||
| - ceph-dev-pipeline pushes to the internal/private pulp instance instead of a public chacra instance | ||
| project-type: pipeline | ||
| quiet-period: 1 | ||
| concurrent: true | ||
| pipeline-scm: | ||
| scm: | ||
| - git: | ||
| url: https://github.com/ceph/ceph-build | ||
| branches: | ||
| - ${{CEPH_BUILD_BRANCH}} | ||
| shallow-clone: true | ||
| submodule: | ||
| disable: true | ||
| wipe-workspace: true | ||
| script-path: ceph-dev-pipeline/build/Jenkinsfile | ||
| lightweight-checkout: true | ||
| do-not-fetch-tags: true | ||
|
|
||
| parameters: | ||
| - string: | ||
| name: BRANCH | ||
| description: "The branch from ceph-private.git to build" | ||
| default: main | ||
|
|
||
| - choice: | ||
| name: SHA1 | ||
| description: "Intentionally blank. ceph-dev-pipeline requires this" | ||
| choices: | ||
| - '' | ||
|
|
||
| - choice: | ||
| name: CEPH_REPO | ||
| choices: | ||
| - git@github.com:ceph/ceph-private.git | ||
|
|
||
| - string: | ||
| name: DISTROS | ||
| description: "A list of distros to build for. Available options are: centos9, noble, jammy, bookworm, trixie" | ||
| default: "noble centos9 bookworm trixie" | ||
|
|
||
| - string: | ||
| name: ARCHS | ||
| description: "A list of architectures to build for. Available options are: x86_64, and arm64" | ||
| default: "x86_64 arm64" | ||
|
|
||
| - bool: | ||
| name: CI_COMPILE | ||
| description: "Whether to compile and build packages" | ||
| default: true | ||
|
|
||
| - bool: | ||
|
|
||
| name: THROWAWAY | ||
| description: "Whether to push any binaries to Chacra or Pulp. Overrides CHACRA_UPLOAD and PULP_UPLOAD if either are true." | ||
| default: false | ||
|
|
||
| - bool: | ||
| name: CHACRA_UPLOAD | ||
| description: "DO NOT CHECK" | ||
| default: false | ||
|
|
||
| - bool: | ||
| name: PULP_UPLOAD | ||
| description: "If you want packages, this must be true. We do not push to chacra for CVE builds." | ||
| default: true | ||
|
|
||
| - choice: | ||
| name: FLAVORS | ||
| choices: | ||
| - default | ||
|
|
||
| - bool: | ||
|
|
||
| name: CI_CONTAINER | ||
| description: "Whether to build and push container images" | ||
| default: true | ||
|
|
||
| - string: | ||
| name: CONTAINER_REPO_HOSTNAME | ||
| description: "FQDN of container repo server (e.g. 'quay.io')" | ||
| default: "quay-int.front.sepia.ceph.com" | ||
|
|
||
| - string: | ||
| name: CONTAINER_REPO_ORGANIZATION | ||
| description: "Name of container repo organization (e.g. 'ceph-ci')" | ||
| default: "ceph-ci" | ||
|
|
||
| - bool: | ||
| name: DWZ | ||
| description: "Use dwz to make debuginfo packages smaller" | ||
| default: false | ||
|
|
||
| - bool: | ||
| name: SCCACHE | ||
| description: "Use sccache to speed up compilation" | ||
| default: true | ||
|
|
||
| - string: | ||
| name: SETUP_BUILD_ID | ||
| description: "Reuse the source distribution from this cve-source-dist build instead of creating a new one" | ||
| default: "" | ||
|
|
||
| - choice: | ||
| name: SETUP_JOB | ||
| choices: | ||
| - cve-source-dist | ||
|
|
||
| - string: | ||
| name: CEPH_BUILD_BRANCH | ||
| description: "Use the Jenkinsfile from this ceph-build branch" | ||
| default: main | ||
|
|
||
| wrappers: | ||
| - build-name: | ||
| name: "#${{BUILD_NUMBER}} ${{BRANCH}}, ${{VERSION}}" | ||
|
|
||
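Review bot: `CHACRA_UPLOAD` is still exposed as a checkbox on this job (default false, description `"DO NOT CHECK"`) even though the `PULP_UPLOAD` text on the same job states that CVE builds must never go to chacra, so the only thing keeping embargoed packages off the public chacra instance is an operator reading the description. The Jenkinsfile guard added in this PR treats anything other than the literal `true` as no upload, so either removing the parameter from this job definition (with the shared Jenkinsfile supplying a default) or adding a pipeline-level check that fails the build early when `JOB_NAME == 'cve-pipeline'` and `CHACRA_UPLOAD == 'true'` would turn the convention into an enforced rule; which of the two fits the shared ceph-dev-pipeline Jenkinsfile better is not visible from this file. If the parameter must stay for parity, its description should at least say what happens if it is checked, e.g. `"Must stay false: CVE builds may only publish to the private pulp instance."`.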
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| - job: | ||
| name: cve-source-dist | ||
| description: This job is only called from https://jenkins.ceph.com/job/cve-pipeline. The entire job and its artifacts are only visible to the ceph/security Github Team. | ||
| project-type: pipeline | ||
| concurrent: true | ||
| pipeline-scm: | ||
| scm: | ||
| - git: | ||
| url: https://github.com/ceph/ceph-build | ||
| branches: | ||
| - ${{CEPH_BUILD_BRANCH}} | ||
| shallow-clone: true | ||
| submodule: | ||
| disable: true | ||
| wipe-workspace: true | ||
| script-path: ceph-source-dist/build/Jenkinsfile | ||
| lightweight-checkout: true | ||
| do-not-fetch-tags: true | ||
| properties: | ||
| - build-discarder: | ||
| days-to-keep: -1 | ||
| num-to-keep: 100 | ||
| artifact-days-to-keep: -1 | ||
| artifact-num-to-keep: 50 | ||
| - copyartifact: | ||
| projects: cve-pipeline | ||
| - authorization: | ||
| inheritance-strategy: none | ||
| GROUP:ceph*security: | ||
| - job-read | ||
| - job-discover | ||
| - job-build | ||
| - job-cancel | ||
| - job-configure | ||
| - job-workspace | ||
| - run-replay | ||
| - run-update | ||
| - run-delete | ||
| - scm-tag | ||
|
|
||
| parameters: | ||
| - choice: | ||
| name: CEPH_REPO | ||
| choices: | ||
| - git@github.com:ceph/ceph-private.git | ||
|
|
||
| - string: | ||
| name: BRANCH | ||
| description: "The Ceph branch to build" | ||
|
|
||
| - string: | ||
| name: SHA1 | ||
| description: "The specific commit to build" | ||
|
|
||
| - string: | ||
| name: CEPH_BUILD_BRANCH | ||
| description: "Use the Jenkinsfile from this ceph-build branch" | ||
| default: main | ||
|
|
||
| scm: | ||
| - git: | ||
| url: ${{CEPH_REPO}} | ||
| # Use the SSH key attached to the ceph-jenkins GitHub account. | ||
| credentials-id: "jenkins-build" | ||
| branches: | ||
| - $BRANCH | ||
| timeout: 20 | ||
| skip-tag: true | ||
| wipe-workspace: true | ||
|
|
||
| wrappers: | ||
| - inject-passwords: | ||
| global: true | ||
| mask-password-params: true | ||
| - credentials-binding: | ||
| - text: | ||
| credential-id: shaman-api-key | ||
| variable: SHAMAN_API_KEY |
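Review bot: `build-discarder` keeps the artifacts of the last 50 builds with no age limit (`artifact-days-to-keep: -1`), and for this job those artifacts are source distributions of not-yet-public CVE fixes (cve-pipeline's `SETUP_BUILD_ID` reuses them). Since the cve-pipeline job added in the same PR defines no `build-discarder` at all, it is unclear whether indefinite retention of the private archives is deliberate; a short comment stating the intended retention for embargoed artifacts, or a finite `artifact-days-to-keep` so they do not linger long after disclosure, would make the policy explicit. The `copyartifact` grant to `cve-pipeline` looks consistent with the identical restricted `authorization` block on both jobs.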
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,65 @@ | ||||||
| #!/bin/bash | ||||||
| # vim: ts=4 sw=4 expandtab | ||||||
|
|
||||||
| submit_repo_status() { | ||||||
|
|
||||||
| # A helper script to post (create) the status of a repo in shaman. | ||||||
| # 'state' is the repo status (e.g. 'ready'). | ||||||
| # 'project' is used to post to the right url in shaman. | ||||||
| # shaman keys repos by 'chacra_url' and builds Arch rows from the 'archs' | ||||||
| # list, so the arch must be sent as a JSON array (not 'distro_arch'). | ||||||
| http_method=$1 | ||||||
| state=$2 | ||||||
| project=$3 | ||||||
| distro=$4 | ||||||
| distro_version=$5 | ||||||
| arch=$6 | ||||||
| url=$7 | ||||||
|
|
||||||
| # RPM builds also ship source RPMs (the SRPMS/ subdir), so advertise a | ||||||
| # "source" arch to shaman alongside the binary arch, mirroring chacra. | ||||||
| # Binary debs have no corresponding source repo. OS_PKG_TYPE is exported | ||||||
| # by the calling Jenkins step. | ||||||
| archs="\"$arch\"" | ||||||
| if [ "$OS_PKG_TYPE" = "rpm" ]; then | ||||||
| archs="${archs},\"source\"" | ||||||
| fi | ||||||
|
|
||||||
| # package_manager_version is computed by pulp_upload.sh (a separate | ||||||
| # process) and handed off via this file in the shared workspace. | ||||||
| PACKAGE_MANAGER_VERSION="" | ||||||
| if [ -r "$WORKSPACE/pulp_repo_info" ]; then | ||||||
| source "$WORKSPACE/pulp_repo_info" | ||||||
| fi | ||||||
|
is it an error not to have a PACKAGE_MANAGER_VERSION? How does this synchronize?
It gets written here: https://github.com/ceph/ceph-build/pull/2614/changes/BASE..045d140e7cc55c72739aef8c6fbf3af18d7ac860#diff-e43616de828404d15446d65b52a9351b6042eefe915702c04074e6b674e46d71R424-R425. pulp_upload.sh runs immediately before notify_shaman_pulp_repo.sh in the same step: ceph-build/ceph-dev-pipeline/build/Jenkinsfile Lines 621 to 622 in 49b2430
OK. So maybe mention in a comment "PACKAGE_MANAGER_VERSION is set in this file I'm about to source" and have an error condition in case it doesn't arrive for whatever reason, just to harden it a bit. Two scripts changing independently are easier to break in future |
||||||
|
|
||||||
| cat > $WORKSPACE/repo_status.json << EOF | ||||||
| { | ||||||
| "url":"$url", | ||||||
| "chacra_url":"$url", | ||||||
| "status":"$state", | ||||||
| "distro":"$distro", | ||||||
| "distro_version":"$distro_version", | ||||||
| "archs":[$archs], | ||||||
| "ref":"$BRANCH", | ||||||
| "sha1":"$SHA1", | ||||||
| "flavor":"$FLAVOR", | ||||||
| "extra":{ | ||||||
| "version":"$CEPH_VERSION", | ||||||
| "package_manager_version":"$PACKAGE_MANAGER_VERSION", | ||||||
| "build_url":"$BUILD_URL", | ||||||
| "root_build_cause":"$ROOT_BUILD_CAUSE", | ||||||
| "node_name":"$NODE_NAME", | ||||||
| "job_name":"$JOB_NAME" | ||||||
| } | ||||||
| } | ||||||
| EOF | ||||||
|
|
||||||
| SHAMAN_URL="https://shaman.ceph.com/api/repos/$project/" | ||||||
| # post the repo information as JSON to shaman | ||||||
| curl -X $http_method -H "Content-Type:application/json" --data "@$WORKSPACE/repo_status.json" -u $SHAMAN_API_USER:$SHAMAN_API_KEY ${SHAMAN_URL} | ||||||
| } | ||||||
|
|
||||||
| # If the script is executed (as opposed to sourced), run the function now | ||||||
| if [ "$(basename -- "${0#-}")" = "$(basename -- "${BASH_SOURCE}")" ]; then | ||||||
| submit_repo_status "POST" "$@" | ||||||
| fi | ||||||
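Review bot: In `submit_repo_status` the final curl passes `$SHAMAN_API_USER:$SHAMAN_API_KEY` unquoted on the command line, so the API key is readable in the build host's process list for the duration of the request and would land in the build log if the caller traces the script (`set -x`); Jenkins' credential masking only covers console output. curl also runs without `--fail`, so a 4xx/5xx from shaman leaves the function's exit status at 0 and the Jenkins step succeeds with the repo never marked ready. Suggest `curl --fail -sS -X "$http_method" -H "Content-Type:application/json" --data "@$WORKSPACE/repo_status.json" -K <(printf 'user = "%s:%s"\n' "$SHAMAN_API_USER" "$SHAMAN_API_KEY") "$SHAMAN_URL"`, which keeps the secret off argv and fails the step on an HTTP error. Separately, the heredoc builds the JSON by raw interpolation of `$url`, `$BRANCH` and the other fields, so a value containing a double quote produces an invalid document; either escaping them or a comment stating that these are CI-controlled values would make that assumption explicit.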
there might be a typo here. I see the trailing `/` and assume it's desired, but the `${chacra_url}r/ceph` vs `${chacra_url}/r/ceph` feels less intentional. I'd rather see something like: