-rw-r--r--Makefile7
-rw-r--r--krebs/3modules/buildbot/master.nix (renamed from makefu/3modules/buildbot/master.nix)63
-rw-r--r--krebs/3modules/buildbot/slave.nix (renamed from makefu/3modules/buildbot/slave.nix)5
-rw-r--r--krebs/3modules/default.nix2
-rw-r--r--krebs/5pkgs/default.nix4
-rw-r--r--krebs/5pkgs/test/infest-cac-centos7/default.nix39
-rwxr-xr-xkrebs/5pkgs/test/infest-cac-centos7/notes116
-rw-r--r--makefu/2configs/default.nix2
-rw-r--r--makefu/3modules/default.nix2
-rw-r--r--shared/1systems/test-centos7.nix3
-rw-r--r--shared/1systems/test-failing.nix6
-rw-r--r--shared/1systems/wolf.nix4
-rw-r--r--shared/2configs/base.nix8
-rw-r--r--shared/2configs/buildbot-standalone.nix31
-rw-r--r--shared/2configs/cac-ci.nix11
-rw-r--r--shared/2configs/temp/dirs.nix1
-rw-r--r--shared/2configs/temp/networking.nix1
17 files changed, 259 insertions, 46 deletions
diff --git a/Makefile b/Makefile
index aefd17147..5b898c54c 100644
--- a/Makefile
+++ b/Makefile
@@ -35,7 +35,7 @@ ifeq ($(filter),json)
else
filter() { cat; }
endif
- nix-instantiate \
+ result=$$(nix-instantiate \
$${extraArgs-} \
--eval \
-A "$$get" \
@@ -45,8 +45,9 @@ endif
--argstr current-host-name "$$HOSTNAME" \
--argstr current-user-name "$$LOGNAME" \
$${system+--argstr system "$$system"} \
- $${target+--argstr target "$$target"} \
- | filter
+ $${target+--argstr target "$$target"})
+ echo "$$result" | filter
+
else
$(error unbound variable: system[s])
endif
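Review bot: `echo "$$result" | filter` at the end of the second Makefile hunk can alter the evaluated output, because some `/bin/sh` implementations expand backslash sequences in `echo` arguments, and JSON produced with `filter=json` commonly contains them. `printf '%s\n' "$$result" | filter` passes the text through unchanged. Capturing the output in `result=$$(...)` makes a failing nix-instantiate visible to the shell, but the recipe only stops there if it runs with errexit or checks the status explicitly; the start of the recipe is outside these hunks, so that should be confirmed.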
diff --git a/makefu/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index 58e2f8175..19aecead1 100644
--- a/makefu/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -44,7 +44,7 @@ let
# files everyone depends on or are part of the share branch
def shared_files(change):
- r =re.compile("^((krebs|share)/.*|Makefile|default.nix)")
+ r =re.compile("^((krebs|shared)/.*|Makefile|default.nix)")
for file in change.files:
if r.match(file):
return True
@@ -59,27 +59,28 @@ let
###### The actual build
# couple of fast steps:
f = util.BuildFactory()
+ # some slow steps
+ s = util.BuildFactory()
## fetch repo
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
f.addStep(grab_repo)
+ s.addStep(grab_repo)
# the dependencies which are used by the test script
- deps = [ "gnumake", "jq" ]
- nixshell = ["nix-shell", "-p" ] + deps + [ "--run" ]
+ deps = [ "gnumake", "jq", "(import <stockholm> {}).pkgs.test.infest-cac-centos7" ]
+ nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ]
+
def addShell(f,**kwargs):
f.addStep(steps.ShellCommand(**kwargs))
- addShell(f,name="centos7-eval",env={"LOGNAME": "shared",
- "get" : "krebs.deploy",
- "filter" : "json"
- },
- command=nixshell + ["make -s eval system=test-centos7"])
+ addShell(f,name="centos7-eval",env={"LOGNAME": "shared"},
+ command=nixshell + ["make -s eval get=krebs.deploy filter=json system=test-centos7"])
+
+ addShell(f,name="wolf-eval",env={"LOGNAME": "shared"},
+ command=nixshell + ["make -s eval get=krebs.deploy filter=json system=wolf"])
- addShell(f,name="wolf-eval",env={"LOGNAME": "shared",
- "get" : "krebs.deploy",
- "filter" : "json"
- },
- command=nixshell + ["make -s eval system=wolf"])
+ addShell(f,name="eval-cross-check",env={"LOGNAME": "shared"},
+ command=nixshell + ["! make eval get=krebs.deploy filter=json system=test-failing"])
c['builders'] = []
c['builders'].append(
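Review bot: The `eval-cross-check` step passes on any non-zero exit, not only on the evaluation failure that `system=test-failing` is meant to provoke. `! make eval ...` also turns a missing tool, a broken `nix-shell` environment or a failed fetch into a green step. Capturing stderr and matching it against the expected error text with `grep` would make the step test what its name says. A one-line comment above the step stating that the failure is intentional would help too. The master.cfg string this Python belongs to starts and ends outside the hunk.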
@@ -87,11 +88,25 @@ let
slavenames=slavenames,
factory=f))
- # TODO slow build
+ # slave needs 2 files:
+ # * cac.json
+ # * retiolum
+ for file in ["cac.json", "retiolum.rsa_key.priv"]:
+ s.addStep(steps.FileDownload(mastersrc="${cfg.workDir}/{}".format(file),
+ slavedest=file))
+
+<<<<<<< HEAD
+ addShell(s,name="infest-cac-centos7",env={"LOGNAME": "shared"},
+ command=nixshell + ["infest-cac-centos7"])
+=======
+ addShell(s,name="complete-build-centos7",env={"LOGNAME": "shared"},
+ command=nix-shell + ["krebs-ci"])
+>>>>>>> f59080e76f950a5a8e33d1edd4314ffaa14187fc
+
c['builders'].append(
util.BuilderConfig(name="full-tests",
slavenames=slavenames,
- factory=f))
+ factory=s))
####### Status of Builds
c['status'] = []
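Review bot: The conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> f59080e7...` are committed as added lines inside the generated master.cfg, so the Python config cannot parse; one of the two `addShell(s, ...)` calls has to be chosen and the markers removed. The second variant also writes `command=nix-shell + ["krebs-ci"]`, which Python reads as `nix - shell + [...]` rather than the `nixshell` list defined earlier. Separately, the `FileDownload` loop places `cac.json` and `retiolum.rsa_key.priv` in the slave's build directory with no `mode` argument and no cleanup step. The API credentials and private key therefore remain on disk for later builds on that slave; passing a restrictive `mode` and removing the files in a final step would limit that.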
@@ -106,7 +121,7 @@ let
forceBuild = 'auth',
forceAllBuilds = 'auth',
pingBuilder = False,
- stopBuild = False,
+ stopBuild = 'auth',
stopAllBuilds = False,
cancelPendingBuild = False,
)
@@ -119,8 +134,8 @@ let
# TODO: multiple channels
channels=["${cfg.irc.channel}"],
notify_events={
- #'success': 1,
- #'failure': 1,
+ 'success': 1,
+ 'failure': 1,
'exception': 1,
'successToFailure': 1,
'failureToSuccess': 1,
@@ -143,7 +158,7 @@ let
${cfg.extraConfig}
'';
- cfg = config.makefu.buildbot.master;
+ cfg = config.krebs.buildbot.master;
api = {
enable = mkEnableOption "Buildbot Master";
@@ -219,8 +234,12 @@ let
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.git ];
+ environment = {
+ SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ };
serviceConfig = let
workdir="${lib.shell.escape cfg.workDir}";
+ secretsdir="${lib.shell.escape (toString <secrets>)}";
# TODO: check if git is the only dep
in {
PermissionsStartOnly = true;
@@ -236,6 +255,10 @@ let
fi
# always override the master.cfg
cp ${buildbot-master-config} ${workdir}/master.cfg
+ # copy secrets
+ cp ${secretsdir}/cac.json ${workdir}
+ cp ${secretsdir}/retiolum-ci.rsa_key.priv \
+ ${workdir}/retiolum.rsa_key.priv
# sanity
${buildbot}/bin/buildbot checkconfig ${workdir}
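Review bot: The two added `cp` lines copy `cac.json` and the private key into `${workdir}` without setting owner or mode, so the result depends on the source permissions and the umask of the pre-start script. With `PermissionsStartOnly = true` (visible in the previous hunk) this script presumably runs as root. The copies are then either unreadable for the buildbot user or, if a later recursive chown/chmod outside this hunk corrects that, possibly wider than needed. `install -m 0400 -o BUILDBOT_USER ${secretsdir}/cac.json ${workdir}/` states the intent explicitly (BUILDBOT_USER is a placeholder for the service user, which is not visible here), and the same applies to the key.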
@@ -258,6 +281,6 @@ let
};
in
{
- options.makefu.buildbot.master = api;
+ options.krebs.buildbot.master = api;
config = mkIf cfg.enable imp;
}
diff --git a/makefu/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 69d0361bf..8711a287a 100644
--- a/makefu/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -39,7 +39,7 @@ let
s.setServiceParent(application)
'';
default-packages = [ pkgs.git pkgs.bash ];
- cfg = config.makefu.buildbot.slave;
+ cfg = config.krebs.buildbot.slave;
api = {
enable = mkEnableOption "Buildbot Slave";
@@ -144,6 +144,7 @@ let
path = default-packages ++ cfg.packages;
environment = {
+ SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
NIX_REMOTE="daemon";
} // cfg.extraEnviron;
@@ -180,6 +181,6 @@ let
};
in
{
- options.makefu.buildbot.slave = api;
+ options.krebs.buildbot.slave = api;
config = mkIf cfg.enable imp;
}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 740ba67b8..cbc1291fa 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -9,6 +9,8 @@ let
./apt-cacher-ng.nix
./bepasty-server.nix
./build.nix
+ ./buildbot/master.nix
+ ./buildbot/slave.nix
./current.nix
./exim-retiolum.nix
./exim-smarthost.nix
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 7df7b7d3c..0562fe836 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -40,6 +40,10 @@ subdirs // rec {
}
'';
+ test = {
+ infest-cac-centos7 = pkgs.callPackage ./test/infest-cac-centos7 {};
+ };
+
execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; });
writeC = name: { destination ? "" }: src: pkgs.runCommand name {} ''
diff --git a/krebs/5pkgs/test/infest-cac-centos7/default.nix b/krebs/5pkgs/test/infest-cac-centos7/default.nix
new file mode 100644
index 000000000..7f2e3f231
--- /dev/null
+++ b/krebs/5pkgs/test/infest-cac-centos7/default.nix
@@ -0,0 +1,39 @@
+{ stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }:
+
+stdenv.mkDerivation rec {
+ name = "${shortname}-${version}";
+ shortname = "infest-cac-centos7";
+ version = "0.2.0";
+
+ src = ./notes;
+
+ phases = [
+ "installPhase"
+ ];
+ buildInputs = [ makeWrapper ];
+
+ path = stdenv.lib.makeSearchPath "bin" [
+ coreutils
+ cac
+ cacpanel
+ gnumake
+ gnused
+ jq
+ openssh
+ ];
+
+ installPhase =
+ ''
+ mkdir -p $out/bin
+ cp ${src} $out/bin/${shortname}
+ chmod +x $out/bin/${shortname}
+ wrapProgram $out/bin/${shortname} \
+ --prefix PATH : ${path}
+ '';
+ meta = with stdenv.lib; {
+ homepage = http://krebsco.de;
+ description = "Krebs CI Scripts";
+ license = licenses.wtfpl;
+ maintainers = [ maintainers.makefu ];
+ };
+}
diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes
new file mode 100755
index 000000000..5fd0cae61
--- /dev/null
+++ b/krebs/5pkgs/test/infest-cac-centos7/notes
@@ -0,0 +1,116 @@
+#! /bin/sh
+
+# nix-shell -p gnumake jq openssh cac cacpanel
+set -eufx
+
+# 2 secrets are required:
+
+krebs_cred=${krebs_cred-./cac.json}
+retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
+
+# Sanity
+if test ! -r "$krebs_cred";then
+ echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
+fi
+if test ! -r "$retiolum_key";then
+ echo "\$retiolum_key=$retiolum_key must be readable"; exit 1
+fi
+
+krebs_secrets=$(mktemp -d)
+sec_file=$krebs_secrets/cac_config
+krebs_ssh=$krebs_secrets/tempssh
+export cac_resources_cache=$krebs_secrets/res_cache.json
+export cac_servers_cache=$krebs_secrets/servers_cache.json
+export cac_tasks_cache=$krebs_secrets/tasks_cache.json
+export cac_templates_cache=$krebs_secrets/templates_cache.json
+# we need to receive this key from buildmaster to speed up tinc bootstrap
+TRAP="rm -r $krebs_secrets;trap - INT TERM EXIT"
+trap "$TRAP" INT TERM EXIT
+
+cat > $sec_file <<EOF
+cac_login="$(jq -r .email $krebs_cred)"
+cac_key="$(cac-cli panel --config $krebs_cred settings | jq -r .apicode)"
+EOF
+
+export cac_secrets=$sec_file
+cac-cli panel --config $krebs_cred update-api-ip
+
+# test login:
+cac update
+cac servers
+
+# Template 26: CentOS7
+# TODO: use cac templates to determine the real Centos7 template in case it changes
+name=$( cac build cpu=1 ram=512 storage=10 os=26 2>&1\
+ | jq -r .servername)
+
+id=servername:$name
+trap "cac delete $id;$TRAP;exit" INT TERM EXIT
+# TODO: timeout?
+
+wait_login_cac(){
+ # timeout
+ for t in `seq 180`;do
+ # now we have a working cac server
+ if cac ssh $1 -o ConnectTimeout=10 \
+ cat /etc/redhat-release | \
+ grep CentOS ;then
+ return 0
+ fi
+ sleep 10
+ done
+ return 1
+}
+# die on timeout
+wait_login_cac $id
+
+mkdir -p shared/2configs/temp
+cac generatenetworking $id > \
+ shared/2configs/temp/networking.nix
+# new temporary ssh key we will use to log in after infest
+ssh-keygen -f $krebs_ssh -N ""
+cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
+# we override the directories for secrets and stockholm
+# additionally we set the ssh key we generated
+ip=$(cac getserver $id | jq -r .ip)
+
+cat > shared/2configs/temp/dirs.nix <<EOF
+_: {
+ krebs.build.source.dir = {
+ secrets.path = "$krebs_secrets";
+ stockholm.path = "$(pwd)";
+ };
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ "$(cat ${krebs_ssh}.pub)"
+ ];
+ krebs.build.target = "$ip";
+}
+EOF
+
+LOGNAME=shared make eval get=krebs.infest \
+ target=derp system=test-centos7 filter=json \
+ | sed -e "s#^ssh.*<<#cac ssh $id<<#" \
+ -e "/^rsync/a -e 'cac ssh $id' \\\\" \
+ -e "s#root.derp:#:#" > $krebs_secrets/infest
+sh -x $krebs_secrets/infest
+
+# TODO: generate secrets directory $krebs_secrets for nix import
+cac powerop $id reset
+
+wait_login(){
+ # timeout
+ for t in `seq 20`;do
+ # now we have a working cac server
+ if ssh -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -i $krebs_ssh \
+ -o ConnectTimeout=10 \
+ -o BatchMode=yes \
+ root@$1 nixos-version ;then
+ return 0
+ fi
+ sleep 10
+ done
+ return 1
+}
+wait_login $ip
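Review bot: The result of `cac build` is never checked: stderr is merged into the JSON with `2>&1`, the pipeline status is that of `jq`, and a failed build leaves `name` empty or `null`. The trap is then armed with `cac delete servername:null` and the script goes on to poll in `wait_login_cac` for up to 180 rounds. Dropping `2>&1` and adding a guard right after the assignment, such as `test -n "$name" && test "$name" != null || exit 1`, would stop it early. The final `wait_login` turns off host key verification with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`. For a throwaway test host that only runs `nixos-version` this is a defensible trade-off, but it deserves a comment saying so, since those options remove protection against an impersonated host if copied elsewhere.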
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index c0d7685e3..a0b49edaf 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -24,7 +24,7 @@ with lib;
git.nixpkgs = {
#url = https://github.com/NixOS/nixpkgs;
url = mkDefault https://github.com/makefu/nixpkgs;
- rev = mkDefault "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picking
+ rev = mkDefault "3fd2c24685f604edc925f73ed56600b8c66236b3"; # nixos-15.09 + cherry-picking
target-path = "/var/src/nixpkgs";
};
diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix
index ffbf54cc0..a8a1f69d0 100644
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@@ -2,8 +2,6 @@ _:
{
imports = [
- ./buildbot/master.nix
- ./buildbot/slave.nix
];
}
diff --git a/shared/1systems/test-centos7.nix b/shared/1systems/test-centos7.nix
index 077a5d61b..48cecc877 100644
--- a/shared/1systems/test-centos7.nix
+++ b/shared/1systems/test-centos7.nix
@@ -7,7 +7,8 @@ in {
imports = [
../2configs/base.nix
../2configs/os-templates/CAC-CentOS-7-64bit.nix
- ../2configs/os-templates/temp-networking.nix
+ ../2configs/temp/networking.nix
+ ../2configs/temp/dirs.nix
];
sound.enable = false;
diff --git a/shared/1systems/test-failing.nix b/shared/1systems/test-failing.nix
new file mode 100644
index 000000000..81a9e48d6
--- /dev/null
+++ b/shared/1systems/test-failing.nix
@@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+
+{
+ programs.ssh.startAgent = true;
+ programs.ssh.startAgent = false;
+}
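Review bot: Nothing in this file says that the duplicate `programs.ssh.startAgent` definitions are deliberate, so a later reader is likely to "fix" it and silently neutralise the `eval-cross-check` builder. A header comment would be enough, for example `# Intentionally broken: the duplicate definition makes evaluation fail; used by the eval-cross-check step in krebs/3modules/buildbot/master.nix.`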
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 2c51ac8fe..f05356f0f 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -11,7 +11,7 @@ in
../2configs/collectd-base.nix
../2configs/shack-nix-cacher.nix
../2configs/shack-drivedroid.nix
- ../2configs/cac-ci.nix
+ ../2configs/buildbot-standalone.nix
../2configs/graphite.nix
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
@@ -33,8 +33,6 @@ in
# uninteresting stuff
#####################
krebs.build.host = config.krebs.hosts.wolf;
- # TODO rename shared user to "krebs"
- krebs.build.user = config.krebs.users.shared;
krebs.build.target = "wolf";
boot.kernel.sysctl = {
diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix
index df41eae1a..0ce336558 100644
--- a/shared/2configs/base.nix
+++ b/shared/2configs/base.nix
@@ -13,6 +13,8 @@ with lib;
];
};
+ # TODO rename shared user to "krebs"
+ krebs.build.user = mkDefault config.krebs.users.shared;
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
@@ -20,11 +22,11 @@ with lib;
};
dir.secrets = {
host = config.krebs.current.host;
- path = "${getEnv "HOME"}/secrets/krebs/wolf";
+ path = mkDefault "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}";
};
dir.stockholm = {
host = config.krebs.current.host;
- path = "${getEnv "HOME"}/stockholm";
+ path = mkDefault "${getEnv "HOME"}/stockholm";
};
};
@@ -65,7 +67,7 @@ with lib;
config.krebs.users.lass.pubkey
config.krebs.users.makefu.pubkey
# TODO HARDER:
- (readFile ../../krebs/Zpubkeys/makefu_omo.ssh.pub)
+ config.krebs.users.makefu-omo.pubkey
config.krebs.users.tv.pubkey
];
diff --git a/shared/2configs/buildbot-standalone.nix b/shared/2configs/buildbot-standalone.nix
new file mode 100644
index 000000000..adf44cada
--- /dev/null
+++ b/shared/2configs/buildbot-standalone.nix
@@ -0,0 +1,31 @@
+{ lib, config, pkgs, ... }:
+let
+ pkgs-unst = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
+in {
+ nixpkgs.config.packageOverrides = pkgs: {
+ buildbot = pkgs-unst.buildbot;
+ buildbot-slave = pkgs-unst.buildbot-slave;
+ };
+ networking.firewall.allowedTCPPorts = [ 8010 ];
+ krebs.buildbot.master = {
+ enable = true;
+ irc = {
+ enable = true;
+ server = "cd.retiolum";
+ channel = "retiolum";
+ allowForce = true;
+ };
+ extraConfig = ''
+ c['buildbotURL'] = "http://${config.krebs.build.host.name}:8010/"
+ '';
+ };
+
+ krebs.buildbot.slave = {
+ enable = true;
+ masterhost = "localhost";
+ username = "testslave";
+ password = "krebspass";
+ packages = with pkgs;[ git nix ];
+ extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
+ };
+}
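Review bot: The nixpkgs used for `buildbot` and `buildbot-slave` is not pinned: `pkgs-unst` comes from `fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz`, a moving branch archive. The master and slave that handle `cac.json` and the retiolum key are therefore built from whatever that URL serves at evaluation time, with no revision recorded in the repository. Pointing the URL at a fixed commit archive (`.../archive/COMMIT_SHA.tar.gz`, where COMMIT_SHA is a placeholder for the reviewed revision) makes the input reproducible and reviewable. The slave `password = "krebspass"` is also committed in plaintext; with `masterhost = "localhost"` and only port 8010 opened the exposure looks limited, but reading it from the secrets directory would avoid relying on that.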
diff --git a/shared/2configs/cac-ci.nix b/shared/2configs/cac-ci.nix
deleted file mode 100644
index 06cce2746..000000000
--- a/shared/2configs/cac-ci.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-{
- environment.systemPackages = with pkgs;[
- get
- cac
- cacpanel
- jq
- ];
-}
diff --git a/shared/2configs/temp/dirs.nix b/shared/2configs/temp/dirs.nix
new file mode 100644
index 000000000..958608a54
--- /dev/null
+++ b/shared/2configs/temp/dirs.nix
@@ -0,0 +1 @@
+_: { }
diff --git a/shared/2configs/temp/networking.nix b/shared/2configs/temp/networking.nix
new file mode 100644
index 000000000..958608a54
--- /dev/null
+++ b/shared/2configs/temp/networking.nix
@@ -0,0 +1 @@
+_: { }