Refactor code to support installs of jenkins agent only (#30)

* Refactor default to split build tools + agent connection
  * Split default recipe into default + build_setup
  * Add attribute install_agent_build_setup defaulting to true to install build tools
  * Support testing of both approaches

Signed-off-by: Jose Luis Rivero <[email protected]>

.github/workflows/main.yml

@@ -23,12 +23,16 @@ jobs:
       matrix:
         suite:
           - 'agent'
+          - 'agent-only'
         chef_version:
           - '16'
           - '17'
         nvidia_support:
           - true
           - false
+        exclude:
+          - suite: 'agent-only'
+            nvidia_support: true
       fail-fast: false
     steps:
       - name: check out code

attributes/default.rb

@@ -1,5 +1,10 @@
 default['osrfbuild']['agent']['linux_username'] = 'default_linux_username'
 
+# If set to true, install common build tools for linux agents in the buildfarm
+# If set to false, install just the Jenkins agent connection. Useful for
+# special machines like the package repositories.
+default['osrfbuild']['agent']['install_agent_build_setup'] = true
+
 default['osrfbuild']['agent']['jenkins_url'] = "https://default_url.org"
 default['osrfbuild']['agent']['java_args'] = ''
 default['osrfbuild']['agent']['username'] = 'default_username'

kitchen.dokken.yml

@@ -38,4 +38,17 @@ suites:
       - recipe[osrf_jenkins_agent]
     verifier:
       inspec_tests:
-        - test/integration/default
+        - test/integration/agent
+        - test/integration/x11_support
+  - name: agent-only
+    data_bags_path: "test/integration/data_bags"
+    run_list:
+      - recipe[osrf_jenkins_agent]
+    attributes:
+      'osrfbuild':
+        'agent':
+          'install_agent_build_setup': false
+    verifier:
+      inspec_tests:
+        - test/integration/agent
+        - test/integration/x11_no_support

recipes/agent_build_tools.rb

@@ -0,0 +1,147 @@
+# Set of tools for the buildfarm Linux Build Agents
+
+linux_username = node['osrfbuild']['agent']['linux_username']
+
+# Problems with seccomp policy and Ubuntu Jammy images require at least version 20.10.12
+# More info at: https://github.com/ignition-tooling/release-tools/issues/654#issue-1162900579
+docker_installation_package 'default' do
+  version '20.10.12'
+  action :create
+end
+
+# Add agent user to the docker group to allow them to build and run docker
+# containers.
+group 'docker' do
+  append true
+  members linux_username
+  action :manage # Group should be created by docker package.
+end
+
+%w[
+  gnupg2
+  groovy
+  libffi-dev
+  libssl-dev
+  mercurial
+  ntp
+  pciutils
+  qemu-user-static
+  sudo
+  x11-xserver-utils
+  wget
+].each do |pkg|
+  package pkg
+end
+
+# Focal uses 18.04 repository
+for repo_uri in ['https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/$(ARCH)',
+                'https://nvidia.github.io/nvidia-container-runtime/stable/ubuntu18.04/$(ARCH)',
+                'https://nvidia.github.io/nvidia-docker/ubuntu18.04/$(ARCH)'] do
+  apt_repository "nvidia-docker#{repo_uri.hash}" do
+    uri repo_uri
+    distribution '/'
+    key ['https://nvidia.github.io/nvidia-docker/gpgkey']
+    action :add
+    only_if { has_nvidia_support? }
+  end
+end
+
+# install nvidia-docker2 is recommended although real support is via
+# container-toolkit
+package "nvidia-docker2" do
+  only_if { has_nvidia_support? }
+end
+
+# GeForce GTX 550 Ti requires old 3xx.xx series
+package 'nvidia-384' do
+  only_if { has_nvidia_support? }
+end
+
+cookbook_file '/etc/modprobe.d/blacklist-nvidia-nouveau.conf' do
+  source 'blacklist-nvidia-nouveau.conf'
+  mode '0744'
+  only_if { has_nvidia_support? }
+end
+
+cookbook_file '/etc/X11/xorg.conf' do
+  source 'xorg.conf.no_gpu'
+  mode "0744"
+  not_if { has_nvidia_support? }
+end
+# Detecting AWS GRID cards that needs special configuration
+cookbook_file '/etc/X11/xorg.conf' do
+  source 'xorg.conf.nvidia_aws'
+  mode "0744"
+  only_if { has_nvidia_grid_support? }
+end
+# Other NVIDIA cards use generic configuration
+cookbook_file '/etc/X11/xorg.conf' do
+  source 'xorg.conf.nvidia'
+  mode "0744"
+  only_if { has_nvidia_support? }
+  not_if { has_nvidia_grid_support? }
+end
+# TODO: assuming :0 here is fragile
+ENV['DISPLAY'] = ':0'
+
+# gdm3 systemctl delete the display-manager systemctl when disabled
+# be sure of installing lightdm after this and not before
+service "gdm3" do
+  action [:start, :disable]
+  only_if { node['packages'].keys.include? "gdm3" }
+  only_if { has_nvidia_support? }
+end
+
+package "lightdm"
+cookbook_file "/etc/lightdm/xhost.sh" do
+  source "lightdm/xhost.sh"
+  mode "0744"
+  notifies :restart, "service[lightdm]", :delayed
+end
+cookbook_file "/etc/lightdm/lightdm.conf" do
+  source "lightdm/lightdm.conf"
+  action :create_if_missing
+end
+ruby_block "Ensure display-setup-script" do
+  block do
+    lightdm_conf = Chef::Util::FileEdit.new("/etc/lightdm/lightdm.conf")
+    lightdm_conf.search_file_replace_line %r{^display-setup-script=.*},
+      "display-setup-script=/etc/lightdm/xhost.sh"
+    lightdm_conf.insert_line_if_no_match %r{^display-setup-script=.*},
+      "display-setup-script=/etc/lightdm/xhost.sh"
+    lightdm_conf.write_file if lightdm_conf.unwritten_changes?
+  end
+end
+
+# set lightdm as the display manager requires 3 commands
+execute 'set-lightdm-display-manager debconf' do
+  command 'echo set shared/default-x-display-manager lightdm | debconf-communicate'
+  not_if 'grep lightdm /etc/X11/default-display-manager'
+end
+execute 'reconfigure-gdm3' do
+  command 'dpkg-reconfigure lightdm'
+  environment ({'DEBIAN_FRONTEND' => 'noninteractive', 'DEBCONF_NONINTERACTIVE_SEEN' => 'true'})
+  not_if 'grep lightdm /etc/X11/default-display-manager'
+end
+execute 'set-lightdm-display-manager-etc' do
+  command 'echo "/usr/sbin/lightdm" > /etc/X11/default-display-manager'
+  not_if 'grep lightdm /etc/X11/default-display-manager'
+end
+service "lightdm" do
+  action [:start, :enable]
+end
+
+package "squid-deb-proxy"
+directory "/etc/squid-deb-proxy/mirror-dstdomain.acl.d" do
+  recursive true
+end
+%w[11-ubuntuppa 12-osrfoundation 13-debian].each do |conf|
+  cookbook_file "/etc/squid-deb-proxy/mirror-dstdomain.acl.d/#{conf}" do
+    source "squid-deb-proxy/mirror-dstdomain.acl.d/#{conf}"
+    notifies :restart, "service[squid-deb-proxy]", :delayed
+  end
+end
+service "squid-deb-proxy" do
+  action [:start, :enable]
+end
+

recipes/default.rb

@@ -8,148 +8,6 @@
 linux_username = node['osrfbuild']['agent']['linux_username']
 agent_homedir = "/home/#{linux_username}"
 
-apt_update "default" do
-  action :periodic
-  frequency 3600
-end
-
-# Problems with seccomp policy and Ubuntu Jammy images require at least version 20.10.12
-# More info at: https://github.com/ignition-tooling/release-tools/issues/654#issue-1162900579
-docker_installation_package 'default' do
-  version '20.10.12'
-  action :create
-end
-
-%w[
-  default-jre-headless
-  gnupg2
-  groovy
-  libffi-dev
-  libssl-dev
-  mercurial
-  ntp
-  pciutils
-  qemu-user-static
-  sudo
-  x11-xserver-utils
-  wget
-].each do |pkg|
-  package pkg
-end
-
-
-# Focal uses 18.04 repository
-for repo_uri in ['https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/$(ARCH)',
-                'https://nvidia.github.io/nvidia-container-runtime/stable/ubuntu18.04/$(ARCH)',
-                'https://nvidia.github.io/nvidia-docker/ubuntu18.04/$(ARCH)'] do
-  apt_repository "nvidia-docker#{repo_uri.hash}" do
-    uri repo_uri
-    distribution '/'
-    key ['https://nvidia.github.io/nvidia-docker/gpgkey']
-    action :add
-    only_if { has_nvidia_support? }
-  end
-end
-
-# install nvidia-docker2 is recommended although real support is via
-# container-toolkit
-package "nvidia-docker2" do
-  only_if { has_nvidia_support? }
-end
-
-# GeForce GTX 550 Ti requires old 3xx.xx series
-package 'nvidia-384' do
-  only_if { has_nvidia_support? }
-end
-
-cookbook_file '/etc/modprobe.d/blacklist-nvidia-nouveau.conf' do
-  source 'blacklist-nvidia-nouveau.conf'
-  mode '0744'
-  only_if { has_nvidia_support? }
-end
-
-cookbook_file '/etc/X11/xorg.conf' do
-  source 'xorg.conf.no_gpu'
-  mode "0744"
-  not_if { has_nvidia_support? }
-end
-# Detecting AWS GRID cards that needs special configuration
-cookbook_file '/etc/X11/xorg.conf' do
-  source 'xorg.conf.nvidia_aws'
-  mode "0744"
-  only_if { has_nvidia_grid_support? }
-end
-# Other NVIDIA cards use generic configuration
-cookbook_file '/etc/X11/xorg.conf' do
-  source 'xorg.conf.nvidia'
-  mode "0744"
-  only_if { has_nvidia_support? }
-  not_if { has_nvidia_grid_support? }
-end
-# TODO: assuming :0 here is fragile
-ENV['DISPLAY'] = ':0'
-
-# gdm3 systemctl delete the display-manager systemctl when disabled
-# be sure of installing lightdm after this and not before
-service "gdm3" do
-  action [:start, :disable]
-  only_if { node['packages'].keys.include? "gdm3" }
-  only_if { has_nvidia_support? }
-end
-
-package "lightdm"
-cookbook_file "/etc/lightdm/xhost.sh" do
-  source "lightdm/xhost.sh"
-  mode "0744"
-  notifies :restart, "service[lightdm]", :delayed
-end
-cookbook_file "/etc/lightdm/lightdm.conf" do
-  source "lightdm/lightdm.conf"
-  action :create_if_missing
-end
-ruby_block "Ensure display-setup-script" do
-  block do
-    lightdm_conf = Chef::Util::FileEdit.new("/etc/lightdm/lightdm.conf")
-    lightdm_conf.search_file_replace_line %r{^display-setup-script=.*},
-      "display-setup-script=/etc/lightdm/xhost.sh"
-    lightdm_conf.insert_line_if_no_match %r{^display-setup-script=.*},
-      "display-setup-script=/etc/lightdm/xhost.sh"
-    lightdm_conf.write_file if lightdm_conf.unwritten_changes?
-  end
-end
-
-# set lightdm as the display manager requires 3 commands
-execute 'set-lightdm-display-manager debconf' do
-  command 'echo set shared/default-x-display-manager lightdm | debconf-communicate'
-  not_if 'grep lightdm /etc/X11/default-display-manager'
-end
-execute 'reconfigure-gdm3' do
-  command 'dpkg-reconfigure lightdm'
-  environment ({'DEBIAN_FRONTEND' => 'noninteractive', 'DEBCONF_NONINTERACTIVE_SEEN' => 'true'})
-  not_if 'grep lightdm /etc/X11/default-display-manager'
-end
-execute 'set-lightdm-display-manager-etc' do
-  command 'echo "/usr/sbin/lightdm" > /etc/X11/default-display-manager'
-  not_if 'grep lightdm /etc/X11/default-display-manager'
-end
-service "lightdm" do
-  action [:start, :enable]
-end
-
-package "squid-deb-proxy"
-directory "/etc/squid-deb-proxy/mirror-dstdomain.acl.d" do
-  recursive true
-end
-%w[11-ubuntuppa 12-osrfoundation 13-debian].each do |conf|
-  cookbook_file "/etc/squid-deb-proxy/mirror-dstdomain.acl.d/#{conf}" do
-    source "squid-deb-proxy/mirror-dstdomain.acl.d/#{conf}"
-    notifies :restart, "service[squid-deb-proxy]", :delayed
-  end
-end
-service "squid-deb-proxy" do
-  action [:start, :enable]
-end
-
 user linux_username  do
   shell "/bin/bash"
   home "#{agent_homedir}"
@@ -160,14 +18,15 @@
   nopasswd true
 end
 
-# Add agent user to the docker group to allow them to build and run docker
-# containers.
-group 'docker' do
-  append true
-  members linux_username
-  action :manage # Group should be created by docker package.
+apt_update "default" do
+  action :periodic
+  frequency 3600
 end
 
+package 'default-jre-headless'
+
+puts node['osrfbuild']['agent']['install_agent_build_setup']
+include_recipe 'osrf_jenkins_agent::agent_build_tools' if node['osrfbuild']['agent']['install_agent_build_setup']
 
 # TODO: how to read attributes from chef-osrf plugins into this cookbook
 # swarm_client_version = node['jenkins-plugins']['swarm']

test/integration/agent/agent.rb

@@ -0,0 +1,27 @@
+control 'agent_user' do
+  impact 'critical'
+  title 'User jenkins should present in the system'
+  # attributes are not directly accesible from inspec. Hardcoding user here
+  describe user('default_linux_username') do
+    it { should exist }
+  end
+end
+
+control 'no_open_ports' do
+  impact 'low'
+  title 'Check no expected open ports exists'
+  describe port(80) do
+    it { should_not be_listening }
+  end
+end
+
+control 'jenkins-agent' do
+  impact 'critical'
+  title 'jenkins-agent service should installed, not running'
+  describe service('jenkins-agent') do
+    it { should be_installed }
+    # imposible to connect to server in tests, should not be up
+    it { should_not be_enabled }
+    it { should_not be_running }
+  end
+end